A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

Network security visualization is a relatively new field and is quickly gaining momentum. It displays and projects network or system data in the hope of monitoring the system efficiently and protecting it from intrusions and attacks. Intrusions and attacks continue to increase in number, size, and complexity, and reading through log files or other textual sources is no longer sufficient to secure a network or system. With graphical visualization, security information is presented visually rather than only as text. Without it, reading through log files or other textual sources is an endless and aggravating task for network security analysts. Visualization displays a large volume of information in a relatively small space, and it makes patterns easier to detect, recognize, and analyze. This can help security experts detect problems that might otherwise be missed when reading text-based log files. Network security visualization has become an active research field in the past six years, and a large number of visualization techniques have been proposed. A comprehensive analysis of the existing techniques is needed to help network security designers make informed decisions about the appropriate visualization techniques under various circumstances. Moreover, a taxonomy is needed to classify the existing network security visualization techniques and present a high-level overview of the field. In this thesis, the author surveyed the field of network security visualization. Specifically, the author analyzed the network security visualization techniques from the perspective of data model, visual primitives, security analysis tasks, user interaction, and other design issues. Various statistics were generated from the literature.
Based on this analysis, the author has attempted to generate useful guidelines and principles for designing effective network security visualization techniques. The author also proposed a taxonomy for the security visualization techniques; to the author's knowledge, this is the first attempt to generate a taxonomy for network security visualization. Finally, the author evaluated the existing network security visualization techniques and discussed their characteristics and limitations, and identified some open research problems in this field for future work. This research is a step towards a thorough analysis of the problem space and the solution space in network security visualization.

INDEX WORDS: Network security, Security visualization, Taxonomy, Anomalies, Security information.

A SURVEY, TAXONOMY, AND ANALYSIS OF NETWORK SECURITY VISUALIZATION TECHNIQUES

by Rawiroj Robert Kasemsri

A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in the College of Arts and Sciences, Georgia State University
