Nimble cybersecurity incident management through visualization and defensible recommendations

Authors:
Jamie Rasmussen;Kate Ehrlich;Steven Ross;Susanna Kirk;Daniel Gruen;John Patterson
Affiliations:
IBM Research, Cambridge, MA;IBM Research, Cambridge, MA;IBM Research, Cambridge, MA;IBM Research, Cambridge, MA;IBM Research, Cambridge, MA;IBM Research, Cambridge, MA
Venue:
Proceedings of the Seventh International Symposium on Visualization for Cyber Security
Year:
2010

Citing 13
Cited 3

Explaining collaborative filtering recommendations

CSCW '00 Proceedings of the 2000 ACM conference on Computer supported cooperative work
Structural Graph Matching Using the EM Algorithm and Singular Value Decomposition

IEEE Transactions on Pattern Analysis and Machine Intelligence - Graph Algorithms and Computer Vision
Toolkit Design for Interactive Structured Graphics

IEEE Transactions on Software Engineering
SnortView: visualization system of snort logs

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Prefix-preserving IP address anonymization: measurement-based security evaluation and a new cryptography-based scheme

Computer Networks: The International Journal of Computer and Telecommunications Networking
An Information Visualization Framework for Intrusion Detection

CHI '04 Extended Abstracts on Human Factors in Computing Systems
IDS RainStorm: Visualizing IDS Alarms

VIZSEC '05 Proceedings of the IEEE Workshops on Visualization for Computer Security
Trust building with explanation interfaces

Proceedings of the 11th international conference on Intelligent user interfaces
Command line or pretty lines?: comparing textual and visual interfaces for intrusion detection

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Beyond Boundary Objects: Collaborative Reuse in Aircraft Technical Support

Computer Supported Cooperative Work
Tagsplanations: explaining recommendations using tags

Proceedings of the 14th international conference on Intelligent user interfaces
A Survey of Explanations in Recommender Systems

ICDEW '07 Proceedings of the 2007 IEEE 23rd International Conference on Data Engineering Workshop
Bubble Sets: Revealing Set Relations with Isocontours over Existing Visualizations

IEEE Transactions on Visualization and Computer Graphics

Taking advice from intelligent systems: the double-edged sword of explanations

Proceedings of the 16th international conference on Intelligent user interfaces
NV: Nessus vulnerability visualization for the web

Proceedings of the Ninth International Symposium on Visualization for Cyber Security
NAVSEC: a recommender system for 3D network security visualizations

Proceedings of the Tenth Workshop on Visualization for Cyber Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Analysts engaged in real-time monitoring of cybersecurity incidents must quickly and accurately respond to alerts generated by intrusion detection systems. We investigated two complementary approaches to improving analyst performance on this vigilance task: a graph-based visualization of correlated IDS output and defensible recommendations based on machine learning from historical analyst behavior. We tested our approach with 18 professional cybersecurity analysts using a prototype environment in which we compared the visualization with a conventional tabular display, and the defensible recommendations with limited or no recommendations. Quantitative results showed improved analyst accuracy with the visual display and the defensible recommendations. Additional qualitative data from a "talk aloud" protocol illustrated the role of displays and recommendations in analysts' decision-making process. Implications for the design of future online analysis environments are discussed.