Anomaly Detection Using Pattern-of-Life Visual Metaphors

Complex dependencies exist across the technology estate, its users and the purposes of its machines, which makes it difficult to detect attacks efficiently. Visualization to date has mainly been used to communicate patterns in raw logs or to display the output of detection systems. In this paper we explore a novel approach to presenting cybersecurity-related information to analysts. Specifically, we investigate the feasibility of using visualizations to turn analysts themselves into anomaly detectors by means of Pattern-of-Life Visual Metaphors. Unlike glyph metaphors, the visualizations themselves (rather than any single visual variable on screen) transform complex systems into simpler ones using different mapping strategies. We postulate that such mapping strategies can yield new, meaningful ways of showing anomalies so that analysts can identify them easily. We present a classification system for describing machine and human activities on a host machine, and a strategy for mapping machine dependencies and activities onto a metaphor. We then present two examples, each with three attack scenarios, driven by data generated from attacks that affect the confidentiality, integrity and availability of machines. Finally, we present three in-depth use-case studies to assess the feasibility (i.e. can this general approach be used to detect anomalies in systems?), usability and detection abilities of our approach. Our findings suggest that our general approach is easy to use for detecting anomalies in complex systems, but that the type of metaphor has an impact on the user’s ability to detect anomalies. As with other anomaly-detection techniques, false positives do occur in our general approach as well. Future work will need to investigate optimal mapping strategies and other metaphors, and examine how our approach compares to and can complement existing techniques.
