This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.
Game Engines for Security Visualization

Merry Christmas, first of all ...

I was reading a presentation on using 3D game engines to visualize security data. The idea is to use the game engines from, for example, Doom to visualize security data in a 3D space; the presentation is called Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction.
While I think the idea is really interesting, I am not sure that the approach really solves a problem. 3D game engines are really good for capturing immediate input from players. Games require very quick reactions to objects showing up in a scene. Security data does not normally have this property. It is much more important to make sure that the data is correct and that the context of the event is interpreted the right way.
It would be interesting to hear more from the authors about how they map the security data into the 3D space. It is incredibly important for administrators and security analysts to understand the big picture and have context of events visualized. The presentation does unfortunately not explain how the events are mapped into the space. However, I think that is the most important task. You don't want to distract the user with too many objects in the space while still representing all the context so the analyst can make an informed decision. I would love to see more motivation why a 3D representation is better suited for representing security events than a more traditional 2D approach.
Trying to draw some parallels between games and computer security myself, I was thinking about the progress of an attack. It would be interesting if the attackers could be visualized as the enemies. Then you would visualize the network topology as the "world", the "buildings". Continuing from there you would show how far the attackers progressed into breaking in. The problem with this approach is that you need to be able to assign individual security events to an "attack" (i.e., event fusion).
To summarize, I think the emphasis should be put on how to map the security events into the 3D world and not so much on the interaction.

The Eyes Have It

I was reading this pretty old (1996) essay from Ben Shneiderman with the title: The Eyes Have It.
It's a great overview of what visualization should solve and how it should be applied to data. The core of the paper is the mantra for visual information seeking:

Overview first, zoom and filter, then details on-demand

The paper is a great read for everyone working in the area of information visualization.

Non-Viz - Open Source Log Correlation Tool for IDS

https://trac.prelude-ids.org/wiki/Introduction
What is Prelude

Foreword

Prelude was born from the observation that more and more IDS systems, each with their own specificity, have been made available, but that no framework exists in order to unify information provided by these different systems in order to unify and centralize events.

VAST: AS9121 leakage 2

An image showing the post-AS9121 leakage connectivity. It is very easy to see the leaked route (the larger line) and which ASes that route was propagated to.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

VAST: AS9121 leakage 1

An image showing the pre-AS9121 leakage connectivity.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

VAST: AS core

A view of the interconnections of a few of the core autonomous systems.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

Flamingo: Port scan

The above image shows traffic flows on a small /24 subnet. The source IP address is represented on the left, and the destination IP addresses are on the right. Each square represents one unique host. The lines indicate traffic flows between source and destination IP addresses. The fan-out from left to right indicates a network scan, which created flows from a single source host attempting to connect to a large number of hosts in the destination subnet.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Dabber worm

This image represents a 10 second snapshot of traffic as seen at a busy Internet router. The image shows an interesting traffic pattern that shows a lot of flows destined towards a single large IP address prefix on 3 specific destination ports.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Zotob worm 2

Same dataset as the Zotob worm 1 image but from an overhead view, showing the fan-out of destination hosts.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Zotob worm 1

This series of images shows flows originating from a single source IP address going to different destination IP addresses on destination port 445. The traffic indicates suspicious traffic, related to the Zotob series of worms. The figures show flows over a 60 second period.

For more on Flamingo, see http://flamingo.merit.edu.
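The fan-out that the port scan and Zotob images draw from one source square, and the fan-in the Dabber image shows towards one prefix, can also be computed directly from flow records. The following is an added example, not Flamingo code; the flow records, addresses, window lengths and the three Dabber-like ports are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records, not Flamingo data: (timestamp_s, src, dst, dport)
FLOWS = []
# one host touching 40 addresses in 10.0.1.0/24 on port 445 within 60 s (Zotob-like fan-out)
for i in range(1, 41):
    FLOWS.append((float(i), "192.0.2.10", f"10.0.1.{i}", 445))
# an ordinary client: a few flows to two servers
FLOWS += [(5.0, "192.0.2.20", "10.0.1.5", 80), (6.0, "192.0.2.20", "10.0.1.5", 443),
          (7.0, "192.0.2.20", "10.0.1.6", 80)]
# many sources converging on one prefix on three ports (Dabber-like fan-in); ports are made up
for i in range(1, 31):
    FLOWS.append((float(i % 10), f"198.51.100.{i}", f"10.0.2.{i}", [1111, 2222, 3333][i % 3]))


def fan_out(flows, start, window_s):
    """Distinct destination hosts per (source, dport) for flows with start <= ts < start+window_s.
    This is the left-to-right fan-out the Flamingo images draw as lines from one square."""
    out = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        if start <= ts < start + window_s:
            out[src][dport].add(dst)
    return out


def flag_scanners(fan, threshold):
    """Sources that reached at least `threshold` distinct hosts on a single port: {src: (dport, n)}."""
    hits = {}
    for src, ports in fan.items():
        dport, dsts = max(ports.items(), key=lambda kv: len(kv[1]))
        if len(dsts) >= threshold:
            hits[src] = (dport, len(dsts))
    return hits


def fan_in(flows, start, window_s, prefix):
    """Dabber-style view: how many distinct sources hit one prefix in the window, and on which ports."""
    net = ip_network(prefix)
    srcs, ports = set(), set()
    for ts, src, dst, dport in flows:
        if start <= ts < start + window_s and ip_address(dst) in net:
            srcs.add(src)
            ports.add(dport)
    return len(srcs), sorted(ports)


if __name__ == "__main__":
    print(flag_scanners(fan_out(FLOWS, 0.0, 60.0), threshold=20))  # the 445 scanner only
    print(fan_in(FLOWS, 0.0, 10.0, "10.0.2.0/24"))                  # 30 sources, 3 ports
```

The threshold is the same judgement the picture invites: a handful of lines from one square is normal, dozens to one port is a scan.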