Title: Towards Better Attack Path Visualizations Based on Deep Normalization of Host/Network IDS Alerts
Authors: Amir Azodi, Feng Cheng, C. Meinel
DOI: 10.1109/AINA.2016.129 (https://doi.org/10.1109/AINA.2016.129)
Published in: 2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)
Publication date: 2016-03-23
Citations: 8
Abstract
Mitigation techniques employed by attackers have meant that traditional Network Intrusion Detection Systems (NIDS) are no longer able to reliably protect a network in the face of ever more sophisticated attacks. Security Information and Event Management (SIEM) systems monitor network systems by analyzing the logs they produce. In this paper, we propose a method of visualizing attacks by aggregating, normalizing and analyzing, in real time, the alerts raised by SIEM-based IDS (SIDS) systems as well as by NIDS systems. We present the results of our proposed visualization technique when applied to different attack scenarios. In many cases, our approach allows the path an attacker takes during their attack to be visualized.