A variety of data-mining tools and filtering techniques exist to detect and analyze cyber-attacks by monitoring network traffic. In recent years many of these tools use visualization designed to make traffic patterns and impact of an attack tangible to a security analyst. The visualizations attempt to facilitate understanding elements of an attack, including the location of malicious activity on a network and the consequences for the wider system. The human observer is able to detect patterns from useful visualizations, and so discover new knowledge about existing data sets. Because of human reasoning, such approaches still have an advantage over automated detection, data-mining and analysis. The core challenge still lies in using the appropriate visualization at the right time. It is this lack of situational awareness that our CyberVis framework is designed to address. In this paper we present a novel approach to the visualization of enterprise network attacks and their subsequent potential consequences. We achieve this by combining traditional network diagram icons with Business Process Modeling and Notation (BPMN), a risk-propagation logic that connects the network and business-process and task layer, and a flexible alert input schema able to support intrusion alerts from any third-party sensor. Rather than overwhelming a user with excessive amounts of information, CyberVis abstracts the visuals to show only noteworthy information about attack data and indicates potential impact both across the network and on enterprise tasks. CyberVis is designed with the Human Visual System (HVS) in mind, so severe attacks (or many smaller attacks that make up a large risk) appear more salient than other components in the scene. A Deep-Dive window allows for investigation of data, similar to a database interface. Finally, a Forensic Mode allows movie-style playback of past alerts under user-defined conditions for closer examination.
[1]
Adam Wynne,et al.
Real-time visualization of network behaviors for situational awareness
,
2010,
VizSec '10.
[2]
Martin Roesch,et al.
Snort - Lightweight Intrusion Detection for Networks
,
1999
.
[3]
Ben Shneiderman,et al.
Designing the User Interface: Strategies for Effective Human-Computer Interaction
,
1998
.
[4]
Richard Lippmann,et al.
Visualizing attack graphs, reachability, and trust relationships with NAVIGATOR
,
2010,
VizSec '10.
[5]
Christof Koch,et al.
A Model of Saliency-Based Visual Attention for Rapid Scene Analysis
,
2009
.
[6]
Richard Lippmann,et al.
EMBER: a global perspective on extreme malicious behavior
,
2010,
VizSec '10.
[7]
Raffael Marty,et al.
Applied Security Visualization
,
2008
.
[8]
C. M. Sperberg-McQueen,et al.
Extensible Markup Language (XML)
,
1997,
World Wide Web J..
[9]
Hyogon Kim,et al.
Real-time visualization of network attacks on high-speed links
,
2004,
IEEE Network.
[10]
Kate Ehrlich,et al.
Nimble cybersecurity incident management through visualization and defensible recommendations
,
2010,
VizSec '10.
[11]
Greg Conti.
Security data visualization
,
2007
.
[12]
Stephen Lau,et al.
The Spinning Cube of Potential Doom
,
2004,
CACM.
[13]
Maria Papadaki,et al.
Assessing the Usability of End-User Security Software
,
2010,
TrustBus.
[14]
Nitesh V. Chawla,et al.
Visualizing graph dynamics and similarity for enterprise network security and management
,
2010,
VizSec '10.
[15]
Andrew Blyth,et al.
Presenting DEViSE: Data Exchange for Visualizing Security Events
,
2009,
IEEE Computer Graphics and Applications.
[16]
Ken Arnold,et al.
The Java Programming Language
,
1996
.