Add Post   Gallery
This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.

 


 

Interactive Browsing - Trying to add Interaction

I am a "Media System Design" student while working at the IT Security Department and I've been impressed by the idea of presenting Logfiles in a graphical way to determine the relevant information at first glance.
Because of that, my thesis, which starts in Feb 2007, deals with that issue and is focused on a interactive manner browsing(!) the graphical map. As a "Media System Design" Student, Data Visualization is a very interesting issue and matches perfectly to the content of our studies.
Well, I am a hard-working student and so I've already read some books of Edward Tufte, did some research with colleagues and designed some studies about the so called "Visual Logfile Browsing".

The description of my project is:
"Nazar is a Visual Logfile Browser. It is designed as a Multipurpose-Application to present Logfile Content in a new-fashioned browsing manner provided by the Nazar-Flash-GUI. Instead of just reading Logfiles, you're able to browse them graphically and determine the relevant information at first glance."

"Browsing" means that you’re able to zoom in or out, move or delete nodes, switch the view by selecting another information level, watch the scene by shifting through the seconds of an event (not implemented yet), determine more information by moving the mouse over an element and so on.

http://www.nazar-gui.de.vu

The project is in development, so I have to admit, that most of the functions aren't implemented yet. But - I hope that I'll be able to present you a working version this year. Up to now, the scalability is one main problem. I haven't tested it with a huge data set, because 'Threading' isn't implemented yet and would certainly cause it to hang up reading a big amount of data. So - please - see it as a design study and nothing more.
Most of the text on my website is written in English. The upcoming "demo videos" are spoken in German. Nazar runs on Windows Systems, and requires Perl (Active Perl) to provide the parsing function.

Every hint and advice is welcome.

Game Engines for Security Visualization

Merry Christmas, firts of all ...

I was reading a presentation on using 3D game engines to visualize security data. The idea is to use the game engines from, for example Doom, to visualize security data in a 3D space, called Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction.
While I think the idea is really interesting, I am not sure that the approach really solves a problem. 3D game engines are really good for capturing immediate input from players. Games require very quick reactions to objects showing up in a scene. Security data does not normally have this property. It is much more important to make sure that the data is correct and that the context of the event is interpreted the right way.
It would be interesting to hear more from the authors about how they map the security data into the 3D space. It is incredibly important for administrators and security analysts to understand the big picture and have context of events visualized. The presentation does unfortunately not explain how the events are mapped into the space. However, I think that is the most important task. You don't want to distract the user with too many objects in the space while still representing all the context so the analyst can make an informed decision. I would love to see more motivation why a 3D representation is better suited for representing security events than a more traditional 2D approach
Trying to draw some parallels between games and computer security myself, I was thinking about the progress of an attack. It would be interesting if the attackers could be visualized as the enemies. Then you would visualize the network topology as the "world", the "buildings". Continuing from there you would show how far the attackers progressed into breaking in. The problem with this approach is that you need to be able to assign individual security events to an "attack" (i.g., event fusion).
To summarize, I think the emphasize should be put on how to map the security events into the 3D world and not so much on the interaction.

The Eyes Have It

I was reading this pretty old (1996) essay from Ben Schneiderman with the title: The Eyes Have It.
It's a great overview of what visualization should solve and how it should be applied to data. The core of the paper is the mantra for visual information seeking:

Overview first, zoom and filter, then details on-demand

The paper is a great read for everyone working in the area of information visualization.

Non-Viz - Open Source Log Correlation Tool for IDS

https://trac.prelude-ids.org/wiki/Introduction
What is Prelude

Foreword

Prelude was born from the observation that more and more IDS systems each with their own specificity have been made available, but that no framework exists in order to unify information provided by these different systems in order to unify and centralize events.

VAST: AS9121 leakage 2

VAST: AS9121 leakage 2

An image showing the post-AS9121 leakage connectivity. It is very easy to see the leaked route (the larger line) and which ASes that route was propagated to.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

VAST: AS9121 leakage 1

VAST: AS9121 leakage 1

An image showing the pre-AS9121 leakage connectivity.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

VAST: AS core

VAST: AS core

A view of the interconnections of a few of the core autonomous systems.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

Flamingo: Port scan

Flamingo: Port scan

The above image shows traffic flows on a small /24 subnet. The source IP address is represented on the left, and the destination IP addresses are on the right. Each square represents one unique host. The lines indicate traffic flows between source and destination IP addresses. The fan-out from left to right indicates a network scan, which created a flows from a single source host attempting to connect to a large number of hosts in the destination subnet.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Dabber worm

Flamingo: Dabber worm

This image represents a 10 second snapshot of traffic as seen at a busy Internet router. The image shows an interesting traffic pattern that shows a lot of flows destined towards a single large IP address prefix on 3 specific destination ports.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Zotob worm 2

Flamingo: Zotob worm 2

Same dataset as the Zotob worm 1 image but from an overhead view, showing the fan-out of destination hosts.

For more on Flamingo, see http://flamingo.merit.edu.