Network Intrusion Detection and Visualization Using Aggregations in a Cyber Security Data Warehouse
The challenge of achieving situational understanding is a limiting factor in effective, timely and adaptive cyber security analysis. Anomaly detection plays a critical role in network assessment and trend analysis, both of which underlie the establishment of comprehensive situational understanding. To that end, the authors propose a cyber security data warehouse implemented as a hierarchical graph of aggregations that captures anomalies at multiple scales. Each node of the proposed graph is a summarization table of cyber event aggregations, and each edge is an aggregation operator that maps one table onto a coarser one. The warehouse lets domain experts traverse this multi-scale aggregation space quickly and systematically. The authors describe the architecture of a test bed system and summarize results on the IEEE VAST 2012 cyber forensics data.
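To make the "hierarchical graph of aggregations" concrete, the following is an added, self-contained Python example (not the authors' test bed or code). It builds a tiny graph in which each node is a summarization table, each edge is a key function that folds a finer table into a coarser one, and a simple anomaly rule is run at every scale. The flow records, the node names (`flow_minute`, `host_minute`, `subnet_minute`, `net_5min`), the measures, and the median-ratio anomaly rule are all constructed here for illustration; the paper does not specify its aggregation keys or scoring. The constructed data contains one host opening many small connections in two minutes, which shows why multiple scales matter: the burst is invisible in the per-flow table (every row is tiny), stands out at host and subnet scale, and is washed out again at whole-network scale.

```python
from collections import defaultdict
from statistics import median
from typing import Any, Callable, Dict, List, Tuple

Key = Tuple[Any, ...]
Row = Dict[str, int]
Table = Dict[Key, Row]          # one node of the aggregation graph
KeyFn = Callable[[Key], Key]    # one edge: maps a fine key to a coarser key


def make_events() -> List[Tuple[int, str, str, int, int]]:
    """Constructed flow records (minute, src_ip, dst_ip, dst_port, bytes). Not real data."""
    events = []
    hosts = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20", "10.0.2.21"]
    for minute in range(10):
        for host in hosts:
            for k in range(2):  # baseline: two flows per host per minute to a web server
                events.append((minute, host, "10.0.9.5", 443, 1500 + k))
    for minute in (7, 8):       # one host touches 30 distinct ports on another server
        for port in range(1, 31):
            events.append((minute, "10.0.1.12", "10.0.9.7", port, 60))
    return events


def subnet(ip: str) -> str:
    """/24 prefix of a dotted-quad address (assumed grouping for this example)."""
    return ".".join(ip.split(".")[:3])


def events_to_table(events) -> Table:
    """Finest node: one row per (minute, src, dst, port) with summed measures."""
    table: Table = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for minute, src, dst, port, nbytes in events:
        row = table[(minute, src, dst, port)]
        row["flows"] += 1
        row["bytes"] += nbytes
    return dict(table)


def aggregate(table: Table, key_fn: KeyFn) -> Table:
    """Apply one edge: fold rows of a fine table into a coarser table by key_fn."""
    out: Table = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for key, row in table.items():
        target = out[key_fn(key)]
        for measure, value in row.items():
            target[measure] += value
    return dict(out)


# The graph: finer node -> (coarser node, edge key function).
EDGES: Dict[str, Tuple[str, KeyFn]] = {
    "flow_minute": ("host_minute", lambda k: (k[0], k[1])),
    "host_minute": ("subnet_minute", lambda k: (k[0], subnet(k[1]))),
    "subnet_minute": ("net_5min", lambda k: (k[0] // 5,)),
}


def build_graph(events) -> Dict[str, Table]:
    """Materialize every node by walking the edges from the finest table upward."""
    tables = {"flow_minute": events_to_table(events)}
    node = "flow_minute"
    while node in EDGES:
        coarser, key_fn = EDGES[node]
        tables[coarser] = aggregate(tables[node], key_fn)
        node = coarser
    return tables


def flag_rows(table: Table, measure: str = "flows", factor: float = 3.0) -> List[Key]:
    """Stand-in anomaly rule: rows carrying more than `factor` x the table's median value."""
    med = median(row[measure] for row in table.values())
    return sorted(key for key, row in table.items() if row[measure] > factor * med)


def scan_all_scales(tables: Dict[str, Table]) -> Dict[str, List[Key]]:
    """Run the anomaly rule on every node so each scale reports its own outliers."""
    return {name: flag_rows(table) for name, table in tables.items()}


def drill_down(tables: Dict[str, Table], node: str, key: Key) -> Table:
    """Follow the edge back from `node` and return the finer rows summed into `key`."""
    for finer, (coarser, key_fn) in EDGES.items():
        if coarser == node:
            return {k: r for k, r in tables[finer].items() if key_fn(k) == key}
    return {}


if __name__ == "__main__":
    graph = build_graph(make_events())
    for name, flagged in scan_all_scales(graph).items():
        print(f"{name:14s} rows={len(graph[name]):3d} flagged={flagged}")
    for k, r in drill_down(graph, "subnet_minute", (7, "10.0.1")).items():
        print("  contributes:", k, r)
```

Traversal follows the edges in one direction to materialize the tables and in the other to explain a flagged coarse row by its finer contributors, which is the systematic drill-down the abstract describes. The median-ratio rule is deliberately simple; any per-table score can be substituted without touching the graph structure.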