Visualization of security event logs across multiple networks and its application to a CSOC

We introduce VisIDAC presented in Song at al (In: Nguyen, P.Q., Zhou, J. (eds.) Information Security—20th International Conference, ISC 2017, Security and Cryptology, vol. 10599. Springer International Publishing, 2017), which is a 3-D real-time visualization of security event log collection detected by intrusion detection systems installed in multiple networks. VisIDAC consists of three parallel plane-squares which represent global source networks, target networks, and global destination networks. Security events are displayed in different shapes, colors and spaces, according to their main features. It helps security operators to immediately understand the key properties of security events. We also apply VisIDAC to a public cyber security operations center, Science and Technology Cyber Security Center (S&T-CSC), and demonstrate its usefulness. VisIDAC allows users to grasp more intuitively the overall flow of security events and their trend, makes it easy to recognize large-scale security events such as network scanning, port scanning, and distributed denial of service attacks, and is also effective to distinguish security event types: which target network they are related to; whether they are inbound or outbound traffic; whether they are momentary or continuous; and what protocol and port number are mainly used.