Reducing Intrusion Alert Trees to Aid Visualization

Network and System Security (2022)

Abstract
Cyber defense tools, such as intrusion detection systems, often produce huge volumes of alerts that must be parsed for defensive purposes, particularly cyber triage. In this paper, we use the notion of alert trees to represent the collection of routes that a cyber attacker may have used to compromise a set of computers. Although alert trees can be visualized to aid analysis, their usefulness in practice is often undermined by the fact that they can grow to an unmanageable size. This makes it difficult for cyber defenders to identify patterns or pinpoint network hotspots in order to prioritize defensive maneuvers, raising the need to reduce the strain on defenders by minimizing the presence of non-critical information. To address this problem, we propose several methods, as well as a novel data structure, for modifying alert trees so as to reduce the visual strain on defenders. We evaluate our methods on a real-world dataset, which demonstrates that they are effective at reducing redundancy while limiting collateral information loss.
Keywords
Alert tree, Cyber triage, Visualization, Hypotree, Information loss, Intrusion detection, Network security