Network log files often need to be investigated manually for suspicious activity. The huge amount of log lines complicates maintaining an overview, navigation and quick pattern identification. We propose a system that uses an interactive visualization, a visual filter, representing the whole log in an overview, allowing to navigate and make context-preserving subselections with the visualization and in this way reducing the time and effort for security experts needed to identify patterns in the log file. This explorative interactive visualization is combined with focused querying to search for known suspicious terms that are then highlighted in the visualization and the log file itself.

We created a pixel map for multi-variate data based on an analysis of the needs of network security engineers. Parameters of a log record are shown as pixels and these pixels get stacked to represent a record. This allows a broad view of a data set on one screen while staying very close to the raw data and to expose common and rare patterns of user behavior through the visualization itself (the “Carpet”). Visualizations that immediately point to areas of suspicious activity without requiring extensive fltering, help network engineers investigating unknown computer security incidents. Most of them, however, have limited knowledge of advanced visualization techniques, while many designers and data scientists are unfamiliar with computer security topics. To bridge this gap, we developed visualizations together with engineers, following a co-creative process. We will show how we explored the scope of the engineers’ tasks and how we jointly developed ideas and designs. Our expert evaluation indicates that this visualization helps to scan large parts of log fles quickly and to defne areas of interest for closer inspection.