Real-time Visualization Tool for Distributed Intrusion Detection System Data

Period of Performance: 06/29/2010 - 12/29/2010

$68.7K

Phase 1 SBIR

Recipient Firm

Sentar, Inc.
315 Wynn Drive
Huntsville, AL 35805
Principal Investigator

Abstract

Current intrusion detection systems are effective for collecting large quantities of event data, but they are inadequate for presenting that information to security analysts in a useful way. Typically, to investigate a single problem, an analyst must study reams of data and devote substantial hours to writing complex custom filters; frequently, critical data is distributed among multiple logs and available only on remote consoles, requiring access from multiple physical locations. To address this problem, Sentar proposes to develop a real-time visualization system, called Visual Net Defender (VND). VND aggregates, correlates, and presents data from multiple intrusion detection systems and enriches this information with data acquired through passive and active network monitoring. VND uses a multi-tier information architecture rendered in three-dimensional space, using iconography based on familiar, recognizable objects, providing details on demand while eliminating useless noise. Within this rich interactive environment, security conditions can be contextualized in intuitive ways that go beyond signature-based detection or automated correlation, allowing the analyst to integrate macro- and micro-level knowledge seamlessly and rapidly. By enabling systems and humans each to do what they do best, VND permits the analyst to maintain an in-depth understanding of the situation, resulting in better decision making and therefore better security.
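The aggregate-correlate-enrich-suppress pipeline the abstract describes, as an added illustration that is not Sentar's or VND's code: two sensors at different sites emit alerts in different formats (a Snort-style "fast" alert line and a JSON record, both constructed here), the events are normalized into one timeline, grouped by source address within a time window, enriched with a constructed asset inventory standing in for passively observed host data, and isolated low-severity alerts are dropped as noise. The log lines, asset table, window size and noise threshold are all assumptions chosen for the example.

```python
"""Aggregate and correlate alerts from multiple IDS sensors into one view.

Illustrative example only: formats, sample data, inventory and thresholds are
constructed for this demonstration and are not VND's own.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: sensor A writes Snort-style "fast" alert lines ...
SENSOR_A_LINES = [
    "06/29-10:00:01.000000 [**] [1:2001:3] Possible SSH brute force [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22",
    "06/29-10:00:07.000000 [**] [1:2001:3] Possible SSH brute force [**] [Priority: 2] {TCP} 10.0.0.5:51240 -> 192.168.1.10:22",
    "06/29-10:03:00.000000 [**] [1:3000:1] ICMP ping [**] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.20",
]
# ... while sensor B at a remote site emits JSON records.
SENSOR_B_LINES = [
    '{"ts": "2010-06-29T10:00:30", "src": "10.0.0.5", "dst": "192.168.1.11", "sig": "SSH login failure burst", "severity": 2}',
    '{"ts": "2010-06-29T10:00:45", "src": "10.0.0.5", "dst": "192.168.1.12", "sig": "SSH login failure burst", "severity": 2}',
]
# Constructed asset inventory, standing in for data gathered by passive network monitoring.
ASSETS = {
    "192.168.1.10": {"role": "bastion", "os": "Linux"},
    "192.168.1.11": {"role": "db-server", "os": "Linux"},
    "192.168.1.12": {"role": "file-server", "os": "Linux"},
    "192.168.1.20": {"role": "workstation", "os": "Windows"},
}

SNORT_FAST = re.compile(
    r"^(?P<mmdd>\d\d/\d\d)-(?P<time>[\d:.]+) \[\*\*\] \[[^\]]+\] (?P<sig>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


@dataclass
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    sig: str
    severity: int  # 1 is most severe, following the Snort priority convention


def parse_sensor_a(line, year=2010):
    """Normalize a Snort-style fast alert line (which carries no year) into an Event."""
    m = SNORT_FAST.match(line)
    if not m:
        raise ValueError(f"unparsed sensor A line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['mmdd']} {m['time']}", "%Y/%m/%d %H:%M:%S.%f")
    return Event(ts, "sensor-a", m["src"], m["dst"], m["sig"], int(m["prio"]))


def parse_sensor_b(line):
    """Normalize a JSON record from the second sensor into an Event."""
    rec = json.loads(line)
    return Event(datetime.fromisoformat(rec["ts"]), "sensor-b",
                 rec["src"], rec["dst"], rec["sig"], int(rec["severity"]))


def aggregate():
    """Merge both sensors' alerts into a single time-ordered stream."""
    events = [parse_sensor_a(l) for l in SENSOR_A_LINES] + [parse_sensor_b(l) for l in SENSOR_B_LINES]
    return sorted(events, key=lambda e: e.ts)


def _finish(cluster, min_events):
    # Noise rule (assumed): a cluster below min_events is kept only if some sensor rated it top severity.
    if len(cluster) < min_events and min(e.severity for e in cluster) > 1:
        return []
    targets = sorted({e.dst for e in cluster})
    return [{
        "src": cluster[0].src,
        "first_seen": cluster[0].ts.isoformat(),
        "last_seen": cluster[-1].ts.isoformat(),
        "count": len(cluster),
        "sensors": sorted({e.sensor for e in cluster}),
        "signatures": sorted({e.sig for e in cluster}),
        "targets": targets,
        # Enrichment: map each target to its role from the asset inventory.
        "target_roles": sorted({ASSETS.get(t, {}).get("role", "unknown") for t in targets}),
    }]


def correlate(events, window=timedelta(minutes=5), min_events=2):
    """Group a sorted event stream by source IP into incidents that start within `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    incidents = []
    for evs in by_src.values():
        cluster = [evs[0]]
        for e in evs[1:]:
            if e.ts - cluster[0].ts <= window:
                cluster.append(e)
            else:
                incidents.extend(_finish(cluster, min_events))
                cluster = [e]
        incidents.extend(_finish(cluster, min_events))
    return incidents


def build_incidents():
    return correlate(aggregate())


if __name__ == "__main__":
    print(json.dumps(build_incidents(), indent=2))
```

On the constructed input, the four SSH-related alerts from 10.0.0.5 seen by both sensors collapse into one incident spanning three enriched targets, while the single low-priority ICMP alert is suppressed; the analyst sees one cross-site incident instead of five lines split across two consoles.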