Discussion Entries

VizSEC 2007 Workshop on Visualization for Computer Security
To be held between October 28 and November 1, 2007 in Sacramento, CA
http://vizsec.org/workshop2007/

The VizSEC 2007 Workshop on Visualization for Computer Security will provide a forum for new research in visualization for computer security. Building on the success of the previous three VizSEC workshops, we will again be meeting in conjunction with the IEEE Vis and InfoVis Conferences. The workshop will be held in Sacramento, CA USA between October 28 and November 1, 2007. The exact date of the workshop is still to be determined by the Conference committee; please check the web site for further details.

Reasearchers and practitioners from academia and industry are encouraged to submit papers and attend the event. We are looking for diversity and are particularly hoping that practitioners who have experience designing and using visualization in the field will consider joining us. Please see the web site for further details: http://vizsec.org/workshop2007/

The DHS just released a solicitation for various security-related research projects among them TTA 4 - Network Data Visualization for Information Assurance. I am very pleased that the DHS puts visualization as one of their nine main concerns.
I am somewhat concerned with the solicitation however. They mention SiLK as one of the tool sets which the US-CERT uses a lot. And they would like to see visualization tools enhacing that suite. I am not sure that's the right thing to do. I think we need tools which do not just look at traffic flow information, but at all kinds of different data sources!
I am very curious what type of tools and solutions will be submitted for this and would love to see some advances and new approaches. Anyone going to submit?

So what are the benefits of visualization over other techniques? My favorite answer is this:

• "Visualization not only helps you answer questions that you have, but it elicits questions that you did not even think of before. So for some things you can come up with algorithms to solve your problems, but for others, you don't even know your problem upfront!"

There are many more benefits to visualization. Here are just a few:

• The bandwidth of data you can transfer in a picture is much bigger than having a human look at log files or textual data.


• Relationships become very apparent. Sometimes they are completely hidden without visualization.


• Interactive visualizations benefit from dynamic queries which are an incredible tool to explore data.


• Visualization inspires. You look at a picture or a graph and suddenly you realize what is really going on.


• It's a great tool to communicate information in a very compact and often easy to understand way.


• It definitely reduces analysis and response times. Sifting through thousands of line of logs is definitely slower than looking at a few graphs of the same data.

I am curious what other's think. Let's add to the list!

The National Science Foundation (NSF) has a challenge for science and engineering visualizations published. I am not sure if I have some visualizations that would qualify for the challenge. But maybe some of you have security data that could make the bar. I think it would be great to draw attention to visualization in the security space. So if you have something. Submit it!

On his blog, Anton started an entry about logging and gets into the topic of too many logs. I was suggesting visualization to analyze the vast amounts of logs in order to get a better handle/understanding of them. Anton countered with this:

Is this really the place to start a visualization fight? :-)

You know what my issue with visualization are:
- tools need really skilled analysts
- often the resulting picture is no more insightful than the original
 log pile
- I kinda prefer an analytic system which is smart to a visualization 
system which is... not so smart.

Let's move this discussion to secviz :-)

Another excellent paper or in this case a survey. The authors do a great job of surveying the space of structured data visualization. They explain very well what graph layouting is, what the different algorithms are, where the problems are hidden, what the solutions are, how interaction plays into all of this, and also discuss three-dimensional views and what their benefit is. Awesome survey, really worth reading if you are interested in graph layouts.

I read a fantastic paper on visual perception. A must read for everyone designing visual systems. The paper is called Perception in Visualization, written by Christopher G. Healey. The paper is very very practical. It presents the theory behind perception very well and always gives examples. Some of the topics covered are:

• preattentive perception


• Feature Integration Theory


• Texton Theory


• Similarity Theory


• Postattentive Vision


• Change Blindness

It is fairly interesting to see how security prodcuts are maturing. In the last couple of years I have seen quite some progress in products using visualization. Let's look back a few years. Network-based IDSs, for example, logged events in a log file; text [and some still do!]. Over time, reporting was added; a way to summarize historical data. Drop a pie-chart on the report and you have something that you can hand to your collegues. Shortly after that dashboards came about. Finally we had something to show to our managers, not just our peers. Most products have a dashboard today. Not all of them are very useful, but at least they have one ;) The next evolutionary step was to link the dashboards with the data itself. Drill-down was added.

And this is where we are today. Most products are at this stage. Only a few products took this a steps further. They added for example dashboards that link to other dashboards, which show more specific information. Some products even offer customizable dashboards (not all do!). You have the capabilities to either build your own or change predefined ones.

There are only a handful of products in the security space which take visualization a bit more serious. Thos products offer visual interfaces which support dynamic queries [basically the capability to let you change/interact with the graphs on the fly.]. This is clearly how it should be. It gives the user the tools he needs to interact with the data.

I am very convinced that dynamic, interactive, visual interfaces are going to be added to more and more products. They are incredibly powerful and invalueable for data anlysis and representation!

I was attending the RSA Conference all week long. During one day my mission was to find out what the state of visualization in security products is. Here is what I found:
- Most products have reporting features
- A lot of products use dashboards which let you interact and drill-down into the details. This generally means clicking on one of the bars in a bar chart to get to the underlying textual representation of the events.
- Some products use drilldowns to get from one dashboard to another (nice!)
- Some proudcts let you customize the dashboards or change the visualization parameters interactively. Keyword: Dynamic Queries (very nice!)
- Only one company that I talked to uses a visual interface (a treemap) as their main way of interacting with the product. They even let you change the parameters on the fly! (very very nice!l!)

My whish list:

- More visual interfaces.
- More interactive dashboards. Being able to drill-down from one dashboard into another to get more information.
- More meaningful dashboards. Tell me why a certain graph is important in the dashboard. What's the use-case for showing it?
- More products using better visualization (have you heard of treemaps?)
- Interactive visuals. Let me choose how I want my data represented. Make it configurable. But don't overload the interface with features. Make sure there are valid use-cases and make them obvious to me! Wizzards?

I am pretty amazed with the Processing project. It's a full-blown, java-based programming language which has added commands to generate 3D graphs. I played around with it and pretty quickly built a tool which plots 3D coordinates which are stored in a file, onto the screen. It's fully animated, interactive, etc. The real killer is that the tool will generate a JAR with the entire code executable on Linux or Windows OR as an applet. Really worth having a look at!

I just updated secviz.org to the latest version of the CMS. I also added a SPAM module. Let's hope this will help to control SPAM a bit better.
If you find any part of the page not working, please let me know: ram (at) secviz.org.

Thanks

The many eyes project is not focused on security visualization, but nevertheless, it's an interesting and very well done portal. What I really like is the interactivity. Play with some of the treemaps. You can reconfigure them on the fly. Very nice. I also like the explanation of the different chart types and when they are best used.

I am quite frustrated with a lot of the research papers and tools that get published. In a lot of cases you can just tell that the authors and developers of certain tools have good intentions, but unfortunately no, or limited, domain knowledge.
One example was a recent paper I read about some visualization tool. They were talking about occlusion and how filtering can help address that problem. Absolutely. I could not agree more. However, the context was security alarms. It was proposed that one of the most effective ways to deal with occlusion was to filter based on the alarm priority and only show a certain alarm level. Well, why would I need a visualization tool for that? I can use grep to do so. And if you are going to visualize only the highest priority alerts (or any level of priority for that matter), you are loosing context. It might have been enormeously important to see those level 10 alerts in context with all the level one alerts. That's why you want to use visualization, to see relationships. The relationships among level 10 alerts are limited and most likely there won't be many!
The second point I want to get accross about visualization (or in general security research) papers, is the use of the wrong data to verify and justify a tool's usefulness. Simulated data feeds, artificially generated user behavior, etc. is just a really really bad way of testing or at least justifying why a tool is well suited for finding important/relevant events. And if you are going to use metrics on top of that data which talk for example about recall and precision, you are just in the wrong profession. Get that tool on a real network where people are trying to solve real problems!

I am a "Media System Design" student while working at the IT Security Department and I've been impressed by the idea of presenting Logfiles in a graphical way to determine the relevant information at first glance.
Because of that, my thesis, which starts in Feb 2007, deals with that issue and is focused on a interactive manner browsing(!) the graphical map. As a "Media System Design" Student, Data Visualization is a very interesting issue and matches perfectly to the content of our studies.
Well, I am a hard-working student and so I've already read some books of Edward Tufte, did some research with colleagues and designed some studies about the so called "Visual Logfile Browsing".

The description of my project is:
"Nazar is a Visual Logfile Browser. It is designed as a Multipurpose-Application to present Logfile Content in a new-fashioned browsing manner provided by the Nazar-Flash-GUI. Instead of just reading Logfiles, you're able to browse them graphically and determine the relevant information at first glance."

"Browsing" means that you’re able to zoom in or out, move or delete nodes, switch the view by selecting another information level, watch the scene by shifting through the seconds of an event (not implemented yet), determine more information by moving the mouse over an element and so on.

http://www.nazar-gui.de.vu

The project is in development, so I have to admit, that most of the functions aren't implemented yet. But - I hope that I'll be able to present you a working version this year. Up to now, the scalability is one main problem. I haven't tested it with a huge data set, because 'Threading' isn't implemented yet and would certainly cause it to hang up reading a big amount of data. So - please - see it as a design study and nothing more.
Most of the text on my website is written in English. The upcoming "demo videos" are spoken in German. Nazar runs on Windows Systems, and requires Perl (Active Perl) to provide the parsing function.

Every hint and advice is welcome.

Merry Christmas, firts of all ...

I was reading a presentation on using 3D game engines to visualize security data. The idea is to use the game engines from, for example Doom, to visualize security data in a 3D space, called Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction.
While I think the idea is really interesting, I am not sure that the approach really solves a problem. 3D game engines are really good for capturing immediate input from players. Games require very quick reactions to objects showing up in a scene. Security data does not normally have this property. It is much more important to make sure that the data is correct and that the context of the event is interpreted the right way.
It would be interesting to hear more from the authors about how they map the security data into the 3D space. It is incredibly important for administrators and security analysts to understand the big picture and have context of events visualized. The presentation does unfortunately not explain how the events are mapped into the space. However, I think that is the most important task. You don't want to distract the user with too many objects in the space while still representing all the context so the analyst can make an informed decision. I would love to see more motivation why a 3D representation is better suited for representing security events than a more traditional 2D approach
Trying to draw some parallels between games and computer security myself, I was thinking about the progress of an attack. It would be interesting if the attackers could be visualized as the enemies. Then you would visualize the network topology as the "world", the "buildings". Continuing from there you would show how far the attackers progressed into breaking in. The problem with this approach is that you need to be able to assign individual security events to an "attack" (i.g., event fusion).
To summarize, I think the emphasize should be put on how to map the security events into the 3D world and not so much on the interaction.

I was reading this pretty old (1996) essay from Ben Schneiderman with the title: The Eyes Have It.
It's a great overview of what visualization should solve and how it should be applied to data. The core of the paper is the mantra for visual information seeking:

Overview first, zoom and filter, then details on-demand

The paper is a great read for everyone working in the area of information visualization.

https://trac.prelude-ids.org/wiki/Introduction
What is Prelude

Foreword

Prelude was born from the observation that more and more IDS systems each with their own specificity have been made available, but that no framework exists in order to unify information provided by these different systems in order to unify and centralize events.

NEXThink is a small Swiss startup which sells a solution in the security/visualization space. They are deploying an agent on the endpoints (machines) and record network activity from them (at least that's whay I understood). The network activity is then visualized with parallel coordinates and starfields.
I was reading a paper about some of the visualization approaches they are taking. To summarize a couple of interesting points from the paper:

• In order to visualize a huge amount of connections, they are using hierarchies for the attributes to summarize them. You can on demand expand those. The collapsing and expanding of the attributes is done automatically based on the number of lines on the screen. I thought this is a pretty interesting idea.
  
• To visualize activity from hosts, one of the methods they are using is parallel coordinates with user, application, source host, target host, and target port in the graph. They omit time as it would clutter the graph. I wonder whether they have the capability to show time anyways and aggregate by hour, day, etc. That would be interesting.
  
• To visualize activity with regrads to time, they are using starfields. I have heard other names for this type of visualization. Advizor calls them time-series, which is a bad term in my opinion as it alludes to a type of data.
  
• What I was a bit confused about was the use of the term alarm in the paper. I am not sure if the author just meant to talk about the connections or there is some kind of a sub-system that actually generates alarms. I guess the latter because he mentions anomaly detection very briefly. I would be interested to read more about that.
  

The next thing I hope to see from them is that they post some graphs here!

I just heard about Swivel, a new data analysis Web site which will be launched later this week. This article talks about some of the features available. I am curious to try it out and see what they will do with my security data.

I guess the RSS feed for the content on this page was an omission when I built the site. Here it is. Or alternatively on the left, under Syndicate. Enjoy.