AlertVision: Visualizing Security Alerts

  • Jina Hong
  • JinKi Lee
  • HyunKyu Lee
  • YoonHa Chang
  • KwangHo Choi
  • Sang Kil Cha
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11402)


Security is not just a technical problem, but also a business problem. Companies face highly sophisticated and targeted cyber attacks every day, losing huge amounts of money as well as private data. Threat intelligence (TI) helps in predicting and reacting to such problems, but extracting well-organized threat intelligence from an enormous amount of information is significantly challenging. In this paper, we propose a novel technique for visualizing security alerts, and implement it in a system that we call AlertVision, which provides an analyst with a visual summary of the correlation between security alerts. The visualization helps in understanding various threats in the wild in an intuitive manner, and eventually helps the analyst build TI. We applied our technique to real-world data obtained from the network of 85 organizations, which include 5,801,619 security events in total, and summarized the lessons learned.


  • Threat intelligence
  • Alert visualization
  • Alert correlation



We thank anonymous reviewers for their helpful feedback. This research was supported by AhnLab.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Jina Hong (1)
  • JinKi Lee (2)
  • HyunKyu Lee (2)
  • YoonHa Chang (2)
  • KwangHo Choi (2)
  • Sang Kil Cha (1)

  1. KAIST, Daejeon, Korea
  2. AhnLab, Seongnam, Korea
