John R. Goodall

Intrusion detection (ID) systems have become increasingly accepted as an essential layer in the information security infrastructure. However, there has been little research into understanding the human component of ID work. Currently, security analysts face an increasing workload as their environments expand and attacks become more frequent. We conducted …
When performing packet-level analysis in intrusion detection, analysts often lose sight of the big picture while examining these low-level details. In order to prevent this loss of context and augment the available tools for intrusion detection analysis tasks, we developed an information visualization tool, the time-based network traffic visualizer (TNV). …
This paper reports a framework for designing information visualization (IV) tools for monitoring and analysis activities. In this user study, the domain for these activities is network intrusion detection (ID). User-centered design methods have been widely used for many years; however, innovative IV displays are often developed with limited consideration of …
The work of intrusion detection (ID) in accomplishing network security is complex, requiring highly sought-after expertise. While limited automation exists, the role of human ID analysts remains crucial. This paper presents the results of an exploratory field study examining the role of expertise and collaboration in ID work. Through an analysis of the …
The time-based network traffic visualizer combines low-level, textual detail with multiple visualizations of the larger context to help users construct a security event's big picture. TNV is a visualization tool grounded in an understanding of the work practices of security analysts. We designed it to support ID analysis by giving analysts a visual display …
User testing is an integral component of user-centered design, but has only rarely been applied to visualization for cyber security applications. This paper describes a comparative evaluation of a visualization application and a traditional interface for analyzing network packet captures that was conducted as part of the user-centered design process. …
Computer network defense (CND) requires analysts to detect both known and novel forms of attacks in massive volumes of network data. It is through discovering the unexpected that CND analysts detect new versions of malware (such as viruses and Trojan horses) that have passed through their antivirus products, new methods of intrusion that have breached their …
This paper presents the intrusion detection toolkit (IDtk), an information visualization tool for intrusion detection (ID). IDtk was developed through a user-centered design process, in which we identified design guidelines to support ID users. ID analysts protect their networks by searching for evidence of attacks in ID system output, firewall and system …
Intrusion detection (ID) analysts are charged with ensuring the safety and integrity of today's high-speed computer networks. Their work includes the complex task of searching for indications of attacks and misuse in vast amounts of network data. Although there are several information visualization tools to support ID, few are grounded in a thorough …
Networked computers are ubiquitous, and are subject to attack, misuse, and abuse. Automated systems to combat this threat are one potential solution, but most automated systems require vigilant human oversight. This automated approach undervalues the strong analytic capabilities of humans. While automation affords opportunities for increased scalability, …