Add Post   Gallery
This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.

 


 

VizSEC 2007 Workshop on Visualization for Computer Security

VizSEC 2007 Workshop on Visualization for Computer Security
To be held between October 28 and November 1, 2007 in Sacramento, CA
http://vizsec.org/workshop2007/

The VizSEC 2007 Workshop on Visualization for Computer Security will provide a forum for new research in visualization for computer security. Building on the success of the previous three VizSEC workshops, we will again be meeting in conjunction with the IEEE Vis and InfoVis Conferences. The workshop will be held in Sacramento, CA USA between October 28 and November 1, 2007. The exact date of the workshop is still to be determined by the Conference committee; please check the web site for further details.

Reasearchers and practitioners from academia and industry are encouraged to submit papers and attend the event. We are looking for diversity and are particularly hoping that practitioners who have experience designing and using visualization in the field will consider joining us. Please see the web site for further details: http://vizsec.org/workshop2007/

Open ports for a bunch of servers

Open ports for a bunch of servers

This is a first attempt at visualizating open ports detected by nmap in around 60 servers.
I've used Freshcookies-Treemap and custom scripts.
Ports are all TCP.

SSH as seen by Argus

SSH as seen by Argus

A directed graph of intranet SSH sessions as recorded by Argus, graphed using the "two node mode" of afterglow. Data collected with Argus V3.0 from multiple Cisco Netflow sources, graph generated using AfterGlow v1.5.7 and Neato v1.16, all running on OpenBSD.

The latest version of Argus can directly output CSV, so argus2csv is no longer needed. This particular graph was generated by the following:
racluster -r argus.cap -m saddr daddr dport -c, -s saddr daddr - 'tcp and dst port 22' | kevin-anonymize.pl | afterglow.pl -t -e 2 -c test.properties | neato -Tgif -o tcp22argus.gif

This directed graph reminds me of the social network you might see in a suburban high school, and revealed to us some interesting things, including the existence of a new network monitoring tool quietly installed by a rogue internal unix admin team... us and them, we're having a "come to Jesus" meeting tomorrow ;)

Cyber Security Research Soliciation for Visualization

The DHS just released a solicitation for various security-related research projects among them TTA 4 - Network Data Visualization for Information Assurance. I am very pleased that the DHS puts visualization as one of their nine main concerns.
I am somewhat concerned with the solicitation however. They mention SiLK as one of the tool sets which the US-CERT uses a lot. And they would like to see visualization tools enhacing that suite. I am not sure that's the right thing to do. I think we need tools which do not just look at traffic flow information, but at all kinds of different data sources!
I am very curious what type of tools and solutions will be submitted for this and would love to see some advances and new approaches. Anyone going to submit?

Benefits of Visualization

So what are the benefits of visualization over other techniques? My favorite answer is this:

  • "Visualization not only helps you answer questions that you have, but it elicits questions that you did not even think of before. So for some things you can come up with algorithms to solve your problems, but for others, you don't even know your problem upfront!"

There are many more benefits to visualization. Here are just a few:

  • The bandwidth of data you can transfer in a picture is much bigger than having a human look at log files or textual data.

  • Relationships become very apparent. Sometimes they are completely hidden without visualization.

  • Interactive visualizations benefit from dynamic queries which are an incredible tool to explore data.

  • Visualization inspires. You look at a picture or a graph and suddenly you realize what is really going on.

  • It's a great tool to communicate information in a very compact and often easy to understand way.

  • It definitely reduces analysis and response times. Sifting through thousands of line of logs is definitely slower than looking at a few graphs of the same data.

I am curious what other's think. Let's add to the list!

NSF - Science and Engineering Visualization Challenge

The National Science Foundation (NSF) has a challenge for science and engineering visualizations published. I am not sure if I have some visualizations that would qualify for the challenge. But maybe some of you have security data that could make the bar. I think it would be great to draw attention to visualization in the security space. So if you have something. Submit it!

Iptables config

Iptables config

This graph shows the IPTables output graphically.
Blue is for UDP and Yellow for TCP.

Generated by Ruined (http://ruined.sf.net)

Spider attack on a web server

Spider attack on a web server

The red pillar in the image shows the barrage of HTTP requests over the whole content space (Z axis, vertical) from a single IP address (Y axis, horizontal). The red color is due to 5xx status code of the response. My article
A New, Improved Visualization for Web Server Logs
has more details. Raju Varghese (raju -at- intellisoft.ch).

Problems with Visualization?

On his blog, Anton started an entry about logging and gets into the topic of too many logs. I was suggesting visualization to analyze the vast amounts of logs in order to get a better handle/understanding of them. Anton countered with this:

Is this really the place to start a visualization fight? :-)

You know what my issue with visualization are:
- tools need really skilled analysts
- often the resulting picture is no more insightful than the original
 log pile
- I kinda prefer an analytic system which is smart to a visualization 
system which is... not so smart.

Let's move this discussion to secviz :-)
Here ya go. To answer Anton's objections:
  • You need skilled analysts to read log file in the first place! So no excuse. I would even argue that visualization makes it easier on the analyst! I agree that we need better tools nevertheless!
  • I agree, _sometimes_ the pictures are not more insightful. But in general they are. I think what is missing are good guidelines on what graphs help with what situations. I am working on that.
  • Visualization has the benefit that it not only helps you answer questions that you have, but it elicits questions that you did not even think of before. So for some things you can come up with algorithms to solve your problems, but for others, you don't even know your problem upfront!
  • I am curious to hear what others think.

    Graph Visualization Survey

    Another excellent paper or in this case a survey. The authors do a great job of surveying the space of structured data visualization. They explain very well what graph layouting is, what the different algorithms are, where the problems are hidden, what the solutions are, how interaction plays into all of this, and also discuss three-dimensional views and what their benefit is. Awesome survey, really worth reading if you are interested in graph layouts.