Visual Analytic Agent-Based Framework for Intrusion Alert Analysis

Cyber-Enabled Distributed Computing and Knowledge Discovery (2012)

Abstract
A large amount of research effort is focused on developing methods for correlating network intrusion alerts, so as to better understand a network's current security state. The accuracy of traditional static methods of correlation is, however, limited in large-scale complex systems, where the degree of human insight and validation necessary is higher, and dynamic attack behaviours are likely. Many recent efforts have centred around visualising security data in a way that can better involve and support a human analyst in the network security triage process, but this potentially gives rise to another complex system of analytical and visual components which need to be configured, trained and understood. This paper describes an agent-based framework designed to manage a set of visual analytic components in order to improve a security analyst's understanding and ability to classify the threats to the network that they govern. In the proof-of-concept system, an agent selects the most effective method for event aggregation, given a particular set of events which have been generated by an Intrusion Detection System (IDS). We present a novel application of a dynamic response model in order to configure the aggregation component such that the data is best simplified for more effective further analysis.
Keywords
dynamic response model, security analyst, visual analytic agent-based framework, effective method, complex system, intrusion alert analysis, dynamic attack behaviour, visualising security data, aggregation component, network security triage process, correlating network intrusion, current security state, visual analytics, correlation, data mining, multi agent systems, security, data visualization