As computer and network intrusions become more and more of a concern, the need for better capabilities to assist in the detection and analysis of intrusions also increases. System administrators typically rely on log files to analyze usage and detect misuse. However, as a consequence of the amount of data collected by each machine, multiplied by the tens or hundreds of machines under the system administrator's auspices, the entirety of the data available is neither collected nor analyzed. This is compounded by the need to analyze network traffic data as well.

The Internet is quickly becoming entrenched in the communication and commercial sectors of everyday life. With this movement away from traditional fixed infrastructure we are also moving away from the traditional securities placed within fixed infrastructure. This has led to increasing numbers of attacks designed to infiltrate or disrupt the activities being performed by companies and individuals on the Internet. We are exploring the applicability of visualization techniques in conjunction with a well-known intrusion detection system (Hummer) for the detection and analysis of misuse of computer systems connected to the Internet. The visualization techniques will allow users to identify the behavior of users connecting to the system and identify those whose intentions are unwelcome. 1.

Visual monitoring environments, such as intrusion detection systems, debugging environments, and feature extraction systems, require that a user familiar with the target domain examine, most often continuously, the visual representation of the underlying data. This improves the efficiency of the analysis but requires that the visualization expert work with the user to provide the information in an efficient form. How the users employ the environment and the type and quantity of data will also affect aspects of the environment. The goal is to develop a user centric view when designing the software and meet the unique needs of the user at hand. Our work with intrusion and misuse detection has led to the need to develop techniques geared for these users. This requires us to give up some typical metaphors familiar to visualization experts that would not be acceptable to the expected user base. We will discuss the issues involved in developing visualization techniques when the user is not a visualization expert, has preconceived notions or expectation of the visualization environment, and has needs that fall outside the normal expectations of the visualization expert.