Visualization of Intrusion Alerts for Network Security Monitoring and Analysis via Heuristic Host Selection

Posted on: 2012-03-12
Degree: M.C.S
Type: Thesis
University: University of New Brunswick (Canada)
Candidate: Shiravi-Khozani, Hadi
Full Text: PDF
GTID: 2468390011959983
Subject: Computer Science
Abstract/Summary:
A major drawback of Intrusion Detection Systems (IDSs), regardless of their detection mechanism, is the overwhelming number of alerts they generate on a daily basis, which can easily exhaust security administrators. This limitation has led researchers in the IDS community not only to develop better detection algorithms and signature tuning mechanisms, but also to focus on discovering various relations between individual alerts, formally known as alert correlation.

In this thesis, we present a novel security visualization system entitled Avisa. It accentuates fundamental matters of information visualization, namely interaction and animation, and synthesizes them with IDS audit traces. The system utilizes three categories of heuristic functions, each composed of multiple heuristic measures, to collectively identify hosts of peculiar behavior. Visual constraints inspired the use of heuristic metrics to select and display hosts with irregular and variant behaviors. We thoroughly describe the ideas behind the heuristic metrics and perform an empirical analysis to individually evaluate each metric's functionality on a new evaluation dataset.
Keywords/Search Tags: Heuristic, Alerts, Visualization, Security