Authors
Hideki Koike, Kazuhiro Ohno
Publication date
2004/10/29
Book
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Pages
143-147
Description
False detection is a major issue in deploying and maintaining Network-based Intrusion Detection Systems (NIDS). Traditionally, the recommended remedy is to customize the signature database (DB) to reduce false detections. However, customizing the signature DB appropriately requires deep knowledge and skill, and inappropriate customization increases false negatives as well as false positives. In this paper, we propose a visualization system for NIDS logs, named SnortView, which helps administrators analyze NIDS alerts much faster and more easily. Instead of customizing the signature DB, we propose using visualization to recognize not only each alert but also false detections. The system is based on a 2-D time diagram in which alerts are shown as icons with different styles and colors. In addition, the system introduces visualization techniques such as overlaid statistical …