Visualization Model for Monitoring
of Computer Networks Security Based
on the Analogue of Voronoi Diagrams
Maxim Kolomeets, Andrey Chechulin, and Igor Kotenko
Laboratory of Computer Security Problems,
St. Petersburg Institute for Informatics and Automation (SPIIRAS),
39, 14 Liniya, St. Petersburg, Russia
{kolomeec,chechulin,ivkote}@comsec.spb.ru
Abstract. In this paper we propose an approach to the development of the
computer network visualization system for security monitoring, which uses a
conceptually new model of graphic visualization that is similar to the Voronoi
diagrams. The proposed graphical model uses the size, color and opacity of the
cell to display host parameters. The paper describes a technique for new
graphical model construction and gives examples of its application along with
traditional graph based and other models.
Keywords: Visual analytics · Visualization of security data · Graphical models ·
Computer networks · Voronoi diagrams
1 Introduction
Computer networks are rapidly growing today. Meanwhile, the more devices are in the
network, the harder it is to ensure its security. This problem is met by operators of
security systems of corporate level (e.g., security information and event management
systems, SIEM systems), when the analyzed computer network is measured not only by
hundreds of employees' workplaces and high-order technical equipment, but also by
smart doors, servers, various sensors of climate, security, etc.
To cope with the control of growing networks we need to apply systems for
monitoring network security, which give us the possibility to visualize the computer
network and the parameters of its state in a simple and efficient manner. But, as a rule,
in such systems the network is presented with the application of rather traditional
graphical models, for example, in the form of graphs or tables, that are difficult to
understand in the case of large networks and display of a variety of parameters. In order
to cope with this problem it is necessary to improve the efficiency of visualization means
by complex use of various graphical models such as graphs, matrices, treemaps, parallel
coordinates, etc. in the framework of the multiple view concept [1]. At the same time it
is necessary to increase the efficiency of visualization of particular graphic models.
In the case of visualization of computer networks and their security, different
techniques are developed that allow clustering of segments of the network (e.g., based
on clustering of graph elements) or encapsulation of the state parameters [2].
©IFIP International Federation for Information Processing 2016
Published by Springer International Publishing Switzerland 2016. All Rights Reserved
F. Buccafurri et al. (Eds.): CD-ARES 2016, LNCS 9817, pp. 141–157, 2016.
DOI: 10.1007/978-3-319-45507-5_10
Yet another solution to the problem is to develop conceptually new graphical models,
which are able to present information in a form that is new for the user and that allows
the efficiency of the user's work to be increased.
The novelty of this paper is to use a conceptually new graphic visualization model
similar to the Voronoi diagrams, which allows to increase the effectiveness of visual
analysis for the computer network security, for example, as one of functions of the
SIEM system. It is expected that this model will be used in the developed visualization
system in the framework of the supported multiple view concept.
The main contribution of the paper lies in the fact that it offers a new technique of
visualization of network security, as well as reveals the theoretical and practical side of
how this technique can be used in SIEM systems. The organization of the paper is as
follows. Section 2 analyzes existing graphical models that can be used to visualize
parameters of computer network security with description of their advantages and
disadvantages. In Sect. 3 we describe the developed conceptually new graphical model.
Section 4 discusses the developed system for visualization of computer network
security and provides examples of application of the proposed graphical model in the
framework of this system. In Sects. 5 and 6 the proposed graphical model is evaluated,
as well as its comparison with other graphical models is performed. Section 7 discusses
conclusions and future research directions.
2 Review of Computer Network Visualization Techniques
Within the developed computer network visualization system, graphs, matrices, and
treemaps were mainly used to realize the multiple view concept. The listed graphical
models (Fig. 1) have different advantages and disadvantages [3], which can also be
expressed in terms of informativity and ease of perception and use.
Fig. 1. Examples of graphical models (left to right): graphs, treemaps and matrices
142 M. Kolomeets et al.
Informativity can be represented as the level of detail, which is expressed in the
completeness of simultaneously displayed data. Ease of perception and use can be
represented in the form of speed and simplicity of user interactions with displayed data.
It is obvious that different graphical models have different ratio of informativity and
ease of perception and use. Thus, often increase of the informativity due to the resulting
congestion of the graphical model negatively affects the ease of perception and use, and
vice versa. Some examples are an informative but difcult to read table, and an
uninformative, but easy to understand semaphore shown in Fig. 2.
Let us consider from this point of view the graphic models [4,5], which are most
often used to visualize the security of computer networks. Matrices [6] (Fig. 1, right)
are efficient in displaying the relations of elements of a small computer network that
has a complex topology and where each host has many connections. Security parameters,
determined based on network traffic, can be set using the color and transparency of
cells located at intersections of rows and columns. However, the size of the cells
depends on the dimension of the matrix, which is set by the number of network hosts.
With the increase in the number of rows and columns of the matrix, the size of a
particular cell shrinks towards one pixel, at which the perception of its color tone, and
even more so of its transparency, is difficult. The inefficient use of space by matrices
should also be noted: most of the cells remain blank, which has a negative effect on the
users' perception of parameters, especially when large computer networks are visualized.
It is also worth considering that matrices can visualize the links' parameters, but not the
parameters of the computer network hosts.
On the other hand, matrices efciently display clusters of network, and they can be
used to construct attack graphs [7] (Fig. 3, left) and to analyze entire segments of the
network, rather than individual hosts.
Matrices can also be expanded by displaying multidimensional data in 3D space.
For example, the 3D analogue of a matrix is the dispersion chart [8], which is
represented as a cube whose axes are local IP addresses, global IP addresses and port
numbers, and the color of the dot shows successful and unsuccessful attempts to
establish TCP connections (Fig. 3, right). Thus, the presence of long lines or planes,
consisting of the points on the dispersion chart, can indicate network scanning.
For efficient visualization of host parameters of a computer network (for example,
the data of vulnerability scanners [6] (Fig. 4, left), assessment of criticality of assets,
etc.), one can also use treemaps [9] (Fig. 1, in the center). Treemaps are efficient to
display parameters, as they can handle color, depth and size. It should be noted that in
the presence of cells of large area, one can also use transparency as an additional
parameter. However, treemaps are suitable only to visualize purely hierarchical
networks and are unable to visualize the interaction parameters. Nevertheless, like
matrices, treemaps can be expanded, for example, for constructing attack graphs [10],
when the steps of the intruder are displayed by directed edges (Fig. 4, right).
Fig. 2. Examples of a table and a semaphore
Graphs [11], as the most common way to visualize computer networks, are efficient
for topology visualization and can display parameters of hosts using the vertices of the
graph, as well as interaction parameters using edges. However, like matrices, graphs
use space inefficiently, leaving large empty areas. Nevertheless, graphs are often used to
display the network topology, when the host type is shown at the vertices (Fig. 5).
For visualization of parameters vertices of graphs can be replaced by glyphs [12].
Glyphs can be represented in a pie chart in which the number of equal sized segments
depends on the number of displayed parameters (Fig. 6). The parameters themselves
can be expressed in the form of the segments' color and their transparency. The glyphs can
be augmented by the ring with the same number of segments that display the previous
parameter value. Due to this, it is possible to produce a historical analysis.
Fig. 3. Usage of a matrix to visualize attack graphs (left) and as the dispersion chart (right)
Fig. 4. Visualization of security vulnerabilities (left) and attack graph (right) using treemaps
The disadvantage of glyphs is that when they are used the graphical model becomes
overloaded, thereby ease of perception deteriorates. It is worth saying that the graphs have
many variations of how they are built and used. For example, graphs can be used for visual
analysis of granting access to resources [13] with the role access system that supports
hierarchies or groups of users, to visualize patterns of network traffic [14], for visualizing
logs of financial transactions [12], for visualization of computer attacks [15,16], etc.
In the analysis of existing graphic models, the features were outlined that allow the
user to efficiently analyze information. First, the user perceives spatial mapping
(planar and spatial figures) better, while the color and shape of figures are secondary
parameters. It is easy to demonstrate: the most important security parameters in
treemaps (Fig. 4) are displayed with the size of the planes; graphs (Figs. 5 and 6) operate
with the sizes of the vertices; and at rendering in the form of a matrix (Fig. 3) the
operator most often searches for and analyzes structures in the form of planes and
lengthwise lines, consisting of individual cells. Second, it can be concluded that to
visualize the links' parameters it is better to use matrices, but they are unable to
visualize hosts. For visualization of hosts' parameters it is better to use treemaps, but
they are unable to visualize links. In the case when it is necessary to visualize both hosts
and links one needs to use graphs. Thus, the analysis of the advantages and drawbacks
of existing graphical models showed that the simultaneous display of parameters of
hosts and links is only possible with the use of graphs. However, if the vertices in the
graphs are displayed in the form of planes, the operator will be able to analyze the
information faster. Thus, analysis of relevant works showed that the creation of
graphical models that allow both parameters (as in treemaps) and topology (as in
graphs) to be displayed effectively is a promising approach.
3 The Proposed Graphical Model
For monitoring of computer network security a graphical model is proposed [17],
which visually resembles a Voronoi diagram [18]; however, it is not the same from
a mathematical point of view (Fig. 7). The main idea is to integrate the capabilities of
graphs to visualize the topology of the computer network and of treemaps to visualize
parameters. The solution arose from the representation of network hosts in the form
of cells, and of links between hosts in the form of links between these cells. At the same
time, in the graphical model there are separators (dark grey in Fig. 7) which divide
cells that are next to each other but have no links. For ease of understanding, we can
present an analogy in the form of a maze: cells-polygons that represent hosts can be
interpreted as the maze rooms; the links of the cells that represent the relationship
between hosts can be interpreted as doors between the maze rooms; the separators that
represent the lack of links can be interpreted as the maze walls.
Fig. 5. A graph displaying host type
Fig. 6. A graph, augmented by glyphs
The algorithm for constructing the proposed graphical model is more complex than
the algorithms for constructing graphs, matrices or treemaps, and consists of four steps:
(1) building of the convex hull of a given planar graph; (2) implementation of the
restricted Delaunay triangulation [18]; (3) formation of cells, based on triangulation;
(4) selection of separators.
Let us consider the algorithm for constructing the proposed graphical model in
more detail, on the example of the implemented software tool that provides a visual
interface to display the security parameters of computer networks.
The proposed graphical model is implemented on the basis of the graph adjacency
matrix. The first step builds a planar graph, which is supplemented by the convex hull.
The convex hull is required for obtaining the convex figure, which is used to perform
the next step. The graph which will be used in this example, and the result of the first
step, are shown in Figs. 8 and 9 respectively.
Fig. 7. The proposed graphical model
Fig. 8. Planar graph
Fig. 9. The construction of the convex hull
In the next step, for the resulting figure we should produce a restricted (constrained)
Delaunay triangulation [18]. It is worth noting the importance of implementing exactly
the constrained triangulation, as it allows triangulating the figure while taking into
account the already existing relations and avoiding crossing of edges. The result of this
step is shown in Fig. 10. The next step is to form the cells that will serve as the basis of
the graphical model. For this we need to associate a subset of the triangles, obtained as
the result of triangulation, with the corresponding vertex of the graph.
For each vertex of the host (in Fig. 11 it is selected as a light grey circle) we find
the subset of triangles (in Fig. 11 they are highlighted in gray) that include this vertex.
Next, for the triangles of this subset the centers of mass (centroids) are determined (in
Fig. 12 they are shown as light gray points), the union of which gives the desired
polygon (in Fig. 12 it is highlighted with light gray edges).
The resulting polygon corresponds to the host based on which we defined the
subset of triangles of the triangulation. The result of the step is shown in Fig. 13, where
the edges of the figure resulting from the triangulation are black, and the edges of the
desired cells are red (in Fig. 13 they are light grey).
The next step is to outline the separators. Since each cell corresponds to a specific
host, the edges between cells-hosts with which there is a link can be designated a certain
color, for example gray. All other edges will be separators and will have an appropriate
color (e.g. red in Fig. 14). To obtain a figure of a certain shape (e.g. a rectangle as in
Fig. 14) we can also add points to the cells of the convex hull, or move these points to
the required positions. In Fig. 14 the resulting shape is depicted with the addition of new
points, and Fig. 15 shows a figure with relocation of the common points of the
polygons-hosts of the convex hull.
Fig. 10. The graph and its triangulation
Fig. 11. The determination of triangles required to build a cell
Fig. 12. The construction of the cell
Therefore, the graphical model allows to display hosts in the form of planes, and
the links between the hosts in the form of contact planes. The formal description of
the algorithm to build the presented graphical model can be represented as the fol-
lowing pseudo code:
Fig. 13. The result of building the cells of the graphical model
It should be noted that from the mathematical point of view [18], the proposed
model is not a Voronoi diagram, despite the visual similarity, since the Voronoi
diagram has a different mathematical meaning, and existing algorithms for its
construction do not allow visualizing the computer network topology when constructing
the chart based on the vertices of the graph.
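As an added example (this is not the authors' code, nor the pseudo code of the paper), the following Python carries out steps 1, 3 and 4 of the construction described in Sect. 3 on a constructed five-host planar graph: the convex hull is built with Andrew's monotone chain, each host's cell is the polygon through the centroids of the triangles incident to its vertex, and each side shared by two cells is classified as a link or a separator. Step 2, the constrained Delaunay triangulation, is assumed to have been done and its result is supplied inline as TRIANGLES; a check confirms that every link survives as a triangle edge, which is the property the text requires of the constrained triangulation. Closing the cells of hull hosts with the host position and the midpoints of its two hull edges is this example's own assumption, standing in for the addition or relocation of boundary points shown in Figs. 14 and 15.

```python
# Added example (not the authors' code): steps 1, 3 and 4 of the cell-building
# algorithm of Sect. 3 on a constructed five-host planar graph.  Step 2 (the
# constrained Delaunay triangulation) is ASSUMED done; its output is TRIANGLES.
from fractions import Fraction
from itertools import combinations
import math

# Constructed sample: host positions, links, and a triangulation of the hull
# that keeps every link as a triangle edge (D-E is a triangulation edge only).
POINTS = {"A": (0, 0), "B": (4, 0), "C": (4, 4), "D": (0, 4), "E": (2, 2)}
LINKS = [("A", "E"), ("B", "E"), ("C", "E"), ("A", "B"), ("C", "D")]
TRIANGLES = [("A", "B", "E"), ("B", "C", "E"), ("C", "D", "E"), ("D", "A", "E")]


def cross(o, a, b):
    """z-component of (a - o) x (b - o); positive when o -> a -> b turns left."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Step 1: Andrew's monotone chain.  Returns hull host ids in CCW order."""
    ids = sorted(points, key=lambda v: points[v])

    def half(seq):
        chain = []
        for v in seq:
            while len(chain) >= 2 and cross(points[chain[-2]], points[chain[-1]], points[v]) <= 0:
                chain.pop()
            chain.append(v)
        return chain

    lower, upper = half(ids), half(ids[::-1])
    return lower[:-1] + upper[:-1]


def triangulation_respects_links(links, triangles):
    """Check on step 2's output: a constrained triangulation must keep every link
    as a triangle edge, otherwise the cells of linked hosts may not touch."""
    tri_edges = {frozenset(e) for t in triangles for e in combinations(t, 2)}
    return all(frozenset(l) in tri_edges for l in links)


def centroid(pts):
    n = len(pts)
    return (sum(Fraction(p[0]) for p in pts) / n, sum(Fraction(p[1]) for p in pts) / n)


def order_ccw(pts):
    """Sort polygon corners by angle around their mean point (convex cells only)."""
    c = centroid(pts)
    return sorted(pts, key=lambda p: math.atan2(p[1] - c[1], p[0] - c[0]))


def build_cells(points, triangles):
    """Step 3: a host's cell is the polygon through the centroids of the triangles
    incident to its vertex.  ASSUMPTION: cells of hull hosts are closed with the
    host position and the midpoints of its two hull edges."""
    hull = convex_hull(points)
    hull_edges = [frozenset((hull[i], hull[(i + 1) % len(hull)])) for i in range(len(hull))]
    cells = {}
    for v, p in points.items():
        corners = [centroid([points[u] for u in t]) for t in triangles if v in t]
        if v in hull:
            corners.append((Fraction(p[0]), Fraction(p[1])))
            corners += [centroid([points[u] for u in e]) for e in hull_edges if v in e]
        cells[v] = order_ccw(corners)
    return cells


def polygon_area(poly):
    """Shoelace formula; cell area is what encodes possible damage in Sect. 4.3."""
    n = len(poly)
    s = sum(poly[i][0] * poly[(i + 1) % n][1] - poly[(i + 1) % n][0] * poly[i][1] for i in range(n))
    return abs(s) / 2


def classify_contacts(cells, links):
    """Step 4: a side shared by two cells is a link if the hosts are connected,
    otherwise it is a separator (the 'maze wall' of the analogy)."""
    link_set = {frozenset(l) for l in links}
    contacts, separators = set(), set()
    for a, b in combinations(cells, 2):
        if len(set(cells[a]) & set(cells[b])) == 2:  # the two cells share one side
            (contacts if frozenset((a, b)) in link_set else separators).add(frozenset((a, b)))
    return contacts, separators


def run_example():
    assert triangulation_respects_links(LINKS, TRIANGLES)
    cells = build_cells(POINTS, TRIANGLES)
    areas = {v: polygon_area(c) for v, c in cells.items()}
    contacts, separators = classify_contacts(cells, LINKS)
    return cells, areas, contacts, separators


if __name__ == "__main__":
    cells, areas, contacts, separators = run_example()
    for v, c in cells.items():
        print(v, "area", areas[v], "corners", [(str(x), str(y)) for x, y in c])
    print("links:", sorted(map(sorted, contacts)), "separators:", sorted(map(sorted, separators)))
```

On the sample the centre host E gets a diamond-shaped cell of area 32/9 and each corner host a cell of area 28/9, so the five cells tile the 4 x 4 hull exactly; the sides E-D, B-C and A-D come out as separators because those hosts are adjacent in the triangulation but not linked in the graph. Exact rational coordinates are used so that shared sides can be matched by equality; a real implementation with floating-point triangulation output would match corners with a tolerance instead.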
4 Examples of Application of the Proposed Graphical Model
The proposed graphical model can be used to visualize the security parameters of
a computer network or to analyze the behavior of the attacker. It may be required when
informing the operator of SIEM system about the threats of a security breach or by
visual analysis of computer network security. Let us consider examples of application
of the proposed graphical model in the framework of the implementation of the
visualization system in more detail.
4.1 Description of the Visualisation System
To analyze the security of a computer network the visualization system is developed,
which supports the display of the computer network using both the classical methods of
visualization, such as graphs, graphs augmented with glyphs, treemaps and matrices
and the graphical model, proposed in this paper. The example of dashboard of the
developed visualization system is depicted in Fig. 16.
The system includes the ability to manage data sources, aggregation and correlation
of data collected from sources and tools for visual analytics of computer network
security. Tabs to navigate to the relevant controls are at the top of the dashboard in
Fig. 16.
In the left part of the dashboard in Fig. 16 there is enumeration of representations of
computer networks formed on the basis of data from different sources.
The central part of the dashboard is the implementation of the multiple view
concept, when the data is displayed in different views: as graph; as the graph aug-
mented with glyphs; charts and diagrams; treemaps; matrices and as graphical model,
formed as the analogue of Voronoi diagrams, presented in this paper.
Fig. 14. Adding new points to the polygons
Fig. 15. Relocation of points of the polygons
In various usage scenarios, the user selects the graphical model which is capable of
visualizing the data the user needs at the moment most efficiently. In the following
subsections examples of scenarios of using the developed graphical model in
comparison with graphs will be presented.
4.2 Description of the Source Data
Data of a computer network (Fig. 17), which consists of 9 segments, will be used as
source data for visualization.
The segment, which consists of external users who have a remote connection to the
computer network via the Internet, is represented in block 1. Block 2 displays the web
server for remote connectivity, as well as hosts needed to operate the web server. Block
3 represents the security system located between the web server and the demilitarized
zone (DMZ). The demilitarized zone is shown by block 4 and includes segments of the
internal network of the company. Block 5 and block 9 are the computers of the internal
network users. Block 6 displays the devices connected to the network through a Wi-Fi
connection. Block 7 is the server for storing and processing data. Block 8 corresponds to
the virtualization server, together with the virtual machines placed on it.
Fig. 16. The dashboard of the developed visualization system
Fig. 17. Segments of a computer network
4.3 Example 1. Visualization of the State of Computer Network Security
To visualize the security of a computer network, for each host the indicators of
protection from attacks and of possible damage in case of compromise of this host are
calculated. In the proposed graphical model the security level against attacks can be
represented in the form of the polygon color: hosts that have passed the threshold are in
red (in Fig. 18 dark grey), and possible damage is shown as the size of the
polygon (area of the polygon). We shall also consider the example of visualization based
on the graph, where the security is represented by the vertex color, and the possible
damage as the radius of the vertex. Let us consider two variants.
In the first case (Fig. 18) the vulnerable hosts, shown in red (dark grey in Fig. 18), are
strongly scattered. Almost every network segment has vulnerable hosts. Despite the fact
that the damage upon their compromise is small, the scattering gives greater variability of
actions for the attacker due to the presence of many potential hosts from which an attack
may occur.
Figure 19 shows the corresponding visualization based on the graph, where the
value of the possible damage in case of compromise is outlined by the radius of the vertex,
and the presence of a vulnerability is marked in red (in Fig. 19 light gray; as they are
almost invisible, they are indicated by arrows). It is obvious that the proposed graphical
model allows us to identify vulnerable hosts more quickly and to produce a visual analysis
of the damage done when they are compromised.
In another case (Fig. 20), it is clear that the virtualization platform is vulnerable,
and therefore all machines located on it, as well as some computers of internal
users, are also vulnerable. The corresponding visualization based on the graph is
shown in Fig. 21. As in the previous case, visual analysis of potential damage and
identifying the vulnerable segment are more efficient when using the proposed model.
Fig. 18. Scattered unprotected hosts are presented on the basis of the proposed model
Fig. 19. Scattered unprotected hosts are presented on the basis of the graph
4.4 Example 2. Visualization of the Attack Route
Visualization of the route of the attack (Fig. 22) may be noted as another example of
using the proposed graphical model.
The host from which an attacker carries out an attack is one of the computers of
internal users. This host can be denoted in blue (dark gray in Fig. 22). All hosts, to
which the actions of the attacker were recorded, can be also displayed in blue, however
with different degree of transparency, which will depend on the intensity of the actions
of the attacker. Thus it is possible to analyze which segment of the network is affected
by the attack and if the attacker compromised the most important hosts or not. One can
also estimate how close the attacker came to certain hosts for subsequent selection of
protection strategies. In Fig. 22 it is seen that in such a scenario only some elements of
the network will be affected (virtualization platform and servers for storing and pro-
cessing data), however the potential damage from compromise is unreasonably great.
Fig. 20. Two segments of the network with unprotected hosts, presented on the basis of the proposed model
Fig. 21. Two segments of the network with unprotected hosts, presented on the basis of the graph
Fig. 22. Visualization of the attack route
5 Evaluation of the Proposed Graphical Model
In order to evaluate the proposed graphical model two groups of indicators were
identified: performance indicators and functionality indicators.
Functionality indicators dene the set of scenarios that the proposed graphical
model is able to visualize, such as network connectivity, network size, abilities to
display topology, possibility to display the parameters of hosts and links between hosts.
Performance indicators define the efficiency of users' perception of information and
ease of working with data, for example: the efficiency of indicator perception, the
efficiency of finding an attack path, and the efficiency of analysis of network segments.
The evaluation of the proposed graphical model was carried out in comparison with
the visualization of a computer network as a graph.
The evaluation was performed using a survey of experts. All experts note that in
a scenario where the computer network is a non-planar graph, application of the
proposed graphical model is impossible, which is the main drawback of the proposed
graphical model. In some scenarios, when non-planar graphs are rarely used or not used
at all, the proposed graphical model is more efficient by an order of magnitude. It is also
noted that the proposed graphical model is not efficient in visualization of small computer
networks, and to visualize them it is more efficient to use matrices and graphs.
Thus, the graphical model is most appropriate to be used when rendering a medium
to large scale computer networks. High computational complexity of the algorithm is
also a disadvantage, however this can be shortened by using a client-server architec-
ture, when only coordinates of the cells will be transferred to the thin client.
As a whole experts agree in opinion that the proposed graphical model has more
options for visualizing metrics and network segments in comparison with the classical
methods of visualization that are based on graphs, matrices and treemaps.
Thus, the proposed graphical model is an alternative to visualization of computer
networks in the form of graphs, treemaps and matrices. The use of human spatial
perception (the location of the cell-computers relative to each other) and the absence of
necessity of edges provides a number of advantages at the cognitive level of perception
of visualization. On the other hand, a disadvantage of the presented graphical model is
that it can help to visualize exclusively planar graphs, which reduces the usage scope.
However, in some scenarios, when non-planar graphs are rarely used or not used at
all, the proposed graphical model is more efficient by an order of magnitude. It is also
worth noting that the proposed graphical model is applicable for visualization of any
object that can be represented as a planar graph.
It is supposed that the proposed graphical model can improve the efficiency of
visual analytics using the graphical models to visualize the computer networks within
the multiple view concept in SIEM systems.
6 Discussion
Based on the evaluation of the proposed graphical model a comparative table (Table 1)
was built with three other graphical models: graphs, treemaps and matrices. It should
be noted that the graphical models are considered in their minimum version, i.e. without
additions and excluding the presentation of information in the form of text and
signatures. The table shows the display capabilities and the number of simultaneously
displayed security parameters of network hosts and network connections, the possibility
of extension of graphical models for visualization in 3D space, the possibility of
visualization of topological parameters and the possibility of display of networks of
different topological types. The cells contain evaluations of the efficiency of perception
of parameters displayed in one way or another. Four estimations are outlined: (1) does
not support: the graphical model does not support this method of visualization;
(2) supports: the graphical model supports this method of visualization, but with
restrictions; (3) good: the graphical model supports this method of visualization;
(4) fine: the graphical model supports this method of visualization, the efficiency of the
perception is high and the user easily analyzes the information.
Table 1. Comparison of the possibilities of graphs, treemaps, matrices, and the proposed model

                                      Graphs            Treemaps          Matrices          The proposed model
Hosts' parameters display
  size                                good              fine              does not support  fine
  color                               good              fine              does not support  fine
  transparency                        supports          good              does not support  good
Display of parameters of links
  size                                good              does not support  does not support  good
  color                               good              does not support  good              good
  transparency                        supports          does not support  supports          good
  shape                               supports          does not support  supports          supports
Possibilities of extension for display in 3D
                                      supports          does not support  supports          supports
Display of topology parameters
  hosts' clustering                   good              good              fine              good
  encapsulation of hosts (nesting)    does not support  fine              does not support  fine
Display of different topological types
  hierarchical                        good              fine              good              fine
  planar                              good              does not support  good              fine
  non-planar                          good              does not support  fine              does not support

Graphs are not restricted in display of size and color of vertices, size and color of
connections, clustering, and can also display any topological types. Graphs have a limit
on the transparency of the elements, as with a transparency of less than 30 % the item
will be hard to read. Graphs can also display hosts and connections by a limited set of
geometric shapes to be visualized in 3D, provided that clustering of the vertices is
done. The only thing that graphs do not support is the display of nesting.
Treemaps do well with display of hosts using the size and color of planes. It is the
use of planes that allows the user to efficiently analyze information. Moreover, treemaps
have no restrictions in the display of hosts with transparency, because even at minimal
transparency the outlines of the plane are kept, and the user cannot miss it, as it would
be in the case of graphs. However, treemaps cannot display the parameters of the links
and cannot be displayed in 3D. But at the same time they do not have restrictions on
clustering of hosts and perfectly display nesting, as it is the basis of the very concept of
the treemaps. However, because of the nesting treemaps allow to display exclusively
hierarchical networks.
Matrices cannot display hosts, but allow visualization using the cells' colors and
their transparency. Matrices cannot operate with cells' sizes. Transparency of the
matrix cells has the same restriction as graphs (at least 30 % transparency), but they
have no restrictions in colors. The cells themselves can also be represented as a limited
set of geometric shapes and can be displayed in 3D. Matrices cannot visualize nesting
of the hosts; however, with the help of links they can efficiently display the network's
clusters, which will be represented in the form of planes (Fig. 1, right part). Matrices can
display without limitations any topological types; however, they are most efficient in
finding clusters in complex non-planar networks.
The proposed graphical model uses the size, color and opacity of the cell for
displaying the parameters of the host, as in treemaps, so their estimations
coincide. To display the links' parameters it uses size, color and transparency of the
edges of cells. Edges are visualized as lines like in graphs, therefore their estimations are
also identical, except for transparency: in the proposed model, even at zero
transparency the contour of the lines is preserved. The proposed graphical model can be
represented in the form of a 3D polyhedron, where the edges will correspond to the cells.
The graphical model also has the capability of clustering, as shown in Fig. 18, and
through the use of planes, inside which one can place similar planes, it supports
nesting. The proposed graphical model also supports the display of hierarchical and
planar networks, but does not support non-planar networks.
Thus, the proposed model can in some cases (for hierarchical and planar network topologies) provide an alternative to graphs, treemaps or matrices, or be used as a supplement to these graphical models within the multiple view concept on which the dashboards of security systems are built.
The development of the presented graphical model continues. At the moment an algorithm for the polymorphism of cells is being developed, in order to be able to change the size and shape of the cells without violating the topology. An algorithm for displaying the proposed graphical model in 3D is also being developed; this can be achieved by projecting the points of the graphical model onto a sphere and then drawing cross-sections of the sphere at the points that correspond to the cells.
Another direction for future research is to analyze the possibility and efficiency of using the proposed graphical model for visualization of processes associated with information security but not with computer networks. Any process that is currently visualized using planar graphs (some examples are given in Sect. 2) can be visualized with the proposed graphical model. Thus, although in the implemented system the proposed model is used to find vulnerabilities, assess risk and show other parameters of a computer network, the scope and possibilities of its application to ensuring information security are much wider.
7 Conclusion
In this paper the analysis of existing visualization methods was performed and a new graphical model based on an analogue of Voronoi diagrams was presented. We demonstrated that the proposed graphical model for visualization of computer networks allows, in some cases, data to be displayed more efficiently than with existing graphical models. The developed visualization system, used to analyze the security of computer networks, was presented, and examples of visual analysis of the computer network state were provided. The proposed model was evaluated for visualizing the security parameters of a computer network, and its efficiency was compared with graphs, matrices and treemaps. Directions of future research based on the proposed graphical model were presented, in particular the development of algorithms for polymorphism and nesting of cells, display in 3D, and use of the proposed model for visual analytics of processes and objects that were previously represented as graphs.
Acknowledgements. This research is being supported by the Ministry of Education and Science of The Russian Federation (contract 14.604.21.0137, unique contract identifier RFMEFI60414X0137) in SPIIRAS.