AlertWheel: Radial Visualization of Bipartite Graphs Applied to Intrusion Detection Systems on Computer Networks (original title: AlertWheel: Visualisation radiale de graphes bipartis appliquée aux systèmes de détection d'intrusions sur des réseaux informatiques)

Posted on: 2012-02-18
Degree: M.Eng
Type: Thesis
University: École de Technologie Supérieure (Canada)
Candidate: Dumas, Maxime
Full Text: PDF
GTID: 2458390008995924
Subject: Computer Science

Abstract/Summary:
Intrusion detection systems (IDS) are widely used to detect attacks on computer networks. These tools scan incoming and outgoing traffic, searching for anomalies or suspicious activities. Unfortunately, they also generate a great deal of noise (i.e. false positives, redundant alerts, etc.), which greatly complicates data analysis.

This thesis presents AlertWheel, a new software application that eases network analysis on large-scale networks. It is based on a novel radial visualization capable of simultaneously displaying several thousand alerts while emphasizing the most important alerts or patterns in the dataset. Among other things, AlertWheel offers a new technique for representing bipartite graphs (graphs in which links exist only between two distinct node groups). Using this approach, links are positioned so as to reduce occlusion in the visualization. AlertWheel also combines three link bundling techniques in a novel way to reduce clutter on the interface. The solution further incorporates filtering options, annotation, logging and details-on-demand, to support the analysis processes described by specialists in this field.

AlertWheel enables three different levels of analysis: high-level analysis (the alert wheel), intermediate analysis (the alert matrix) and detailed analysis (a single alert). The prototype supports different combinations and layouts of views, so that it can adapt to many kinds of analysis.

The application was mainly developed to support honeypot analysis (honeypots being virtually vulnerable computers used as a trap to analyze malicious traffic). AlertWheel could also be used on large computer networks where traditional techniques cannot be adapted.

AlertWheel was evaluated using network traffic captured on the international honeypot network WOMBAT. Using this solution, it was possible to rapidly isolate actual attacks and identify high-level attack patterns.

Keywords/Search Tags: AlertWheel, Network