User Behavior Map: Visual Exploration for Cyber Security Session Data

User behavior analysis is complex and especially crucial in the cyber security domain. Understanding dynamic and multivariate user behavior is challenging. Traditional sequential and timeline-based methods cannot easily address the complexity of the temporal and relational features of user behaviors. We propose a map-based visual metaphor and create an interactive map for encoding user behaviors. It enables analysts to explore and identify user behavior patterns and helps them understand why some behaviors are regarded as anomalous. We experiment with a real dataset containing multiple user sessions, each consisting of a sequence of diverse types of actions. In the behavior map, we encode an action as a city and user sessions as trajectories going through the cities. The position of the cities is determined by the sequential and temporal relationships of actions. Spatial and temporal patterns on the map reflect behavior patterns in the action space. In the case study, we illustrate how we explore relationships between actions, identify patterns of typical sessions, and detect anomalous behaviors.
