Network Security Visualization
Genevieve Max & Keith Fligg
April 22, 2012
Attack Scenario
[diagram; labels: Attacker, Firewall and Router, OS / Network / Apps, Gather Raw Network Data, Visualization, Fix Vulnerabilities]
Three Ws of Tool Design
1 Where in the network is the attack happening?
2 When is the attack happening?
3 What type of attack is happening?
Visualization Answering Three Ws
Firewall Log
Port Scan: Processed Log Files (psad)
Port Scan: Visualization
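The slides go from a raw firewall log to a psad-style processed view to a picture that answers the three Ws. As an added example (not code from the deck, and not how psad works internally), the script below reads constructed lines in the style of Linux iptables LOG output, groups them by (source, target) pair, and emits one where/when/what report per pair: the target host is the Where, the first and last timestamp the When, and the number of distinct destination ports decides the What. The log lines, addresses and the `min_ports` threshold are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of Linux iptables LOG lines (not real traffic,
# not psad output). 203.0.113.7 walks six ports on 192.0.2.10 within two seconds;
# 198.51.100.4 only talks to port 80; 192.0.2.77 sends one ICMP echo request.
SAMPLE_LOG = """\
Apr 22 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40211 DPT=21 SYN
Apr 22 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40212 DPT=22 SYN
Apr 22 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40213 DPT=23 SYN
Apr 22 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40214 DPT=25 SYN
Apr 22 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40215 DPT=80 SYN
Apr 22 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40216 DPT=443 SYN
Apr 22 10:16:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 22 10:16:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
Apr 22 10:17:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log(text, year=2012):
    """Turn log lines into event dicts; syslog stamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never guessed at
        stamp = " ".join(m["ts"].split())  # collapse day padding such as "Apr  2"
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return events


def summarize(events, min_ports=5):
    """One report per (source, target) pair answering Where, When and What."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    reports = []
    for (src, dst), evs in sorted(by_pair.items()):
        ports = sorted({e["dpt"] for e in evs if e["dpt"] is not None})
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        if len(ports) >= min_ports:
            what = "port scan"            # many distinct ports from one source
        elif len(ports) == 1:
            what = "single-port traffic"
        elif ports:
            what = "few-port traffic"
        else:
            what = "non-TCP/UDP traffic"  # ICMP and friends carry no ports
        reports.append({
            "source": src, "where": dst, "when": (first, last),
            "duration_s": (last - first).total_seconds(),
            "what": what, "ports": ports, "hits": len(evs),
        })
    return reports


def scan_reports(text, year=2012, min_ports=5):
    return summarize(parse_log(text, year), min_ports)


if __name__ == "__main__":
    for r in scan_reports(SAMPLE_LOG):
        print(f"WHERE {r['where']}  WHEN {r['when'][0]:%H:%M:%S}-{r['when'][1]:%H:%M:%S} "
              f"({r['duration_s']:.0f}s)  WHAT {r['what']} from {r['source']} "
              f"ports={r['ports']} hits={r['hits']}")
```

The per-pair report is exactly the table a visualization is built from: each row can become a glyph whose position is the target, whose colour is the What, and whose size is the number of hits, which is the translation the next slides make.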
Circular Visualization
Pre-Attentive Objects
1 Color
2 Position
3 Form
4 Motion
Pre-Attentive: Color
Visualization Applying Color
Pre-Attentive: Position
Visualization Applying Position
Pre-Attentive: Form - Shape
Visualization Applying Shape
Pre-Attentive: Form - Size
Visualization Applying Size
Pre-Attentive: Form - Orientation
Visualization using Orientation
[chart; labels: Cost, Personnel, Employee Hours, Incidents]
Pre-Attentive: Form - Enclosure
Visualization using Enclosure
Visualization Techniques
1 No serial parsing
2 Minimize the Number of Types Of Objects
3 Minimize Non-data Ink/Pixels
No Serial Parsing
30913646251849
50018364527489
40392726584019
18127365859202
No Serial Parsing
VS [the same block of digits shown twice, side by side]
Visualization Applying No Serial Parsing
Minimize the Number of Types Of Objects
Minimize the Number of Types Of Objects
VS
Visualization Applying Minimum Objects
[link graph figures over nodes 213.3.104.65, 217.162.11.45, 111.222.195.59 and ports 80, 21]
(a) Link graph nomenclature: Source, Event, Target.
(b) Destination port, source address, and destination address.
(c) Destination port, destination address, and source address.
Minimize Non-data Ink/Pixels
[chart: # of Packets vs Time; plotted values 2.25, 3, 2.5, 4, 5, 5.75, 4.5, 2.5]
Minimize Non-data Ink/Pixels
VS [the same # of Packets vs Time chart shown twice, side by side]
Visualization Applying Non-data Ink/Pixels
![Page 39: Network Security Visualization · 29/10/2007 · References [1] Robert Ball, Glenn A. Fink, and Chris North. Home-centric visualization of network traffic for security administration.](https://reader033.fdocuments.us/reader033/viewer/2022060300/5f0827b67e708231d4209cc1/html5/thumbnails/39.jpg)
Parallel Plots
[parallel-coordinates figure with four axes: Source IP addr (0.0.0.0 to 255.255.255.255), TCP source port (0 to 65,535), TCP dest port (0 to 65,535), Dest IP addr (0.0.0.0 to 255.255.255.255); one packet is drawn as the line 192.168.2.1, 42,424, 777, 130.2.5.42]
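A parallel plot draws each packet as one polyline whose height on each axis is the packet's value for that field, so the data preparation is just a normalisation onto the four axis ranges shown. As an added example (not code from the deck), the block below does that mapping and then measures how much of each axis a set of packets covers, which is the quantity the eye picks up when one host fans out across the destination-port axis. The axis names, the `axis_spread` helper and the sample packets are assumptions made for the example; the single packet 192.168.2.1, 42424, 777, 130.2.5.42 is the one on the slide.

```python
import ipaddress

# Axis ranges from the slide: two IPv4 axes (0.0.0.0 .. 255.255.255.255) and
# two TCP port axes (0 .. 65,535). Positions are normalised to 0.0 .. 1.0.
AXES = ("src_ip", "src_port", "dst_port", "dst_ip")
IPV4_MAX = 2**32 - 1
PORT_MAX = 65535


def ip_position(ip):
    """Map a dotted-quad IPv4 address to its height on a 0.0.0.0..255.255.255.255 axis."""
    return int(ipaddress.IPv4Address(ip)) / IPV4_MAX


def port_position(port):
    """Map a TCP port to its height on a 0..65,535 axis; reject impossible values."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {port}")
    return port / PORT_MAX


def packet_positions(src_ip, src_port, dst_port, dst_ip):
    """One packet becomes one polyline: its height on each of the four axes, left to right."""
    return (ip_position(src_ip), port_position(src_port),
            port_position(dst_port), ip_position(dst_ip))


def axis_spread(packets):
    """Fraction of each axis covered by a set of packets (max - min of their positions).

    A single host sweeping one target's ports shows zero spread on both address
    axes and a wide fan on the destination-port axis; the plot lets an analyst
    see that fan without reading the individual lines (no serial parsing).
    """
    columns = list(zip(*(packet_positions(*p) for p in packets)))
    return {name: max(col) - min(col) for name, col in zip(AXES, columns)}


# Constructed sample traffic (assumed for this example): one host probing six ports.
SCAN_PACKETS = [
    ("192.168.2.1", 40000 + i, dport, "130.2.5.42")
    for i, dport in enumerate((21, 22, 23, 25, 80, 443))
]

if __name__ == "__main__":
    print(packet_positions("192.168.2.1", 42424, 777, "130.2.5.42"))
    for axis, spread in axis_spread(SCAN_PACKETS).items():
        print(f"{axis:9s} spread {spread:.5f}")
```

The spread table is a cheap pre-attentive proxy: a plotting library would draw the polylines, but the same numbers tell a script which axis is doing the fanning and therefore which field the analyst should filter on next.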
Animated Parallel Plots
[two frames of a two-axis parallel plot, TCP source port and TCP destination port, each packet drawn as a line between the axes]
Link graphs: nomenclature
[figure: Source, Event, Target]
Link graphs: hidden information
[two link graphs over the same nodes 213.3.104.65, 217.162.11.45, 111.222.195.59 and ports 80, 21]
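A link graph collapses each (source, event, target) record into two edges, so a reader tracing Source to Event to Target can follow paths that no single record produced; which paths are phantoms depends on the node ordering, which is what the "hidden information" slide and the (b)/(c) orderings earlier in the deck illustrate. As an added example (not code from the deck or from the cited books), the block below builds both orderings from a few constructed connection records and lists the connections each graph appears to show but that never happened. The two sources and the first target are the addresses on the slide; the second target 111.222.195.60, the record set and the helper names are assumptions for the example.

```python
from collections import defaultdict

# A record in the slide's nomenclature is Source -> Event -> Target; here each
# record is one connection: (source address, destination port, destination address).
FIELDS = ("src", "dport", "dst")

# Constructed sample: the two sources and 111.222.195.59 are from the slide,
# 111.222.195.60 is added so that the two orderings behave differently.
RECORDS = {
    ("213.3.104.65", 80, "111.222.195.59"),
    ("217.162.11.45", 21, "111.222.195.60"),
    ("213.3.104.65", 21, "111.222.195.60"),
}

ORDER_B = ("dport", "src", "dst")  # (b): destination port, source address, destination address
ORDER_C = ("dport", "dst", "src")  # (c): destination port, destination address, source address


def link_graph(records, order):
    """Project three-field records onto a two-hop graph (first edge set, second edge set).

    order[0] plays the Source node, order[1] the Event node, order[2] the Target
    node; the two edge sets are exactly what the picture draws.
    """
    a, b, c = (FIELDS.index(f) for f in order)
    hop1 = {(r[a], r[b]) for r in records}
    hop2 = {(r[b], r[c]) for r in records}
    return hop1, hop2


def implied_records(hop1, hop2, order):
    """Every Source -> Event -> Target path a reader can trace, mapped back to (src, dport, dst)."""
    targets_of = defaultdict(set)
    for event, target in hop2:
        targets_of[event].add(target)
    implied = set()
    for source, event in hop1:
        for target in targets_of[event]:
            vals = dict(zip(order, (source, event, target)))
            implied.add(tuple(vals[f] for f in FIELDS))
    return implied


def phantom_connections(records, order):
    """Connections the graph appears to show but that never occurred: the information
    the chosen ordering hides by splitting each triple into two independent edges."""
    hop1, hop2 = link_graph(records, order)
    return implied_records(hop1, hop2, order) - set(records)


if __name__ == "__main__":
    for name, order in (("(b)", ORDER_B), ("(c)", ORDER_C)):
        phantoms = sorted(phantom_connections(RECORDS, order))
        print(name, order, "phantom connections:", phantoms or "none")
```

With these records ordering (b) invents two connections (213.3.104.65 to port 80 on the second target, and to port 21 on the first) because both of its connections pass through the same source node, while ordering (c) reproduces the data exactly. Running the check on a real record set before choosing the node ordering is a cheap way to find out which picture will mislead.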
Demo Network Visualization Tool
Demo
References
[1] Robert Ball, Glenn A. Fink, and Chris North. Home-centric visualization of network traffic for security administration. In VizSEC/DMSEC '04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pages 55–64. ACM Press, 2004.
[2] Ryan Blue, Cody Dunne, Adam Fuchs, Kyle King, and Aaron Schulman. Visualizing real-time network resource usage. In Proceedings of the 5th international workshop on Visualization for Computer Security, VizSec '08, pages 119–135, Berlin, Heidelberg, 2008. Springer-Verlag.
[3] Bill Cheswick, Hal Burch, and Steve Branigan. Mapping and visualizing the internet. In Proceedings of the annual conference on USENIX Annual Technical Conference, ATEC '00, pages 1–1, Berkeley, CA, USA, 2000. USENIX Association.
[4] Greg Conti. Security Data Visualization: Graphical Techniques for Network Analysis. No Starch Press, 2007.
[5] Anita D. D'Amico and K. Whitley. The real work of computer network defense analysts. In Goodall et al. [8], pages 19–37.
[6] Stefano Foresti, Jim Agutter, Yarden Livnat, Shaun Moon, and Robert Erbacher. Visual correlation of network alerts. In IEEE Computer Graphics and Applications, pages 48–59. IEEE, 2006.
[7] J. R. Goodall. Introduction to visualization for computer security. In John R. Goodall, Gregory Conti, and Kwan-Liu Ma, editors, VizSEC 2007, Mathematics and Visualization, pages 1–17. Springer Berlin Heidelberg, 2008. doi:10.1007/978-3-540-78243-8_1.
[8] John R. Goodall, Gregory J. Conti, and Kwan-Liu Ma, editors. VizSEC 2007, Proceedings of the Workshop on Visualization for Computer Security, Sacramento, California, USA, October 29, 2007, Mathematics and Visualization. Springer, 2008.
[9] Ivan Herman, Guy Melançon, and M. Scott Marshall. Graph visualization and navigation in information visualization: A survey. IEEE Transactions on Visualization and Computer Graphics, 6:24–43, January 2000.
[10] Noah Iliinsky and Julie Steele. Beautiful Visualization. O'Reilly Media, Inc., 2010.
[11] Noah Iliinsky and Julie Steele. Designing Data Visualizations. O'Reilly Media, Inc., 2011.
[12] A. Komlodi, P. Rheingans, Utkarsha Ayachit, J. R. Goodall, and Amit Joshi. A user-centered look at glyph-based security visualization. In Visualization for Computer Security, 2005 (VizSEC 05), IEEE Workshop on, pages 21–28, October 2005.
References cont.
[13] Kiran Lakkaraju, William Yurcik, and Adam J. Lee. NVisionIP: NetFlow visualizations of system state for security situational awareness. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, VizSEC/DMSEC '04, pages 65–72, New York, NY, USA, 2004. ACM.
[14] C. P. Lee, J. Trost, N. Gibbs, Raheem Beyah, and J. A. Copeland. Visual firewall: real-time network security monitor. In Visualization for Computer Security, 2005 (VizSEC 05), IEEE Workshop on, pages 129–136, October 2005.
[15] Yarden Livnat, Jim Agutter, Shaun Moon, Robert F. Erbacher, and Stefano Foresti. A visualization paradigm for network intrusion detection. In Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, pages 92–99. IEEE, 2005.
[16] Raffael Marty. Applied Security Visualization. Addison-Wesley Professional, 2008.
[17] Jonathan McPherson, Kwan-Liu Ma, Paul Krystosk, Tony Bartoletti, and Marvin Christensen. PortVis: a tool for port-based detection of security events. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, VizSEC/DMSEC '04, pages 73–81, New York, NY, USA, 2004. ACM.
[18] Toby Segaran. Programming Collective Intelligence. O'Reilly Media, Inc., 2007.
[19] Colin Ware. Information Visualization: Perception for Design. Morgan Kaufmann Publishers, 2004.
[20] Christopher D. Wickens, Diane L. Sandry, and Michael Vidulich. Compatibility and resource competition between modalities of input, central processing, and output. Human Factors: The Journal of the Human Factors and Ergonomics Society, 25(2):227–248, 1983.