Visual Analytics System for Large-scale Audit
Seunghoon Yoo, Jaemin Jo, Bohyoung Kim, and Jinwook Seo / 2018
- Seunghoon Yoo, Seoul National University, Seoul, Republic of Korea
- Jaemin Jo, Seoul National University, Seoul, Republic of Korea
- Bohyoung Kim, Hankuk University of Foreign Studies, Yongin-si, Republic of Korea
- Jinwook Seo, Seoul National University, Seoul, Republic of Korea
Audit logs are different from other software logs in that they record the most primitive events (i.e., system calls) in modern operating systems. Audit logs contain a detailed trace of an operating system, and thus have received great attention from security experts and system administrators. However, the complexity and size of audit logs, which increase in real time, have hindered analysts from understanding and analyzing them. In this paper, we present a novel visual analytics system, LongLine, which enables interactive visual analyses of large-scale audit logs. LongLine lowers the interpretation barrier of audit logs by employing human-understandable representations (e.g., file paths and commands) instead of abstract indicators of operating systems (e.g., file descriptors) as well as revealing the temporal patterns of the logs in a multi-scale fashion with meaningful granularity of time in mind (e.g., hourly, daily, and weekly). LongLine also streamlines comparative analysis between interesting subsets of logs, which is essential in detecting anomalous behaviors of systems. In addition, LongLine allows analysts to monitor the system state in a streaming fashion, keeping the latency between log creation and visualization less than one minute. Finally, we evaluate our system through a case study and a scenario analysis with security experts.
This work was supported by the National Research Foundation of Korea (NRF) grants funded by the Korea government (MSIP) (No. NRF-2016R1A2B2007153). Bohyoung Kim and Jinwook Seo are the corresponding authors.