Add Post   Gallery
This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.



Flamingo: Zotob worm 1

Flamingo: Zotob worm 1

This series of images shows flows originating from a single source IP address going to different destination IP addresses on destination port 445. The traffic indicates suspicious traffic, related with the Zotob series of worms. The figures show flows over a 60 second period.

For more on Flamingo, see

Nachi Worm traffic against Honeynet

Nachi Worm traffic against Honeynet

This graph was generated with psad ( running in --CSV mode against the iptables logfile that is distributed as a part of the Scan34 Honeynet challenge (see The graph shows 92-byte ICMP type 8 packets directed against the Honeynet subnet These packets are most likely associated with the Nachi worm (see Here is the specific command used to add the 92-byte search criteria:

# psad --CSV -m iptablessyslog --CSV-fields "src dst ip_len:92" --CSV-max 300 \
--CSV-regex "PROTO=ICMP.*TYPE=8" | perl -c |neato -Tgif -o nachi_worm.gif

Outbound traffic from Honeynet

Outbound traffic from Honeynet

This graph was generated by using psad in --CSV mode against the Honeynet Scan34 challenge iptables logfile (see This shows outbound traffic from the Honeynet subnet, and clearly shown are suspicious connections from the host to external SSH and IRC servers; these are good indications that the system has been compromised.

NEXThink - Visualizing Endpoint Activity

NEXThink is a small Swiss startup which sells a solution in the security/visualization space. They are deploying an agent on the endpoints (machines) and record network activity from them (at least that's whay I understood). The network activity is then visualized with parallel coordinates and starfields.
I was reading a paper about some of the visualization approaches they are taking. To summarize a couple of interesting points from the paper:

  • In order to visualize a huge amount of connections, they are using hierarchies for the attributes to summarize them. You can on demand expand those. The collapsing and expanding of the attributes is done automatically based on the number of lines on the screen. I thought this is a pretty interesting idea.
  • To visualize activity from hosts, one of the methods they are using is parallel coordinates with user, application, source host, target host, and target port in the graph. They omit time as it would clutter the graph. I wonder whether they have the capability to show time anyways and aggregate by hour, day, etc. That would be interesting.
  • To visualize activity with regrads to time, they are using starfields. I have heard other names for this type of visualization. Advizor calls them time-series, which is a bad term in my opinion as it alludes to a type of data.
  • What I was a bit confused about was the use of the term alarm in the paper. I am not sure if the author just meant to talk about the connections or there is some kind of a sub-system that actually generates alarms. I guess the latter because he mentions anomaly detection very briefly. I would be interested to read more about that.

The next thing I hope to see from them is that they post some graphs here!


I just heard about Swivel, a new data analysis Web site which will be launched later this week. This article talks about some of the features available. I am curious to try it out and see what they will do with my security data.

SecViz RSS Feed

I guess the RSS feed for the content on this page was an omission when I built the site. Here it is. Or alternatively on the left, under Syndicate. Enjoy.

No more Blog

I realized that having a blog and a discussion page is somehow confusing. That's why I moved the blog into the Discussion board. Sorry for the two comments that I had to move and are now posted under my name. I put the author in the first line of the comment though.

I am going to change some more things on the page. Mainly in terms of accessibility and usability of the individual resources. I hope overall the page will get easier to use.

The market is not ready for security data visualization!

Maybe that's a bit provocative and maybe I am wrong, but let me tell you why I think that the market is not yet ready for security data visualization. If you look at the visualization space, where business intelligence (BI) and other similar technologies reside, you will find that visualization is used in areas where the underlying data is very well understood. For example for sales and marketing data. It is very simple to explain to someone what sales data is all about. People can relate to those pieces of information. They understand it.
Computer security logs are not well understood at all! How do you expect people to understand visualization of security data if nobody really understands the underlying data? What are the best ways to visualize all this data if you cannot even understand the individual textual entries?
What we have to do (and if I say 'we', I mean you guys reading this blog, you guys inerested in this topic), is to go about the problem of log analysis and visualization on a use-case by use-case basis. We cannot solve all the problems at once. Let's be very specific and show for one type of log file, one type of log entries, how they can be visualized and how that helps the user.
I would claim that the companies which have tried to play in the security visualization space have not had much success because they tried (and probably still try) to address the entire problem at once: Visualizing log files. Again, let's go use-case by use-case. Submit them here so people can learn from you and you can learn from others!

Combination of heatmap and sparklines

Combination of heatmap and sparklines

This graph combines a heatmap with sparklines showing the utilization of an Unix node over a year. The heatmap reflect the average values within each day, while the sparklines show the intraday trend. While not directly security-oriented, the same combination can be used to show event trends over a large period of time, for example logon events. Can easily be combined with drilldown-functionality for each day or month.

Larger resolution images?

Very cool idea here with this site. Unfortunately I can't see the data in any of the graphs thus far submitted because they are too low resolution. They look cool, and possibly useful -- I'd love to look into them more closely.

Any chance of (much) higher resolution images??