Discussions

This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz Mailinglist!

Discussion Entries

Visualization Tool Data Formats - A Constant Frustration

I was just looking at some java script and flash visualization tools: MooWheel, JavaScript Information Visualization ToolKit JIT, Open Flash Chart.

And there it is again, that frustration about data formats. I wanted to try the tools with my own data, just to realize that each and every tool had another input requirements. None of them takes simple CSV input! They want arrays:

var data = [{
             id: 'joeb',
             text: 'Joe B',
             connections: ['ryank', 'charliec']
            },

My favorite - how can I be surprised - JSON. It had to happen. I hate the Web 2.0 people for this. Sorry.

var json = [
{
	"id": "aUniqueIdentifier",
	"name": "usually a nodes name",
	"data": [
	    {key:"some key",       value: "some value"},
		{key:"some other key", value: "some other value"}
	],

All of these formats are just absolutely horrible to generate. I have CSV data, or at least I can generate that easily! Will I really have to write converters for all of this?

Security Visualization and Log Analysis Workshop - Sign up now!

"Log Analysis and Security Visualization" is a two-day training class held on March 9th and 10th 2009 in Boston during the SOURCE Boston conference that addresses the data management and analysis challenges of today's IT environments.
Applied Security VisualizationThe students will leave this class with the knowledge to visualize and manage their own IT data. They will learn the basics of log analysis, learn about common data sources, get an overview of visualization techniques, and learn how to generate visual representations of IT data for a number of different use-cases from DoS and worm detection to compliance reporting. The training is filled with hands-on exercises utilizing DAVIX, the open-source data analysis and visualization platform.
The trainer is the author of the book Applied Security Visualization and has been working on log analysis for many years.

Register today to secure your spot.

25C3 DAVIX Visualization Contest

Are you looking for a little challenge for the days between Christmas and New Year? Yes? Well, then try the 25C3 visualization contest and win a copy of Raffael's book "Applied Security Visualization". For details regarding the task and submission details see the 25C3 DAVIX Visualization Bootcamp page.

New Zenmap adds feature that does topology mapping

Zenmap is a GUI front end for nmap, the popular network and port scanning tool by fyodor.

Introduction
Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scans can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. A typical Zenmap screen shot is shown in Figure 12.1. See the official Zenmap web page for more screen shots.

New IP visualization tools released as open source by Utah State University

Both of these tools were recently released by Utah State University under the GPL license. You can read more about them by following the links, including sample movies that demonstrate how the tools work. The tools were created by Rian Shelley.

IPVisualizer
IPVisualizer is a visualization in which a range of IP addresses are represented as dots on a screen. The shape, intensity, and color of the dot indicate the direction, count, and type of the traffic, respectively.

OIP
OIP is a visualization in which individual machine IPs are placed randomly on a display, and packets are visualized as different sized dots flowing from one machine to another.

Display Time in Link Graphs

I just wrote a blog entry about some ideas of displaying time in link graphs. This is a problem that has bugged me for a while and I still don't have a good solution. The blog entry outlines some ideas and alternatives. Maybe you have a better way to visualize relationships and time in the same graph?

Housekeeping - Comments to entries

I have made a minor change with regards to letting people post comments to discussion entries. It used to be the case that anyone was able to post comments on the site. Unfortunately that meant that I got spammed quite badly. I realized that I had a huge approval queue for comments. I went through some of them and published them. Sorry if I deleted a comment of yours. Please repost if your comment got lost.

From now on, new comments can only be posted when logged in. Sorry for the inconvenience, but this should help a lot to make discussions more interactive through the comments.

Thanks for everybody that commented on broken links and such. I hope I fixed everything at this point. As always, if you have any input for the site, please let me know. Either by sending me an email or posting something here. Thx!

SecViz now has a Twitter feed

Follow SecViz on the brand new twitter feed: @SecViz.

 

Security Visualization Workshop in Hong Kong

As part of the ISSummit in Hong Kong, I will be teaching a one day workshop on security visualization. The following is the abstract of the training:

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. The attendees will get an overview of visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises.

The talk is going over the following individual topics:


  1. Section 1:Visualization
    Visualization is the core topic of this training. The first section introduces some basic visualization concepts and graph design principles that help generate visually effective graphs.

  2. Section 2:Data Sources
    Visualization cannot exist without data. This section discusses a variety of data sources relevant to computer security. I show what type of data the various devices generate, show how to parse the data, and then discuss some of the problems associated with each of the data sources.

  3. Section 3:Visually Representing Data
    Data can be visualized in many different ways. This section takes a closer look at various forms of visualizations. It first discusses generic graph properties and how they can help encode information. It then delves into a discussion of specific visualizations, such as charts, box plots, parallel coordinates, links graphs, and treemaps. The section ends with a discussion of how to choose the right graph for the data visualization problem at hand.

  4. Section 4: Data Visualization Tools
    After a short introduction to different data formats used by visualization tools, this section then discusses visualization to
    ols and libraries. Based on the Data Visualization and Analysis UNIX (DAVIX) distribution I show how simple it is to generate
    visual representations of IT data.

  5. Section 5: Perimeter Threat
    This section is a collection of use-cases. It starts out with a discussion of use-cases involving traffic-flow analysis. Everything from detecting worms to isolating denial-of-service attacks and monitoring traffic-based policies is covered. The use-cases are then extended to firewall logs, where a large firewall ruleset is analyzed first. In a second part, firewall logs are used to assess the ruleset to find potential misconfigurations or security holes. Intrusion detection signature tuning is the next two use-case. The remainder of the section looks at application layer data. Email server logs are analyzed to find open relays and identify email-based attacks. The section closes with a discussion of visualizing vulnerability scan data.


Should you be in Hong Kong on November 20th, come check out the training. Should you miss it, I will be teaching a two day workshop at SourceBoston, Boston in March 2009.