Information Visualization for Intrusion Detection
This project is a joint venture between the UMBC Information Systems and Computer
Science departments to develop and test a tool for intrusion detection analysis.
The Intrusion Detection Toolkit (IDtk) is an information visualization tool developed
by the Computer Science department with input from our group in the Information
Systems department, which has used various qualitative methods to learn from the people
who actually perform analysis on intrusion detection data. Information visualization,
which uses graphics to present large, abstract data sets to speed up human processing
of information, may prove to be a valuable tool in the security analyst's toolbox.
Information visualization emphasizes speed, recognition over recall (which frees
working memory resources), and the easy identification of patterns and outliers,
all of which are important in intrusion detection analysis.
We are also interested in how a deeper understanding of the way users interact
with intrusion detection systems can inform the design of a tool for intrusion
detection analysis. To this end, we have been conducting ongoing interviews
with information security analysts as part of the user needs assessment process.
These interviews focus on the current work practices of security analysts,
the limitations and strengths of current intrusion detection analysis tools,
and the potential of information visualization technologies for intrusion
detection analysis. We also conducted a focus group with the Washington, DC
Snort User Group, and we are currently running usability tests on the current
prototype at UMBC.
For more information, see http://www.umbc.edu/~jgood/idtk.php