Isis: An Infovis System for Investigating Intrusions

People

Doantam Phan, John Gerth, Marcia Lee

Overview

Isis is an infovis system for investigating intrusions. It allows network security administrators to visualize traffic using timelines and event plots in order to reconstruct the sequence of events that make up an intrusion. Below is a short video that demonstrates its features. The slides are from the thesis defense talk on Supporting the Visualization and Forensic Analysis of Network Events, of which this project is one part.

The flow of traffic among computers on a network is an example of a network event. Understanding the behavior of a network requires inspecting the connections among these events. Relevant events are hard to identify with automatic techniques, so the investigator must organize events into a narrative sequence by hand.

The investigation process requires backtracking and multiple comparisons, which are not well supported by current tools. This project contributes new interactive visualization techniques for analyzing, organizing, and presenting network event data at multiple levels of detail for the purpose of forensic analysis - tracking down causal sequences of importance.

We developed a technique we call progressive multiples, which combines progressive disclosure (revealing data to the user on demand) with small multiples (letting users compare many images at once). Events are visualized as timelines, which use screen space efficiently. A user explores the data set by interacting with existing timelines to create new timelines with related events. This gives the user an exploration history, which allows them to backtrack and to explore multiple paths.

We apply this technique in Isis, a system for the investigation of intrusions, which has been developed and evaluated through a long-term collaboration with network administrators.

Isis uses timelines to give an overview of network traffic. Each IP's activity is presented as a timeline. The x-axis is mapped to time, and the y-axis is mapped to the number of connections made by that IP in a given time period. Selecting a bin reveals the other IPs that communicated with the given IP during that period. Brushing (in orange) is used to indicate where else in the timeline that IP appears.
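As an added illustration (not code from the Isis project), the following Python models the timeline described above together with the progressive-multiples history from the earlier paragraph: per-IP connection counts per time bin, selecting a bin to list the peers seen in it, brushing a peer to find every bin it appears in, and expanding a peer into a child timeline that remembers its parent so the path can be backtracked. The flow records and the 60-second bin width are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records: (timestamp in seconds, source IP, destination IP).
FLOWS = [
    (0, "10.0.0.5", "10.0.0.9"),
    (15, "10.0.0.5", "10.0.0.7"),
    (70, "10.0.0.5", "10.0.0.9"),
    (75, "10.0.0.9", "10.0.0.5"),
    (130, "10.0.0.7", "10.0.0.9"),
    (140, "10.0.0.5", "10.0.0.7"),
    (200, "10.0.0.5", "10.0.0.9"),
]
BIN_SECONDS = 60  # width of one x-axis bin (assumed for the example)

@dataclass
class Timeline:
    ip: str
    bins: dict                     # bin index -> list of peer IPs seen in that bin
    parent: "Timeline" = None      # timeline this one was spawned from (history)
    children: list = field(default_factory=list)

    def counts(self):
        """y-axis value per bin: number of connections involving self.ip."""
        return {b: len(peers) for b, peers in sorted(self.bins.items())}

    def select_bin(self, b):
        """Selecting a bin reveals the other IPs that talked to self.ip in it."""
        return sorted(set(self.bins.get(b, [])))

    def brush(self, peer):
        """Brushing a peer: every bin of this timeline in which that peer appears."""
        return sorted(b for b, peers in self.bins.items() if peer in peers)

    def expand(self, peer, flows):
        """Progressive multiples: spawn a child timeline for a peer, keeping the link."""
        child = build_timeline(flows, peer, parent=self)
        self.children.append(child)
        return child

    def history(self):
        """Exploration path from the root timeline down to this one, for backtracking."""
        return (self.parent.history() if self.parent else []) + [self.ip]

def build_timeline(flows, ip, parent=None, bin_seconds=BIN_SECONDS):
    """Bin every flow involving `ip` by time; the peer is the other endpoint."""
    bins = defaultdict(list)
    for ts, src, dst in flows:
        if ip in (src, dst):
            bins[ts // bin_seconds].append(dst if src == ip else src)
    return Timeline(ip, dict(bins), parent)
```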

Network administrators may also view the raw data in a table, as seen above, but this makes some temporal patterns hard to see, so we also provide administrators with an alternate view of the data, which we call an event plot. This event plot shows the sequence of an intrusion - the labels have been added for clarity.

Papers

Supporting the Visualization and Forensic Analysis of Network Flow Data
Doantam Phan
Ph.D. Dissertation

Visual Analysis of Network Flow Data with Timelines and Event Plots (Best Paper)
Doantam Phan, John Gerth, Marcia Lee, Andreas Paepcke, and Terry Winograd
Proceedings of VizSEC 2007

Progressive Multiples for Communication-Minded Visualization
Doantam Phan, Andreas Paepcke, and Terry Winograd
Proceedings of Graphics Interface 2007

Video

A two-minute QuickTime video that demonstrates the features of Isis (33MB) is also available, or see the YouTube version.

Isis Presentation Slides (pdf)