This is a community portal. Sign up and start posting about analytics and visualization of security data.



Visualization of DNS tunnel traffic

Tag Cloud Applied to Firewall Data

I used a JavaScript tag cloud implementation to visualize some firewall data. I used the source IP addresses in place of the words in the tag cloud. Check out a working implementation.

Visualization Tool Data Formats - A Constant Frustration

I was just looking at some JavaScript and Flash visualization tools: MooWheel, the JavaScript Information Visualization Toolkit (JIT), and Open Flash Chart.

And there it is again, that frustration about data formats. I wanted to try the tools with my own data, just to realize that each and every tool had different input requirements. None of them takes simple CSV input! They want arrays:

var data = [{
             id: 'joeb',
             text: 'Joe B',
             connections: ['ryank', 'charliec']
           }];

My favorite - how can I be surprised - JSON. It had to happen. I hate the Web 2.0 people for this. Sorry.

var json = {
	"id": "aUniqueIdentifier",
	"name": "usually a node's name",
	"data": [
	    {key: "some key",       value: "some value"},
	    {key: "some other key", value: "some other value"}
	],
	"children": []
};

All of these formats are just absolutely horrible to generate. I have CSV data, or at least I can generate that easily! Will I really have to write converters for all of this?
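
The converters the post above dreads are short. What follows is an added example, not code from the post or from any of the tools it names. It assumes a constructed CSV firewall export with the columns sip,dip,dport (the header and rows are made up for the demo) and emits the three shapes that come up on this page: a weighted word list like the one the tag cloud post needs, the MooWheel node array, and a JIT tree. The function names and the CSV layout are this example's own.

```javascript
// Added example, not from the original post: CSV firewall export -> the
// input shapes of the JavaScript tools above. Column names and log lines
// are constructed for this demo.
const CSV = [
  "sip,dip,dport",
  "10.0.0.5,192.168.1.10,80",
  "10.0.0.5,192.168.1.10,443",
  "10.0.0.5,192.168.1.20,22",
  "10.0.0.7,192.168.1.10,80",
  "10.0.0.7,192.168.1.30,53",
  "10.0.0.9,192.168.1.20,22",
].join("\n");

// Minimal CSV reader: the header row names the columns; values here
// contain no quotes or embedded commas, so a plain split is enough.
function parseCsv(text) {
  const [header, ...lines] = text.trim().split("\n");
  const cols = header.split(",");
  return lines.map((line) => {
    const cells = line.split(",");
    return Object.fromEntries(cols.map((c, i) => [c, cells[i]]));
  });
}

// Tag cloud input: the "word" is the source IP, its weight the number of
// log lines that came from it.
function sourceIpWeights(records) {
  const counts = new Map();
  for (const r of records) counts.set(r.sip, (counts.get(r.sip) || 0) + 1);
  return [...counts].map(([text, weight]) => ({ text, weight }));
}

// MooWheel input: one entry per node (sources and destinations share the
// single ring) with the ids of the nodes it connects to.
function toMooWheel(records) {
  const conn = new Map();
  for (const r of records) {
    if (!conn.has(r.sip)) conn.set(r.sip, new Set());
    if (!conn.has(r.dip)) conn.set(r.dip, new Set());
    conn.get(r.sip).add(r.dip);
  }
  return [...conn].map(([id, peers]) => ({ id, text: id, connections: [...peers] }));
}

// JIT tree input: root -> destination IP -> destination port, with the hit
// count carried in each node's data array as JIT expects.
function toJitTree(records) {
  const byDip = new Map();
  for (const r of records) {
    if (!byDip.has(r.dip)) byDip.set(r.dip, new Map());
    const ports = byDip.get(r.dip);
    ports.set(r.dport, (ports.get(r.dport) || 0) + 1);
  }
  return {
    id: "root",
    name: "firewall",
    data: [],
    children: [...byDip].map(([dip, ports]) => ({
      id: dip,
      name: dip,
      data: [{ key: "hits", value: String([...ports.values()].reduce((a, b) => a + b, 0)) }],
      children: [...ports].map(([port, n]) => ({
        id: `${dip}:${port}`,
        name: port,
        data: [{ key: "hits", value: String(n) }],
        children: [],
      })),
    })),
  };
}

const parsed = parseCsv(CSV);
console.log(JSON.stringify(sourceIpWeights(parsed)));
console.log(JSON.stringify(toMooWheel(parsed)));
console.log(JSON.stringify(toJitTree(parsed), null, 1));
```

Run it with node and paste each printed structure into the respective tool's sample page; swapping the CSV constant for a real export only requires that the header carry the three column names.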

Security Visualization and Log Analysis Workshop - Sign up now!

"Log Analysis and Security Visualization" is a two-day training class held on March 9th and 10th 2009 in Boston during the SOURCE Boston conference that addresses the data management and analysis challenges of today's IT environments.
The students will leave this class with the knowledge to visualize and manage their own IT data. They will learn the basics of log analysis, learn about common data sources, get an overview of visualization techniques, and learn how to generate visual representations of IT data for a number of different use cases, from DoS and worm detection to compliance reporting. The training is filled with hands-on exercises utilizing DAVIX, the open-source data analysis and visualization platform.
The trainer is the author of the book Applied Security Visualization and has been working on log analysis for many years.

Register today to secure your spot.

FastFlux Networks

The image shows data from several FastFlux domains (blue) and their infected nodes (red).
We can see that several FastFlux domains share the same nodes, so those nodes are inside several FastFlux networks associated with several domains.

The data was collected over several weeks of monitoring FastFlux domain entries.


Radial Firewall Log (DIP -> Dest Port)

This image shows data from a firewall log. It shows the connections between destination addresses and destination ports.

The script to generate the graph is written in ActionScript (Flare). I hacked the sample Flare file to have it read CSV data instead of JSON-formatted input. The script is a real hack at this point. If you want a copy, drop me a note. I will gladly share it. Here is the live graph.

Jason, thanks for all your help with the ActionScript stuff!

Radial Firewall Log (SIP -> DIP)

This is an image generated with Flare. The ActionScript parses a CSV file that was generated from a firewall log. It visualizes the connections between the source and destination IP addresses.

25C3 DAVIX Visualization Contest

Are you looking for a little challenge for the days between Christmas and New Year? Yes? Well, then try the 25C3 visualization contest and win a copy of Raffael's book "Applied Security Visualization". For details regarding the task and submission details see the 25C3 DAVIX Visualization Bootcamp page.

New Zenmap adds feature that does topology mapping

Zenmap is a GUI front end for Nmap, the popular network and port scanning tool by Fyodor.

Zenmap is the official graphical user interface (GUI) for the Nmap Security Scanner. It is a multi-platform, free and open-source application designed to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scans can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. A typical Zenmap screen shot is shown in Figure 12.1. See the official Zenmap web page for more screen shots.

New IP visualization tools released as open source by Utah State University

Both of the tools below were recently released by Utah State University under the GPL license. You can read more about them by following the links, including sample movies that demonstrate how the tools work. The tools were created by Rian Shelley.

IPVisualizer is a visualization in which a range of IP addresses are represented as dots on a screen. The shape, intensity, and color of the dot indicate the direction, count, and type of the traffic, respectively.

OIP is a visualization in which individual machine IPs are placed randomly on a display, and packets are visualized as different sized dots flowing from one machine to another.