Technical Track
Any organization or department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply as much correlation as possible to this data in order to be able to see things from a bird's eye perspective. Even at this point, a human could use some additional help in deciphering the situation. The authors believe that visualization is a key component to this end. This paper describes general methods and principles that allow the use of visualization as an efficient tool for alert analysis. The paper is organized as follows: Section 1 talks about related work in the field of visualization to aid alert analysis and anomaly detection. Section 2 details some fundamental requirements and considerations that must be incorporated into the design of visualizations and related tools. Section 3 discusses a visualization tool used within our organization to aid in alert and anomaly analysis, while highlighting its place within the framework of requirements. Section 4 discusses a sample visualization, and how its design allows for intuitive analysis. Finally, the paper concludes by pointing out a few key areas where improvements could be made to existing visualization methodologies.
http://www.first.org/conference/2006/papers/banerjee-uday-slides.pdf
Type: Slides
Format: application/pdf
Last updated: July 12, 2006
Size: 732 Kb
http://www.first.org/conference/2006/papers/banerjee-uday-papers.pdf
Type: Paper
Format: application/pdf
Last updated: July 12, 2006
Size: 1.02 Mb
Authors & presenters
Jon Ramsey (SWRX CERT SecureWorks, US); Uday Banerjee (SWRX CERT SecureWorks, US)