Visual Analysis of Program Flow Data with Data Propagation

Host-based program monitoring tools are an essential part of maintaining system integrity in the face of growing malicious network activity. As systems become more complex, the quantity of data these tools collect often grows beyond what analysts can comprehend in a short amount of time. In this paper, we present a method for visually exploring a system's program flow over time to aid in the detection and identification of significant events. The method automatically accentuates programs with irregular file access and child-process propagation, which results in more efficient forensic analysis and shorter system recovery times.
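The abstract describes accentuating programs whose file access is irregular and propagating that signal along child-process relationships. The following is an added illustration of one way such propagation can be computed from host monitoring records; it is not the paper's implementation. It assumes two record kinds (process creation and file access), a per-image baseline of path prefixes, and a geometric decay when a parent's score flows to its children; all event data and the baseline are constructed for the example.

```python
"""Added illustration: propagating file-access irregularity through a process tree.

Constructed example, not the paper's implementation. It assumes host monitoring
emits process-creation and file-access records, a per-image baseline of path
prefixes, and a geometric decay when a parent's score flows to its children.
"""
from collections import defaultdict

# Constructed sample records: (timestamp, pid, ppid, image).
PROCESS_EVENTS = [
    (1, 100, 1, "sshd"),
    (2, 101, 100, "bash"),
    (3, 102, 101, "cat"),
    (4, 103, 101, "wget"),
    (5, 104, 103, "sh"),
    (6, 105, 104, "nc"),
    (7, 200, 1, "cron"),
    (8, 201, 200, "logrotate"),
]

# Constructed sample records: (timestamp, pid, path).
FILE_EVENTS = [
    (3, 102, "/etc/hostname"),
    (4, 103, "/tmp/payload"),
    (5, 104, "/etc/shadow"),
    (6, 105, "/tmp/payload"),
    (8, 201, "/var/log/syslog"),
]

# Assumed baseline: path prefixes each image is normally observed touching.
# An image absent from the baseline has every access counted as irregular.
BASELINE = {
    "cat": ("/etc/hostname", "/etc/hosts"),
    "wget": ("/home/",),
    "logrotate": ("/var/log/",),
}


def build_tree(process_events):
    """Return {pid: (ppid, image)} in creation order (parents before children)."""
    tree = {}
    for _ts, pid, ppid, image in sorted(process_events):
        tree[pid] = (ppid, image)
    return tree


def irregular_accesses(file_events, tree, baseline):
    """Count accesses per pid whose path lies outside the image's baseline prefixes."""
    counts = defaultdict(int)
    for _ts, pid, path in file_events:
        image = tree.get(pid, (None, None))[1]
        prefixes = baseline.get(image, ())
        if not any(path.startswith(p) for p in prefixes):
            counts[pid] += 1
    return dict(counts)


def propagate_scores(tree, own_counts, decay=0.5):
    """score(pid) = own irregular count + decay * score(parent).

    Walking the tree in creation order guarantees a parent's score is final
    before any child reads it; a child of an unmonitored parent inherits 0.
    """
    scores = {}
    for pid, (ppid, _image) in tree.items():
        scores[pid] = own_counts.get(pid, 0) + decay * scores.get(ppid, 0.0)
    return scores


def rank(tree, scores):
    """Processes most worth accentuating in a view, highest score first."""
    return sorted(
        ((pid, tree[pid][1], scores[pid]) for pid in tree),
        key=lambda row: row[2],
        reverse=True,
    )


def highlight(scores, threshold=1.0):
    """Pids whose score reaches the threshold: the set a view would accentuate."""
    return {pid for pid, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    tree = build_tree(PROCESS_EVENTS)
    own = irregular_accesses(FILE_EVENTS, tree, BASELINE)
    scores = propagate_scores(tree, own)
    for pid, image, score in rank(tree, scores):
        marker = "*" if pid in highlight(scores) else " "
        print(f"{marker} {pid:>4} {image:<10} {score:.2f}")
```

With the constructed records, the `wget -> sh -> nc` chain accumulates score down the tree (1.0, 1.5, 1.75) while the benign `cat` and `logrotate` processes stay at zero, so a timeline view driven by these scores would accentuate exactly that subtree. The decay factor and the prefix baseline are the two knobs an analyst would tune against real data.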
