With network size and complexity continuously increasing, securing computing infrastructures from attacks is an escalating challenge. Intrusion detection systems (IDSs) are often used to aid analysts' efforts by automatically identifying successful and unsuccessful system attacks or abuses. Although IDS alerts can be a useful first step in uncovering security compromises, they're often just that: a starting point. While IDS alerts contain some pertinent information, analysts can rarely determine an event's accuracy and severity from an IDS alert alone. Rather, they must collect and construct the event's relevant context within voluminous network traffic data. Building this contextual understanding of an event is fundamental to intrusion detection (ID) analysis. Whether the starting point of analysis is data rich (as with an IDS alert) or data poor (as with a phone call from a user), analysis of a network security event is a complex task.

Generally, contextual data comes from collecting packet-level detail of the event-related network traffic. The textual or tabular tools that analysts currently use—such as Tcpdump (http://www.tcpdump.org) or Ethereal (http://www.ethereal.com)—focus on extracting this vital, detailed information from individual packets. However, such tools lack a mechanism for providing a simultaneous big picture view of the data. As analysts try to understand the details of the packets within the larger context of surrounding network activity, they must continually shift their attention, increasing their already considerable cognitive load. In addition, these tools excel at filtering and searching for details—but only if analysts know exactly what they're looking for in the data. For less structured data exploration tasks aimed at discovering and understanding patterns and anomalies, the tools are less effective.
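The context-building step described above (start from an alert, pull the surrounding packet-level traffic, then look at both an aggregate overview and the individual packets) can be sketched in a few dozen lines. The following Python script is an added example written for this page; it is not code from the paper or from the Time-Based Network Traffic Visualizer. The packet records, the alert and the hosts are all constructed inline (in practice the records would come from a Tcpdump capture), and the time-bucket size, the context window and the port-sweep threshold are assumed values chosen for the sample data.

```python
"""Overview-plus-detail context around an IDS alert (added example, not the paper's tool)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (constructed values)
    src: str
    dst: str
    proto: str
    dport: int
    length: int


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str


# Constructed sample traffic: one host probes several ports on a target just before
# an alert at t=100, the target answers, a third host and some background DNS are
# mixed in, and one packet lies well outside the window.  All addresses are made up.
SAMPLE = [
    Packet(95.0, "10.0.0.5", "192.168.1.10", "TCP", 22, 60),
    Packet(96.0, "10.0.0.5", "192.168.1.10", "TCP", 23, 60),
    Packet(97.0, "10.0.0.5", "192.168.1.10", "TCP", 80, 60),
    Packet(98.0, "10.0.0.5", "192.168.1.10", "TCP", 443, 60),
    Packet(99.5, "10.0.0.5", "192.168.1.10", "TCP", 8080, 60),
    Packet(100.0, "10.0.0.5", "192.168.1.10", "TCP", 445, 60),    # the packet that fired the alert
    Packet(101.0, "192.168.1.10", "10.0.0.5", "TCP", 445, 1500),  # target replied
    Packet(102.0, "192.168.1.10", "10.0.0.5", "TCP", 445, 1500),
    Packet(100.5, "192.168.1.20", "192.168.1.30", "UDP", 53, 80),  # unrelated background
    Packet(103.0, "10.0.0.7", "192.168.1.10", "TCP", 80, 60),      # another host, inside window
    Packet(400.0, "10.0.0.5", "192.168.1.10", "TCP", 22, 60),      # outside window
]


def context_window(packets, alert, before=10.0, after=10.0):
    """Detail view: every packet touching either alert host within +/- the window, time-ordered."""
    hosts = {alert.src, alert.dst}
    lo, hi = alert.ts - before, alert.ts + after
    return sorted(
        (p for p in packets if lo <= p.ts <= hi and (p.src in hosts or p.dst in hosts)),
        key=lambda p: p.ts,
    )


def overview(packets, bucket=5.0):
    """Big-picture view: per time bucket and (src, dst) pair, packet count, bytes and distinct ports."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for p in packets:
        key = (int(p.ts // bucket) * bucket, p.src, p.dst)
        agg[key]["packets"] += 1
        agg[key]["bytes"] += p.length
        agg[key]["dports"].add(p.dport)
    return {k: {"packets": v["packets"], "bytes": v["bytes"], "dports": len(v["dports"])}
            for k, v in agg.items()}


def flag_port_sweeps(summary, min_dports=4):
    """Cells where one source reached many distinct ports on one target inside a single bucket."""
    return sorted(k for k, v in summary.items() if v["dports"] >= min_dports)


def render(summary):
    """Plain-text table of the overview, the cheap stand-in for a graphical view."""
    lines = ["bucket  src             dst             pkts  bytes  dports"]
    for (b, s, d), v in sorted(summary.items()):
        lines.append(f"{b:>6.0f}  {s:<15} {d:<15} {v['packets']:>4}  {v['bytes']:>5}  {v['dports']:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    alert = Alert(ts=100.0, src="10.0.0.5", dst="192.168.1.10")
    ctx = context_window(SAMPLE, alert)
    summary = overview(ctx)
    print(render(summary))
    print("port sweeps:", flag_port_sweeps(summary))
    for p in ctx:          # the packet-level detail an analyst would drill into
        print(p)
```

Run over the constructed sample, the overview shows five distinct destination ports from one source in the bucket before the alert while the detail list shows the individual probes and the target's replies; the same functions work unchanged on records parsed from a real capture.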
To overcome these limitations, we designed an information visualization tool that gives network analysts a simultaneous view of both the big picture and individual packet details. By integrating both of these essential views into a single tool, we can help reduce analysts' cognitive burden. The tool also helps preserve the context required to comprehensively support the process of discovering, analyzing, and making decisions about anomalous or potentially malicious activity. We've grounded our visualization design in the actual work practices of security analysts. Here, we describe this design process, present details of our visualization support tool, and demonstrate how it aids ID in three common scenarios.

Intrusion detection: an overview

In previous research, [1] we interviewed a diverse sample of security analysts to identify some of ID's most significant challenges. One such challenge is data overload—a well-documented problem with many examples in the literature. [2] This pressing concern is one reason that information visualization—which can make large amounts of data more compact and understandable—offers such an appealing solution to the challenges of ID.

Intrusion detection tasks

Based on our findings from this fieldwork, we classify ID work into three tasks: monitoring, analysis, and response. [1] The monitoring task is typically focused on surveillance of the output of an IDS and other systems that monitor network state. This time-consuming task focuses on analysts' need to maintain situational awareness of their networks' dynamic activities. The analysis task focuses on determining the accuracy and severity of security events uncovered during monitoring. This is the most complex ID task, requiring substantial knowledge and experience. Often, on further analysis, indications of malicious activity turn out to be benign. Even when analysts find that such activities are truly malicious, they must then determine how to prioritize an event. They do this on the basis of their knowledge of both the event itself and the relative importance of the targeted network device. Finally, response refers to an analyst's reaction to a security event. This task ranges from proactively countering the attack if it's a true malicious event, to updating their systems to ignore the event in the future if it's a false positive.

Focusing on Context in Network Traffic Analysis
John R. Goodall, Wayne G. Lutters, Penny Rheingans, and Anita Komlodi, University of Maryland, Baltimore County
Visualization for Cybersecurity
The Time-Based Network Traffic Visualizer combines low-level, textual detail with multiple visualizations of the larger context to help users construct a security event's big picture.
March/April 2006. Published by the IEEE Computer Society. 0272-1716/06/$20.00 © 2006 IEEE