Google Visualization API - A new Approach to Visualization?

Google has been working heavily on the visualization front. After acquiring GapMinder, they released various visualization related tools, such as Google Charts. The latest release has been the Google Visualization API (another announcement of the Google Visualization API).

The amount of charts available is fairly impressive. What I really like is the gapminder-like chart. It supports full interaction and is an amazing tool to see how data evolved over time. To see some more of the chart types, have a look at the visualization gallery.

Why is it important to Security Visualization?
I think what is going to happen is that more and more people will get exposed to the capabilities of interactive visualization. This will definitely drive a demand and hopefully trickle down into the world of security visualization. I am definitely looking forward to some interactive tools that assist me in analyzing my log files. Interaction won't be the be all end all solution. I still think security visualization is missing a significant piece. It's the piece where knowledge is translated. People need help visualizing their data. They need help in choosing the right charts, the right colors, etc. It's not easy, but hopefully my upcoming book on "Applied Security Visualization" is going to somewhat help. What is missing is just a translation of the book into a visualization application!

The announcement of the new Google visualization API went out earlier this week and has generated quite a bit of interested in the general community:


Google is also updating Google Docs to support the new visualization API. Along with the introduction of pivot tables, is this the end of Excel charting? For a walk-through of Google docs and the visualization feature, have a look at Juan Pablo's blog.

Visualizations of malware code

An article that passed by me recently that I haven't seen any posts about:
http://blog.washingtonpost.com/securityfix/2008/01/putting_a_scary_face_on_malici_1.html

Brian Krebs wrote it about an artist named Alex Dragulescu, who's doing really interesting visualizations of malware:
http://sq.ro/malwarez.php

Visiualizing Nepenthes' log_downloads

Visiualizing Nepenthes' log_downloads

I use Afterglow to process Nepenthes' logged_submission[1] logs. I needed to see how many hosts are associated with the same malicious binary. So the graph above one can see attacking hosts (green), a host that is hosting the malware (grey) and the binary that gets pulled from it (blue).

While I'm at this I might as well mention that I made the graph above a couple of days before meeting Mr. Marty at a conf in Indonesia :-)

[1] A typical logged_submission logs look like this:
[2007-03-29T17:22:47] 172.16.0.100 -> 172.16.0.10 tftp://172.16.0.100:69/teekids.exe 7097c55ee0535457025dd158bb1988bb

VizSEC 2008 Call For Participation

VizSEC 2008 Workshop on Visualization for Cyber Security
http://vizsec.org/workshop2008/
September 15, 2008 / Cambridge, MA USA
In conjunction with RAID 2008

The 5th International Workshop on Visualization for Cyber Security will provide a forum for new research in visualization for computer security. We are pleased to be holding this year's meeting in conjunction with the 11th International Symposium on Recent Advances in Intrusion Detection. The VizSEC Workshop will be held at MIT in Cambridge, Massachusetts USA on Monday, September 15, 2008.

As a result of previous VizSEC workshops, we have seen both the application of existing visualization techniques to security problems and the development of novel security visualization approaches. However, VizSEC research has focused on helping human analysts to detect anomalies and patterns, particularly in computer network defense. Other communities, led by researchers from the RAID Symposia, have researched automated methods for detecting anomalies and malicious activity.

The theme for this year's workshop, which will be held in conjunction with RAID 2008, will be on bridging the gap between visualization and automation, such as leveraging the power of visualization to create rules for intrusion detection and defense systems. We hope that VizSEC participants will stay for the RAID Symposium and RAID participants will consider coming a day early to participate in VizSEC.

We also solicit papers that report results on visualization techniques and systems in solving all aspects of cyber security problems, including:

* Visualization of Internet routing
* Visualization of packet traces and network flows
* Visualization of intrusion detection alerts
* Visualization of attack tracks
* Visualization of security vulnerabilities
* Visualization of attack paths
* Visualization of application processes
* Visualization for forensic analysis
* Visualization for correlating events
* Visualization for computer network defense training
* Visualization for offensive information operations
* Visualization for building rules
* Visualization for feature selection
* Visualization for cryptology
* Visualization for detecting anomalous activity
* Deployment and field testing of VizSEC systems
* Evaluation and user testing of VizSEC systems
* User and design requirements for VizSEC systems
* Lessons learned from development and deployment of VizSEC systems

All submitted papers will be peer-reviewed. Full and short papers from the workshop will be published in an edited book (details to follow).

Full Papers
Full papers should present mature research results. (We will release page count and formatting instructions when we confirm the details of publishing the proceedings.)

Short Papers
Short papers can be used to present less mature research results than full papers, or late-breaking results. (We will release page count and formatting instructions when we confirm the details of publishing the proceedings.)

Demos
Demonstrations can be used to show new or updated development efforts. Demo submissions should consist of a 2 page abstract.

Posters
Posters can be used to describe work in progress or updates to previously published VizSEC research or R&D. Poster submissions should consist of a 2 page abstract.

Deadlines
April 11, 2008 : Deadline for full paper submission
May 9, 2008 : Deadline for short paper submissions
July 11, 2008 : Deadline for poster and demo abstracts

http://vizsec.org/workshop2008/

NMap 'Gridsweep' Scan with Decoys

NMap 'Gridsweep' Scan with Decoys

The image shows a Nmap scan. It covers the middle half of class C network range (.64 to .192) and at the same time probes the popular ports at each address. It is a parallel network and port sweep with decoys to hide the true identity of the scanner - so it simultaneously address scans and port scans while spoofing other source addresses to obscure the scanners identity. The scan was generated by the Nmap command below:

nmap -sS 127.21.146.64-192 -e lo -F -T5 --host-timeout 10m --max-retries 0 --initial-rtt-timeout 25ms --max-rtt-timeout 250ms --max-scan-delay 250ms --scan-delay 10ms --min-hostgroup 32 --max-hostgroup 32 -D 16.0.0.1,64.0.0.1,216.0.0.1

In summary, the command tells Nmap to SYN scan the middle half of the loop-back network (-sS 127.21.146.64-192 -e lo) on common ports (-F) in a non-random manner (-r), and scan in parallel address blocks of 32 (--min-hostgroup 32 --max-hostgroup 32) while creating decoy packets with 3 spoofed addresses (-D 16.0.0.1,64.0.0.1,216.0.0.1).

The data is visualised in IneVis, a time-animated interactive 3-D packet trace visualisation. InetVis supports, IP ICMP, TCP, and UDP. Essentially, it's a 3-D scatter-plot:

  • Green vertical y-axis: destination TPC/UDP port
  • Blue horizontal x-axis: destination IP address
  • Red horizontal z-axis: source IP address

In the sample image, the lines are 'sweeping' across popular ports at each address (in the direction of the blue axis). Note the concentration in the lower port range (bottom green axis) where most common service ports reside. The four identical 'columns' of activity are the sources (separated by red-axis). One of these is the true scanner, the other's are spoofed decoys. The image is shown with a 45 minute time-window and 'transparent' ageing which makes older packets fainter. The chosen colour scheme is by destination port.

InetVis was inspired by Stephen lau's Spinning Cube of Potential Doom. For more details about InetVis, see: http://www.cs.ru.ac.za/research/g02v2468/inetvis.html.

Very Complex firewall rules?

Hi there,

currently I am searching for a nice tool (OSS/commercial) to do some jobs on my checkpoint firewall rules (cpdb2html generated a 348 page file):

1. Aggregation of rules - Let's say every server in a subnet has ssh enabled then I would like to create ONE rule for the whole environment and remove the dupes.
2. Visualization - I'd like to have a nice graph of my subnets where I can see the hosts and the ports which are openend.

I am no firewall administrator and I only saw the checkpoint GUI once - so maybe I am missing something obvious here.

Anyone?

Thanks and Kind Regards,
Ruediger G. Biernat

Interesting Visualization Research

I came across this presentation from Tamara Munzner. A great read about some of her latest research in visualization. Here are the tools the presentation references. They are really interesting and if you look around on Tamara's Web page, you will find some videos and the tools themselves.

  • Accordion Drawing: Tree Juxtaposer and Sequence Juxtaposer (olduvai.sourceforge.net)

  • LiveRAC to monitor time-series data (alarms and metrics)

  • SessionViewer for log analysis (well, really Web session analysis)

  • Glimer, something about multidimensional reductions. Don't ask me how this exactly works

  • Grouse, interactive hierarchy exploration

  • TopoLayout, Multi-Level Graph Layout by Topological Features

  • and some more specialized tools

glTail for realtime logfile visualization

Recently I've stumbled upon this interesting little app called glTail , it's pretty bare at the moment but there's potential.

Cheers

Bro-IDS Connection State Graph

Bro-IDS Connection State Graph

As I don't like duplication of the post, the detail explanation of the graph can be found at security.org.my here.

Cheers ;]

AfterGlow 1.5.9 Released

AfterGlow 1.5.9 is out. It's not a huge release, but it allows for some new things that, for example, Tenshi needed to make it more useful. The feature that helps there is that you can now dynamically change node labels.
Another new feature is the addition of URLs to nodes. This is needed to support image maps. If you generate an image map through GraphViz (-Tcmapx), you can provide URLs that go along with the nodes. If you then use that image map in an HTML file along with the graph, you have an interactive graph. If you are interested in how this looks, I blogged about a Splunk - AfterGlow integration on my Splunk blog. The new search command I built, is using image maps to build an HTML file, which is then linked back to Splunk. Check it out.