Fig. 2. Our system's visual interface design. There are four areas in it. Area #1 contains controls for interacting with the scenario construction. Area #2 contains the alert count color band for easy referencing by administrators. Area #3 contains time-oriented coordinate systems of events. And area #4 contains space-oriented coordinate systems of events.
4.1 Time-Oriented Coordinate System
In this coordinate system, related events of an attack are arranged along a one-dimensional time axis, as depicted in the bottom left of Fig. 2. Each event is mapped to a circle whose center is positioned according to the event's timestamp. To reduce clutter, events that happen close enough together in time are merged into one larger event. The size of each event circle depends on the number of elementary events it contains (an elementary event is one recorded in a single entry of the web server log or in a single IDS record). The color of each event circle reflects how much severity the event represents for the web application; in our implementation, severity is calculated as the number of alerts generated within the event circle. This coordinate system helps security administrators see how an attack scenario progresses through time.
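The merge-by-time, size-by-count and color-by-alert-count rules above, as an added example that is not the paper's own code. The event records, the 5-second merge gap and the green-to-red color scale are constructed assumptions; the paper does not state its threshold or palette.

```python
from dataclasses import dataclass, field
from typing import List, Dict


@dataclass
class ElementaryEvent:
    """One web-server log entry or one IDS record (an 'elementary event')."""
    ts: float        # timestamp in seconds (constructed values below)
    source: str      # "weblog" or "ids"
    is_alert: bool   # True when the record is an IDS alert


@dataclass
class EventCircle:
    """A merged event drawn as one circle on the time axis."""
    members: List[ElementaryEvent] = field(default_factory=list)

    @property
    def center(self) -> float:
        # x-position on the time axis: mean timestamp of the merged records
        return sum(e.ts for e in self.members) / len(self.members)

    @property
    def size(self) -> int:
        # circle size is driven by the number of elementary events inside it
        return len(self.members)

    @property
    def severity(self) -> int:
        # severity = number of alerts generated inside the circle
        return sum(1 for e in self.members if e.is_alert)


def group_by_time(events: List[ElementaryEvent], gap: float) -> List[EventCircle]:
    """Merge consecutive events whose timestamps lie within `gap` seconds.

    `gap` is an assumed tuning parameter (hypothetical, not from the paper).
    """
    circles: List[EventCircle] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if circles and e.ts - circles[-1].members[-1].ts <= gap:
            circles[-1].members.append(e)
        else:
            circles.append(EventCircle([e]))
    return circles


def severity_color(severity: int, max_severity: int) -> str:
    """Map severity onto a green-to-red hex color (our own assumed scale)."""
    if max_severity <= 0:
        return "#00ff00"
    red = round(255 * severity / max_severity)
    return f"#{red:02x}{255 - red:02x}00"


def build_time_axis(events: List[ElementaryEvent], gap: float) -> List[Dict]:
    """Produce the drawing attributes for every circle on the time axis."""
    circles = group_by_time(events, gap)
    max_sev = max((c.severity for c in circles), default=0)
    return [
        {"center": c.center, "size": c.size, "severity": c.severity,
         "color": severity_color(c.severity, max_sev)}
        for c in circles
    ]


# Constructed sample: a short probe, a quiet period, then a burst of IDS alerts.
SAMPLE_EVENTS = [
    ElementaryEvent(0.0, "weblog", False),
    ElementaryEvent(1.5, "ids", True),
    ElementaryEvent(3.0, "weblog", False),
    ElementaryEvent(60.0, "weblog", False),
    ElementaryEvent(120.0, "ids", True),
    ElementaryEvent(121.0, "ids", True),
    ElementaryEvent(122.0, "weblog", False),
    ElementaryEvent(123.5, "ids", True),
]

if __name__ == "__main__":
    for circle in build_time_axis(SAMPLE_EVENTS, gap=5.0):
        print(circle)
```

Because merging chains on the distance to the previous record rather than to the first record of the circle, a slow but continuous stream of requests collapses into a single large circle; an administrator who wants bursts kept separate would bound the circle's total span as well.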
4.2 Space-Oriented Coordinate System
In this coordinate system, events are grouped by the common URI they access. The purpose is to show how many events happen on each page and which pages receive the most interest from attackers compared to others. As in the time-oriented coordinate system, each page has its size determined by the number of events that happen on it, and its color determined by the degree of severity it represents for the web application. We also group pages by their levels, which are the minimum number of links needed to reach the selected alert page from that particular page for pre-event pages, or the minimum number of links needed to reach that particular page from the selected
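Grouping by URI and computing page levels as shortest link distances, as an added example that is not the paper's own code. The site link graph and the request records are constructed; the level of a pre-event page is the BFS distance from that page to the selected alert page (taken over the reversed link graph), and the opposite direction, distance from the alert page to the page, is an assumption about the sentence that is cut off above.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed site link graph: page -> pages it links to.
LINKS: Dict[str, List[str]] = {
    "/index": ["/login", "/products"],
    "/login": ["/account"],
    "/products": ["/product?id=1"],
    "/product?id=1": ["/cart"],
    "/account": ["/admin"],
    "/admin": ["/admin/users"],
}

# Constructed request records as (requested URI, raised an IDS alert).
SAMPLE_EVENTS: List[Tuple[str, bool]] = [
    ("/index", False), ("/index", False),
    ("/login", False), ("/login", True), ("/login", False),
    ("/account", False), ("/account", False),
    ("/admin", True), ("/admin", True), ("/admin", True), ("/admin", False),
    ("/admin/users", True),
    ("/products", False),
]


def group_by_uri(events: List[Tuple[str, bool]]) -> Dict[str, Dict[str, int]]:
    """Size = number of events on the page, severity = number of alerts on it."""
    groups: Dict[str, Dict[str, int]] = {}
    for uri, is_alert in events:
        g = groups.setdefault(uri, {"size": 0, "severity": 0})
        g["size"] += 1
        g["severity"] += int(is_alert)
    return groups


def shortest_links(graph: Dict[str, List[str]], start: str) -> Dict[str, int]:
    """Breadth-first search: minimum number of links from `start` to each page."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def reversed_graph(graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flip every link so a BFS from the alert page yields distances TO it."""
    rev: Dict[str, List[str]] = defaultdict(list)
    for u, targets in graph.items():
        for v in targets:
            rev[v].append(u)
    return rev


def build_space_view(events, graph, alert_page: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Per-page size, severity and level relative to the selected alert page."""
    groups = group_by_uri(events)
    # Pre-event level: links needed to reach the alert page FROM this page.
    to_alert = shortest_links(reversed_graph(graph), alert_page)
    # Assumed post-event level: links needed to reach this page FROM the alert page.
    from_alert = shortest_links(graph, alert_page)
    view = {}
    for uri, g in groups.items():
        view[uri] = {**g,
                     "level_to_alert": to_alert.get(uri),      # None = unreachable
                     "level_from_alert": from_alert.get(uri)}
    return view


def most_targeted(view) -> List[str]:
    """Pages ordered by alert count, then by request count."""
    return sorted(view, key=lambda u: (-view[u]["severity"], -view[u]["size"]))


if __name__ == "__main__":
    space = build_space_view(SAMPLE_EVENTS, LINKS, "/admin")
    for uri in most_targeted(space):
        print(uri, space[uri])
```

A page with no path to the alert page gets level `None` rather than a number, so the display can park unrelated pages in their own group instead of silently placing them at level 0 next to the alert page.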