The use of monitoring and intrusion detection tools is common in today's network security architecture. The combination of tools generates an abundance of data, which can result in cognitive overload for those analyzing it. Intrusion detection (ID) analysts first review alerts generated by intrusion detection systems to determine whether the alerts are valid. Since a large number of alerts are false positives, this analysis can greatly reduce the number of unnecessary and unproductive investigations. The problem remains that the process is resource intensive. To date, very little research has been done to clearly determine and document the process of intrusion detection. To rectify this problem, research was conducted in several phases. Fifteen individuals were selected to participate in a cognitive task analysis. The results of the cognitive task analysis were used to develop a prototype interface, which was then tested by the participants. A test of the participants' knowledge after use of the prototype revealed an increase in both the effectiveness and the efficiency of alert analysis.
Specifically, the findings revealed an increase in effectiveness, as 72% of the participants made better determinations using the prototype interface. The results also showed an increase in efficiency, as 72% of the participants analyzed and validated alerts in less time while using the prototype interface. These findings, based on empirical data, showed that the use of the task diagram and prototype interface helped to reduce the amount of time it previously took to analyze alerts generated by intrusion detection systems.
Identifier | oai:union.ndltd.org:nova.edu/oai:nsuworks.nova.edu:gscis_etd-1144 |
Date | 01 January 2009 |
Creators | Ellis, Brenda Lee |
Publisher | NSUWorks |
Source Sets | Nova Southeastern University |
Detected Language | English |
Type | text |
Format | application/pdf |
Source | CEC Theses and Dissertations |