Edinburgh Napier University

  Monitoring log files for network intrusions is unwieldy. To build a mental model of the log, an analyst is required to recognise continuous timelines and attack patterns from a dataset that is essentially limited to an ordered list of events. Information Visualization techniques arrange data into directly perceivable visual patterns that may alleviate some overheads associated with interpreting these datasets and improve the ability of users, especially those in resource-stretched Small and Medium sized Businesses (SMBs), to make sense of activity patterns in Intrusion Detection System (IDS) event logs. To this end, we discuss existing network security visualizations for IDS logs and after examining the strengths and drawbacks of those applications we have prototyped a visualization tool, Pianola, that arranges events on multiple timelines to reveal patterns both in time and across a network. The tool was evaluated against the traditional use of command-line interface (CLI)-based tools for analyzing network security events and displayed significant improvements in both recognition and detection of attacks and reduction in the users’ subjective workload, measured using the NASA Task Load index (TLX).