A Survey of Visualization Systems for Network Security

Security visualization is a very young term. It expresses the idea that common visualization techniques were designed for use cases that do not support security-related data, which demands novel techniques fine-tuned for thorough analysis. A significant amount of work has been published in this area, but little has been done to study this emerging visualization discipline. We offer a comprehensive review of network security visualization and provide a taxonomy in the form of five use-case classes encompassing nearly all recent works in this area. We outline the visualization techniques and data sources these systems incorporate and summarize our findings in a table. From the analysis of these systems, we examine issues and concerns regarding network security visualization and provide guidelines and directions for future researchers and visual system developers.
