Transforming raw Snort alert streams into actionable security intelligence through interactive dashboards, timeline analysis, and real-time anomaly correlation.
Security analysts are overwhelmed — a typical IDS produces thousands of alerts daily, the vast majority false positives. Genuine threats are buried in a flood of information that text-log interfaces simply cannot make sense of.
Sentinel Visualiser acts as an analytical layer between raw IDS alert streams and the security analyst. It ingests Snort log data, correlates alerts with network flow information, and presents the combined picture through interactive visual interfaces that reduce cognitive load and accelerate incident response.
Rather than replacing existing IDS tools, the platform augments them — giving analysts the context, spatial reasoning, and pattern-recognition support they need to distinguish genuine threats from noise, fast.
Analysts face ~11,000 IDS alerts weekly; most require no action yet consume critical attention.
Traditional tools show isolated alerts without spatial or temporal correlation to network topology.
Interactive dashboards, timeline views and topology maps restore context and dramatically cut response time.
Five core modules covering the full analyst workflow from initial alert triage to incident resolution.
KPI cards for total alerts, open, critical, investigating, false positives, and resolved. Hourly alert volume chart, severity donut, top attack categories and top source IPs — all at a glance.
Paginated alert table with multi-column filtering by severity, status, category, and free-text. Sortable columns and bulk status updates.
Full alert metadata including SID, rule, category, protocol, and traffic-flow diagram. Related alerts from the same IP or category within a ±2h window.
Parses Snort fast.log format and normalises alerts to a unified JSON schema supporting all downstream visualisations.
Per-alert notes field with one-click save. Status lifecycle management from Open → Investigating → Resolved or False Positive.
JSON endpoints for per-alert status updates, bulk operations, and summary statistics — enabling future SIEM or SOAR integrations.
Prototype-grade platform targeting core data ingest, interactive visualisation, and basic anomaly scoring. Production SIEM integration and advanced ML pipelines are scoped for future work.
Three formal deliverables submitted as part of the 4th Year Cybersecurity capstone.
A comprehensive academic investigation into IDS visualization — surveying existing tools, analyzing visualization techniques, and establishing the theoretical foundation for the platform design.
The formal project specification document defining system objectives, scope, deliverables, user groups, and non-functional requirements for the Integrated IDS Visualiser platform.
The final project report covering the full design, development, testing, and evaluation lifecycle of the Sentinel Visualiser. Expected upon project completion.