Discussions

This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz Mailinglist!

Discussion Entries

warning: Creating default object from empty value in /usr/www/users/zrlram/secviz/modules/taxonomy/taxonomy.module on line 1387.

AfterGlow Cloud: Initial release

With the marking of the mid-term milestone in GSoC 2012, we're happy to announce a first version release of AfterGlow Cloud. After a lot of discussions and review the project seems to be in a good position for an initial release. The project in essential is based on AfterGlow [1], a security visualization tool which facilitates generating visual graphs from data you upload. The tool described at [1] is originally command-line based, the aim of this project, in general is to bring this tool and its options to the cloud -- so as to provide a neat interface for on-the-fly visualizations.

Live demos of the project are currently available at:

This release covers all the basic features discussed and agreed upon initially [2]. You can upload any comma-seperated file (only CSV files) as your log source to visualize it. The current version doesn't cover parsers for exporting logs from different sources (example tcpdump) into CSV -- but this is a future addition, likely in the next release. To have a feel of what the application is capable of, you can try uploading the sample "firewall.csv" file (in the attachments). This sample file contains some rules (pass, block) over different source and destination nodes. Getting any sense of what's exactly going on is difficult by merely inspecting the CSV file -- this is where AfterGlow is needed.

Labels "Settings" and "Advanced Settings" cover some rendering settings you might want to choose or override for better customization. For example, "Print Node Count" would append the number of times each source/destination node occurs in the log file provided -- this gives a sense of the frequency of the nodes. Similarly, "Text Label Colour" provides the option to override the default black colour of text on the graph (You can hover over the "?" next to any input for a description of what they exactly mean).

Configurations are used to further scrutinize the rendering of the graph, for example you might want to colour a set of source/destination nodes "red" if their IP is '68.xx.xx.xx'. Each of these configuration lines bring about several layers of visualization. For example, you'd probably want the 'size' of the node on the graph to be proportionate to the frequency they appear throughout the log (configuration under 'Node Sizes' - 'Predefined - Number of Occurrences'). You can remove or change the ordering (ordering of configurations matter) once a line is added. A detailed guide to the different configuration options available, would be added later.

A sample configuration file is added as an attachment (sample.properties). If you'd like to try this out with the sample "firewall.csv" data file, you could choose "Manual" under the configurations and paste the contents of the file (instead of manually feeding in every line). The application also provides the feature of "saving" your settings. All changes you make in "settings" and "advanced settings" pane are stored as a cookie (for four days) if the save feature is checked. AfterGlow populates your settings every time you visit the application with an active cookie.

Here's how a rendered graph looks like:

Original CSV data:

Graph rendered by AfterGlow on the above data:

The source for the entire projects rests at the GitHub repository. If you choose to run your own local install of the project, detailed instructions are provided in the README. The instructions and requirements listed in the README cater to Ubuntu and run Django's development runserver module (instructions for a production like environment -- Apache would be added later).

With this release, we've started to list out the possible features and additions that can be brought on to the next version of AfterGlow cloud (API, adding parsers to convert data from tcpdump etc to CSV files, among others). There's still a lot to be covered and added so please let us know if you'd like to suggest new features on the project, report a bug or any general comments (a feedback form would soon be added to the current demos)!

Links:

[1] http://afterglow.sourceforge.net/
[2] https://www.honeynet.org/gsoc/slot6

pixlcloud is assembling its founding team

We are a big data analytics company, building the next generation visualization tools for enterprises to help them understand their data for cyber security, fraud, supply chain optimization, etc.

Find out more

Are you into big data? Are you frustrated that you can't make those huge amounts of data actionable? Want to be part of the founding team of an innovative and fun enterprise company? We are building the next generation data visualization application for big data. We are making enterprise data analytics accessible to the analysts through a fun and beautiful experience. We are leveraging the power of visualization to let analysts without data mining backgrounds explore and understand their data.

We are currently working with some of the world's largest corporations to help them protect and understand their cyber security data.

These are the types of people we are looking for:

  • Backend / big data ninja
  • Front end samurai
  • UX/UI maven

Apply Now!

VAST Challenge 2012 - There's still time to enter

This year’s VAST Challenge focuses on visual analytics applications for both large scale situation analysis and cyber security. There are two mini-challenges to test your visual analytics applications and your analytical skills.

In mini-challenge 1, (the imaginary) BankWorld's largest financial institution, the (fictitious) Bank of Money needs your best situation awareness visualizations to understand the health of its global corporate network. How do you visualize status data for a network containing nearly a million computers in a way that you can perceive network health and identify problems?

In mini-challenge 2, unusual events are occurring in one of the Bank of Money's regional offices. Some of them may very well wreak havoc across the institution if they turn out to be malicious. What are these unusual events? And if you were in charge of computer security, what actions should be taken to safeguard the network and quite possibly save the Bank of Money from disaster? (Participants from last year's VAST challenge may find their firewall and IDS log analysis tools useful for this challenge as well.)

We encourage participation by individuals and teams in industry and academia. Creative approaches to visual analytics are encouraged.

Please visit http://www.vacommunity.org/vastchallenge2012 to download datasets and instructions. For more information, please contact vast_challenge@visweek.org.

The submission deadline is July 9, 2012.

We look forward to seeing your creative solutions!

Visual Analytics – Delivering Actionable Security Intelligence

At the end of August, I will be teaching a visualization workshop in Iceland. The workshop is part of the Nordic Security Conferene.
The workshop has gotten quite a face lift. The visualization module was updated a lot to include more on graphs and visuals, as well as a little bit more on visualization theory that is immediately applicable to your every day security visualizations. I am introducing many more visualization tools in a hands-on fashion and I am, for the first time, going to teach a module on big data: Hadoop, Riak, Mongo, Flume, etc. What do they have to do with security intelligence and security monitoring? Come and explore the topic with me!

Sign up today!

3D Visualization of Attack and Exploit Paths

I recently posted some new video’s to Tenable’s Youtube channel about how to visualize network attack and exploit paths in 3D. The videos are located on this playlist. They make use of data from Tenable’s Nessus and the Passive Vulnerability Scanner products to identify exploitable internet facing systems, exploitable internet browsing clients and exploitable clients that are trusted by servers. There is also a blog post and white paper on this sort of 3D analysis on the Tenable blog.

youtube-3d-attatck-path-visualization.PNG

VizSec 2012

VizSec 2012 will be held in mid-October as part of VisWeek in Seattle. When we know the exact date, we will update the web site. Papers are due July 1.

The International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization techniques. Co-located this year with VisWeek, the 9th VizSec will provide new opportunities for the usability and visualization communities to collaborate and share insights on a broad range of security-related topics. Accepted papers will appear in the ACM Digital Library as part of the ACM International Conference Proceedings Series.

Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable.

More information is on the web site:

http://www.ornl.gov/sci/vizsec/

IEEE Network special issue on Network Visualization - Updated deadline

IEEE Network Magazine, Special Issue on Computer Network Visualization has an Extended Deadline, now May 1, 2012

Visualizing Packet Captures For Fun and Profit

I wrote a small blog post about AfterGlow and how to visualize packet captures. It gives a few examples on how packet captures can be visualized as link graphs.

I then followed up with a post on Advanced Network Graph Visualization with AfterGlow. In this post I show how you can use some extended capabilities of AfterGlow to read configuration parameters from variables and files in order to influence your network graph's colors, clustering, etc.

Curious to hear your feedback!

CFP: IEEE Network, Special Issue on Computer Network Visualization

Call for Papers

IEEE Network Magazine
http://dl.comsoc.org/livepubs/ni/

Special Issue on Computer Network Visualization, Nov./Dec. 2012 issue

Background

Computer networks are dynamic, growing, and continually evolving. As complexity grows, it becomes harder to effectively communicate to human decision-makers the results of methods and metrics for monitoring networks, classifying traffic, and identifying malicious or abnormal events. Network administrators and security analysts require tools that help them understand, reason about, and make decisions about the information their analytic systems produce. To this end, information visualization and visual analytics hold great promise for making the information accessible, usable, and actionable by taking advantage of the human perceptual abilities. Information visualization techniques help network administrators and security analysts to quickly recognize patterns and anomalies; visually integrate heterogeneous data sources; and provide context for critical events.

Scope

This special issue seeks original articles examining the state of the art, open issues, research results, evaluations of visualization and visual analytic tools, and future research directions in computer network visualization and visual analytics. All submissions should be written to be understandable and appealing to a general audience. Research papers should contain a substantial amount of tutorial content and minimal mathematics. Topics of interest include, but are not limited to:

* Uses of visualization for network status monitoring and situational awareness
* Visualization methods employed in the classification of network traffic and its analysis
* Visualization methods enhancing network intrusion detection and anomaly detection
* Visualization methods for the analysis of network threats (e.g. botnets)
* Visualization methods for the analysis of network routing
* Methods for integrating analytics and visualization together for network analysis tasks
* Methods for visually integrating heterogeneous data sources to support network analysis tasks
* Case studies of open source visualization tools in network analysis tasks
* Evaluations of network visualization tools in situ

Manuscript Submission

Articles should be written in a style comprehensible and appealing to readers outside the speciality of the article. Authors must follow the IEEE Network Magazine guidelines regarding the manuscript and its format. For details, please refer to the "Guidelines for manuscripts" at the IEEE Network Magazine web site at http://dl.comsoc.org/livepubs/ni/info/authors.html. Submitted papers must be original work and must not be under consideration for publication in other venues. Authors should submit their manuscripts in PDF through ScholarOne for IEEE Network Magazine. Choose this special issue from the drop down menu on the submission page. Authors uncertain about the relevance of their paper to this special issue should inquire with the guest editors before submission.

Schedule
Submissions: April 1, 2012
Author notifications: July 1, 2012
Final papers: September 1, 2012
Publication: November 2012

Guest Editors

John Goodall
Oak Ridge National Lab
jgoodall@ornl.gov

John Gerth
Stanford University
gerth@graphics.stanford.edu

Florian Mansmann
University of Konstanz
Florian.Mansmann@uni-konstanz.de

Old Security Visualization Presentations

I just uploaded a number of my old presentations, mainly on security visualization, to slideshare. The link below leads you right to them:

Security Visualization Presentations

There are presentations from a number of conferences:

  • FIT 2008
  • SUMIT 2008
  • VizSec 2008
  • HITB 2008
  • First 2007
  • DefCon 2005

And then there are still the newer presentations that have been there for a while now.