Presentation is loading. Please wait.

Presentation is loading. Please wait.

ARO–MURI Thoughts on Visualization for Cyber Situation Awareness MURI Meeting July 8–9, 2015 Christopher G. Healey Lihua Hao Steve E. Hutchinson CS Department,

Published byChristine Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "ARO–MURI Thoughts on Visualization for Cyber Situation Awareness MURI Meeting July 8–9, 2015 Christopher G. Healey Lihua Hao Steve E. Hutchinson CS Department,"— Presentation transcript:

1 ARO–MURI Thoughts on Visualization for Cyber Situation Awareness MURI Meeting July 8–9, 2015 Christopher G. Healey Lihua Hao Steve E. Hutchinson CS Department, NCSU Facebook Army Research Laboratory healey@ncsu.eduhttp://www.csc.ncsu.edu/faculty/healey sic parvis magna

2 INTRODUCTION Goal: Visualization support for network security analysts –“Do not fit our problem to your tool, build a tool to fit our problem” –Focus explicitly on network security analysts, not security data Balance –Meet the needs of the analysts –Apply knowledge and best practices from visualization 1.Web-based tools to support flexible, analyst-driven exploration 2.Overview + detail on demand 3.Chart-based visualizations to minimize cognitive overhead Healey, C. G., Hao, L., and Hutchinson, S. E. (2014). “Visualizations and Analysts,” in Cyber Defense and SituationAwareness, A. Kott, C. Wang and R. Erbacher, Eds. New York, New York: Springer Publishing Company, pp. 145–165.

3 DESIGN CONSTRAINTS 1.Mental models –“Fit” the mental models used by analysts to investigate problems 2.Work Environment –Integrate into analysts’ current working environment 3.Configurability –Avoid static, pre-defined visualizations of data 4.Accessibility –Visualizations must be familiar to avoid steep learning curves 5.Scalability –Support query and retrieval from multiple data sources 6.Integration –Support, don’t replace, analysts’ current problem-solving strategies

4 Fischer et al. (2008). Large-Scale Network Monitoring for Visual Analysis of Attacks. VizSec ’08 (Cambridge, MA), Chapter 11

5 WEB-BASED VISUALIZATION mental models work environment –web-based application configurable –analyst-driven displays accessibility –2D charts scalability –back-end SQL server integration –hypothesis-based exploration environment Snort alert count by destination IP Flow start–end time containing alert sby destination IP

6 REAL-WORLD DATA For security reasons, not possible to use data from ARL NCSU Trap server –data collected by network security researchers –real-world traffic from NCSU Computer Science building –transmitted to a Snort sensor to perform: (1) intrusion detection; and (2) network packet extraction –stored as: (1) Netflows; and (2) Snort alerts Example 24-hour data file –17.4GB of packet headers –938K unique source IPs, 168K unique destination Ips –1.6M Netflows, 615K Snort alerts

7 CHARTS Simple, well-understood visual framework Analyst-controlled presentation Perceptually optimal suggestions on demand vary opacityvary bothvary size Snort alerts by source and destination IP

8 Snort alerts by netflow start and end times

9 OVERVIEW + DETAIL Initial display presents overview of data Analysts can choose where to “zoom in” for more detail Zoom method provides individual details Overview of Snort alerts for destination IP 172.16.79.128 Zoom in on second alert set Zoom in to examine individual Snort alerts

10 CHART VISUALIZATION SUMMARY Major steps supported by our visualization tool: 1.High-level aggregation to highlight data of interest 2.Scatterplots to examine relationships between attributes 3.Correlated visualizations to provide multiple perspectives 4.Back-end data management support 5.User-interface support for analyst control of each step Analyst-driven visualization –support for analyst-driven data selection –support for hypothesis testing, exploration, validation –pre-defined visualization that can be modified by an analyst –control over what data is visualization, and how Hao, Healey, Hutchinson (2013). “Flexible Web Visualization for Alert-Based Network Security Analytics,” in Proceedings Visualization for Cyber Security 2013 (VizSec 2013, Atlanta, GA), pp. 33–40.

11 ENSEMBLE VISUALIZATION Ensemble: collection of related datasets (members) –originally created for physical science simulations –large, time-varying, multi-dimensional, multi-attribute Goals: –exploration of inter-member relationships –member correlation –outlier identification Time (Hour) Member 1Member 4 Member 3 Member 2 Precipitation Probability Forcast Ensemble...

12 NETWORK SECURITY VISUALIZATION Motivation –network security data is temporal –identification of related and outlier traffic is important –ensemble methods are designed for scalability Representing network security data as an ensemble 1.Define a member ( e.g., network traffic to a destination) 2.Define time steps or time windows ( e.g., hours, days) 3.Define data values per time step ( e.g., number of alerts) 4.Apply ensemble analysis and visualization Are ensemble techniques useful? –If so, work in ensemble visualization potentially applicable Hao, Healey, Hutchinson (2015). “Ensemble Visualization for Cyber Situation Awareness of Network Security Data,” submitted to Visualization for Cyber Security 2015 (VizSec 2015, Chicago, IL).

13 ALERT ENSEMBLE Member: combination of data attributes – e.g., destination IP plus destination port Time steps within member: analyst-driven – e.g., equal-width time windows Inter-member relationship analytics –similarity of changes in number of alerts over time Example alert ensemble dataset –extract all alerts from source IP 64.120.250.242 –member:destination IP plus desination port –time step:alerts per day

14 ENSEMBLE DATASET extract alerts define member define time step

15 ENSEMBLE DATASET extract alertsdefine memberdefine time step Time Steps (Days) Number of Alerts

16 K =20 CLUSTERS Time Steps (Days) Number of Alerts

17 65-MEMBER CLUSTER Time Steps (Days) Number of Alerts

18 FLOW ENSEMBLE Member: sequence of NetFlows – e.g., between destination IP.port, source IP.port Time steps within member: NetFlow-driven – e.g., Netflow duration, gap duration Inter-member relationship analytics –similarity of NetFlow duration, density and distribution of alerts Ensemble dataset –65 NetFlows from source IP 64.120.250.242 with similar alert pattern –member:destination IP plus desination port –time step:NetFlow duration plus gap duration

19 ENSEMBLE DATASET extract NetFlows with 65 alert patterns define member

20 65-MEMBER GANTT VISUALIZATION Time Destniation IP.port

21 6-MEMBER GANTT VISUALIZATION 1 2

22 TWO-CLUSTER COMPARISON

23 DESIGN CONSTRAINTS 1.Mental models –“Fit” the mental models used by analysts to investigate problems 2.Work Environment –Integrate into analysts’ current working environment 3.Configurability –Avoid static, pre-defined visualizations of data 4.Accessibility –Visualizations must be familiar to avoid steep learning curves 5.Scalability –Support query and retrieval from multiple data sources 6.Integration –Support, don’t replace, analysts’ current problem-solving strategies

24 sic parvis magna FIN Questions MURI Meeting July 8–9, 2015 Special Thanks: Cliff Wang Steve Hutchinson Peng Ning Doug Reeves healey@ncsu.eduhttp://www.csc.ncsu.edu/faculty/healey

Download ppt "ARO–MURI Thoughts on Visualization for Cyber Situation Awareness MURI Meeting July 8–9, 2015 Christopher G. Healey Lihua Hao Steve E. Hutchinson CS Department,"

Similar presentations

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.

Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.
Copyright © 2012, SAS Institute Inc. All rights reserved. Cyber Security threats to Open Government Data Vishal Marria April 2014.

Copyright © 2012, SAS Institute Inc. All rights reserved. Cyber Security threats to Open Government Data Vishal Marria April 2014.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.

Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.

MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
Live Re-orderable Accordion Drawing (LiveRAC) Peter McLachlan, Tamara Munzner Eleftherios Koutsofios, Stephen North AT&T Research Symposium August, 2007.

Live Re-orderable Accordion Drawing (LiveRAC) Peter McLachlan, Tamara Munzner Eleftherios Koutsofios, Stephen North AT&T Research Symposium August, 2007.
HENGHA: DATA HARVESTING DETECTION ON HIDDEN DATABASES Shiyuan Wang, Divyakant Agrawal, Amr El Abbadi University of California, Santa Barbara CCSW 2010.

HENGHA: DATA HARVESTING DETECTION ON HIDDEN DATABASES Shiyuan Wang, Divyakant Agrawal, Amr El Abbadi University of California, Santa Barbara CCSW 2010.
COMP 578 Data Warehousing And OLAP Technology Keith C.C. Chan Department of Computing The Hong Kong Polytechnic University.

COMP 578 Data Warehousing And OLAP Technology Keith C.C. Chan Department of Computing The Hong Kong Polytechnic University.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Data Mining – Intro.

Data Mining – Intro.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
DASHBOARDS Dashboard provides the managers with exactly the information they need in the correct format at the correct time. BI systems are the foundation.

DASHBOARDS Dashboard provides the managers with exactly the information they need in the correct format at the correct time. BI systems are the foundation.
Overview of Search Engines

Overview of Search Engines
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.

Similar presentations

Ads by Google