Worm Path Identification Using Visualization System

In this paper, we propose a visualization system for worm investigation, which finds worm origins and worm paths. Although investigation of worms are very important for forensic use and further prevention, it is quite difficult for automatic systems to identify worm origins or paths due to the trade-off between false positives and false negatives. Therefore, we focused on interaction between analysts and connection logs. At first, an automated algorithm is run so that there are no false negatives, and then analysts investigate the result to reduce false positives by visualized system. We aim to solve the trade-off by conducting these two steps. We implemented a prototype and conducted a user experiment to evaluate our system. The results show our system enabled subjects to reduce 90% of false detection by an automated algorithm. Although the results depend on parameters or conditions, we show the effectiveness of our idea.