Network Security Visualization Genevieve Max & Keith Fligg April 22, 2012

Network Security Visualization · 29/10/2007  · References [1] Robert Ball, Glenn A. Fink, and Chris North. Home-centric visualization of network traffic for security administration


Page 1:

Network Security Visualization

Genevieve Max & Keith Fligg

April 22, 2012

Page 2:

Attack Scenario

[Figure: Attacker -> Firewall and Router -> OS / Network / Apps. From those hosts: Gather Raw Network Data -> Visualization -> Fix Vulnerabilities.]

Pages 3-5:

Three Ws of Tool Design

1 Where in the network is the attack happening?

2 When is the attack happening?

3 What type of attack is happening?

Page 6:

Visualization Answering Three Ws

Page 7:

Firewall Log

Page 8:

Port Scan: Processed Log Files (psad)

Page 9:

Port Scan: Visualization
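The pipeline of pages 7-9 (raw firewall log, psad-style processing, then a picture that answers the three Ws of pages 3-5) as an added worked example in Python. It is not code from the slides and not psad's logic. The log lines are constructed iptables LOG-target records; syslog omits the year, so 2012 is assumed. Packets are grouped per source/destination pair and any source that reaches at least `threshold` distinct destination ports within `window` seconds is reported as where (target host), when (first and last packet) and what (scan type from protocol and TCP flags). The threshold, the window and the classification rules are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables LOG-target lines as syslog records them
# (not a real capture). One host sweeps six ports on 192.0.2.10 within a few
# seconds; a second host makes two ordinary HTTPS connections and one DNS query.
SAMPLE_LOG = """\
Apr 22 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=54 ID=0 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 10:15:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=63 ID=1234 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:16:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=63 ID=1235 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:16:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.53 LEN=72 TTL=63 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=52
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")   # bare TCP flag tokens


def parse_line(line, year=2012):
    """One log line -> event dict, or None for lines that are not packet logs.
    syslog omits the year, so it is supplied (2012 assumed, to match the talk)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    if "SRC" not in kv or "DST" not in kv:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "time": when,
        "src": kv["SRC"],
        "dst": kv["DST"],
        "proto": kv.get("PROTO", "?"),
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": set(FLAG_RE.findall(m.group("rest"))),
    }


def classify(burst):
    """The 'what': a coarse scan type from protocol and TCP flags (assumed rules)."""
    if {e["proto"] for e in burst} == {"UDP"}:
        return "UDP scan"
    if all(e["flags"] == {"SYN"} for e in burst):
        return "TCP SYN scan"
    if all("FIN" in e["flags"] and "SYN" not in e["flags"] for e in burst):
        return "TCP FIN scan"
    return "TCP scan (mixed flags)"


def find_port_scans(events, threshold=5, window=60):
    """Flag every (source, destination) pair that touches at least `threshold`
    distinct destination ports within some `window`-second span. Threshold and
    window are values chosen for the example, not psad's defaults."""
    by_pair = defaultdict(list)
    for e in events:
        if e["dport"] is not None:
            by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        best = []
        for i, first in enumerate(evs):            # try every window start
            limit = first["time"] + timedelta(seconds=window)
            burst = [e for e in evs[i:] if e["time"] <= limit]
            if len({e["dport"] for e in burst}) > len({e["dport"] for e in best}):
                best = burst
        ports = sorted({e["dport"] for e in best})
        if len(ports) >= threshold:
            findings.append({
                "who": src,
                "where": dst,                                  # where
                "when": (best[0]["time"], best[-1]["time"]),   # when
                "what": classify(best),                        # what
                "ports": ports,
            })
    return findings


def load(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


if __name__ == "__main__":
    for f in find_port_scans(load(SAMPLE_LOG)):
        start, end = f["when"]
        print(f'{f["what"]} from {f["who"]} against {f["where"]} '
              f'between {start:%H:%M:%S} and {end:%H:%M:%S}: ports {f["ports"]}')
```

The finding record is deliberately shaped as where/when/what so that the visualization step only has to map those three fields to position, time axis and colour; the benign host with two connections to one port never reaches the threshold, which is the distinction a plain log listing hides.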

Page 10:

Circular Visualization

Pages 11-14:

Pre-Attentive Objects

1 Color

2 Position

3 Form

4 Motion

Page 15:

Pre-Attentive: Color

Page 16:

Visualization Applying Color

Page 17:

Pre-Attentive: Position

Page 18:

Visualization Applying Position

Page 19:

Pre-Attentive: Form - Shape

Page 20:

Visualization Applying Shape

Page 21:

Pre-Attentive: Form - Size

Page 22:

Visualization Applying Size

Page 23:

Pre-Attentive: Form - Orientation

Page 24:

Visualization using Orientation

[Figure: orientation-coded glyphs for Cost, Personnel, Employee Hours and Incidents.]

Page 25:

Pre-Attentive: Form - Enclosure

Page 26:

Visualization using Enclosure

Pages 27-29:

Visualization Techniques

1 No serial parsing

2 Minimize the Number of Types Of Objects

3 Minimize Non-data Ink/Pixels

Pages 30-31:

No Serial Parsing

30913646251849
50018364527489
40392726584019
18127365859202

VS

[Figure: the same four rows of digits shown a second time in the pre-attentive form; in the plain block a reader has to parse every digit in turn.]

Page 32:

Visualization Applying No Serial Parsing

Pages 33-34:

Minimize the Number of Types Of Objects

VS

Page 35:

Visualization Applying Minimum Objects

[Figure: (a) Link graph nomenclature: Source -> Event -> Target. (b) Destination port, source address, and destination address. (c) Destination port, destination address, and source address. Nodes in the example: source addresses 213.3.104.65 and 217.162.11.45, target 111.222.195.59, destination ports 80 and 21.]

Pages 36-37:

Minimize Non-data Ink/Pixels

[Figure: # of Packets over Time, data values 2.25, 3, 2.5, 4, 5, 5.75, 4.5, 2.5; the chart drawn with its decoration VS the same chart reduced to the data marks and the two axis labels.]

Page 38:

Visualization Applying Non-data Ink/Pixels

Page 39:

Parallel Plots

[Figure: four parallel axes: Source IP addr (0.0.0.0 to 255.255.255.255), TCP source port (0 to 65,535), TCP dest port (0 to 65,535), Dest IP addr (0.0.0.0 to 255.255.255.255). One packet is drawn as the polyline 192.168.2.1 -> 42,424 -> 777 -> 130.2.5.42.]

Page 40:

Animated Parallel Plots

[Figure: two frames of the TCP source port and TCP destination port axes; each Packet is drawn as a line between the two axes as it arrives.]
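A renderer for the parallel plot of page 39, the per-packet frames of page 40 and the colour coding of pages 15-16, as an added Python example that is not code from the slides or from any of the cited tools. Each packet becomes one polyline across the axes Source IP addr, TCP source port, TCP dest port, Dest IP addr, every coordinate scaled to the axis range printed on the slide. The first packet is the one drawn there; the others are constructed so that one source fanning out over many destination ports shows up as the scan pattern. The colour rule (privileged destination port red, everything else blue), the SVG layout and the output file name are assumptions.

```python
import ipaddress

AXES = ("Source IP addr", "TCP source port", "TCP dest port", "Dest IP addr")

# Constructed packets as (src ip, src port, dst port, dst ip). The first is the
# packet drawn on the slide; the rest are made up so that one source fans out
# over many destination ports and the scan pattern is visible at a glance.
PACKETS = [
    ("192.168.2.1", 42424, 777, "130.2.5.42"),
    ("192.168.2.1", 42425, 22, "130.2.5.42"),
    ("192.168.2.1", 42426, 80, "130.2.5.42"),
    ("192.168.2.1", 42427, 443, "130.2.5.42"),
    ("192.168.2.1", 42428, 8080, "130.2.5.42"),
    ("10.4.4.9", 51000, 443, "130.2.5.42"),
]


def ip_to_unit(ip):
    """Scale an IPv4 address onto the 0.0.0.0 .. 255.255.255.255 axis as 0..1."""
    return int(ipaddress.IPv4Address(ip)) / 0xFFFFFFFF


def port_to_unit(port):
    """Scale a TCP port onto the 0 .. 65,535 axis as 0..1."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port / 65535


def packet_to_units(pkt):
    src, sport, dport, dst = pkt
    return (ip_to_unit(src), port_to_unit(sport), port_to_unit(dport), ip_to_unit(dst))


def color_for(pkt):
    """Pre-attentive colour: red for privileged destination ports (< 1024),
    blue for everything else. Assumed rule, not from the slides."""
    return "#c00" if pkt[2] < 1024 else "#06c"


def render_parallel_plot(packets, width=640, height=360, margin=40):
    """Return an SVG document: one vertical axis per field, one polyline per packet."""
    n = len(AXES)
    xs = [margin + i * (width - 2 * margin) / (n - 1) for i in range(n)]
    top, bottom = margin, height - margin
    out = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="{height}">']
    for x, name in zip(xs, AXES):
        out.append(f'<line x1="{x:.1f}" y1="{top}" x2="{x:.1f}" y2="{bottom}" stroke="#999"/>')
        out.append(f'<text x="{x:.1f}" y="{bottom + 15}" font-size="10" '
                   f'text-anchor="middle">{name}</text>')
    for pkt in packets:
        # high values at the top of each axis, as on the slide
        pts = " ".join(f"{x:.1f},{bottom - u * (bottom - top):.1f}"
                       for x, u in zip(xs, packet_to_units(pkt)))
        out.append(f'<polyline points="{pts}" fill="none" stroke="{color_for(pkt)}" '
                   f'stroke-opacity="0.7"/>')
    out.append("</svg>")
    return "\n".join(out)


def animation_frames(packets):
    """The animated variant: frame k shows the first k+1 packets, so replaying the
    frames draws each packet as it arrives."""
    return [render_parallel_plot(packets[: k + 1]) for k in range(len(packets))]


if __name__ == "__main__":
    with open("parallel_plot.svg", "w") as fh:
        fh.write(render_parallel_plot(PACKETS))
    print(f"wrote parallel_plot.svg with {len(PACKETS)} packets")
```

Ports are scaled linearly, so the well-known ports below 1024 all collapse into the bottom 1.6% of the axis; if the interesting traffic lives there, a log or piecewise scale for the port axes is the first thing to change.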

Page 41:

Link graphs: nomenclature

Source -> Event -> Target

Page 42:

Link graphs: hidden information

[Figure: the link graph of page 35 redrawn with a different column order; sources 213.3.104.65 and 217.162.11.45, target 111.222.195.59, destination ports 80 and 21. With the port column in the middle the graph no longer shows which source reached which target on which port.]
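The link-graph nomenclature of pages 35 and 41 and the hidden-information problem of page 42, as an added Python example that is not taken from the slides or from any referenced tool. A three-column link graph stores only two edge sets (source -> event and event -> target); a reader joins them through the shared middle node, so whenever a middle node has several neighbours on both sides the picture also suggests combinations that never occurred. The code builds the graph for a chosen column order, computes the triples the picture implies and reports the spurious ones; `lossless_orders` goes beyond the slide and tries every column order to find the ones that hide nothing. The three records are constructed: the addresses and ports are the slide's, 111.222.195.60 is an added second target.

```python
from itertools import permutations

FIELDS = {"src": 0, "dport": 1, "dst": 2}

# Constructed records (source address, destination port, destination address).
# The addresses and ports are the ones on the slide; 111.222.195.60 is an added
# second target so that the ambiguity actually shows up.
RECORDS = [
    ("213.3.104.65", 80, "111.222.195.59"),
    ("217.162.11.45", 80, "111.222.195.60"),
    ("217.162.11.45", 21, "111.222.195.60"),
]


def link_graph(records, order):
    """Edge sets of a source -> event -> target link graph for the given column
    order, e.g. ("src", "dport", "dst"). Nodes are labelled by value, so a port
    used by several records becomes one shared node, which is where information
    gets hidden."""
    a, b, c = (FIELDS[f] for f in order)
    left = {(r[a], r[b]) for r in records}
    right = {(r[b], r[c]) for r in records}
    return left, right


def implied_triples(left, right):
    """Everything a reader can infer from the picture: each left edge joined
    with each right edge that shares its middle node."""
    return {(x, m, y) for (x, m) in left for (m2, y) in right if m == m2}


def hidden_information(records, order):
    """Triples the graph suggests that are not in the data, in the chosen
    column order. Empty means the graph can be read back exactly."""
    a, b, c = (FIELDS[f] for f in order)
    real = {(r[a], r[b], r[c]) for r in records}
    return implied_triples(*link_graph(records, order)) - real


def lossless_orders(records):
    """All column orders whose graph can be read back without ambiguity."""
    return [o for o in permutations(FIELDS) if not hidden_information(records, o)]


def to_dot(records, order):
    """Graphviz source for the chosen order, to look at it with `dot -Tpng`."""
    left, right = link_graph(records, order)
    edges = sorted(left | right, key=str)
    body = "\n".join(f'  "{u}" -> "{v}";' for u, v in edges)
    return f"digraph g {{\n  rankdir=LR;\n{body}\n}}"


if __name__ == "__main__":
    for order in permutations(FIELDS):
        print(order, "hidden:", sorted(hidden_information(RECORDS, order), key=str))
    print(to_dot(RECORDS, ("dport", "src", "dst")))
```

On these records the two orders with the destination port in the middle each suggest two connections that never happened, while the four orders with an address in the middle are exact; whether an order is safe depends on the data, which is why the check is worth running before choosing the layout rather than fixing one order for all logs.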

Page 43:

Demo Network Visualization Tool

Demo

Page 44:

References

[1] Robert Ball, Glenn A. Fink, and Chris North. Home-centric visualization of network traffic for security administration. In VizSEC/DMSEC '04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pages 55-64. ACM Press, 2004.

[2] Ryan Blue, Cody Dunne, Adam Fuchs, Kyle King, and Aaron Schulman. Visualizing real-time network resource usage. In Proceedings of the 5th International Workshop on Visualization for Computer Security, VizSec '08, pages 119-135, Berlin, Heidelberg, 2008. Springer-Verlag.

[3] Bill Cheswick, Hal Burch, and Steve Branigan. Mapping and visualizing the internet. In Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC '00, pages 1-1, Berkeley, CA, USA, 2000. USENIX Association.

[4] Greg Conti. Security Data Visualization: Graphical Techniques for Network Analysis. No Starch Press, 2007.

[5] Anita D. D'Amico and K. Whitley. The real work of computer network defense analysts. In Goodall et al. [8], pages 19-37.

[6] Stefano Foresti, Jim Agutter, Yarden Livnat, Shaun Moon, and Robert Erbacher. Visual correlation of network alerts. IEEE Computer Graphics and Applications, pages 48-59. IEEE, 2006.

[7] J. R. Goodall. Introduction to visualization for computer security. In John R. Goodall, Gregory Conti, and Kwan-Liu Ma, editors, VizSEC 2007, Mathematics and Visualization, pages 1-17. Springer Berlin Heidelberg, 2008. doi:10.1007/978-3-540-78243-8_1.

[8] John R. Goodall, Gregory J. Conti, and Kwan-Liu Ma, editors. VizSEC 2007, Proceedings of the Workshop on Visualization for Computer Security, Sacramento, California, USA, October 29, 2007, Mathematics and Visualization. Springer, 2008.

[9] Ivan Herman, Guy Melançon, and M. Scott Marshall. Graph visualization and navigation in information visualization: A survey. IEEE Transactions on Visualization and Computer Graphics, 6:24-43, January 2000.

[10] Noah Iliinsky and Julie Steele. Beautiful Visualization. O'Reilly Media, Inc., 2010.

[11] Noah Iliinsky and Julie Steele. Designing Data Visualizations. O'Reilly Media, Inc., 2011.

[12] A. Komlodi, P. Rheingans, Utkarsha Ayachit, J. R. Goodall, and Amit Joshi. A user-centered look at glyph-based security visualization. In Visualization for Computer Security, 2005 (VizSEC 05), IEEE Workshop on, pages 21-28, October 2005.

Page 45:

References cont.

[13] Kiran Lakkaraju, William Yurcik, and Adam J. Lee. NVisionIP: NetFlow visualizations of system state for security situational awareness. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, VizSEC/DMSEC '04, pages 65-72, New York, NY, USA, 2004. ACM.

[14] C. P. Lee, J. Trost, N. Gibbs, Raheem Beyah, and J. A. Copeland. Visual firewall: real-time network security monitor. In Visualization for Computer Security, 2005 (VizSEC 05), IEEE Workshop on, pages 129-136, October 2005.

[15] Yarden Livnat, Jim Agutter, Shaun Moon, Robert F. Erbacher, and Stefano Foresti. A visualization paradigm for network intrusion detection. In Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, pages 92-99. IEEE, 2005.

[16] Raffael Marty. Applied Security Visualization. Addison-Wesley Professional, 2008.

[17] Jonathan McPherson, Kwan-Liu Ma, Paul Krystosk, Tony Bartoletti, and Marvin Christensen. PortVis: a tool for port-based detection of security events. In Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, VizSEC/DMSEC '04, pages 73-81, New York, NY, USA, 2004. ACM.

[18] Toby Segaran. Programming Collective Intelligence. O'Reilly Media, Inc., 2007.

[19] Colin Ware. Information Visualization: Perception for Design. Morgan Kaufmann Publishers, 2004.

[20] Christopher D. Wickens, Diane L. Sandry, and Michael Vidulich. Compatibility and resource competition between modalities of input, central processing, and output. Human Factors: The Journal of the Human Factors and Ergonomics Society, 25(2):227-248, 1983.