This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz Mailinglist!

Discussion Entries

Free Conference Pass to FOSE

FOSE is a conference focused around Technology Solutions for the Business of Government. The FOSE conference donated a free conference pass for the secviz readers. In order to get the pass, tweet the following:

@secviz is raffling off a ticket to the FOSE conference, which is taking part March 23-25, 2010. Retweet to be part of the raffle. See http://secviz.org for details. #FOSETix

UPDATE: We have a winner: @fifth_sentinel ! Congrats!

The winner will be the tweeter that tweeted exactly at the position in the middle of all tweets. So, if there were 20 tweets, the 10th tweeter (we'll round down for odd numbers).

Here is a word from the sponsor:

Explore targeted technology areas, educational theaters, and thousands of cutting edge products. Plus, network with a wealth of industry experts.

You are well aware of the challenges we as a CyberSecurity community face from rapid changes in the technology landscape. FOSE 2010 is the place to discover opportunities and solutions along with changing expectations for government IT professionals.

Register today for the FOSE 2010 experience http://www.fose.com.

You can expect:

- 3 days of IT resources helping you navigate today's shifting tech landscape
- 2 full conference days packed with education on emerging technologies, trends, and new improvements to existing solutions
- Thousands of products on the FREE* EXPO floor allowing you to gain one-on-one insight into the capabilities of our exhibitors through demos, theater presentations and FREE Education.
- Attend the Accenture CyberSecurity Pavilion or Focus on Digital Forensics.

*FOSE is a must-attend free show for government, military, and government contractors.

SOI 2.1 Cisco IPS view

I've tried to add a new visualization for the Cisco part of the upcoming (very very soon) 2.1 release of SOI. Tell me what you think, I'm still tweaking it so this is a rough view... I'll still keep the map, timeline matrix etc. for the PIX but just wanted to add a different view for it... (oh and the colors will be more "pastel"... :) )


VizSec 2010 - International Symposium on Visualization for Cyber Security

International Symposium on Visualization for Cyber Security (VizSec)
14 Sept 2010
Ottawa Canada
Co-Located with the Internat’l Symposium on Recent Advances in Intrusion Detection

The International Symposium on Visualization for Cyber Security (VizSec) brings together researchers and practitioners in information visualization to provide opportunities for the two communities to collaborate and share insights about meeting security needs through visualization approaches.
VizSec 2010 will be held on September 14th in Ottawa, Canada and is co-located with the 11th International Symposium on Recent Advances in Intrusion Detection (RAID). This year our focus is on understanding what makes effective visual interfaces for different cyber security tasks.

Papers offering novel contributions in security visualization are solicited. Papers may present techniques, applications, practical experience, theory, or experiments and evaluations. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application.

Information regarding submission dates will be available on the website.


Hi, I'm an apprentice to SecViz technology.
I used AfterGlow to do some visualizing. I need to know how to do aggregation in that. Though I used the coding in Raffy's book, I couldn't make it. I am using DAVIX and its sample.properties file. The code that I have used was

color=”yellow” if (field() =~ /ˆ111\.222\..*/);
color.event=”green” if ($fields[1]<1024)
if ($fields[1] eq "80")

Is this OK? I don't get a different output. Please let me know where I have gone wrong...


Treemaps for Windows firewall log

Does anyone have a parser for using Windows firewall logs with Treemap???

Augmented Reality - The next step in security Visualization

We've been playing around with augmented reality for a time now; the technology seems to be at a tipping point with iPhone (not just the overlay - not truly AR, but they do have true AR apps), Android and other forms of capture and processing. To me this is the future of security visualization. I know it is a bold statement to make, but when you start to develop and delve deeper the possibilities are endless. If you look at my site you will see the direction of our research ( http://www.manntechcomputersinc.com/Researching_Now.html ). I'm going to release a video asap of where we are with our AR. I think the subject of security AR is too important to completely commercialize. With that respect, any "breakthroughs" that we are having will be made open source. If some of you are new to the AR scene, there is a good open source tool called ARToolKit. Google it and you will see it doesn't take an hour to start playing and testing with AR. For those of you interested, please drop me a line at darrenmanners@manntechcomputersinc.com.

Augmented Reality

Windows login logging on the cheap

This tool walks the line of being a parser but it is a pretty handy way of converting Windows logins to something useful to graph. Put this in your login scripts and point it at your syslog infrastructure and you get all the gory details about Windows logins: who is logging into what system and the IP/NETBIOSNAME/MAC of the system, in a single log line.


Sphere of Influence 2.1 - upcoming release

I'm just about to launch the 2.1 version of Sphere Of Influence. I have added a summary page. Here I took a typical 800x600 window and made each pixel represent approx. 164 ports. I wanted to visualize the entire port spectrum so that an analyst can drill down on spotted patterns. I have included a screenshot of the new window... in this shot you can see some peer to peer activity at work. The new version will also have an "hourly wrap up" summary which is pretty extensive in its details; also, I added a world map for Snort. It should be launched in the next few weeks. Remember this is free for state, federal and educational establishments (worldwide)... companies have to pay, but for $89 I think you get a bargain. I'm also working on a very cool project for VoIP systems... stay tuned

Happy Hunting


Note: I have a new video out on YouTube (http://www.youtube.com/watch?v=ekOXjrF9enI) where you can see the new visuals... release is very soon!!! (and we added the Cisco IPS into the mix as well)

Summary Window

Symantec A/V log parser

I was culling through the logs on one of my systems the other day and realized that I was getting a fair amount of alerts from my Symantec A/V servers. At first, I was not interested in what malware was being detected and cleaned but it got me thinking about what interesting patterns existed. I suspected that the majority of malware infections were caused by a minority of users as most malware these days requires some user action. To test this theory I wrote a simple parser to convert the logs to something that I could push into a visualizer and started looking for interesting patterns.

Here is a histogram and a heatmap of several months of data.

A/V Malware detect heat map

Picviz GUI 0.7 is out!

As announced on the Picviz mailing list, the new GUI is out. This is not a new release of the engine (libpicviz) but the GUI.

There are a lot of new features that came from the Google Summer of Code, since Picviz was a project proposed by the Honeynet Project. It is mostly about the interaction that a graphical interface can give you to deal with parallel coordinates.

You can download it there: http://www.wallinfire.net/files/picviz

Picviz GUI 0.7