This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz Mailinglist!

Discussion Entries

warning: Creating default object from empty value in /usr/www/users/zrlram/secviz/modules/taxonomy/taxonomy.module on line 1387.

Treemaps for Windows firewall log

Does anyone have a parser for using Windows firewall logs with Treemap???

Augmented Reality - The next step in security Visualization

We've been playing around with augmented reality for a time now, the technology seems to be on a tipping point with iphone (not just the overlay - not truly AR, but they do have true AR apps) , android and other forms of capture and processing. To me this is the future of security visualization. I know it is a bold statement to make, but when you start to develop and delve deeper the possiblilities are endless. If you look at my site you will see the direction of our research. ( http://www.manntechcomputersinc.com/Researching_Now.html ) Im going to release a video asap of where we are with our AR. I think the subject of security AR is too important to completely commercialize. With that respect any "breakthrough's" that we are having will be made open source. If some of you are new to the AR scene there is a good open source tool called artoolkit. Google it and you will see it doesn't take an hour to start playing and testing with AR. For those of you interested please drop me a line at darrenmanners@manntechcomputersinc.com.

Augmented Reality

Windows login logging on the cheap

This tool walks the line of being a parser but it is a pretty handy way of converting Windows logins to something useful to graph. Put this in your login scripts and point it at your syslog infrastructure and you get all the gory details about windows who is logging into what system and the IP/NETBIOSNAME/MAC of the system is in a single log line.


Sphere of Influence 2.1 - upcoming release

Im just about to launch 2.1 version of Sphere Of Influence. I have added a summary page. Here I took a typical 800X600 window and made each pixel represent appx 164 ports. I wanted to visualize the entire port spectrum so that an anaylist can drill down on spotted patterns. I have included a screenshot of the new window...in this shot you can see some peer to peer activity at work. The new version will also have a "hourly wrap up" summary which is pretty extensive in its details, also I added a world map for snort. It should be launched in the next few weeks. Remember this is free for state, federal and educational establishments (worldwide)..companies have to pay, but for $89 I think you get a bargain. Im also working on a very cool project for VOIP systems.....stay tuned

Happy Hunting


Note: I have a new video out on youtube (http://www.youtube.com/watch?v=ekOXjrF9enI) that you can see the new visuals....release is very soon!!! (and we added the Cisco IPS into the mix as well)

Summary Window

Symantec A/V log parser

I was culling through the logs on one of my systems the other day and realized that I was getting a fair amount of alerts from my Symantec A/V servers. At first, I was not interested in what malware was being detected and cleaned but it got me thinking about what interesting patterns existed. I suspected that the majority of malware infections were caused by a minority of users as most malware these days require some user action. To test this theory I wrote a simple parser
to convert the logs to something that I could push into a visualizer and started looking for interesting patterns.

Here is a histogram and a heatmap of several months of data.

A/V Malware detect heat map

Picviz GUI 0.7 is out!

As announced on the Picviz mailing list, the new GUI is out. This is not a new release of the engine (libpicviz) but the GUI.

There is a lot of new feature that came from the Google summer of code, since Picviz was a project proposed by the Honeynet project. It is mostly about interaction that a graphical interface can give you to deal with parallel coordinates.

You can download it there: http://www.wallinfire.net/files/picviz

Picviz GUI 0.7

Sphere Of Influence 2.0

As promised once I managed to get 2.0 out I would make 1.0 a free download. 2.0 we've added the world map, timeline and organizational data. What was interesting was we started to look for "soft" targets, home users, colleges etc. The places that hackers tend to "train" on...( I know that some colleges and home users are built like fort Knox : )
When we started to use the filters on the timeline, specifically looking for universites it opened up a whole new avenue for exploration. I found a couple of systems with possible "interesting" traffic not detected by my snort, Cisco IPS or symantec software. We're in the process of adding an hourly report. I wanted this to be similar to the hourly wrap conducted by most organizations..ie looking for "strange" traffic (low port to low port, multiple connections to new ip addresses but source port remaining the same etc etc...anything that we would consider "crafted" or maybe unusual.) I think the timeline gives an interesting filter approach to visually looking at the data...we have some other stuff up our sleeve (especially with the timeline...but also about displaying the hourly datasets....I thought about a "virus" like approach with "cells" representing events, but turning darker and mutating if they meet preconditions...i know it sounds strange but in my head it seems to work :) )

you can download the free "lite" version (no timeline, no world map, no organizational data etc but should give you an idea how easy it is to set up)


and yes we will update the demo page to include the new stuff.....:)

SOI 2.0

Money Mule, Phishing and AFF SPAMclouds

Mainly as a bit of fun, I thought it would be interesting to sort some of our SPAM into distinct groups and make some wordclouds, or more specifically SPAMclouds from the content of the spam.
Attached is the cloud for SPAM attempting to recruit Money Mules.

You can see the Phishing and Advance Fee Fraud (AFF) clouds and the full story here http://honeynet.org.au/?q=spamclouds


Money Mule SPAMcloud

CISSE Working Group Outcomes - Security Visualization Challenges

At the CISSE 2009 conference, we held a workshop on Security Visualization, during which we identified a number of research problems associated with security visualization. You can find them listed below. Tomorrow, we will identify use-cases for security visualization. If you have any use-cases that you want us to consider, comment on here!

Security Visualization Research Problems

Important Realization: Visualization is generally an add-on to a specific problem or task. This dilutes the research community, since there are data visualizations of many different areas of interest.

Data Acquisition

  • Data normalization: aggregation, filter, and augmentation. Common formats are needed that span the requirements.

  • Accessing data (transport problems)

  • Data security issues (confidentiality, integrity)

  • Context collection

  • Real-time processing (collection and visualization)

  • Data disposal / destruction

  • What to do with missing data / gaps?

  • “Cleaning” data

Visual Representations

  • Time series representations instead of snap-shots

  • Are three-dimensional / interactive visualizations more intuitive / easier to use than, for example, a set of two dimensional representations?
  • Education of Expert Witnesses: how to present scientific data and explain visualizations in terms that are understandable by juries, prosecutors, and judges

  • The challenge of transitioning data into evidence is an on-going problem. The starting point is raw data, which is then transformed into a visual representation, which is then contextually interpreted as information. There are many issues with this process, including appropriate representation of actual or relational time sequence and the provability of the linkage between the raw data and the interpreted information.

  • Photo classification: A challenge is the emerging area of photo-realistic cartoons or imagined figures, which are getting so life-like that they are crossing the boundary from good to evil when used inappropriately.

  • Extremely large data set analyses, focusing on making them faster while maintaining accuracy

  • Integration of many variables into a useful visualization, where many means 4 or more variables.

Visual Interpretations

  • “Bridging the Gap”: creating visualizations that are intuitively interpretable by non-trained people. This implies needed integration of knowledge from the fields of sociology, cultural anthropology, learning theory, neuroscience, psychology, disability amelioration, etc.

  • Understanding visual representations: interpreting actual meaning from the visualization can be challenging. Research into how to make this more intuitive is needed, as is research in how to best educate analysts. Additionally, better human-interpretable visualizations are needed.

  • Visualization as an accelerator of identification of anomaly judgment (OK versus Not OK)

  • Interpretative visualization tools

  • Enable a better interpretation of complexities in relationships and interactions in data sets.

Overall Problems

  • Scientific validation of tools (Type 1 and Type 2 error rates; perhaps tool certification as being built with “pure” software, perhaps Common Criteria type certification)

  • Need to create an inter-disciplinary community of visualization researchers that talk to each other and share methods so that the wheel does not need to re-invented between communities

help debugging tcpdump2csv.pl?

I'm trying to use afterglow 1.5 on a gentoo system and running into an issue that I hope you can help me figure out.
When I read a dump file into tcpdump2csv.pl, using the switches documented, I get absolutely no output. If I turn on debug, I get my tcpdump lines, preceded by "ERROR:" as below:
ERROR: 2009-05-04 18:37:28.332949 In ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 77)
ERROR: > 14710 1/0/0 mail.lab.spb.ru. A (49)
If I run with tcpdump -ttnnlr, I get a little closer to the lines in your documentation, in that the timestamp is on the same line as the capture info:
ERROR: 1241462458.413252 In ethertype IPv4 (0x0800), length 93: > 7712 1/0/0 A (49)

There is no description of what the error is, and still no CSV output is appearing.
If it makes a difference, I am running with tcpdump 4.0. If I can add an ebuild for afterglow 2.0 for the gentoo world, I will give that a try and see if I get a little further.