Increasing numbers of alerts produced by network intrusion detection
systems (NIDS) have burdened the job of security analysts especially in
identifying and responding to them. The tasks of exploring and analysing large
quantities of communication network security data are also difficult. This thesis
studied the application of visualisation in combination with alerts classifier to
make the exploring and understanding of network security alerts data faster and
easier. The prototype software, NSAViz, has been developed to visualise and to
provide an intuitive presentation of the network security alerts data using
interactive 3D visuals with an integration of a false alert classifier. The needs
analysis of this prototype was based on the suggested needs of network
security analyst's tasks as seen in the literatures. The prototype software
incorporates various projections of the alert data in 3D displays. The overview
was plotted in a 3D plot named as "time series 3D AlertGraph" which was an
extension of the 2D histographs into 3D. The 3D AlertGraph was effectively
summarised the alerts data and gave the overview of the network security
status. Filtering, drill-down and playback of the alerts at variable speed were
incorporated to strengthen the analysis. Real-time visual observation was also
To identify true alerts from all alerts represents the main task of the
network security analyst. This prototype software was integrated with a false
alert classifier using a classification tree based on C4.5 classification algorithm
to classify the alerts into true and false. Users can add new samples and edit
the existing classifier training sample. The classifier performance was measured
using k-fold cross-validation technique. The results showed the classifier was
able to remove noise in the visualisation, thus making the pattern of the true
alerts to emerge. It also highlighted the true alerts in the visualisation.
Finally, a user evaluation was conducted to find the usability problems in
the tool and to measure its effectiveness. The feed backs showed the tools had
successfully helped the task of the security analyst and increased the security awareness in their supervised network. From this research, the task of exploring
and analysing a large amount of network security data becomes easier and the
true attacks can be identified using the prototype visualisation tools.
Visualisation techniques and false alert classification are helpful in exploring
and analysing network security data.
A Doctoral Thesis. Submitted in partial fulfilment of the requirements for the award of Doctor of Philosophy of Loughborough University.