Network Eye: End-to-End Computer Security Visualization

Home-centric visualization of network traffic for security administration

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security - VizSEC/DMSEC '04, 2004

Today's system administrators, burdened by rapidly increasing network activity, must quickly perceive the security state of their networks, but they often have only text-based tools to work with. These tools often provide no overview to help users grasp the big picture. Our interviews with administrators have revealed that they need visualization tools; thus, we present VISUAL (Visual Information Security Utility for Administration Live), a network security visualization tool that allows users to see communication patterns between their home (or internal) networks and external hosts. VISUAL is part of our Network Eye security visualization architecture, also described in this paper. We have designed and tested a new computer security visualization that gives users a quick overview of current and recent communication patterns in the monitored network. Many tools can detect and show fan-out and fan-in, but VISUAL shows network events graphically, in context. Visualization helps users comprehend the intensity of network events more intuitively than text-based tools can. VISUAL provides insight for networks with up to 2,500 home hosts and 10,000 external hosts, shows the relative activity of hosts, displays them in a constant relative position, and reveals the ports and protocols used.

CDCVIS: A CONFIGURABLE VISUALIZATION MECHANISM FOR CORPORATE NETWORK SECURITY ADMINISTRATION

2009

Abstract: Corporate network security administration is a never-ending balancing act for network administrators straddling the line between information protection and availability. The constant increase in informational needs, speed, and sharing, coupled with the proliferation of more advanced attacks, provides a daunting workload for most network security administrators.

Cover-VT: Converged Security Visualization Tool

2011

The amount of data that floods today's networks is well beyond what security analysts can manage by textual means alone. In an effort to solve this problem, researchers have explored different methods of visualizing network security threats. There is little debate that humans can perceive more information visually than textually. The problem is that the majority of visualization tools in practice or proposed do not take efficient visualization techniques into consideration. As a result, it is difficult to get a high-level view of the network that facilitates rapid isolation of network attacks. We propose the Converged Security Visualization Tool (Cover-VT) to solve the efficient visualization problem. Cover-VT was designed to provide analysts with a high-level view of network threats using geographic information systems. The tool allows for rapid identification of threats by minimizing the cognitive obstacles to efficient threat location. Cover-VT includes the capability to drill-down on a node of interest for additional details and even filter out unwanted data. Cover-VT was designed with usability in mind, making it easy to comprehend while assisting the analyst in rapid threat identification. Many different security tools make up a security analyst's tool kit. Cover-VT was developed as an effective security visualization system that integrates existing security tools and network security systems.

Introduction to Visualization for Computer Security

Mathematics and Visualization

Networked computers are ubiquitous, and are subject to attack, misuse, and abuse. Automated systems to combat this threat are one potential solution, but most automated systems require vigilant human oversight. This automated approach undervalues the strong analytic capabilities of humans. While automation affords opportunities for increased scalability, humans provide the ability to handle exceptions and novel patterns. One method of counteracting the ever-increasing cyber threat is to provide human security analysts with better tools to discover patterns, detect anomalies, identify correlations, and communicate their findings. This is what visualization for computer security (VizSec) researchers and developers are doing. VizSec is about putting robust information visualization tools into the hands of humans to take advantage of the power of the human perceptual and cognitive processes in solving computer security problems. This chapter is an introduction to the VizSec research community and the papers in this volume.

1 Computer Security

In The Cuckoo's Egg, astronomer-turned-systems administrator Cliff Stoll (Stoll, 1989) recounted his experience identifying and tracking a hacker through the nascent Internet in the mid-1980s. Through perseverance, creativity (he once dangled his keys over the telephone modem lines to create interference to slow down and frustrate the intruder), and extensive coordination and collaboration with other systems administrators, Stoll's actions led to the uncovering of an international spy ring that had infiltrated U.S. military systems. The intruder was initially detected from a seventy-five cent accounting error.

Visualising Network Security Events

Abstract: As organizations increasingly rely on information technology and networking, information security becomes more of a concern. This places a dependency on system administrators to monitor systems in an organisation's network for anomalous activity. This task commonly involves analysing vast amounts of textual data, such as operating system events or intrusion detection system alerts.

NVisionIP: netflow visualizations of system state for security situational awareness

… of the 2004 ACM workshop on …, 2004

The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.

Visual Firewall: Real-time Network Security Monito

IEEE Workshops on Visualization for Computer Security (VizSec'05), 2005

Anomalous communication patterns are one of the leading indicators of computer system intrusions according to the system administrators we have interviewed. But a major problem is being able to correlate across the host/network boundary to see how network connections are related to running processes on a host. This paper introduces Portall, a visualization tool that gives system administrators a view of the communicating processes on the monitored machine correlated with the network activity in which the processes participate. Portall is a prototype of part of the Network Eye framework we have introduced in an earlier paper [1]. We discuss the Portall visualization, the supporting infrastructure it requires, and a formative usability study we conducted to obtain administrators' reactions to the tool.

VisFlowconnect: providing security situational awareness by visualizing network traffic flows

IEEE International Conference on Performance, Computing, and Communications, 2004

We present the design and implementation of VisFlowConnect, a powerful new tool for visualizing network traffic flow dynamics for situational awareness. The visualization capability provided by VisFlowConnect allows an operator to assess the state of a large and complex network given an overall view of the entire network and filter/drill-down features with a friendly user interface that allows users to request more detailed information of interest, such as specific protocol traffic flows. The value of VisFlowConnect specifically for security situational awareness is that any security event, with only a few minor exceptions, will be reflected as a traffic flow. Thus, using VisFlowConnect, a user will "see" all security events. We show several experiments in which abnormal behaviors with security implications have been discovered and analyzed using VisFlowConnect. These experiments demonstrate how VisFlowConnect can be a uniquely effective tool to assist security administrators in securing their computer networks.