Section: New Software and Platforms
ELVIS
Extensible Log VISualization
Keywords: Visualization - Cybersecurity - Intrusion Detection Systems (IDS) - Cyber attack - Forensics
Scientific Description
The studies that were performed last year clearly showed that there was an important need for technologies that would allow analysts to handle in a consistent way the various types of log files that they have to study in order to detect intrusions or to perform forensic analysis. Consequently, we proposed this year ELVis, a security-oriented log visualization system that allows the analyst to import their log files and to obtain automatically a relevant representation of their content, based on the types of the fields they are made of. First, a summary view is proposed. This summary displays each field in a manner suited to its type (e.g. categorical, ordinal, geographical, etc.). Then, the analyst can select one or more fields to obtain details about them. A relevant representation is then automatically selected by the tool according to the types of the fields that were selected.
ELVis [35] was presented at VizSec 2013 (part of Vis 2013) in October in Atlanta. A working prototype is currently being tuned in order to perform field trials with our partners in DGA-MI. Next year, we are planning to perform research on how various log files can be combined in the same representation. In the PANOPTESEC project, we will also perform some research on visualization for security monitoring in the context of SCADA systems.
Functional Description
ELVIS is a log visualization tool that allows analyst-friendly log exploration through automated selection of adequate representations. Many log formats can be used and it is quite simple to add new ones. ELVis was presented at VizSec 2013 (part of Vis 2013) in October in Atlanta.
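The type-driven summary and detail views described above, as an added illustration written for this page and not ELVIS's own code: the field types, the inference heuristics, the sample records and the representation names are all assumptions.

```python
import re
from collections import Counter
# Constructed sample log records (parsed web-server-style lines), not ELVIS data.
SAMPLE_LOG = [
    {"ts": "2013-10-14T09:00:01", "src_ip": "10.0.0.5", "status": "200", "bytes": "512", "country": "FR"},
    {"ts": "2013-10-14T09:00:03", "src_ip": "10.0.0.7", "status": "302", "bytes": "64", "country": "US"},
    {"ts": "2013-10-14T09:00:09", "src_ip": "10.0.0.5", "status": "404", "bytes": "128", "country": "FR"},
    {"ts": "2013-10-14T09:00:11", "src_ip": "192.168.1.9", "status": "200", "bytes": "2048", "country": "DE"},
    {"ts": "2013-10-14T09:00:15", "src_ip": "10.0.0.5", "status": "404", "bytes": "96", "country": "FR"},
    {"ts": "2013-10-14T09:00:20", "src_ip": "10.0.0.7", "status": "200", "bytes": "700", "country": "US"},
]

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")
IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
def is_ipv4(v):
    m = IP_RE.match(v)
    return bool(m) and all(int(o) <= 255 for o in m.groups())

def infer_type(values):
    """Assign a field type from the column's values alone (no field-name hints)."""
    if all(TS_RE.match(v) for v in values):
        return "temporal"
    if all(is_ipv4(v) for v in values):
        return "ip"
    if all(re.fullmatch(r"[A-Z]{2}", v) for v in values):
        return "geographical"          # two-letter country code
    if all(v.isdigit() for v in values):
        # Heuristic (assumed): integer codes with few distinct values (e.g. HTTP
        # status) are ordinal; mostly-unique integers (e.g. byte counts) are quantitative.
        return "ordinal" if len(set(values)) <= len(values) // 2 else "quantitative"
    return "categorical"

def summarize(records):
    """Summary view: one inferred type per field, computed over the whole log."""
    return {f: infer_type([r[f] for r in records]) for f in records[0]}

# Representation chosen from the (sorted) types of the selected fields.
REPRESENTATIONS = {
    ("categorical",): "bar chart", ("ordinal",): "bar chart", ("quantitative",): "histogram",
    ("temporal",): "event timeline", ("ip",): "ranked host list", ("geographical",): "world map",
    ("quantitative", "temporal"): "time series", ("categorical", "ordinal"): "heatmap",
    ("ip", "ordinal"): "heatmap", ("geographical", "ip"): "heatmap", ("categorical", "ip"): "heatmap",
}

def detail(records, selected):
    """Detail view for the selected fields: the representation plus its aggregated data."""
    types = summarize(records)
    key = tuple(sorted(types[f] for f in selected))
    data = Counter(tuple(r[f] for f in selected) for r in records)
    return REPRESENTATIONS.get(key, "raw table"), dict(data)
```

Selecting `src_ip` together with `status` yields a heatmap backed by the pair counts, which is the kind of view an analyst would use to spot one host accumulating error responses.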