Loughborough University
Leicestershire, UK
LE11 3TU
+44 (0)1509 263171
Loughborough University

Loughborough University Institutional Repository

Please use this identifier to cite or link to this item: https://dspace.lboro.ac.uk/2134/14241

Title: Visualising network security attacks with multiple 3D visualisation and false alert classification
Authors: Musa, Shahrulniza
Keywords: Information visualization
Intrusion detection alert visualization
False alert classification
Human computer interaction
Network security visualization
Visualization for cybersecurity
Visualization for computer security
Issue Date: 2008
Publisher: © Shahrulniza Musa
Abstract: Increasing numbers of alerts produced by network intrusion detection systems (NIDS) have burdened the job of security analysts especially in identifying and responding to them. The tasks of exploring and analysing large quantities of communication network security data are also difficult. This thesis studied the application of visualisation in combination with alerts classifier to make the exploring and understanding of network security alerts data faster and easier. The prototype software, NSAViz, has been developed to visualise and to provide an intuitive presentation of the network security alerts data using interactive 3D visuals with an integration of a false alert classifier. The needs analysis of this prototype was based on the suggested needs of network security analyst's tasks as seen in the literatures. The prototype software incorporates various projections of the alert data in 3D displays. The overview was plotted in a 3D plot named as "time series 3D AlertGraph" which was an extension of the 2D histographs into 3D. The 3D AlertGraph was effectively summarised the alerts data and gave the overview of the network security status. Filtering, drill-down and playback of the alerts at variable speed were incorporated to strengthen the analysis. Real-time visual observation was also included. To identify true alerts from all alerts represents the main task of the network security analyst. This prototype software was integrated with a false alert classifier using a classification tree based on C4.5 classification algorithm to classify the alerts into true and false. Users can add new samples and edit the existing classifier training sample. The classifier performance was measured using k-fold cross-validation technique. The results showed the classifier was able to remove noise in the visualisation, thus making the pattern of the true alerts to emerge. It also highlighted the true alerts in the visualisation. Finally, a user evaluation was conducted to find the usability problems in the tool and to measure its effectiveness. The feed backs showed the tools had successfully helped the task of the security analyst and increased the security awareness in their supervised network. From this research, the task of exploring and analysing a large amount of network security data becomes easier and the true attacks can be identified using the prototype visualisation tools. Visualisation techniques and false alert classification are helpful in exploring and analysing network security data.
Description: A Doctoral Thesis. Submitted in partial fulfilment of the requirements for the award of Doctor of Philosophy of Loughborough University.
URI: https://dspace.lboro.ac.uk/2134/14241
Appears in Collections:PhD Theses (Mechanical, Electrical and Manufacturing Engineering)

Files associated with this item:

File Description SizeFormat
Thesis-2008-Musa.pdf12.13 MBAdobe PDFView/Open
Form-2008-Musa.pdf53.74 kBAdobe PDFView/Open


SFX Query

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.