This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz Mailinglist!

Discussion Entries

warning: Creating default object from empty value in /usr/www/users/zrlram/secviz/modules/taxonomy/taxonomy.module on line 1387.

conficker.c - ccTLD attractor

This is my smart analysis about the first 20days of April 2009 ccTLD (country code top level domain) generated by the algorithm used by worm for pseudo random domain name generation.
The following chart show the frequency for each ccTLD. As you can see there is a sort of attractor for some ccTLD such as AG, BO, LC, HN, PE, and TW. A singular point is for DJ ccTLD domain. For more information http://extraexploit.blogspot.com. This kind of analysis I think that is usefull for get evidence as indicator of conficker.c activities inside your corporate network.

Feedback are well come.


conficker.c - ccTLD attractor

SecViz Mailinglist - Subscribe Today!

SecViz has a mailinglist!

The charter for the list is the same as for the SecViz Web site: share, discuss, challenge, and learn about security visualization. The mailinglist should help to have more in-depth discussions and get quicker responses on specific topics. I am looking forward to some good discussions around visualization applications, visualization methods, use-cases, etc. Fire away!

Note that the list keeps a public archive!

VizSec 2009 Call For Participation

VizSec 2009
Workshop on Visualization for Cyber Security
October 11, 2009 / Atlantic City, NJ USA

The 6th International Workshop on Visualization for Cyber Security is a forum that brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques. Co-located this year with IEEE InfoVis/Vis/VAST, VizSec will continue to provide opportunities for the two communities to collaborate and share insights into providing solutions for security needs through visualization approaches. Accepted papers will be published by the IEEE and archived in the IEEE Digital Library. The authors of the best papers will be invited to extend and revise their paper for journal publication in a special issue of Information Visualization.

This year our focus is on advancing Visualization for Cyber Security as a scientific discipline. While art, engineering, and intuitions regarding the human element will always remain important if we are to obtain useful cyber security visualizations, advances in the scientific practice of research are needed. The scientific aspects of visualization for cyber security draw both on empirical observation (similar to many natural and social sciences) and formal science (such as the formal derivations in mathematics). Barriers confronting current researchers include concerns about available data, lack of a common agreement about what constitutes sound experimental design, the difficulties of measuring the relative effectiveness of security visualizations in practice, and the lack of a common understanding of user requirements. While many researchers are making progress in these and other critical areas, much work yet remains.

What To Submit

Papers offering novel contributions in security visualization are solicited. Papers may present technique, applications, practical experience, theory, or experiments and evaluations. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application. We encourage papers that report results on visualization techniques and systems in solving all aspects of cyber security problems, including how visualization applies to:
*Different aspects of security: software, networks and log files (e.g., Internet routing, packet traces and network flows, intrusion detection alerts, attack graphs, application security, etc.)
*Application of visualization techniques in formalizing, defining and analyzing security policies
*Forensic analysis, correlating events, cyber-defense task analysis
*Computer network defense training and offensive information operations
*Building rules, feature selection, and detecting anomalous activity
*Software, software security, and viruses
*Deployment and field testing of VizSec systems
*Evaluation and user testing of VizSec systems
*User and design requirements for VizSec systems
*Lessons learned from development and deployment of VizSec systems
*“Field Research” Best Practices
*Interaction with domain experts – best practices, lessons learned
*Differentiating the needs of different domains and time frames
*Best practices for obtaining and sharing potentially sensitive data for purposes of visualization and assessment, including how to approach personal privacy, regulatory, and organizational issues
*Metrics and measurements (e.g., criteria for the relative effectiveness of cyber visualizations)
*Handling large datasets, scalability issues, and providing real time or near-real time visualizations
Accepted papers will be published by the IEEE and made available through the IEEE Digital Library.

Paper Format:

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All submissions should be appropriately anonymized (i.e., papers should not contain author names or affiliations, or obvious citations). Submissions are to be made to the submission web site at http://www.vizsec.org/vizsec2009/submit. Only pdf files will be accepted. Papers should be formatted using the IEEE templates (see http://www.vizsec.org/vizsec2009/ for instructions).
*Full papers should be at most 12 pages, including the bibliography and appendices.
*Short papers should be at most 6 pages, including the bibliography and appendices.
Committee members are not required to read the appendices, and so the paper should be intelligible without them. Submissions not meeting these guidelines risk rejection without consideration of their merits. Authors of accepted papers must guarantee that their papers will be presented at the conference.

Papers must be received by the deadline of April 24, 2009, for long papers and May 22, 2009, for short papers.

Journal Special Issue

The authors of the best papers from the accepted program will be invited to extend and revise their paper for a special issue of Information Visualization (IVS), an international, peer-reviewed journal publishing articles on fundamental research and applications of information visualization. These papers will be chosen by the program committee.

Paper Award

There will be an award for the best paper from the accepted program. The best paper award will be given to the paper judged to have the highest overall quality. A key element of the best paper selection process will be whether the results are believed to be repeatable by other scientists based on the algorithms and data provided in the paper. This award will be chosen by the program committee.


A limited number of scholarships will be available for students and first-year faculty who have had papers accepted to VizSec.

Organizing Committee

General Chair Deborah Frincke, Pacific Northwest National Laboratory and University of Washington
Program Co-Chair: Carrie Gates, CA Labs
Program Co-Chair: John Goodall, Secure Decisions Division of Applied Visions
Papers Chair: Robert Erbacher, Utah State University

Program Committee

Richard Beijtich, General Electric, USA
Greg Conti, United States Military Academy, USA
Marc Dacier, Symantec Research Labs, France
Anita D’Amico, Secure Decisions div. of Applied Visions, USA
Ron Dilley, Information Security Professional, USA
Dave Ebert, Purdue University, USA
Glenn Fink, Pacific Northwest National Lab, USA
John Gerth, Stanford University, USA
Warren Harrop, Swinburne Univ. of Technology, Australia
Mark Haselkorn, University of Washington, USA
Richard Johnson, Microsoft, USA
Richard Kemmerer, UC Santa Barbara, USA
Toby Kohlenberg, Intel, USA
Florian Mansmann, University of Konstanz, Germany
Raffael Marty, Splunk, USA
Doug Maughan, Department of Homeland Security, USA
John McHugh, Dalhousie Univ., Canada, and Univ. NC, USA
Jan P. Monsch, Dublin City University, Ireland
Chris North, Virginia Tech, USA
Stephen North, AT&T Research, USA
Sean Peisert, UC Davis, USA
Greg Schmidt, SPADAC, USA
George Tadda, Air Force Research Lab, USA
Ed Talbot, Sandia National Laboratories, USA
Joanne Treurniet, Defence R&D Canada, Canada
Grant Vandenberghe, Defence R&D Canada, Canada
Kirsten Whitley, Department of Defense, USA
Pak Chung Wong, Pacific Northwest National Lab, USA
Tamara Yu, Massachusetts Institute of Technology, USA


DNS tunnel detection

I've been frustrated with large-scale traffic analysis tools for a long time. I recently did some DNS traffic analysis to study possibilities for detecting DNS tunnels.

I wrote up my traffic analysis thoughts in a study of dns. The result of that paper was thresholds of typical DNS hostname request lengths, at least for my traffic. Not satisfied with a static threshold, I built a visualization for the traffic using processing. The writeup of the visualization is available in part ii.

A picture is attached of dns hostname requests when ssh'ing over dns using dns2tcp. The code is available as well; you can visualize your own captures or live traffic off the wire.


Visualization of DNS tunnel traffic

Tag Cloud Applied to Firewall Data

I used a JavaScript tag cloud implementation to visualize some firewall data. I used the source IP address to mimic the words from the tag cloud. Check out a working implementation.

Visualization Tool Data Formats - A Constant Frustration

I was just looking at some java script and flash visualization tools: MooWheel, JavaScript Information Visualization ToolKit JIT, Open Flash Chart.

And there it is again, that frustration about data formats. I wanted to try the tools with my own data, just to realize that each and every tool had another input requirements. None of them takes simple CSV input! They want arrays:

var data = [{
             id: 'joeb',
             text: 'Joe B',
             connections: ['ryank', 'charliec']

My favorite - how can I be surprised - JSON. It had to happen. I hate the Web 2.0 people for this. Sorry.

var json = [
	"id": "aUniqueIdentifier",
	"name": "usually a nodes name",
	"data": [
	    {key:"some key",       value: "some value"},
		{key:"some other key", value: "some other value"}

All of these formats are just absolutely horrible to generate. I have CSV data, or at least I can generate that easily! Will I really have to write converters for all of this?

Security Visualization and Log Analysis Workshop - Sign up now!

"Log Analysis and Security Visualization" is a two-day training class held on March 9th and 10th 2009 in Boston during the SOURCE Boston conference that addresses the data management and analysis challenges of today's IT environments.
Applied Security VisualizationThe students will leave this class with the knowledge to visualize and manage their own IT data. They will learn the basics of log analysis, learn about common data sources, get an overview of visualization techniques, and learn how to generate visual representations of IT data for a number of different use-cases from DoS and worm detection to compliance reporting. The training is filled with hands-on exercises utilizing DAVIX, the open-source data analysis and visualization platform.
The trainer is the author of the book Applied Security Visualization and has been working on log analysis for many years.

Register today to secure your spot.

25C3 DAVIX Visualization Contest

Are you looking for a little challenge for the days between Christmas and New Year? Yes? Well, then try the 25C3 visualization contest and win a copy of Raffael's book "Applied Security Visualization". For details regarding the task and submission details see the 25C3 DAVIX Visualization Bootcamp page.

New Zenmap adds feature that does topology mapping

Zenmap is a GUI front end for nmap, the popular network and port scanning tool by fyodor.

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scans can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. A typical Zenmap screen shot is shown in Figure 12.1. See the official Zenmap web page for more screen shots.

New IP visualization tools released as open source by Utah State University

Both of these tools were recently released by Utah State University under the GPL license. You can read more about them by following the links, including sample movies that demonstrate how the tools work. The tools were created by Rian Shelley.

IPVisualizer is a visualization in which a range of IP addresses are represented as dots on a screen. The shape, intensity, and color of the dot indicate the direction, count, and type of the traffic, respectively.

OIP is a visualization in which individual machine IPs are placed randomly on a display, and packets are visualized as different sized dots flowing from one machine to another.