This is a place to share, discuss, challenge, and learn about security visualization.

FastFlux Networks

The image shows data from several FastFlux domains (blue) and their infected nodes (red).
We can see that several FastFlux domains are in the same network, so the nodes are inside several FastFlux networks associated with several domains.

The data has been collected across several weeks monitoring FastFlux domains entries.

Regards
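The observation above, that several domains sit in the same network because they share infected nodes, can be reproduced from domain-to-IP resolution records. The following is an added example, not the poster's code or data: it builds the domain/node graph from constructed observations (the domain names and IPs are made up) and groups domains into networks wherever a chain of shared resolving IPs connects them.

```python
from collections import defaultdict

# Constructed domain -> resolved-IP observations, standing in for several weeks of
# monitoring of fast-flux domain entries (sample data, not the poster's dataset).
OBSERVATIONS = [
    ("flux-a.example", "198.51.100.10"),
    ("flux-a.example", "198.51.100.11"),
    ("flux-a.example", "203.0.113.5"),
    ("flux-b.example", "198.51.100.11"),
    ("flux-b.example", "203.0.113.9"),
    ("flux-c.example", "192.0.2.40"),
    ("flux-c.example", "192.0.2.41"),
    ("flux-d.example", "203.0.113.9"),
    ("flux-d.example", "192.0.2.77"),
]


def build_bipartite(observations):
    """Adjacency of the domain/node graph: domains (blue) link to the IPs (red) they resolved to."""
    adj = defaultdict(set)
    for domain, ip in observations:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    return adj


def flux_networks(observations):
    """Group domains into networks: two domains belong to the same fast-flux network when a
    chain of shared resolving IPs connects them. Returns (domains, ips) pairs, largest first."""
    adj = build_bipartite(observations)
    seen = set()
    networks = []
    for start in adj:
        if start in seen:
            continue
        # iterative depth-first walk over one connected component of the bipartite graph
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node] - seen)
        domains = sorted(name for kind, name in component if kind == "domain")
        ips = sorted(name for kind, name in component if kind == "ip")
        networks.append((domains, ips))
    networks.sort(key=lambda net: (-len(net[0]), net[0]))
    return networks


def shared_ips(observations):
    """IPs resolved by more than one domain: the nodes that tie several domains together."""
    owners = defaultdict(set)
    for domain, ip in observations:
        owners[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in owners.items() if len(doms) > 1}


if __name__ == "__main__":
    for domains, ips in flux_networks(OBSERVATIONS):
        print(f"network: {len(domains)} domains, {len(ips)} nodes -> {', '.join(domains)}")
    for ip, doms in sorted(shared_ips(OBSERVATIONS).items()):
        print(f"{ip} is shared by {doms}")
```

With the constructed data, flux-a, flux-b and flux-d fall into one network even though a and d never share an IP directly, which is exactly the "nodes inside several FastFlux networks" situation the graph shows.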

Radial Firewall Log (DIP -> Dest Port)

This image shows data from a firewall log. It shows the connections between destination addresses and destination ports.

The script to generate the graph is written in ActionScript (Flare). I hacked the sample Flare file DependencyGraph.as to have it read CSV data instead of some JSON-formatted input. The script is a real hack at this point. If you want a copy, drop me a note. I will gladly share it. Here is the live graph.

Jason, thanks for all your help with the ActionScript stuff!

Radial Firewall Log (SIP -> DIP)

This is an image generated with Flare. The ActionScript parses a CSV file that was generated from a firewall log. It visualizes the connections between the source and destination IP addresses.
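Both radial graphs above (DIP -> destination port, and SIP -> DIP) start from the same step: turning firewall log lines into a weighted edge list in CSV form that the hacked DependencyGraph.as can load. The following is an added example, not the poster's script: it parses constructed iptables-style log lines (the addresses and timestamps are made up) and emits either view as `source,target,count` CSV. The column layout of that CSV is my assumption, since the post does not show the format the ActionScript expects.

```python
import csv
import io
import re
from collections import Counter

# Constructed iptables-style log lines (not real data); only SRC, DST and DPT matter here.
FIREWALL_LOG = """\
Dec 20 10:01:02 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80
Dec 20 10:01:03 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443
Dec 20 10:01:05 fw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80
Dec 20 10:01:09 fw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=192.0.2.22 PROTO=UDP SPT=40002 DPT=53
Dec 20 10:01:11 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=80
a malformed line without the expected fields
"""

# Source IP, destination IP and destination port, in the order iptables prints them.
FIELD_RE = re.compile(r"SRC=(?P<sip>\S+) DST=(?P<dip>\S+) .*?DPT=(?P<dport>\d+)")


def parse_firewall_log(text):
    """Return (sip, dip, dport) for every line carrying the three fields; skip the rest."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            records.append((m["sip"], m["dip"], int(m["dport"])))
    return records


def edge_counts(records, src_index, dst_index):
    """Aggregate records into weighted edges between two columns.
    (0, 1) gives the SIP -> DIP view, (1, 2) the DIP -> destination-port view."""
    return Counter((r[src_index], r[dst_index]) for r in records)


def edges_to_csv(edges):
    """Serialise edges as 'source,target,count' CSV (assumed column layout for the
    CSV-reading DependencyGraph.as, replacing Flare's JSON sample input)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["source", "target", "count"])
    for (source, target), count in sorted(edges.items()):
        writer.writerow([source, target, count])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print("SIP -> DIP\n" + edges_to_csv(edge_counts(recs, 0, 1)))
    print("DIP -> DPT\n" + edges_to_csv(edge_counts(recs, 1, 2)))
```

The count column is what makes the radial view useful: repeated connections between the same pair collapse into one edge whose weight can drive line thickness or colour instead of drawing thousands of overlapping lines.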

25C3 DAVIX Visualization Contest

Are you looking for a little challenge for the days between Christmas and New Year? Yes? Well, then try the 25C3 visualization contest and win a copy of Raffael's book "Applied Security Visualization". For details regarding the task and submission details see the 25C3 DAVIX Visualization Bootcamp page.

New Zenmap adds feature that does topology mapping

Zenmap is a GUI front end for Nmap, the popular network and port scanning tool by Fyodor.

Introduction
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scans can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. A typical Zenmap screen shot is shown in Figure 12.1. See the official Zenmap web page for more screen shots.

New IP visualization tools released as open source by Utah State University

Both of these tools were recently released by Utah State University under the GPL license. You can read more about them by following the links, including sample movies that demonstrate how the tools work. The tools were created by Rian Shelley.

IPVisualizer
IPVisualizer is a visualization in which a range of IP addresses is represented as dots on a screen. The shape, intensity, and color of each dot indicate the direction, count, and type of the traffic, respectively.

OIP
OIP is a visualization in which individual machine IPs are placed randomly on a display, and packets are visualized as different sized dots flowing from one machine to another.

Display Time in Link Graphs

I just wrote a blog entry about some ideas of displaying time in link graphs. This is a problem that has bugged me for a while and I still don't have a good solution. The blog entry outlines some ideas and alternatives. Maybe you have a better way to visualize relationships and time in the same graph?

Housekeeping - Comments to entries

I have made a minor change with regard to letting people post comments on discussion entries. It used to be the case that anyone was able to post comments on the site. Unfortunately that meant that I got spammed quite badly. I realized that I had a huge approval queue for comments. I went through some of them and published them. Sorry if I deleted a comment of yours. Please repost if your comment got lost.

From now on, new comments can only be posted when logged in. Sorry for the inconvenience, but this should help a lot to make discussions more interactive through the comments.

Thanks to everybody who commented on broken links and such. I hope I have fixed everything at this point. As always, if you have any input for the site, please let me know, either by sending me an email or by posting something here. Thx!

Picviz: Let's see uncommon URL (part 2/?)

Today, I would like to look at the URLs that are not common in the previous graph. In this graph, the heatline rendering plugin is used to check, with line coloration, whether an event is regular. On the fourth axis, you can see lines going to the bottom, and the red lines go there. So let's forget about these and filter to only display lines that appear above 50% of this axis.

The filter is between single quotes, just like what you'd do with tcpdump (I actually took their code to handle this ;-) ).

This line was typed to get the graph you can see here:
pcv -Tpngcairo -Rheatline -Avirus access-wallinfire.net.pcv 'show plot > 50% on axis 4' -ra > picviz-uncommonurls.png

If we take a random IP, such as the one we clearly see on the second axis, 213.192.60.19, and google it, we find that this was an infected machine. The URL here tells more about it.

As a conclusion for this graph, you can see that among all those lines of log, with a very empirical approach, we really discovered something. Not a very innovative attack, I admit, but enough to keep searching (I will post ongoing research here, keep following!).

Ah, and by the way Raffy, since you asked to only display the text every few lines, I added the -L option, which takes a number (N) as argument, meaning the text is displayed every N lines.
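To make the mechanics of the post concrete (the 'show plot > 50% on axis 4' filter, the heatline coloration of regular versus rare events, and the -L N labelling), here is an added example that re-implements those three pieces over a small set of constructed access-log records. It is not Picviz's code: the record format, the way string values are placed on an axis (sorted rank, numeric values min-max scaled) and the function names are all my assumptions, and the sample records are made up rather than taken from the .pcv file in the post.

```python
import re
from collections import Counter

# Constructed records with four axes: time, source IP, HTTP status, URL (sample data).
RECORDS = [
    ("08:00:01", "10.0.0.5", "200", "/index.html"),
    ("08:00:07", "10.0.0.9", "200", "/index.html"),
    ("08:00:12", "10.0.0.5", "200", "/images/logo.png"),
    ("08:01:30", "10.0.0.9", "404", "/favicon.ico"),
    ("08:02:44", "192.0.2.77", "200", "/index.html"),
    ("08:03:10", "192.0.2.77", "200", "/zz-odd-path"),
    ("08:03:11", "192.0.2.77", "404", "/zz-odd-path-2"),
]

# Grammar of the one filter form used in the post: show plot <op> <N>% on axis <K>.
FILTER_RE = re.compile(r"show plot\s*(>=|<=|>|<)\s*(\d+(?:\.\d+)?)%\s*on axis\s*(\d+)")
OPS = {
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def axis_positions(records, axis):
    """Map every value on one axis (1-based, as in the filter syntax) to a 0..100 position.
    Numeric axes are min-max scaled; string axes use sorted rank (assumed placement rule)."""
    values = [r[axis - 1] for r in records]
    try:
        nums = [float(v) for v in values]
    except ValueError:
        ordered = sorted(set(values))
        span = max(len(ordered) - 1, 1)
        rank = {v: i for i, v in enumerate(ordered)}
        return [100.0 * rank[v] / span for v in values]
    lo, hi = min(nums), max(nums)
    span = (hi - lo) or 1.0
    return [100.0 * (n - lo) / span for n in nums]


def apply_filter(records, expression):
    """Keep only the lines whose position on the named axis satisfies the comparison."""
    m = FILTER_RE.fullmatch(expression.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expression!r}")
    op, threshold, axis = m.group(1), float(m.group(2)), int(m.group(3))
    if not 1 <= axis <= len(records[0]):
        raise ValueError(f"axis {axis} out of range")
    keep = OPS[op]
    return [r for r, pos in zip(records, axis_positions(records, axis)) if keep(pos, threshold)]


def heatline_scores(records, axis):
    """Heat per line from how common its value on `axis` is: 0.0 = most regular, 1.0 = rarest."""
    counts = Counter(r[axis - 1] for r in records)
    most = max(counts.values())
    if most == 1:
        return [0.0] * len(records)
    return [1.0 - (counts[r[axis - 1]] - 1) / (most - 1) for r in records]


def labels_every(records, n, axis):
    """The -L N behaviour: emit the axis text for every Nth line, an empty label otherwise."""
    if n < 1:
        raise ValueError("N must be at least 1")
    return [r[axis - 1] if i % n == 0 else "" for i, r in enumerate(records)]


if __name__ == "__main__":
    for rec, heat in zip(RECORDS, heatline_scores(RECORDS, 4)):
        print(f"heat={heat:.1f} {rec}")
    for rec in apply_filter(RECORDS, "show plot > 50% on axis 4"):
        print("kept:", rec)
    print(labels_every(RECORDS, 3, 4))
```

Two things are worth seeing in the output: the heat score is a pure frequency measure, so the three lines for /index.html come out fully regular while every URL seen once is maximally hot, and the filter acts on the drawn position rather than the raw value, which is why a threshold such as 50% means the same thing on a numeric axis and on a string axis.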