Introduction to Visualization for Computer Security ... 1
    2 Information Visualization ... 3
    3 Visualization for Computer Network Defense ... 5
    3.1 Data Sources for Computer Network Defense ... 6
    3.2 VizSec to Support Computer Network Defense ... 6
    4.3 Communication, Characterization, and Context ... 14
    4.4 Attack Graphs and Scans ... 15

The Real Work of Computer Network Defense Analysts ... 19
A. D'Amico and K. Whitley
    4.1 Data Transformation in CND Analysis ... 24
    4.3 CND Analysis Workflow Across Organizations ... 29
    5 Implications for Visualization ... 33
    5.1 Visualization Across the CND Workflow ... 33
    5.2 Visualization as Part of a CND Analysis Environment ... 35

Adapting Personas for Use in Security Visualization Design ... 39
J. Stoll, D. McColgin, M. Gregory, V. Crow, and W.K. Edwards
    2 Overview of the Personas Method and Related Work ... 40
    3.1 Five Steps to Persona Implementation ... 43
    4 Application to Security Visualizations ... 49

Measuring the Complexity of Computer Security Visualization Designs ... 53
X. Suo, Y. Zhu, and G. Scott Owen
    3.1 Hierarchical Analysis of Data Visualization ... 57
    3.3 Separable Dimensions for Visual Units ... 58
    3.4 Interpreting the Values of Visual Attributes ... 60
    3.5 Efficiency of Visual Search ... 61
    3.6 Case Study with RUMINT ... 63

Integrated Environment Management for Information Operations Testbeds ... 67
T.H. Yu, B.W. Fuller, J.H. Bannick, L.M. Rossey, and R.K. Cunningham
    3.3 Interface and Visualization ... 72

Visual Analysis of Network Flow Data with Timelines and Event Plots ... 85
D. Phan, J. Gerth, M. Lee, A. Paepcke, and T. Winograd
    3 The Investigation Process ... 87
    5 Progressive Multiples of Timelines and Event Plots ... 89
    6 A Case of Mysterious IRC Traffic ... 90
    8 Future Work and Conclusions ... 98

NetBytes Viewer: An Entity-Based NetFlow Visualization Utility for Identifying Intrusive Behavior ... 101
T. Taylor, S. Brooks, and J. McHugh
    3.1 NetBytes Viewer User Interface ... 105
    3.3 Implementation Details ... 110

Visual Analysis of Corporate Network Intelligence: Abstracting and Reasoning on Yesterdays for Acting Today ... 115
D. Lalanne, E. Bertini, P. Hertzog, and P. Bados
    3 On the Need to Support Visual Analysis ... 118
    4 User and Application Centric Views of the Corporate Network ... 122
    4.1 The RadViz: Visually Grouping Similar Objects ... 122
    4.2 The OriginalityView: Plotting the Uncommon ... 124
    5 Alarm/Event Centric Views ... 126
    6 Limitations and Challenges ... 128

Visualizing Network Security Events Using Compound Glyphs From a Service-Oriented Perspective ... 131
J. Pearlman and P. Rheingans

High Level Internet Scale Traffic Visualization Using Hilbert Curve Mapping ... 147
B. Irwin and N. Pilkington

VisAlert: From Idea to Product ... 159
S. Foresti and J. Agutter
    1.2 The VisAlert Metaphor ... 160
    2.1 Visualization of Network Security ... 161
    2.3 Inter-Disciplinary Collaboration ... 163
    3.4 Refined Conceptual Ideas ... 167

Visually Understanding Jam Resistant Communication ... 175
D. Schweitzer, L. Baird, and W. Bahn
    2.1 BBC and Concurrent Codes ... 177
    3.2 A Visual Representation ... 180

Visualization of Host Behavior for Network Security ... 187
F. Mansman, L. Meier, and D.A. Keim
    2.1 Analysis of Application Ports ... 190
    2.2 Graph-Based Approaches for Network Monitoring ... 190
    2.3 Towards Visual Analytics for Network Security ... 191
    3.4 Abstraction and Integration of the Behavior Graph in HNMap ... 196
    3.5 Application and Evaluation ... 197

Putting Security in Context: Visual Correlation of Network Activity with Real-World Information ... 203
W.A. Pike, C. Scherrer, and S. Zabriskie
    2.1 The Importance of Maintaining Context ... 204
    2.2 Visualizing Packets and Flows ... 205
    2.3 Visualizing Correlated Activity ... 206
    3.1 "I Just Want to Know Where to Focus My Time" ... 207
    3.2 "We Need to Organize Our Hay into Smaller Piles" ... 208
    3.5 Visualizing Behavior in Context ... 214

An Interactive Attack Graph Cascade and Reachability Display ... 221
L. Williams, R. Lippmann, and K. Ingols
    2.1 Limitations of Existing Approaches ... 222
    3.2 Initial System Design ... 225
    3.3 Example Network Results ... 227

Intelligent Classification and Visualization of Network Scans ... 237
C. Muelder, L. Chen, R. Thomason, K.-L. Ma, and T. Bartoletti
    3.1 Scan Data and Representation ... 241
    3.2 An Intelligent Method ... 242
    3.3 Visualization Integration ... 246

Using InetVis to Evaluate Snort and Bro Scan Detection on a Network Telescope ... 255
B. Irwin and J.-P. van Riel
    1.1 The Merits and Difficulties of Scan Detection ... 256
    2.1 Intrusion Detection and the False Positive Problem ... 257
    2.3 Classifications of Network Scan Activity ... 258
    2.4 Algorithmic Approaches to Scan Detection ... 258
    2.5 Network Security Visualisation ... 259
    3 InetVis Network Traffic Visualisation ... 259
    3.1 Key Features and Enhancements ... 260
    4 Investigative Methodology ... 261
    4.1 Network Telescope Traffic Capture ... 262
    4.2 Scan Detection Configuration and Processing ... 262
    4.3 Graphical Exploration and Investigation with InetVis ... 264
    5.1 Address Scans and the Distribution of Unique Addresses ... 265
    5.2 Scans Discovered and Characterised with InetVis ... 266