Visualization of System Log Files for Post-incident Analysis and Response

  • John Haggerty
  • Thomas Hughes-Roberts
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Post-incident analysis of a security event is a complex task due to the volume of data that must be assessed, often within tight temporal constraints. System software, such as operating systems and applications, provide a range of opportunities to record data in log files about interactions with the computer that may provide evidence during an investigation. Data visualization can be used to aid data set interpretation and improve the ability of the analyst to make sense of information. This paper posits a novel methodology that visualizes data from a range of log files to aid the investigation process. In order to demonstrate the applicability of the approach, a case study of identification and analysis of attacks is presented.


Visualization system logs triage intrusion detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ando, R., Kadobayashi, Y., Shinoda, Y.: Blink: Large-scale P2P network monitoring and visualization system using VM introspection. In: Proceedings of the Sixth International Conference on Networked Computing and Advanced Information Management, Seoul, South Korea, August 16-18, pp. 351–358 (2010)Google Scholar
  2. 2.
    Wang, C., Xiao, Z., Li, Y., Xu, Y., Zhou, A., Zhang, K.: SentiView: Sentiment Analysis and Visualization for Internet Popular Topics. IEEE Transactions on Human-Machine Systems 43(6), 620–630 (2013)CrossRefGoogle Scholar
  3. 3.
    Dunlop, M., Urbanski, W., Marchany, R., Tront, J.: Leveraging Cognitive Principles to Improve Security Visualization. In: Proceedings of Networked Digital Technologies, Dubai, UAE, April 24-26, pp. 262–276 (2012)Google Scholar
  4. 4.
    Giacobe, N.A., Xu, S.: Geovisual analytics for cyber security: Adopting the GeoViz Toolkit. In: Proceedings of the IEEE Conference on Visual Analytics Science and Technology, Providence, RI, USA, October 23-28, pp. 315–316 (2011)Google Scholar
  5. 5.
    Guerra-Gomez, J., Pack, M.L., Plaisant, C., Shneiderman, B.: Visualizing Change over Time Using Dynamic Hierarchies: TreeVersity2 and the StemView. IEEE Transactions on Visualization and Computer Graphics 19(12), 2566–2575 (2013)CrossRefGoogle Scholar
  6. 6.
    Haggerty, J., Haggerty, S., Taylor, M.: Forensic Triage of Email Network Narratives through Visualisation. Journal of Information Management and Computer Security (forthcoming, 2014)Google Scholar
  7. 7.
    Koniaris, I., Papadimitriou, G., Nicopolitidis, P.: Analysis and Visualization of SSH Attacks Using Honeypots. In: Proceedings of EuroCon, Zagreb, Croatia, July 1-4, pp. 65–72 (2013)Google Scholar
  8. 8.
    Krishnan, H., Garth, C., Guhring, J., Gulsun, M.A., Greiser, A., Joy, K.I.: Analysis of Time-Dependent Flow-Sensitive PC-MRI Data. IEEE Transactions on Visualization and Computer Graphics 18(6), 966–977 (2012)CrossRefGoogle Scholar
  9. 9.
    Mantoro, T., Aziz, N.A., Yusoff, N.D.M., Talib, N.A.A.: Log Visualization of Intrusion and Prevention Reverse Proxy Server against Web Attacks. In: Proceedings of the International Conference on Informatics and Creative Multimedia, Kuala Lumpur, Malaysia, September 3-6, pp. 325–329 (2013)Google Scholar
  10. 10.
    Nishioka, C., Kozaki, M., Okada, K.: Visualization System for Log Analysis with Probabilities of Incorrect Operation. In: Proceedings of the IEEE 17th International Conference on Parallel and Distributed Systems, Tainan, Taiwan, December 7-9, pp. 929–934 (2011)Google Scholar
  11. 11.
    Promrit, N., Mingkhwan, A., Simcharoen, S., Namvong, N.: Multi-dimensional visualization for network forensic analysis. In: Proceedings of the 7th International Conference on Networked Computing, Gumi, South Korea, September 26-28, pp. 68–73 (2011)Google Scholar
  12. 12.
    Schmerl, S., Vogel, M., Rietz, R., König, H.: Explorative Visualization of Log Data to support Forensic Analysis and Signature Development. In: Proceedings of the Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering, Oakland, CA, USA, pp. 109–118 (May 10, 2010)Google Scholar
  13. 13.
    Schmidt, J., Groller, M.E., Bruckner, S.: VAICo: Visual Analysis for Image Comparison. IEEE Transactions on Visualization and Computer Graphics 19(12), 2090–2099 (2013)CrossRefGoogle Scholar
  14. 14.
    Schrenk, G., Poisel, R.: A Discussion of Visualization Techniques for the Analysis of Digital Evidence. In: Proceedings of the Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, August 22-26, pp. 758–763 (2011)Google Scholar
  15. 15.
    Stoll, J., Tashman, C.S., Edwards, W.K., Spafford, K.: Sesame: informing user security decisions with system visualization. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Florence, Italy, April 5-10, pp. 1045–1054 (2008)Google Scholar
  16. 16.
    Thomson, A., Graham, M., Kennedy, J.: Pianola - Visualization of Multivariate Time-Series Security Event Data. In: Proceedings of the 17th International Conference on Information Visualisation, London, UK, July 15-18 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • John Haggerty
    • 1
  • Thomas Hughes-Roberts
    • 1
  1. 1.School of Science and TechnologyNottingham Trent UniversityNottinghamUK

Personalised recommendations