EN FR
EN FR


Section: New Software and Platforms

ELVIS

Extensible Log VISualization

Keywords: Visualization - Cybersecurity - Intrusion Detection Systems (IDS) - SIEM - Cyber attack - Forensics

Scientific Description

The studies that were performed since 2012 clearly showed that there was an important need for technologies that would allow analysts to handle in a consistent way the various types of log files that they have to study in order to detect intrusion or to perform forensic analysis. Consequently, we proposed this year ELVis, a security-oriented log visualization system that allows the analyst to import its log files and to obtain automatically a relevant representation of their content based on the type of the fields they are made of. First, a summary view is proposed. This summary displays in an adequate manner each field according to its type (i.e. categorical, ordinal, geographical, etc.). Then, the analyst can select one or more fields to obtain some details about it. A relevant representation is then automatically selected by the tool according to the types of the fields that were selected.

ELVis [35] has been presented in VizSec 2013 (part of Vis 2013) in October 2013 in Atlanta. A working prototype is currently being tuned in order to perform field trials with our partners in DGA-MI. Next year, we are planing to perform research on how various log files can be combined in the same representation.

Functional Description

ELVIS is a visualisation tool geared to system security which enables analysts to visually explore log files using relevant representations. The tool accepts many different types of log file and can easily be extended to accept new ones opportunistically. Thanks to its data typing mechanisms, it can automatically choose relevant representations depending on the type of data that the analyst wants to observe.