Focusing on context in network traffic analysis

John R. Goodall, Wayne G. Lutters, Penny Rheingans, A. Komlódi

Research output: Contribution to journal › Article

37 Citations (Scopus)

Abstract

Intrusion detection analysis requires understanding the context of an event, usually discovered by examining packet-level detail. When analysts attempt to construct the big picture of a security event, they must move between high-level representations and these low-level details. This continual shifting places a substantial cognitive burden on the analyst, who must mentally store and transfer information between these levels of analysis. This article presents an information visualization tool, the time-based network traffic visualizer (TNV), which reduces this burden. TNV augments the available support for discovering and analyzing anomalous or malicious network activity. The system is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance in the analysis task of integrating contextual information into an understanding of the event under investigation. TNV provides low-level, textual data and multiple, linked visualizations that enable analysts to simultaneously examine packet-level detail within the larger context of activity.

Original language: English
Pages (from-to): 72-80
Number of pages: 9
Journal: IEEE Computer Graphics and Applications
Volume: 26
Issue number: 2
DOI: 10.1109/MCG.2006.31
Publication status: Published - Mar 2006

Fingerprint

Intrusion detection
Visualization

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Software

Cite this

Focusing on context in network traffic analysis. / Goodall, John R.; Lutters, Wayne G.; Rheingans, Penny; Komlódi, A.

In: IEEE Computer Graphics and Applications, Vol. 26, No. 2, 03.2006, p. 72-80.


Goodall, John R. ; Lutters, Wayne G. ; Rheingans, Penny ; Komlódi, A. / Focusing on context in network traffic analysis. In: IEEE Computer Graphics and Applications. 2006 ; Vol. 26, No. 2. pp. 72-80.
@article{78c3fb4091c6463491823cb02ccc9450,
title = "Focusing on context in network traffic analysis",
abstract = "Intrusion detection analysis requires understanding the context of an event, usually discovered by examining packet-level detail. When analysts attempt to construct the big picture of a security event, they must move between high-level representations and these low-level details. This continual shifting places a substantial cognitive burden on the analyst, who must mentally store and transfer information between these levels of analysis. This article presents an information visualization tool, the time-based network traffic visualizer (TNV), which reduces this burden. TNV augments the available support for discovering and analyzing anomalous or malicious network activity. The system is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance in the analysis task of integrating contextual information into an understanding of the event under investigation. TNV provides low-level, textual data and multiple, linked visualizations that enable analysts to simultaneously examine packet-level detail within the larger context of activity.",
author = "Goodall, {John R.} and Lutters, {Wayne G.} and Penny Rheingans and A. Koml{\'o}di",
year = "2006",
month = "3",
doi = "10.1109/MCG.2006.31",
language = "English",
volume = "26",
pages = "72--80",
journal = "IEEE Computer Graphics and Applications",
issn = "0272-1716",
publisher = "IEEE Computer Society",
number = "2",
}

TY - JOUR
T1 - Focusing on context in network traffic analysis
AU - Goodall, John R.
AU - Lutters, Wayne G.
AU - Rheingans, Penny
AU - Komlódi, A.
PY - 2006/3
Y1 - 2006/3
N2 - Intrusion detection analysis requires understanding the context of an event, usually discovered by examining packet-level detail. When analysts attempt to construct the big picture of a security event, they must move between high-level representations and these low-level details. This continual shifting places a substantial cognitive burden on the analyst, who must mentally store and transfer information between these levels of analysis. This article presents an information visualization tool, the time-based network traffic visualizer (TNV), which reduces this burden. TNV augments the available support for discovering and analyzing anomalous or malicious network activity. The system is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance in the analysis task of integrating contextual information into an understanding of the event under investigation. TNV provides low-level, textual data and multiple, linked visualizations that enable analysts to simultaneously examine packet-level detail within the larger context of activity.
AB - Intrusion detection analysis requires understanding the context of an event, usually discovered by examining packet-level detail. When analysts attempt to construct the big picture of a security event, they must move between high-level representations and these low-level details. This continual shifting places a substantial cognitive burden on the analyst, who must mentally store and transfer information between these levels of analysis. This article presents an information visualization tool, the time-based network traffic visualizer (TNV), which reduces this burden. TNV augments the available support for discovering and analyzing anomalous or malicious network activity. The system is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance in the analysis task of integrating contextual information into an understanding of the event under investigation. TNV provides low-level, textual data and multiple, linked visualizations that enable analysts to simultaneously examine packet-level detail within the larger context of activity.
UR - http://www.scopus.com/inward/record.url?scp=33645236577&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33645236577&partnerID=8YFLogxK
U2 - 10.1109/MCG.2006.31
DO - 10.1109/MCG.2006.31
M3 - Article
VL - 26
SP - 72
EP - 80
JO - IEEE Computer Graphics and Applications
JF - IEEE Computer Graphics and Applications
SN - 0272-1716
IS - 2
ER -