Network Intrusion Detection Cognitive Task Analysis: Textual and Visual Tool Usage and Recommendations

Abstract

A task analysis is conducted for the complex task of network security engineers, intrusion detection (ID) of computer networks. ID helps engineers protect network from harmful attacks and can be broken down into the following phases: pre-processing information, monitoring the network, analyzing attacks, and responding to attacks. Different cognitive loads are placed on the engineer at each phase. Engineers also need to integrate information from a variety of tools and resources, which adds additional cognitive workload. Visualization tools have been developed to alleviate these workloads but they have had limited success. To address this problem, we make two recommendations: (1) these tools should be designed for use across the phases of ID; this reduces the number of resources used therefore reducing the workload of integrating information across sources, and (2) visualization tools should allow concurrent use of textual tools and resources that provide detailed information and a powerful interface.

Get full access to this article

View all access options for this article.

References

Ball

Fink

G. A.

North

(2004, Oct. 29). Home-centric visualization of network traffic for security administration. VizSEC/DMSEC, 55–64.

D'Amico

Kocka

(2005, Oct. 26). Information assurance visualizations for specific stages of situational awareness and intended uses: Lessons learned. VizSEC, 107–112.

Goodall

J. R.

(2005, June 15–17). User requirements and design of a visualization for intrusion detection analysis. IEEE Workshop on Information Assurance and Security, 394–401.

Goodall

Lutters

Komlodi

(2004a). I know my network: Collaboration and expertise in intrusion detection. CSCW, 342–345.

Goodall

Lutters

Komlodi

(2004b, Aug 6–8). The work of intrusion detection: Rethinking the role of security analysts. AMCIS, 1421–1427.

Goodall

J. R.

Lutters

W. G.

Rheingans

Komlodi

(2005, Oct 26). Preserving the big picture: Visual network traffic analysis with TNV. VizSEC, 47–54.

Goodall

J. R.

Ozok

A. A.

Lutters

W. G.

Rheingans

Komlodi

(2005, Apr 2–7). A user-centered approach to visualizing network traffic for intrusion detection. Extended Abstracts CHI, 1403–1406.

Julisch

Dacier

(2002, Jul 23–26). Mining intrusion detection alarms for actionable knowledge. KDD, 366–375.

Kandogan

Haber

(2005). Security administration tools and practices. In Cranon

Garfinkel

(Eds.), Security and Usability: Designing Secure Systems that People Can Use (pp. 357–376). Beijing: O'Reilly.

10.

Killcrece

Kossakowski

Ruefle

Zajicek

(2003). State of the Practice of Computer Security Response Teams (CSIRTs) (No. CMU/SEI-2003-TR-001): Carnegie Mellon Software Engineering Institute (SEI).

11.

Komlodi

Goodall

J. R.

Lutters

W. G.

(2004, Apr 24–29). An information visualization framework for intrusion detection. Ext. Abstr. CHI, 17–43.

12.

Lakkaraju

Bearavolu

Yurcik

(2003). NVisionIP - A traffic visualization tool for security analysis of large and complex networks. International Multiconference on Measurement, Modeling, and Evaluation of Computer-Communications Systems..

13.

Yin

Yurcik

Lakkaraju

Abad

(2004, Apr 15–17). VisFlowConnect: Providing security situational awareness by visualizing network traffic flows. IPCCC, 601–607.

14.

Yurcik

Barlow

Rosendale

(2003). Maintaining perspective on who is the enemy in the security systems administration of computer networks. ACM CHI Workshop on System Administrators Are Users, Too: Designing Workspaces for Managing Internet-Scale Systems..