With the expansion of the Internet, electronic commerce and distributed computing, the amount of information transmitted via electronic networks is continuously increasing. Such possibilities have opened many new business horizons. However, they have also resulted in a considerable increase of illegal computer intrusions.
An emerging trend that addresses this problem is the development of intrusion detection systems. These systems are aimed to detect attacks on the computer network by monitoring all network activities. Network activities are usually monitored by the intrusion detection system as a time-ordered sequence of events wherein each event is characterized by a given set of attributes, so-called dimensions. Each event therefore forms an n-dimensional space.
The monitoring of a high number of events each having many attributes triggered by an intrusion-detection system is a task that requires high skill and attention from the monitoring staff, since a large fraction of the triggered events is regularly reported. The challenge for an operator of the intrusion detection system is to spot those events that are indicators of a real security problem. In order to distinguish security problem events from “false positive” alarms, the operators of the intrusion detection system usually watches out for interesting event patterns by means of a pattern detection algorithm. This pattern detection algorithm enables to detect whether an arrived event is part of a given pattern on the basis of a comparison of the attributes allocated to this given pattern and the attributes assigned to the arrived event. For example, a pattern detection algorithm may determine whether the events triggered by the intrusion-detection systems all involve the same source IP, i.e. involve the same attacking machine, or the same destination IP, i.e. involve the same attack machine.
In order to render it possible for the operator to supervise the events triggered by the intrusion-detection system a suitable event visualization is needed. Current intrusion event presentation methods can be classified into three different groups: a first group of methods provides the operator of the intrusion detection system with a tabular text display of the relevant event information. For example, the operator console so-called Event Viewer of IBM Tivoli Enterprise Console TEC uses such a presentation method. In order to distinguish “false” positive events from real security problem events, a time-consuming comparison of textual information has to be carried out, making it difficult to spot interesting event patterns.
A second group of prior art event visualization methods provides the operator of the intrusion-detection system with a graphical representation of event information, but does not present the arrival time of the events. This second group method renders it possible to present various relations between event attributes. Such a second group method is known from Erbacher et al., Intrusion and Misuse Detection in Large-Scale Systems, IEEE CGA (2002). This document describes a visualization method representing security events as lines between points, each point representing a specific originating IP address or a specific destination IP address. From Girardin et al., A Visual Approach for Monitoring Logs, Proc. 12th Usenix System Administraction Conference, Boston, Mass., USA, 1998, a further second group method is known using a parallel coordinate visualization technique to represent different attributes of events. The disadvantage of the second group methods is that they do not display the event time, which is the most important event attributes. This makes it difficult for operators of the intrusion-detection system to quickly orient themselves if they have not watched the display for a while.
A third group of prior art event monitoring methods enables an event visualization that represents the arrival time of events as a separate event attribute. The arrival time of the event is regularly displayed as the x-axis of cross-plot. From Ma et al., Event Miner: An Integrated Mining Tool for Scalable Analysis of Event Data, May 2002, a visualization method is known using a two-dimensional mapping technique of arbitrary event attributes versa arrival time enabling an operator to analyze the event history. The disadvantage of this method is that only one of the event attributes may be plotted versus the arrival time of the events. Thus, the operators have to switch continuously between the various event attributes to make sure that they do not miss a significant event pattern. From Haines et al., Visualization Techniques for Event Stream Analysis, Eurographics UK Chapter 15th Annual Conference, Norwich, 1997, an event visualization technique is known using a vertical stack of cross plots to display multi-event attributes versus event arrival time. This known visualization technique works well if only a few event attributes have to be monitored simultaneously on a screen. A problem may, however, occur if an operator of the intrusion detection system has to supervise a large number of event attributes. He then has to simultaneously watch a large number of different plots each displaying an event attribute versus the event arrival time. In consequence, a high attention of the operator is required to detect all the security problems derivable from the displayed events.