User Behavior in a HeatMap

User Behavior in a HeatMap

A visualization of user-behavior over time. Color is used to indicate the intensity of the activity.

Host Traffic Visualization

Host Traffic Visualization

This image shows network traffic to and from a single host in a smaller network. The visualization uses HTML (SVG) and D3 to render the SVG. It's fully interactive so that explorations become possible.
A single selection is visible here. The non selected links and nodes fade out and the selected connections are detailed out in the text box.

Evaluating Security Visualizations in Supporting Analytical Reasoning & Decision Making in Cybersecurity

In conjunction with the 2013 IEEE International Conferences on Intelligence and Security Informatics (ISI), we present a special topics workshop on:

Evaluating Security Visualizations in Supporting Analytical Reasoning & Decision Making in Cybersecurity

Workshop Description
As the potential for visualizations in cybersecurity analysis becomes exceedingly more apparent, efforts to evaluate these visualizations become more imperative than ever to supporting the cybersecurity mission. As technology and big data continue to grow rampantly so does the deployment of insufficiently evaluated cybersecurity visualizations that claim to be most aligned with how analysts think and perceive data. Before organizations may intelligently incorporate visualization into their cybersecurity analysis process they must be prepared to pose tailored sets of questions that directly relate to the particular objective of the cyber analyst. This workshop addresses these gaps with the intent of bringing together experts from a variety of disciplines relevant to the topic of evaluating cybersecurity visualizations in their ability to support analytic reasoning and decision making in cybersecurity.

Paper Topics
We welcome paper submissions on the following or related topics:

Empowering the Human Analysts
Methods and techniques for evaluating the impact cybersecurity visualizations have on enabling the human perception and cognitive processes that are required for intelligent decision making.

Addressing current deficiencies in cybersecurity analysis
Methods and techniques for measuring the impact cybersecurity visualization tools have on addressing current deficiencies that still exist in cybersecurity analysis such as exploration and prediction.

The Unique nature of Cybersecurity Visualization
Identifying aspects that are specific to cybersecurity visualization, and identifying relevant contributions from current research in the broader fields of information visualization and scientific visualization, and from visualizations in other domains.

Important Dates

Workshop papers due: March 31, 2013
Notices of acceptance and comments provided to authors: April 12, 2013
Camera ready paper submitted: April 29, 2013

Website: http://www.isiconference2013.org/pgs/workshop-on-cybersecurity-visualizations.php

Paper Submission:
Submission file formats are PDF and Microsoft Word. Required Word/LaTex templates (IEEE two-column format) can be found on IEEE's Publications web pages. Submissions can be long (6,000 words, 6 pages max) or short (3000 words, 3 pages max). Papers in English must be submitted by email to Lisa Coote at Lisa.Coote@innovative-analytics.com. The accepted workshop papers from will be published by the IEEE Press in formal Proceedings. Authors who wish to present a poster and/or demo may submit a 1-page extended abstract, which, if selected, will appear in the conference proceedings.

Conference content will be submitted for inclusion into IEEE Xplore as well as other Abstracting and Indexing (A&I) databases. The selected IEEE ISI 2013 best papers will be invited for contribution to the Springer Security Informatics Journal.
Organizing Committee:

Kevin O'Connell, Innovative Analytics & Training
Lisa Coote, Innovative Analytics & Training

Program Committee:

Raffael Marty, PixlCloud
Tomas Budavari, John Hopkins University
Antonio Sanfilippo, Pacific Northwest National Laboratory
John T. Langton, VisiTrend LLC
Claudio Silva, NYU Polytechnic
Bernice Rogowitz, Visual Perspectives Consulting
Cullen Jackson, APTIMA
Enrico Bertini, NYU Polytechnic
John Goodall, Oak Ridge National Laboratory

VizSec 2013

VizSec 2013 will be held in Atlanta, Georgia on October 14, 2013 in conjunction with IEEE VIS. Paper submissions are due July 8, 2013 and poster abstracts are due August 23, 2013.

The 10th International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec will provide an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Accepted papers will appear in the ACM Digital Library as part of the ACM International Conference Proceedings Series.

Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable.

See http://www.vizsec.org/ for additional information.

Visualizing Bro Logs

Visualizing Bro Logs

It might not be the pretties graph, but it tells a story. This graphs was generated with R and shows the number of HTTP connections per Host header field. I generated this graph with data from Bro's HTTP.log file.

A few other graphs and R scripts can be found on my blog, http://anthonykasza.webs.com/blog23.html

SSL Trust Delegation

SSL Trust Delegation

This graph shows a part of the global SSL trust relationships. It was generated with AfterGlow and Gephi (by using the -k parameter of AfterGlow to generate a GDF file). Node size is based on the number of children for each node. The big green node is the DFN CERT. And no, it doesn't mean that the DNF CERT is trusted more than any other certificate authority...

C&C ASN "Clusters"

C&C ASN "Clusters"

As I've been putting together an R package for mining open source IP "intelligence" data, I decided to play with visualizing malicious host categories in AlienValut's IP reputation database. This image is a network graph plot (using R & igraph) of AlienVault identified C&C nodes as they relate to host ASNs (with ASN peers included). Red nodes are the C&C hosts, gold nodes are the the ASNs.

I did the same with a subset of "Malicious Hosts" in AlienValut's db and am thinking that tracking these over a day (/week/month/year) would make for an interesting view of the ebb & flow of C&C hosts.

Security Visualization Events

In December I'll be presenting on security intelligence and the interplay of visualization and data mining.

I wrote a blog post that introduces the talk in Palo Alto a little bit. It's about Supercharging Visualization with DataMining. Check it out and make sure you RSVP for the event tomorrow.

Security Visualization Training in Dubai

There are a couple of seats open for next week's security visualization workshop in Dubai. The training is held Friday and Saturday, November 9th and 10th in Dubai.

The topics are anything from data sources to log processing to a lot of eye-catching visualizations, and a great module on big data. The signup link contains all the information you need.

Hope to see you in Dubai next week!

VizSec 2012 - Keynote

A week ago, in Seattle, VizSec 2012 was taking place. I had the honor to present the keynote, which I used as an opportunity to talk about the state of the security visualization space. Here is the video of the talk.

This is a quick outline of the talk:

  • Security visualization - The most exciting field
  • The vision - This section talks about some of the challenges that we have in security visualization and what I would like to see in a security visualization application. Well, some of what I would like to see, there are some parts I left out and will hopefully deliver through pixlcloud in the not so far future.
  • Why is security visualization so hard? I am talking about a few reasons why we have such a hard time with visualizing security data. One of the issues is that we are different; security visualization is different from all the other fields out there. We have problems and data that no other area deals with. We have a lot of IP addresses, for example or port numbers. If we try to work with other domain experts, for example from the data mining space, they don't understand our data well enough to build good algorithms. One very common problem are 'distance functions'. They are incredible hard to define and because our data is mostly categorical and not numerical, that presents a significant problem. I also see port numbers being treated as continuous variables, which is just plain wrong.
  • Security analysts - I am providing a little bit of a provocative view of security analysts. There is no defined way of analyzing security data and therefore, every analyst is doing his/her work differently. If we try to build a tool for any one of them, the next one might not be able to use it at all.
  • Visualizing big data - I am offering a little bit of an answer on how to visualize a large amount of data. It all comes back to Ben Shneiderman with his information seeking mantra.
  • Data mining - I have been looking into data mining a lot lately. I am trying to define what the right interplay between data mining and visualization is. Either of the disciplines alone won't solve our problems. Together they can unlock a lot of insights, however. But don't be fooled. Data mining is super hard to get right.
  • Moving forward - I quickly outline what's going on out there. Visualization contests seem to gain popularity. I close with my challenge to everyone of solving the many problems that we still face. If you are a researcher, have a look at this slide and help us solve some of the problems.
    • Following are the slides from the talk. Unfortunately, my video recording from the VizSec keynote failed. I was presenting at Microsoft however, the same week and I was able to record my talk there. Same slides.