The Human Analysis Element of Intrusion Detection: A Cognitive Task Model and Interface Design and Implications

Ellis, Brenda Lee

01 January 2009

The use of monitoring and intrusion detection tools are common in today's network security architecture. The combination of tools generates an abundance of data which can result in cognitive overload of those analyzing the data. ID analysts initially review alerts generated by intrusion detection systems to determine the validity of the alerts. Since a large number of alerts are false positives, analyzing the data can severely reduce the number of unnecessary and unproductive investigations. The problem remains that this process is resource intensive. To date, very little research has been done to clearly determine and document the process of intrusion detection. In order to rectify this problem, research was conducted which involved several phases. Fifteen individuals were selected to participate in a cognitive task analysis. The results of the cognitive task analysis were used to develop a prototype interface which was tested by the participants. A test of the participants' knowledge after the use of the prototype revealed an increase in both effectiveness and efficiency in analyzing alerts. Specifically, the findings revealed an increase in effectiveness as 72% of the participants made better determinations using the prototype interface. The results also showed an increase in efficiency when 72% of the participants analyzed and validated alerts in less time while using the prototype interface. These findings, based on empirical data, showed that the use of the task diagram and prototype interface helped to reduce the amount of time it previously took to analyze alerts generated by intrusion detection systems.

Cognitive Task Analysis

Human Computer Interface

Intrusion Detection

Network Security

PARI Method

Task Diagram

Computer Sciences