DocumentCode :
2408850
Title :
Exploring three-dimensional visualization for intrusion detection
Author :
Oline, Adam ; Reiners, Dirk
Author_Institution :
Dept. of Comput. Sci., Iowa State Univ., USA
fYear :
2005
fDate :
26 Oct. 2005
Firstpage :
113
Lastpage :
120
Abstract :
Intrusion detection systems have been popular tools in the battle against adversaries who, for whatever reason, desire to break into networks, compromise hosts, and steal valuable information. One problem with current implementations, however, is the sheer number of alerts they can generate, many of which tend to be false alarms. This drawback makes effective use of such systems a challenging task. In this paper we explore three-dimensional approaches to visualizing network intrusion detection system alerts and aggregated network statistics in order to provide the system administrator with a better picture of the events occurring on his or her network. While some research has been done using two-dimensional concepts, 3D approaches have not received much attention with regard to detecting network intrusions. Evaluation of our visualizations using the 1999 DARPA intrusion detection evaluation data set demonstrates the potential benefit of utilizing the third dimension. We show how a number of attack types in the data set generate visual evidence of abnormal activity that a security administrator might use as motivation for further investigation.
Keywords :
data visualisation; security of data; 1999 DARPA intrusion detection evaluation data set; abnormal network activity; aggregated network statistics; data reduction; network intrusion detection system; three-dimensional visualization; visual evidence generation; Computer interfaces; Computer network management; Computer networks; Computer security; Data security; Data visualization; Graphical user interfaces; Information security; Intrusion detection; Protection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Visualization for Computer Security, 2005. (VizSEC 05). IEEE Workshop on
Print_ISBN :
0-7803-9477-1
Type :
conf
DOI :
10.1109/VIZSEC.2005.1532073
Filename :
1532073