Discussion Entries

As part of the ISSummit in Hong Kong, I will be teaching a one day workshop on security visualization. The following is the abstract of the training:

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. The attendees will get an overview of visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises.

The talk is going over the following individual topics:

1. Section 1:Visualization
   Visualization is the core topic of this training. The first section introduces some basic visualization concepts and graph design principles that help generate visually effective graphs.


2. Section 2:Data Sources
   Visualization cannot exist without data. This section discusses a variety of data sources relevant to computer security. I show what type of data the various devices generate, show how to parse the data, and then discuss some of the problems associated with each of the data sources.


3. Section 3:Visually Representing Data
   Data can be visualized in many different ways. This section takes a closer look at various forms of visualizations. It first discusses generic graph properties and how they can help encode information. It then delves into a discussion of specific visualizations, such as charts, box plots, parallel coordinates, links graphs, and treemaps. The section ends with a discussion of how to choose the right graph for the data visualization problem at hand.


4. Section 4: Data Visualization Tools
   After a short introduction to different data formats used by visualization tools, this section then discusses visualization to
   ols and libraries. Based on the Data Visualization and Analysis UNIX (DAVIX) distribution I show how simple it is to generate
   visual representations of IT data.


5. Section 5: Perimeter Threat
   This section is a collection of use-cases. It starts out with a discussion of use-cases involving traffic-flow analysis. Everything from detecting worms to isolating denial-of-service attacks and monitoring traffic-based policies is covered. The use-cases are then extended to firewall logs, where a large firewall ruleset is analyzed first. In a second part, firewall logs are used to assess the ruleset to find potential misconfigurations or security holes. Intrusion detection signature tuning is the next two use-case. The remainder of the section looks at application layer data. Email server logs are analyzed to find open relays and identify email-based attacks. The section closes with a discussion of visualizing vulnerability scan data.
6. 
   

Should you be in Hong Kong on November 20th, come check out the training. Should you miss it, I will be teaching a two day workshop at SourceBoston, Boston in March 2009.

Welcome to DAVIX

Congratulations, you successfully started DAVIX and connected to the Internet.

If you have an account on SeViz already, please sign in on the left side. If you do not have an account yet, please sign up for an account so we can keep you informed of new versions of DAVIX and new and cool things coming up.

New Account information

Username: *

Your preferred username; punctuation is not allowed except for periods, hyphens, and underscores.

E-mail address: *

A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.

DAVIX User

Indicate whether you are a user of DAVIX, a live CD for data analysis and visualization.

I recorded a short, 10 minute video where I am interviewed by Johnvey Hwang about the Applied Security Visualization book. We are talking about why I wrote the book, what the book is about, and also quickly talk about DAVIX. Tune in.

 
 
 
 

Skyrails is a social network (or any graph really) visualization system. It has a built in programming language for processing (as far as visualisation attributes goes) the graph and its attributes. The system is not only aimed at expert users though, because through the scripting languages menus can be built and the system can be used by any users.

The main distinguishing point of the system comes from the built in scripting language, the added flexibility of how to represent attributes (nodes can be binded to planes and spheres based on their attributes) and the scriptability of the user interface system. This makes skyrails ideal for creating presentations targeted at the average users.

http://cgi.cse.unsw.edu.au/~wyos/skyrails/

skyrails in action:
http://www.youtube.com/watch?v=I2d312_dXEs

For those who are interested, here are the slides from the DAVIX workshop that Jan Monsch and Raffael Marty taught at DefCon 2008 in Vegas. The content is as follows:

• What's DAVIX all about? Architecture of the CD, etc.


• Very short introduction to Visualization


• An example analysis, how to detect worms in cell phone networks

Learn more about DAVIX.

Could I possibly get a little help with getting the afterglow / neato tools usefully working. have 291 lines of data and for the life of me the graphs I'm generating are quite poor.

I am not a Perl programmer but have managed to get cygwin working and afterglow & neato working.
using this sample set of the 291 I can get the two diagrams I have attached, but I would dearly like some advise how to generate a more representative image.

If this forum is inappropriate for a little mentoring then please advise / delete as appropriate.

With kind regards,
Stephen
10.140.122.23,10.142.162.88,80
10.142.40.198,10.142.44.233,80
10.129.20.81,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.45.191,10.142.162.88,80
10.239.41.33,10.143.23.79,80
10.142.36.98,10.142.162.88,80
10.142.36.98,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.143.24.45,10.142.44.233,80
10.142.41.194,10.142.162.88,80

After months of building and testing, the long anticipated release of DAVIX - The Data Analysis & Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exiting moment for us and we are curious to see how the product is received by audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not accounted.

All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage.

We wish you happy visualizing!

Kind regards
Jan

Have you noticed? There is a new logo for secviz.org. To be correct this is the first real logo. What was there before wasn't really a logo.

The Applied Security Visualization book is DONE and available in your favorite store!

You can download an electronic version of Chapter 5 for free! The book also ships with a version of DAVIX, the Data Analysis and Visualization Linux!

Martin McKeay recorded a podcast with me where I talk a little bit about the book.

Russ McRee wrote an article for the ISSA journel where he describes various security visualization approaches. SecViz is prominently featured, as well as a few tools, such as TNV, InetVis, and Rumint. The article also mentions DAVIX. You can read the article here.
In an older article, Russ talked about Argus – Auditing network activity. In that article, he mentions how to use AfterGlow for network traffic analysis.