Graph Exchange

Entropy analysis of RDP sessions

This graph shows the statistical entropy of nine RDP sessions, as observed by net-entropy. There are two notable outliers - at this level of zoom, the black line is the most obvious. This was an RDP session to a server whose encryption level was set to "Low" - the other eight were to servers set to use "Client Compatible" encryption.
A second outlier appears at the beginning of the session (hard to see at this zoom level), and was due to the use of a different RDP client package. Further outliers (not on this graph) were observed when using rdesktop instead of the native Windows RDP client.
A fuller writeup is here.

Most dangerous time on the Australian Internet - Honeynet activity

Shown is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space.
For the full analysis, see my blog http://honeynet.org.au/?q=Most_dangerous_time_on_the_Australian_Internet

ben

SPAM senders

From blog:
http://honeynet.org.au/?q=time_series_geomapping_of_spam

"In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps is that they are the combination of months of data without any respect to time.
So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.
Without further ado, here is a video of about a week's worth of SPAM on the planet Earth......"

Note, I learnt about the logster tool here on the secviz blog first :)
Watch the vid on the blog; here is a snapshot picture.

ben

Equilibrium Networks UI screenshot showing Slammer worm amongst all UDP/ICMP traffic on a gigabit network testbed

Video available at http://www.youtube.com/watch?v=53p0A_3WjgA

Whitepaper describing the UI available at http://www.eqnets.com

Geolocation Map

In the snapshot above, the administrator has created a "Top Peers" statistic based on filtered log entries and decided to view the outcome as a Geolocation Map. You can monitor network traffic with the help of Geolocation Maps in real time too. Here is a video that describes more closely how StoneGate Management Center's Geolocation feature works in practice: http://stoneblog.stonesoft.com/2009/07/smc-videos-geolocations/.

Visualizing OS X Threat Internet Distribution

I have captured a few examples for visualization to show the Internet distribution of OS X threats. This has been discussed here.

Malicious IP

Just one malicious IP address leads you to a variety of threats that maximize the use of it.
I have blogged about this here and here.

A video of botnet IRC joins

Some time ago F-Secure collected a bunch of log data on about 700 000 botnet IRC channel joins. They then asked us to visualize the joins as a time lapse on a world map using geomapping. The results are available here: https://www.clarifiednetworks.com/Blog/2009-01-01%2018-15.

Mapping the Australian honeypot network using circos.

This was done using the circos tool. It is a very useful map style; this one shows some location attributes of malware captured by our nepenthes malware sensors at the Australian Honeynet Project.
For the full story and maps of other attributes, see http://honeynet.org.au/?q=node/42
ben

Firewall Log in a Treemap

This treemap was generated with the Treemap 4.1 tool from University of Maryland. This is a tutorial that I wrote on how to get to the output, step by step.