A Visual Analytics Field Experiment to Evaluate Alternative Visualizations for Cyber Security Applications

The analysis and exploration of emerging threats in the Internet is important to better understand the behaviour of attackers and develop new methods to enhance cyber security. Fully automated algorithms alone are often not capable of providing actionable insights about the threat landscape. We therefore combine a multi-criteria clustering algorithm, tailor-made for the identification of such attack campaigns with three interactive visualizations, namely treemap representations, interactive node-link diagrams, and chord diagrams, to allow the analysts to visually explore and make sense of the resulting multi-dimensional clusters. To demonstrate the potential of the system, we share our lessons learned in conducting a field experiment with experts in a security response team and show how it helped them to gain new insights into various threat landscapes.

[1]  Roberto Tamassia,et al.  Effective Visualization of File System Access-Control , 2008, VizSEC.

[2]  Emden R. Gansner,et al.  Graphviz - Open Source Graph Drawing Tools , 2001, GD.

[3]  Jeffrey Heer,et al.  SpanningAspectRatioBank Easing FunctionS ArrayIn ColorIn Date Interpolator MatrixInterpola NumObjecPointI Rectang ISchedu Parallel Pause Scheduler Sequen Transition Transitioner Transiti Tween Co DelimGraphMLCon IData JSONCon DataField DataSc Dat DataSource Data DataUtil DirtySprite LineS RectSprite , 2011 .

[4]  Raffael Marty,et al.  Applied Security Visualization , 2008 .

[5]  Daniel A. Keim,et al.  Large-Scale Network Monitoring for Visual Analysis of Attacks , 2008, VizSEC.

[6]  Marc Dacier,et al.  On a multicriteria clustering approach for attack attribution , 2010, SKDD.

[7]  Angelos D. Keromytis,et al.  An Analysis of Rogue AV Campaigns , 2010, RAID.

[8]  Jarke J. van Wijk,et al.  Squarified Treemaps , 2000, VisSym.

[9]  M. Sheelagh T. Carpendale,et al.  Evaluating Information Visualizations , 2008, Information Visualization.

[10]  Steven J. M. Jones,et al.  Circos: an information aesthetic for comparative genomics. , 2009, Genome research.

[11]  Jeffrey Heer,et al.  D³ Data-Driven Documents , 2011, IEEE Transactions on Visualization and Computer Graphics.

[12]  Aurélien Francillon,et al.  Inside the SCAM Jungle: A Closer Look at 419 Scam Email Operations , 2013, IEEE Symposium on Security and Privacy Workshops.

[13]  Ali A. Ghorbani,et al.  A Survey of Visualization Systems for Network Security , 2012, IEEE Transactions on Visualization and Computer Graphics.

[14]  Felix C. Freiling,et al.  Visual analysis of malware behavior using treemaps and thread graphs , 2009, 2009 6th International Workshop on Visualization for Cyber Security.

[15]  Ben Shneiderman,et al.  Strategies for evaluating information visualization tools: multi-dimensional in-depth long-term case studies , 2006, BELIV '06.

[16]  Marc Dacier,et al.  A strategic analysis of spam botnets operations , 2011, CEAS '11.

[17]  Jarke J. van Wijk,et al.  Evaluation: A Challenge for Visual Analytics , 2013, Computer.

[18]  Leyla Bilge,et al.  Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat , 2012, RAID.