Conference Paper

OCEANS: online collaborative explorative analysis on network security


... By assessing the security state of an organization's different assets, the proposed framework helps administrators identify compromised assets and prioritizes alerts [42]. A set of papers [30,46,48,55] has proposed a platform for security experts and security solutions to share their knowledge. Jeong et al. [78] have followed the structure of having a coordination group with a participant group to propagate the relevant information to the external world or another coordination group. ...
... Threat visualization and analysis is an important part of security orchestration. A set of papers have mentioned several web portals or public websites that provide a web interface to visualize the threats [30,55]. ...
... Most cybersecurity communities lack collaborative processes for information sharing. Several papers [20,45,46,48,55,68,78] have highlighted the requirement for combining knowledge and experience from several domain experts, due to the complexity of network flow and log data analysis. Most incident response teams follow no collaborative process while planning how to respond to a particular incident, which results in poorly planned strategies [45]. ...
Preprint
Full-text available
Organizations use diverse types of security solutions to prevent cyberattacks. Multiple vendors provide security solutions developed using heterogeneous technologies and paradigms. Hence, it is challenging, if not impossible, to make security solutions work in an integrated fashion. Security orchestration aims at smoothly integrating multivendor security tools that can effectively and efficiently interoperate to support the security staff of a Security Operation Centre (SOC). Given the increasing role and importance of security orchestration, there has been an increasing amount of literature on different aspects of security orchestration solutions. However, there has been no effort to systematically review and analyze the reported solutions. We report a Multivocal Literature Review that has systematically selected and reviewed both academic and grey (blogs, web pages, white papers) literature on different aspects of security orchestration published from January 2007 until July 2017. The review has enabled us to provide a working definition of security orchestration and classify the main functionalities of security orchestration into three main areas: unification, orchestration, and automation. We have also identified the core components of a security orchestration platform and categorized the drivers of security orchestration based on technical and socio-technical aspects. We also provide a taxonomy of security orchestration based on the execution environment, automation strategy, deployment type, mode of task and resource type. This review has helped us to reveal several areas of further research and development in security orchestration.
Article
Full-text available
Organizations use diverse types of security solutions to prevent cyber-attacks. Multiple vendors provide security solutions developed using heterogeneous technologies and paradigms. Hence, it is challenging, if not impossible, to make security solutions work in an integrated fashion. Security orchestration aims at smoothly integrating multivendor security tools that can effectively and efficiently interoperate to support the security staff of a Security Operation Centre (SOC). Given the increasing role and importance of security orchestration, there has been an increasing amount of literature on different aspects of security orchestration solutions. However, there has been no effort to systematically review and analyze the reported solutions. We report a Multivocal Literature Review that has systematically selected and reviewed both academic and grey (blogs, web pages, white papers) literature on different aspects of security orchestration published from January 2007 until July 2017. The review has enabled us to provide a working definition of security orchestration and classify the main functionalities of security orchestration into three main areas: unification, orchestration, and automation. We have also identified the core components of a security orchestration platform and categorized the drivers of security orchestration based on technical and socio-technical aspects. We also provide a taxonomy of security orchestration based on the execution environment, automation strategy, deployment type, mode of task and resource type. This review has helped us to reveal several areas of further research and development in security orchestration.
... Moreover, it is well known that the human brain processes visual patterns more quickly and accurately than any textual or speech report, gaining understanding at a glimpse, and this, naturally, also happens in cybersecurity [9,10]; as a consequence, representing the data (both raw and ML processed data) properly is also a decisive factor for Threat Hunters in order to achieve Situational Awareness [11,12] and therefore an early detection of any threat. Some studies have been trying to classify which advanced visualization fits best for each kind of attack [13,14]. ...
... As explained in [13,14], visual analysis can help Threat Hunters to solve difficult problems faster and ensure good results. ...
Article
Full-text available
The number and the diversity in nature of daily cyber-attacks have increased in the last few years, and trends show that both will grow exponentially in the near future. Critical Infrastructures (CI) operators are not excluded from these issues; therefore, CIs’ Security Departments must have their own group of IT specialists to prevent and respond to cyber-attacks. To introduce more challenges in the existing cyber security landscape, many attacks are unknown until they spawn, even a long time after their initial actions, posing increasing difficulties on their detection and remediation. To be reactive against those cyber-attacks, usually defined as zero-day attacks, organizations must have Threat Hunters at their security departments that must be aware of unusual behaviors and Modus Operandi. Threat Hunters must face vast amounts of data (mainly benign and repetitive, and following predictable patterns) in short periods to detect any anomaly, with the associated cognitive overwhelming. The application of Artificial Intelligence, specifically Machine Learning (ML) techniques, can remarkably impact the real-time analysis of those data. Not only that, but providing the specialists with useful visualizations can significantly increase the Threat Hunters’ understanding of the issues that they are facing. Both of these can help to discriminate between harmless data and malicious data, alleviating analysts from the above-mentioned overload and providing means to enhance their Cyber Situational Awareness (CSA). This work aims to design a system architecture that helps Threat Hunters, using a Machine Learning approach and applying state-of-the-art visualization techniques in order to protect Critical Infrastructures based on a distributed, scalable and online configurable framework of interconnected modular components.
... Cyber security is an important domain for applying visual analytics techniques, see a survey by Shiravi et al. [9]. Applications in network security include anomaly behavior analysis in netflow data [5], malware behaviors [11], etc. Techniques such as parallel coordinates [5], time series visualization [11] and graph visualizations [8] are commonly used in this domain. In our case study, we focus on user behavior analysis using sequential session data, for identifying user behavior patterns using a map-like visual metaphor. ...
... Also, the ring graph represents the connections grouped by subnets within a selected time. The connection river represents connection behavior produced by the multiple data sources in a chosen time range (Fig. 2) (Chen et al., 2014). ...
... Third, nearly all of them considered at least one use case for evaluating validation methods. Chen et al.'s (2014) system received the highest overall score of 0.657, but there is room for improvement. They cover three categories of data sources: network traces, application logs and security events, achieving a data source score of 3/5. ...
Article
Visualization helps to comprehend and analyse large amounts of data, a fundamental necessity for network security due to the large volume of audit traces produced each day. In this paper, we dissect the majority of recent work conducted in network security visualization and offer a taxonomy that provides a basis for classifying recently published works using nine criteria. Moreover, a comprehensive evaluation framework for comparing and ranking network security visualization systems and techniques is developed and presented. Finally, we present a taxonomy of network attacks, which covers most of the existing network attacks and provides a framework for the categorization of recent network security visualization systems.
... Their work focuses on malware analysis and provides a good case for visualization, which is needed to recognize and extract unseen malware patterns. In [10] the authors propose an online collaborative and explorative analysis tool, named OCEANS, to help network administrators and security analysts analyze network flow and log data. OCEANS provides multi-level visualization with a temporal overview of IP connections and allows participants to collaborate on finding events and targeting attacks. ...
... Of the platforms presented above, [7] and [6] focus on one type of organization and provide very limited visualizations. The works proposed in [9], [10] and [11] focus only on some types of threats. OwlSight aims to provide visualization dashboards according to user needs and addresses different types of cyber threats to provide an integrated vision around the threat. ...
... Our aim is to validate if TMDS is capable of identifying notable events within this complex challenge. In contrast to the work by Chen et al. [7] who developed a highly interactive collaborative visual analysis system to address the challenge, our focus is on visually supported pattern finding. Furthermore, we focus only on the NetFlow dataset, while Chen et al. make use of all available datasets including NetFlow data, monitoring logs of a Big Brother (BB) system, and data of an intrusion prevention system (IPS). ...
... TMDS was able to reveal interesting patterns, which actually corresponded to suspicious events verified by the ground truth. However, compared to the work of Chen et al. [7], our system provides a general approach for the analysis of multivariate data and therefore does not provide additional correlated views tailored to the needs of security analysts. Interestingly, we were able to detect most of the patterns, although further manual analysis (details on demand) of the underlying data of identified patterns was needed to finally judge and classify the event. ...
Article
Full-text available
Multivariate time series data can be found in many application domains. Examples include data from computer networks, healthcare, social networks, or financial markets. Often, patterns in such data evolve over time among multiple dimensions and are hard to detect. Dimensionality reduction methods such as PCA and MDS allow analysis and visualization of multivariate data, but per se do not provide means to explore multivariate patterns over time. We propose Temporal Multidimensional Scaling (TMDS), a novel visualization technique that computes temporal one-dimensional MDS plots for multivariate data which evolve over time. Using a sliding window approach, MDS is computed for each data window separately, and the results are plotted sequentially along the time axis, taking care of plot alignment. Our TMDS plots enable visual identification of patterns based on multidimensional similarity of the data evolving over time. We demonstrate the usefulness of our approach in the field of network security and show in two case studies how users can iteratively explore the data to identify previously unknown, temporally evolving patterns.
... [7] proposes a technique for extracting sensitive information from unstructured data. In addition, a large number of products for security analysis of logs have been put on the market, such as Splunk [8] and OCEANS [9]. They realize interactive analysis by loading IPS logs, application logs, and other heterogeneous data to help experts discover anomalies and security events rapidly. ...
Article
Full-text available
Logs are an important source of data in the field of security analysis. Log messages characterized by unstructured text, however, pose extreme challenges to security analysis. To this end, the first issue to be addressed is how to efficiently parse logs into structured data in real time. The existing log parsers mostly parse raw log files by batch processing and are not applicable to real-time security analysis. It is also difficult to parse large historical log sets with such parsers. Some streaming log parsers also have some demerits in accuracy and parsing performance. To realize automatic, accurate, and efficient real-time log parsing, we propose Spray, a streaming log parser for real-time analysis. Spray can automatically identify the template of a real-time incoming log and accurately match the log and its template for parsing based on the law of contrapositive. We also improve Spray's parsing performance based on key partitioning and search tree strategies. We conducted extensive experiments from such aspects as accuracy and performance. Experimental results show that Spray is much more accurate in parsing a variety of public log sets and has higher performance for parsing large log sets.
... OCEANS [93] is a web-based collaborative interface that allows collaboration between experts of the information system and goes further in the collaboration. The data sources are netflows, IDS logs and host status logs, with views to detect anomalies inside these flows. ... [Figure 3.13: VIAssist report [91]]
Thesis
A security operations center, SOC, is a key element for the security of information systems. In this thesis, we exhibited the limitations of SOCs and proposed a process associated with two tools to answer them. Our contributions enable a better collaboration between the security analysts working in SOCs and facilitate security events triage thanks to visualization.
... An online visual analysis system called OCEANS [8] was developed for close collaboration among security analysts to provide situational awareness. It uses heterogeneous data sources and provides a multi-level visualisation presenting a temporal overview and IP connections. ...
Article
Full-text available
The goal of the research reported here was to investigate whether the design methodology utilising embodied agents can be applied to produce a multi-modal human–computer interface for cyberspace events visualisation control. This methodology requires that the designed system structure be defined in terms of cooperating agents having well-defined internal components exhibiting specified behaviours. System activities are defined in terms of finite state machines and behaviours parameterised by transition functions. In the investigated case the multi-modal interface is a component of the Operational Centre, which is a part of the National Cybersecurity Platform. Embodied agents have been successfully used in the design of robotic systems. However, robots operate in physical environments, while cyberspace events visualisation involves cyberspace, thus the applied design methodology required a different definition of the environment. It had to encompass the physical environment in which the operator acts and the computer screen where the results of those actions are presented. Smart human–computer interaction (HCI) is a time-aware, dynamic process in which two parties communicate via different modalities, e.g., voice, gesture, eye movement. The use of computer vision and machine intelligence techniques is essential when the human is carrying out an exhausting and concentration-demanding activity. The main role of this interface is to support security analysts and operators controlling visualisation of cyberspace events like incidents or cyber attacks, especially when manipulating graphical information. Visualisation control modalities include visual gesture- and voice-based commands.
... Relevant tasks such as spotting anomalies and trends, relating multiple metrics, and observing real-time changes are often effectively supported by visualization [31]. Applications in network security include anomaly behavior analysis in netflow data, malware behaviors [32], etc. Techniques such as parallel coordinates, time series visualization and graph visualizations are commonly used in this domain. Traditional sequential and timeline based methods cannot easily address the complexity of temporal and relational features of user behaviors, therefore a map-like visual metaphor is proposed for identifying user behavior patterns [33]. ...
Chapter
The maritime ecosystem has undergone changes due to the increasing use of information systems and smart devices. The newly introduced technologies give rise to a new attack surface in maritime infrastructures. In this position paper, we propose the MAritime Threat INtelligence FRAMEwork (MAINFRAME), which is tailored towards collection and analysis of threat intelligence in maritime environments. MAINFRAME combines: (i) data collection from ship sensors; (ii) collection of publicly available data from social media; (iii) a variety of honeypots emulating different hardware and software components; (iv) event detection assisted by deep learning; (v) a blockchain implementation that maintains an audit trail for activities and transactions, and electronic IDs; and (vi) visual threat analytics. To highlight the interdependencies between cyber and cyber-physical threats in autonomous ships, MAINFRAME's operation is evaluated through the liquefied natural gas (LNG) Carrier case study.
Preprint
Full-text available
The maritime ecosystem has undergone changes due to the increasing use of information systems and smart devices. The newly introduced technologies give rise to a new attack surface in maritime infrastructures. In this position paper, we propose the MAritime Threat INtelligence FRAMEwork (MAINFRAME), which is tailored towards collection and analysis of threat intelligence in maritime environments. MAINFRAME combines: (i) data collection from ship sensors; (ii) collection of publicly available data from social media; (iii) a variety of honeypots emulating different hardware and software components; (iv) event detection assisted by deep learning; (v) a blockchain implementation that maintains an audit trail for activities and transactions, and electronic IDs; and (vi) visual threat analytics. To highlight the interdependencies between cyber and cyber-physical threats in autonomous ships, MAINFRAME's operation is evaluated through the liquefied natural gas (LNG) Carrier case study.
... Erbacher et al. [6] conducted another cognitive task analysis that examined the issues related to the cyber analysis process and developed a task-flow model of cyber analysis. OCEANS [7] chose to structure received data in a layered fashion, making it easier for analysts to study. It allows analysts to sort through data efficiently. ...
... Visualization based techniques: These techniques employ various visualization techniques in order to depict the various connections between the clients and servers [17]. Visualization methods often require manual intervention once they tag anything suspicious, making the process cumbersome. ...
... Some researchers used a visual analytics approach to visually identify such deviations by comparing visual correlation and similarity between the time series data [14,15,16]. Other researchers used a collaborative and user-defined events approach to highlight suspicious events from the experts instead of automatic detection algorithms [17]. Also, a feature vector technique has been used in behavioral observation to detect cyber-threats in critical infrastructure [18]. ...
... OCEANS (Chen et al., 2014) uses chord diagrams (dubbed Ring Graphs) for visualizing network flows between subnets. However, OCEANS is centered on traditional IT networks and lacks the additional information that can be gathered from industrial networks, where whitelisting policies cannot be as strict as in industrial networks. ...
Chapter
The appearance of smart houses, buildings, and cities has defined new attack scenarios targeting industrial information systems. The paper suggests a visualization-driven approach to the analysis of data from a heating, ventilating and conditioning (HVAC) system. The key element of the approach is the RadViz visualization, which is used to form daily operation patterns and can detect suspicious deviations that could be signs of fraudulent activity in the system. It is supplemented by a matrix-based representation of the HVAC parameters that is constructed in a way that allows highlighting changes in the values of the parameters being analyzed. The distinctive feature of the proposed visualization models is the ability to display data from different data sources. To demonstrate and evaluate the efficiency of the proposed approach we used the VAST MiniChallenge-2 2016 data set, which contains logs from the HVAC system and the access control system.
Article
User behaviour analytics (UBA) systems offer sophisticated models that capture users' behaviour over time with an aim to identify fraudulent activities that do not match their profiles. Motivated by the challenges in the interpretation of UBA models, this paper presents a visual analytics approach to help analysts gain a comprehensive understanding of user behaviour at multiple levels, namely individual and group level. We take a user-centred approach to design a visual analytics framework supporting the analysis of collections of users and the numerous sessions of activities they conduct within digital applications. The framework is centred around the concept of hierarchical user profiles that are built based on features derived from sessions, as well as on user tasks extracted using a topic modelling approach to summarise and stratify user behaviour. We externalise a series of analysis goals and tasks, and evaluate our methods through use cases conducted with experts. We observe that with the aid of interactive visual hierarchical user profiles, analysts are able to conduct exploratory and investigative analysis effectively, and able to understand the characteristics of user behaviour to make informed decisions whilst evaluating suspicious users and activities.
Chapter
Security Operations Centers (SOCs) collect data related to the information systems they protect and process it to detect suspicious activities. In this paper we explain how a SOC is organized, we highlight the current limitations of SOCs and their consequences regarding the performance of the detection service. We propose a new collaboration process to enhance the cooperation between security analysts in order to quickly process security events and define a better workflow that enables them to efficiently exchange feedback. Finally, we design a prototype corresponding to this new model.
Conference Paper
Netflow logs record the interactions between host pairs on both sides of the monitored border, and have received more attention from researchers because of security concerns. Such data allows analysts to find interesting patterns and security anomalies. Visual analytics provides interaction and visualization techniques that can support these tasks. In this paper, we present a system called NetflowVis to analyze communication patterns and network abnormalities from netflow logs. This system consists of four views, including the communication trajectories view, the traffic line view, the snapshot view and the protocol view. The communication trajectories view is a composite view that dynamically describes the communication trajectories. This view combines a link-node tree and an improved ThemeRiver. The protocol view is designed to display statistical data of the upstream and downstream traffic on different protocols, which is an improved radial view based on an area filling strategy. The system provides a multilevel analysis architecture for netflow cognition. In this paper, we also present a case study to demonstrate the effectiveness and usefulness of our system.
Conference Paper
We present the results of an interview study on the state of practice for Situational Awareness (SA) in the cybersecurity industry. Representatives from four global companies providing cybersecurity monitoring and analysis services and products were interviewed to get a view into the current state of practice in SA. The interviews were performed as a form of thematic interview, resulting in the classification of the results in three main areas of SA, i.e., how security is modelled, what information is collected, and how the data is analyzed. We describe the topics covered by the interviews, the common issues and methods, their differences, and provide a summary view on the current state of security monitoring and analysis in the cybersecurity industry. We also describe potential future work in terms of identified challenges in the area. The results help understand various aspects of cybersecurity situational awareness, to identify gaps between research and practice, and to build holistic SA solutions.
Article
Cyber security visualization is a multi-discipline research field. Visualization techniques have injected new vitality into traditional analysis methods for cyber security. However, most existing studies focus on the visual expression and overlook the visual support for the data analysis process. This paper presents a top-down model for anomaly detection on network traffic time-series data drawing from the experience of cyber security analysts. A prototype system is designed based on this model, and it includes four collaborative views with direct and rich interactions. A number of experiments, including port scanning and DDoS attacking, are carried out to demonstrate that this system can support network traffic time-series analysis on overview to detail, point to area and past to future process flows. © Copyright 2016, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Thesis
Full-text available
Botnets, or networks of computers infected by malicious code and connected to a command and control system, are one of the primary tools of crime on the Internet today. They make possible the development of a new type of criminal activity: crime as a service (CaaS). They pose a challenge for law enforcement. First, because of the scale of their impact on network security and on the commission of offences on the Internet. Second, because of the extremely international dimension of their spread and hence a certain difficulty in conducting investigations. Finally, because of the large number of actors who may be involved (coders, botnet masters, financial intermediaries, etc.). This thesis studies botnets (components, operation, actors), proposes a method for collecting data on botnet-related activities and finally examines the technical and organisational arrangements for fighting botnets; it concludes with proposals for a strategy for this fight. The work carried out has confirmed the relevance, for the effective study of botnets, of a model encompassing all of their components, including infrastructure and actors. Besides an effort at definition, the thesis provides a complete model of the life cycle of a botnet and proposes methods for categorising these objects. It follows that a shared strategy is needed, one that must include detection elements, coordination between actors and the possibility, or even the obligation, for operators to implement mitigation measures.
Thesis
Full-text available
Botnets, or networks of computers infected with malware and connected to a command and control system, are one of the main tools for criminal activities on the Internet today. They allow the development of a new type of crime: crime as a service (CaaS). They are a challenge for law enforcement. First, by the importance of their impact on the security of networks and the commission of crimes on the Internet. Next, with regard to the extremely international dimension of their dissemination and therefore the enhanced difficulty in conducting investigations. Finally, through the large number of actors that may be involved (software developers, botnet masters, financial intermediaries, etc.). This thesis proposes a thorough study of botnets (components, operation, actors), a data collection method on botnet-related activities and finally the technical and organizational arrangements in the fight against botnets; it concludes with proposals on the strategy for this fight. The work carried out has confirmed the relevance, for the effective study of botnets, of a model encompassing all their components, including infrastructure and actors. Besides an effort in providing definitions, the thesis describes a complete model of the life cycle of a botnet and offers methods for categorization of these objects. This work shows the need for a shared strategy which should include the detection elements, coordination between actors and the possibility or even the obligation for operators to implement mitigation measures.
Conference Paper
Full-text available
Monitoring, anomaly detection and forensics are essential tasks that must be carried out routinely for every computer network. The sheer volume of data generated by conventional anomaly detection tools such as Snort often makes it difficult to explain the nature of an attack and track down its source. In this paper we present TVi, a tool that combines multiple visual representations of network traces carefully designed and tightly coupled to support different levels of visual-based querying and reasoning required for making sense of complex traffic data. TVi allows analysts to visualize data starting at a high level, providing information related to the entire network, and easily move all the way down to a very low level, providing detailed information about selected hosts, anomalies and attack paths. We designed TVi with scalability and extensibility in mind: its DBMS foundations make it scalable with virtually no limitations, and other state-of-the-art IDS, like Snort or Bro, can be easily integrated in our tool. We demonstrate with two case studies, a synthetic dataset (DARPA 1999) and a real one (University of Brescia, UniBS, 2009), how TVi can enhance a network administrator's ability to reveal hidden patterns in network traces and link their key information so as to easily reveal details that by merely observing Snort's output would go unnoticed. We make TVi's source code available to the community under an Open Source license.
Conference Paper
Full-text available
Monitoring computer networks often includes gathering vast amounts of time-series data from thousands of computer systems and network devices. Threshold alerting is easy to accomplish with state-of-the-art technologies. However, finding correlations and similar behaviors between the different devices is challenging. We developed a visual analytics application to tackle this challenge by integrating similarity models and analytics combined with well-known, but task-adapted, time-series visualizations. We show in a case study how this system can be used to visually identify correlations and anomalies in large data sets and to identify and investigate security-related events.
Article
Full-text available
This paper presents a new approach to intrusion detection that supports the identification and analysis of network anomalies using an interactive coordinated multiple views (CMV) mechanism. A CMV visualization consisting of a node-link diagram, scatterplot, and time histogram is described that allows interactive analysis from different perspectives, as some network anomalies can only be identified through joint features in the provided spaces. Spectral analysis methods are integrated to provide visual cues that allow identification of malicious nodes. An adjacency-based method is developed to generate the time histogram, which allows users to select time ranges in which suspicious activity occurs. Data from Sybil attacks in simulated wireless networks is used as the test bed for the system. The results and discussions demonstrate that intrusion detection can be achieved with a few iterations of CMV exploration. Quantitative results are collected on the accuracy of our approach and comparisons are made to single domain exploration and other high-dimensional projection methods. We believe that this approach can be extended to anomaly detection in general networks, particularly to Internet networks and social networks.
Article
Full-text available
Visualization systems for intrusion detection are becoming more prevalent with time, but the lack of an organizing framework for proper development of these systems is problematic. This paper introduces a component-based structure which can be used to adequately design and implement intrusion detection information visualization systems. This component-based structure implements a combination of common information visualization components with operational components which are specific to the critical, real-time nature of intrusion detection. The manuscript also performs an analysis of intrusion detection visualization research projects by verifying their use of the components described by this framework.
Article
Full-text available
The VisAlert visual correlation tool facilitates situational awareness in complex network environments by providing a holistic view of network security to help detect malicious activities. Information visualization techniques and methods in many applications have effectively increased operators' situational awareness, letting them more effectively detect, diagnose, and treat anomalous conditions. Visualization elevates information comprehension by fostering rapid correlation and perceived associations. Our visualization technique integrates the information in log and alert files into an intuitive, flexible, extensible, and scalable visualization tool - VisAlert - that presents critical information concerning network activity in an integrated manner, increasing the user's situational awareness.
Conference Paper
Full-text available
Anomalous communication patterns are one of the leading indicators of computer system intrusions according to the system administrators we have interviewed. But a major problem is being able to correlate across the host/network boundary to see how network connections are related to running processes on a host. This paper introduces Portall, a visualization tool that gives system administrators a view of the communicating processes on the monitored machine correlated with the network activity in which the processes participate. Portall is a prototype of part of the Network Eye framework we have introduced in an earlier paper (Ball, et al., 2004). We discuss the Portall visualization, the supporting infrastructure it requires, and a formative usability study we conducted to obtain administrators' reactions to the tool.
Article
Web-based social data analysis tools that rely on public discussion to produce hypotheses or explanations of the patterns and trends in data, rarely yield high-quality results in practice. Crowdsourcing offers an alternative approach in which an analyst pays workers to generate such explanations. Yet, asking workers with varying skills, backgrounds and motivations to simply "Explain why a chart is interesting" can result in irrelevant, unclear or speculative explanations of variable quality. To address these problems, we contribute seven strategies for improving the quality and diversity of worker-generated explanations. Our experiments show that using (S1) feature-oriented prompts, providing (S2) good examples, and including (S3) reference gathering, (S4) chart reading, and (S5) annotation subtasks increases the quality of responses by 28% for US workers and 196% for non-US workers. Feature-oriented prompts improve explanation quality by 69% to 236% depending on the prompt. We also show that (S6) pre-annotating charts can focus workers' attention on relevant details, and demonstrate that (S7) generating explanations iteratively increases explanation diversity without increasing worker attrition. We used our techniques to generate 910 explanations for 16 datasets, and found that 63% were of high quality. These results demonstrate that paid crowd workers can reliably generate diverse, high-quality explanations that support the analysis of specific datasets.
Article
Security Visualization is a very young term. It expresses the idea that common visualization techniques have been designed for use cases that are not supportive of security-related data, demanding novel techniques fine-tuned for the purpose of thorough analysis. A significant amount of work has been published in this area, but little work has been done to study this emerging visualization discipline. We offer a comprehensive review of network security visualization and provide a taxonomy in the form of five use-case classes encompassing nearly all recent works in this area. We outline the incorporated visualization techniques and data sources and provide an informative table to display our findings. From the analysis of these systems, we examine issues and concerns regarding network security visualization and provide guidelines and directions for future researchers and visual system developers.
Conference Paper
Current tools for forensic analysis require many hours to understand novel attacks, causing reports to be terse and untimely. We apply visual filtering and tagging of flows in a novel way to address the current limitations of post-attack analysis, reporting, and sharing. We discuss the benefits of visual filtering and tagging of network flows and introduce FlowTag as our prototype tool for Honeynet researchers. We argue that online collaborative analysis benefits security researchers by organizing attacks, collaborating on analysis, forming attack databases for trend analysis, and in promoting new security research areas. Lastly, we show three attacks on the Georgia Tech Honeynet and describe the analysis process using FlowTag.
Conference Paper
The increasing practicality of large-scale flow capture makes it possible to conceive of traffic analysis methods that detect and identify a large and diverse set of anomalies. However, the challenge of effectively analyzing this massive data source for anomaly diagnosis is as yet unmet. We argue that the distributions of packet features (IP addresses and ports) observed in flow traces reveal both the presence and the structure of a wide range of anomalies. Using entropy as a summarization tool, we show that the analysis of feature distributions leads to significant advances on two fronts: (1) it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods, and (2) it enables automatic classification of anomalies via unsupervised learning. We show that using feature distributions, anomalies naturally fall into distinct and meaningful clusters. These clusters can be used to automatically classify anomalies and to uncover new anomaly types. We validate our claims on data from two backbone networks (Abilene and Geant) and conclude that feature distributions show promise as a key element of a fairly general network anomaly diagnosis framework.
Article
This article describes mechanisms for asynchronous collaboration in the context of information visualization, recasting visualizations as not just analytic tools, but social spaces. We contribute the design and implementation of sense.us, a Web site supporting asynchronous collaboration across a variety of visualization types. The site supports view sharing, discussion, graphical annotation, and social navigation and includes novel interaction elements. We report the results of user studies of the system, observing emergent patterns of social data analysis, including cycles of observation and hypothesis, and the complementary roles of social navigation and data-driven exploration.
Conference Paper
This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools in order to better understand the specific methodologies used by attackers as well as the identifiable characteristics of the tools themselves. The techniques used are entirely passive in nature and virtually undetectable by the attackers. While much work has been done on active and passive operating systems detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness toward identification of attack tools, without the typical automated intrusion detection system's signatures and statistical anomalies. These visualizations were tested using a wide range of popular network security tools and the results show that in many cases, the specific tool can be identified and provides intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.
Conference Paper
The massive amount of alarm data generated from intrusion detection systems is cumbersome for network system administrators to analyze. Often, important details are overlooked and it is difficult to get an overall picture of what is occurring in the network by manually traversing textual alarm logs. We have designed a novel visualization to address this problem by showing alarm activity within a network. Alarm data is presented in an overview where system administrators can get a general sense of network activity and easily detect anomalies. They then have the option of zooming and drilling down for details. The information is presented with local network IP (Internet Protocol) addresses plotted over multiple y-axes to represent the location of alarms. Time on the x-axis is used to show the pattern of the alarms and variations in color encode the severity and amount of alarms. Based on our system administrator requirements study, this graphical layout addresses what system administrators need to see, is faster and easier than analyzing text logs, and uses visualization techniques to effectively scale and display the data. With this design, we have built a tool that effectively uses operational alarm log data generated on the Georgia Tech campus network. The motivation and background of our design is presented along with examples that illustrate its usefulness.
Article
Data-Driven Documents (D3) is a novel representation-transparent approach to visualization for the web. Rather than hide the underlying scenegraph within a toolkit-specific abstraction, D3 enables direct inspection and manipulation of a native representation: the standard document object model (DOM). With D3, designers selectively bind input data to arbitrary document elements, applying dynamic transforms to both generate and modify content. We show how representational transparency improves expressiveness and better integrates with developer tools than prior approaches, while offering comparable notational efficiency and retaining powerful declarative components. Immediate evaluation of operators further simplifies debugging and allows iterative development. Additionally, we demonstrate how D3 transforms naturally enable animation and interaction with dramatic performance improvements over intermediate representations.
Article
Information visualization leverages the human visual system to support the process of sensemaking, in which information is collected, organized, and analyzed to generate knowledge and inform action. Though most research to date assumes a single-user focus on perceptual and cognitive processes, in practice, sensemaking is often a social process involving parallelization of effort, discussion, and consensus building. This suggests that to fully support sensemaking, interactive visualization should also support social interaction. However, the most appropriate collaboration mechanisms for supporting this interaction are not immediately clear. In this article, we present design considerations for asynchronous collaboration in visual analysis environments, highlighting issues of work parallelization, communication, and social organization. These considerations provide a guide for the design and evaluation of collaborative visualization systems.
Conference Paper
The Internet pervades many aspects of our lives and is becoming indispensable to critical functions in areas such as commerce, government, production and general information dissemination. To maintain the stability and efficiency of the Internet, every effort must be made to protect it against various forms of attacks, malicious users, and errors. A key component in the Internet security effort is the routine examination of Internet routing data, which unfortunately can be too large and complicated to browse directly. We have developed an interactive visualization process which proves to be very effective for the analysis of Internet routing data. In this application paper, we show how each step in the visualization process helps direct the analysis and glean insights from the data. These insights include the discovery of patterns, detection of faults and abnormal events, understanding of event correlations, formation of causation hypotheses, and classification of anomalies. We also discuss lessons learned in our visual analysis study.
The netflow observatory: An interactive 3-d event visualization
  • L Bunch
  • J M Bradshaw
  • M Vignati
L. Bunch, J. M. Bradshaw, and M. Vignati. The netflow observatory: An interactive 3-d event visualization. In Proc. of VizSec, 2013.