


Old Security Visualization Presentations

I just uploaded a number of my old presentations, mainly on security visualization, to slideshare. The link below leads you right to them:

Security Visualization Presentations

There are presentations from a number of conferences:

  • FIT 2008
  • SUMIT 2008
  • VizSec 2008
  • HITB 2008
  • First 2007
  • DefCon 2005

And then there are still the newer presentations that have been there for a while now.

Data Visualization Resources

I teach a data analytics and visualization class every now and then. In the last section of the class I share a number of resources with the students. The Web sites are mainly blogs and generic visualization resources, not tools.

The following is the list of resources. Have your own favorite visualization resource? Add a comment!

You can also find a much longer list of non-curated links on my delicious feed.

AfterGlow Learns to Visualize Splunk Data - Again

AfterGlow now enables Splunk 4.2.x to generate link graphs!

One of the very first Splunk Applications was the AfterGlow for Splunk Addon. Initially it was just a simple search command but then with version 4 of Splunk, the application matured to a full blown Splunk App. Unfortunately, with the introduction of Splunk 4.1 and 4.2, the application got broken. As of earlier this month, however, AfterGlow for Splunk has been fixed and now works with Splunk 4.2.x.

Post your visualizations here in the secviz gallery!

Visual Analytics Maturity Scale

I wrote a new blog entry talking about the maturity scale of visual analytics. The visualization maturity scale can be used to explain a number of issues in the visual analytics space. For example, why aren’t companies leveraging visualization to analyze their data? What are the requirements to implement visual analytics services? Or why don’t we have more visual analytics products?

Unfortunately, we do not have mature visual analytics products yet that really encompass all of the steps in the maturity scale to deliver a great experience to the end user.

Also check out the Maturity Scale for Log Management and Analysis to have a closer look at how log analysis and management play into the visual analytics process.

Windows 7 DLL EXPORT Headers

This image is a Gephi-generated undirected graph showing the EXPORT header entries from Windows 7 DLLs and other DLLs. You can find the Python code used to generate it and a high-resolution image here on my blog.

DEADLINE EXTENDED for "Attack Visualization" Honeynet Project Forensic Challenge #10

The "Attack Visualization" challenge from the HoneyNet Project has been extended until January 22nd 2012!

Happy Visualization!

Content Moderation

You might have noticed that there was quite a bit of SPAM posted to lately. No, we haven't been hacked. But we got spammed. The SPAM module I had installed is not the best, so unfortunately, a bunch of spam made it through.

No more! I changed the model of how content can be added to All content is now moderated! I am usually pretty quick with approving content, so it shouldn't be a big impact!

Looking forward to seeing a lot of your new content in my moderation queue!

-Your Admin

"Attack Visualization" Honeynet Project Forensic Challenge #10. Entries close December 18

Forensic Challenge 10 - "Attack Visualization"

Challenge 10 - Attack Visualization (provided by Ben Reardon from Australia Chapter)

Please submit your solution by December 18th 2011 at

Results will be announced on 2012, January 31st. For any questions and inquiries, please contact

Skill Level: Intermediate

Forensic Challenge 10 takes us back in time, to revisit one of last year’s popular Forensic Challenges (FC5). Although this time around, the goal is to create a visual representation of the attack.

There are no right or wrong answers here, and we are keen to see what you can create! If you are constrained by any guidelines, or have ideas that are “out of the box” – that’s fine, we want you to use your imagination and have fun.

The Challenge:
Design and build a visualization that describes the attacks that were analyzed in FC5. Use the three prize winners’ solutions as references and to give you a head start on the data analysis. Use the FC5 dataset to create your FC10 visualization.

As an example, the visualization may have a geographic element, represented as a map, link graphs, histogram, or parallel coordinates, that sheds light on the following:

  • Where the attacks came from
  • The volumes of attacks originating from various locations
  • The success or failure of these attacks
  • The nature of the attacks. For example which are “primary” and which are the “secondary” phases.
  • Can the attacks be color coded to describe groups of attacks/attackers?
  • Use external data sources such as the many freely available geomapping databases.

The output can be anything that you like - from a still image, to interactive flash/java, dynamically updating, dashboard style, magazine infographic, holograms are also accepted.

Because data visualization is a very subjective topic, we will have a panel of 3 Honeynet members to judge entries. These panel members have an active interest in the data visualization field in the Honeynet Project. Keep in mind though, the nature of this challenge is not really to find a “winner”, but rather to inspire newcomers into the data visualization field within cybersecurity. If you know anyone who is not in the security field, but may enjoy being part of this challenge, please forward this to them – we’d love to get some submissions from people outside the security field.

The minimum question set that the visualization should address is:

  • Where do attacks come from? (10 points)
  • What is the most prolific attack? (5 points)
  • Which attacks were successful and which failed? (5 points)
  • What assumptions were made and what was the reasoning? Don't be afraid to make assumptions! (5 points)
  • What are the limitations of the visualization? (5 points)
  • How could you improve the visualization if given more time and resources - e.g. on a future GSOC project? (2 points)
  • Provide a description of the toolsets and scripts used (10 points)

Bonus points:

  • Aesthetic appeal and ability to hold the subject's attention (5 points)
  • Interactivity, e.g. the ability to drill down, explore, or zoom in on events. (10 points)
  • Animation, particularly based on a timeline. (10 points)
  • Creating a visualization which uncovers any trends, observations or artifacts which were not described in the FC5 prize winning solutions. (20 points)
  • Creating a visualization that tells a story about the data set, threat environment, and the attack. (20 points)

Sources of info:

Hint: take some time and look around for inspiration in data visualization of fields outside of cyber security. Consider how you might apply some of the same concepts and ideas to this dataset.

And of course our recent Google Summer of Code projects:


Cisco ASA Syslog Linechart

Most tools/charts only display the total amount of particular IDs (the most common is a pie chart).
This is difficult when you want to know the behavior of such IDs over time. So I came up with this :D

I've created a small set of scripts that takes the Top-Syslog-IDs from Cisco ASA logs and plots them in a line chart.

The "Top-Syslog-IDs" represent the IDs with the most entries in the logs in the last N minutes.

This particular graphic shows the top 15 syslog IDs in the last 30 minutes.

Tools: bash, sqlite3 (for storing time + ids), Gnuplot
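
The pipeline described in this post can be sketched as follows. This is an added example, not the poster's scripts: it uses Python's built-in sqlite3 in place of bash, and the log lines, host name `fw1` and function names are constructed for illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed, abbreviated sample lines; only the "%ASA-<severity>-<id>:" tag matters.
SAMPLE = """\
Jan 22 2012 09:55:10 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51000
Jan 22 2012 10:00:05 fw1 : %ASA-6-302013: Built inbound TCP connection 1001
Jan 22 2012 10:00:09 fw1 : %ASA-6-302013: Built inbound TCP connection 1002
Jan 22 2012 10:00:40 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51001
Jan 22 2012 10:01:30 fw1 : %ASA-6-302014: Teardown TCP connection 1001
Jan 22 2012 10:01:31 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51002
Jan 22 2012 10:02:03 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/40001
Jan 22 2012 10:02:30 fw1 sshd[411]: not an ASA message, ignored
""".splitlines()

ASA_RE = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d):\d\d .*?%ASA-\d-(\d+):")

def load(lines):
    """Store one (minute, syslog id) row per ASA message in SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (minute TEXT, msgid TEXT)")
    for line in lines:
        m = ASA_RE.match(line)
        if m:  # lines without an ASA tag are skipped
            minute = datetime.strptime(m.group(1), "%b %d %Y %H:%M").isoformat()
            db.execute("INSERT INTO hits VALUES (?, ?)", (minute, m.group(2)))
    return db

def top_ids(db, now, window_min, n):
    """IDs with the most entries in the last window_min minutes, busiest first."""
    since = (now - timedelta(minutes=window_min)).isoformat()
    rows = db.execute(
        "SELECT msgid FROM hits WHERE minute > ? AND minute <= ? "
        "GROUP BY msgid ORDER BY COUNT(*) DESC, msgid LIMIT ?",
        (since, now.isoformat(), n))
    return [r[0] for r in rows]

def series(db, now, window_min, n):
    """Rows of [minute, count per top ID]; quiet minutes stay 0 so the lines show gaps."""
    ids = top_ids(db, now, window_min, n)
    counts = {(m, i): c for m, i, c in db.execute(
        "SELECT minute, msgid, COUNT(*) FROM hits GROUP BY minute, msgid")}
    minutes = [(now - timedelta(minutes=b)).isoformat() for b in range(window_min - 1, -1, -1)]
    return ids, [[m] + [counts.get((m, i), 0) for i in ids] for m in minutes]

if __name__ == "__main__":
    ids, table = series(load(SAMPLE), datetime(2012, 1, 22, 10, 2), 3, 2)
    print("\n".join(" ".join(map(str, r)) for r in [["#minute"] + ids] + table))
```

The printed table has one column per top ID, which Gnuplot can plot as one line per column; in the sample, the totals (3 versus 2) hide that all 302013 entries fall in a single minute.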