
Page 1: Literature Synthesis on Network Security Visualisationjvandermerwe/secvis/... · Literature Synthesis on Network Security Visualisation Justin van der Merwe j vmrjus001 May 14, 2012

Literature Synthesis on Network Security

Visualisation

Justin van der Merwe | vmrjus001

May 14, 2012

Abstract

The growing importance of network security in organisations brings with it a need for the monitoring of each organisation's network. This task commonly involves analysing vast amounts of textual data, such as network traces, operating system events or intrusion detection system alerts. Graphically representing this textual data can improve interpretation efficiency, as well as provide a more informative overview of the data. As such, information visualisation offers a practical solution to network monitoring and analysis. In this paper, we will consider the different categories in the field of information visualisation for network security, reviewing current work in each category. We will then provide a discussion comparing the different categories of security visualisation. Finally, we will conclude with an overall evaluation of the work and its relevance to our project in particular.

Introduction

As organisations increasingly rely on information technology and networking, information security becomes more of a concern. This places a dependency on system administrators to monitor systems in an organisation's network for intrusions [1].

An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource [2]. Intrusions can be classified as either misuse or anomaly. Misuse intrusions are attacks following well-defined patterns on known weak points of a system, while anomaly intrusions can be described as deviations from normal usage patterns [3].

To identify intrusions, data sources available to administrators for analysis include raw packets, network flows and event data [4]. Raw packets, the most granular level of network data, consist of a TCP/IP header (how a packet gets from source to destination) and payload data (the contents). Packets are useful for understanding network behaviour, but become too large to be stored systematically. Network flows are aggregations of packet traces, based on the hosts, ports and protocols involved. Aggregation allows flows to be stored on a systematic basis and later analysed [5]. Event data describes network activity at a higher level, and is commonly found in logs generated by operating systems and intrusion detection systems [4]. Each recorded event includes the event type, time of occurrence, and where in the network the event occurred [6]. While offering greater semantics, reliance on event data brings the risks of false alarms or overlooked critical events [7, 8]. Analysis of network data and event logs is a challenging task. Although smaller in size, event logs contain hundreds to thousands of messages daily, rendering textual analysis infeasible [9]. As such, recent work has proposed information visualisation as a solution.
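The three data levels above differ mainly in what survives aggregation. The following Python is an added example, not code from the paper or from any of the tools it reviews: it collapses a handful of constructed packet records (not a real capture) into five-tuple flow records, optionally merging both directions of a conversation, and shows that counters and timestamps are kept while the payload is dropped.

```python
# Constructed packet records, not a real capture:
# (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, length_bytes, payload)
PACKETS = [
    (0.00, "10.0.0.5",  "10.0.0.80", "tcp", 40001, 80,    60,   b""),
    (0.01, "10.0.0.80", "10.0.0.5",  "tcp", 80,    40001, 60,   b""),
    (0.02, "10.0.0.5",  "10.0.0.80", "tcp", 40001, 80,    52,   b""),
    (0.05, "10.0.0.5",  "10.0.0.80", "tcp", 40001, 80,    500,  b"GET / HTTP/1.1\r\n"),
    (0.20, "10.0.0.80", "10.0.0.5",  "tcp", 80,    40001, 1400, b"HTTP/1.1 200 OK\r\n"),
    (1.00, "10.0.0.9",  "10.0.0.53", "udp", 51000, 53,    70,   b"\x12\x34\x01\x00"),
    (1.02, "10.0.0.53", "10.0.0.9",  "udp", 53,    51000, 130,  b"\x12\x34\x81\x80"),
]


def flow_key(pkt, bidirectional=False):
    """Five-tuple that identifies a flow (src, sport, dst, dport, proto).

    With bidirectional=True both directions of a conversation share one key:
    the endpoint that sorts lower is placed first. Lexicographic ordering of
    the address strings is enough here because it only has to be consistent.
    """
    _, src, dst, proto, sport, dport, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    if bidirectional and b < a:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


def aggregate_flows(packets, bidirectional=False):
    """Collapse packets into flow records keyed by five-tuple.

    Only counters and timestamps survive; the payload is discarded. That is
    why flows are cheap to retain for long periods, and also why a flow
    visualisation cannot answer questions about packet contents.
    """
    flows = {}
    for pkt in packets:
        key = flow_key(pkt, bidirectional)
        ts, length = pkt[0], pkt[6]
        f = flows.get(key)
        if f is None:
            flows[key] = {"packets": 1, "bytes": length, "first": ts, "last": ts}
        else:
            f["packets"] += 1
            f["bytes"] += length
            f["first"] = min(f["first"], ts)
            f["last"] = max(f["last"], ts)
    return flows


def reduction(packets, flows):
    """(records before, records after) aggregation."""
    return len(packets), len(flows)


if __name__ == "__main__":
    uni = aggregate_flows(PACKETS)
    bi = aggregate_flows(PACKETS, bidirectional=True)
    for key, rec in uni.items():
        print(key, rec)
    print("unidirectional:", reduction(PACKETS, uni), "bidirectional:", reduction(PACKETS, bi))
```

Unidirectional keys are what NetFlow-style exporters emit; the bidirectional variant is the form most flow visualisations actually draw, since one conversation should become one edge rather than two.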

Shneiderman [10] defines information visualisation as a compact graphical presentation and user interface for rapidly manipulating large numbers of items. While reading textual information such as event logs is a perceptually serial process, interpretation of graphics is a perceptually parallel process [9, 11]. Additionally, visualisations can present more information than a comparable volume of text, allow hierarchical search to locate areas for more detailed searches, and apply filtering and zooming techniques to the data [9, 11].

The main objective of visualisation for security is to enable efficient exploration of large security-related log files or network traffic [12]. Through user studies, Komlodi et al. [1] identified the requirements of a security visualisation. The basic analyst tasks were found to be monitoring, analysis and response. First, analysts monitor all activity and identify suspicious activity. Analysts thus require an overview of the data that supports recognition of anomalies and enables fast processing. The data then needs to be analysed and intrusions diagnosed. As such, filtering and data selection are necessary to display finer details. The analyst then responds to a detected intrusion, and thus requires functionality such as incident reporting or feedback for future analysis [1].

This synthesis will first review and compare the current work in network security visualisation, classifying each appropriately. Each visualisation will be analysed in accordance with principles of visualisation and design, while taking into account scalability and the visualisation requirements highlighted above. A discussion comparing the visualisation categories will follow. Finally, we will conclude with an overall evaluation of the reviewed work, and highlight the relevance of the work to our project in particular.


Information Visualisation for Security

A natural classification for security visualisations, as used in [5, 13], is classification according to the data used: packet traces, network flows, or alert data. This method of classification allows security visualisations to be categorised with minimal overlap between classifications.

Packet Trace Visualisation

Rumint, a visualisation proposed by Conti et al. [14, 15], is comprised of seven views. In the commonly referenced Binary Rainfall view (Figure 1), each packet of data is represented in its own row, with each pixel representing a bit in the packet [15]. Colour is used to distinguish each packet's network protocol.

Figure 1: Rumint’s Binary Rainfall view

Rumint's visualisation provides a means of displaying large amounts of raw packet data in a non-textual form [14, 15]. This allows an analyst to quickly identify packets of interest. However, Shiravi et al. comment that this is only suitable for particular kinds of attacks [4]. A further limitation is that an analyst could miss suspicious packets hidden amongst an overwhelming number of unimportant packets. Furthermore, an analyst can only focus on one of the seven views at a time.

In comparison, the Time-based Network traffic Visualizer (TNV) proposed by Goodall et al. [16] is centred around a main view (Figure 2), allowing an analyst to draw correlations and comparisons without losing focus. This view contains a matrix displaying the network activity of hosts over time [16], where rows are used for hosts and columns for time intervals. Link activity between hosts is overlaid on the matrix as edges [16]. The number of packets generated by a host at a particular time is represented by colouring the cell according to a user-defined colour-to-number-of-packets mapping.

Figure 2: TNV’s main view

TNV further contrasts with Rumint by displaying a high-level overview of the data [16]. This obeys the Visual Information Seeking Mantra proposed by Shneiderman in [17]. An overview of the entire collection is given, and picking one or multiple hosts brings details associated with that time period.

A distinguishing feature of TNV is its application of the focus + context technique discussed by Card et al. in [11], which aims to provide the user with both an overview (context) and detailed information (focus) simultaneously. The centre of the main view represents the currently focused time intervals, and is shown with wider columns [16]. The left and right sides of the view (representing earlier and later time intervals respectively) represent the context. To avoid distracting the user, the widths of the context columns decrease gradually. To avoid clutter, link activity is only shown in the focus.
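As an added illustration of the focus + context layout described above (example code written for this synthesis, not TNV's own implementation), the Python below computes the column widths of a time axis: intervals inside the focus get a fixed width, context columns shrink geometrically with their distance from the focus, and link edges are drawn only for focus columns. The decay factor, minimum width and hit-test helper are assumptions of the example, not parameters documented for TNV.

```python
def focus_context_widths(n_intervals, focus_start, focus_end,
                         focus_width=40.0, decay=0.8, min_width=2.0):
    """Width of each of n_intervals time columns.

    Columns in [focus_start, focus_end] get focus_width. Context columns
    shrink geometrically with their distance d from the nearest focus edge
    (focus_width * decay**d) but never below min_width, so the earliest and
    latest intervals stay visible as context. decay and min_width are
    assumed parameters, not values taken from TNV.
    """
    if not 0 <= focus_start <= focus_end < n_intervals:
        raise ValueError("focus range lies outside the interval axis")
    widths = []
    for i in range(n_intervals):
        if focus_start <= i <= focus_end:
            widths.append(float(focus_width))
        else:
            d = focus_start - i if i < focus_start else i - focus_end
            widths.append(max(float(min_width), focus_width * decay ** d))
    return widths


def layout(widths):
    """Left x-offset of each column and the total width of the axis."""
    offsets, x = [], 0.0
    for w in widths:
        offsets.append(x)
        x += w
    return offsets, x


def column_at(x, widths):
    """Hit test: index of the interval under screen coordinate x, or None."""
    left = 0.0
    for i, w in enumerate(widths):
        if left <= x < left + w:
            return i
        left += w
    return None


def show_links(i, focus_start, focus_end):
    """Host-to-host link edges are drawn only inside the focus area."""
    return focus_start <= i <= focus_end


if __name__ == "__main__":
    # 10 intervals, focus on intervals 4 and 5 (assumed example values)
    widths = focus_context_widths(10, 4, 5, focus_width=40, decay=0.5)
    offsets, total = layout(widths)
    for i, (w, x) in enumerate(zip(widths, offsets)):
        print(f"interval {i}: x={x:6.1f} width={w:5.1f} links={show_links(i, 4, 5)}")
    print("total width", total)
```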

While differing in techniques, both visualisations cope with the large volumes of data inherent to packet traces, allowing for scaling. However, while catering for the overview and detail requirements, both lack response functionality.

Network Flow Visualisation

Lakkaraju et al. [18] proposed NVisionIP. The Galaxy view (Figure 3) shows a matrix, with the horizontal axis representing subnets and the vertical axis representing hosts in each subnet. Each host in the matrix is allocated an equal number of pixels. The pixels' colours represent a user-selectable characteristic, such as bytes transferred or connections made. NVisionIP provides a magnifier function, allowing users to hover over an area of interest.

Figure 3: NVisionIP’s Galaxy View

NVisionIP's application of the Visual Information Seeking Mantra [17] strengthens the system's usability. The Galaxy view provides an overview of the network activity, the magnifier function allows the user to zoom in on an area of interest, and clicking on the magnified area displays more detailed information about the relevant hosts.

Recent work by Kintzel et al. [19] extended the approach taken by Lakkaraju et al. in [18] with their proposed visualisation, ClockView (Figure 4). ClockView's network overview represents hosts using clock-style glyphs in a matrix similar to that of NVisionIP's Galaxy view. Each glyph contains 24 segments, with each segment representing one hour. Each segment is coloured according to the amount of traffic generated in the hour by the relevant host, with white representing the least traffic and red the most.

Figure 4: Graphical User Interface of ClockView

ClockView's [19] similarities to NVisionIP allow comparisons to be drawn. NVisionIP shows an overview of the network at an instant in time. In contrast, ClockView's clock-like glyphs present 24 hours of activity, allowing the analyst to monitor host activity over a period of time. A query offered by ClockView and not seen in NVisionIP is the ability to view connections between the currently selected hosts and other hosts. Unlike ClockView, NVisionIP allows user-selectable network characteristics to determine a host's colour, enabling an analyst to tailor the visualisation to support queries relevant to the situation. This can be considered response functionality, as it enables the analyst to recognise patterns for future intrusions of a similar nature. The small representations of hosts in both visualisations enable both to scale well. However, ClockView's clock-like glyphs require more space, which in turn affects scalability.
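To make the NVisionIP and ClockView comparison concrete, the following Python is an added example (not code from either tool) that derives both views from the same constructed flow records: a Galaxy-style value per host cell with a user-selectable metric, a 24-segment ClockView-style glyph for one host with a white-to-red colour level, and ClockView's connection query. The /16 site layout, the five-level colour scale and the flow record shape are assumptions of the example.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed flow records, not real NetFlow: (hour_of_day, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (9,  "10.1.0.5",      "10.1.1.80", 80,   4000),
    (9,  "10.1.0.5",      "10.1.1.80", 443,  12000),
    (10, "10.1.0.5",      "10.1.2.25", 25,   800),
    (14, "10.1.0.5",      "10.1.1.80", 80,   2500),
    (3,  "10.1.2.25",     "10.1.1.80", 22,   50000),
    (3,  "10.1.2.25",     "10.1.3.7",  445,  900000),
    (23, "10.1.3.7",      "10.1.0.5",  8080, 1200),
    (12, "198.51.100.9",  "10.1.1.80", 80,   300),   # external client, outside the site
]

# Assumption: the monitored site is one /16, so the Galaxy view's
# subnet axis is the third octet and the host axis the fourth.
SITE = ipaddress.ip_network("10.1.0.0/16")


def subnet_host(ip):
    """Galaxy-view cell (subnet, host) for an address inside SITE, else None."""
    addr = ipaddress.ip_address(ip)
    if addr not in SITE:
        return None
    octets = addr.packed
    return octets[2], octets[3]


def galaxy_view(flows, metric="bytes"):
    """One value per host cell. metric is user-selectable as in NVisionIP:
    'bytes' sums bytes sent by the host, 'connections' counts flows it initiated."""
    if metric not in ("bytes", "connections"):
        raise ValueError("unknown metric")
    cells = defaultdict(int)
    for _hour, src, _dst, _dport, nbytes in flows:
        cell = subnet_host(src)
        if cell is None:
            continue
        cells[cell] += nbytes if metric == "bytes" else 1
    return dict(cells)


def clock_glyph(flows, host):
    """ClockView-style glyph: 24 hourly totals of bytes sent or received by host."""
    hours = [0] * 24
    for hour, src, dst, _dport, nbytes in flows:
        if host in (src, dst):
            hours[hour] += nbytes
    return hours


def segment_colour(value, vmax, steps=5):
    """Colour level for one clock segment: 0 = white (no traffic) up to
    steps-1 = red (the busiest hour on the glyph). Assumed linear binning."""
    if value <= 0 or vmax <= 0:
        return 0
    return min(steps - 1, math.ceil(value * (steps - 1) / vmax))


def peers(flows, host):
    """ClockView's connection query: every host the selected host exchanged flows with."""
    return sorted({dst if src == host else src
                   for _hour, src, dst, _dport, _bytes in flows if host in (src, dst)})


if __name__ == "__main__":
    print("galaxy (bytes):", galaxy_view(FLOWS, "bytes"))
    print("galaxy (connections):", galaxy_view(FLOWS, "connections"))
    glyph = clock_glyph(FLOWS, "10.1.1.80")
    print("clock 10.1.1.80:", [segment_colour(v, max(glyph)) for v in glyph])
    print("peers of 10.1.0.5:", peers(FLOWS, "10.1.0.5"))
```

The two reductions differ in what they throw away: the Galaxy cell collapses time but keeps a selectable metric, while the clock glyph keeps the hour but fixes the metric to traffic volume, which is exactly the trade-off discussed above.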

Event and Alert Visualisation

Erbacher et al. [9, 20] propose a visualisation (Figure 5) which focuses on the analysis of event log information.

Erbacher et al. use a glyph metaphor, where each system on the network is represented by a glyph decorated according to its attributes. Small circle glyphs representing hosts are placed on one of five invisible concentric rings around a larger circle glyph representing the central server. Edges connect each host to the server, with different appearances describing attributes of the corresponding event. The server's load is represented by the thickness of the server glyph's inner circle and the number of connected hosts by the spokes extending from the glyph. The number of user connections from a particular host is indicated by hashes along the edge between the host and server. Red is used to highlight unusual activity, and yellow for less critical, yet questionable activity. To represent changes over time, Erbacher et al. utilise animation. For example, when a host's connection to the server terminates, the host node and the connected edge fade gradually, allowing the user to notice temporal event relationships.

Figure 5: Visualisation proposed by Erbacher et al.

Although a significant amount of information is encoded visually, many of the queries rely on the analyst to memorise the associated visual cues. For example, the user is required to remember that privileged FTP connections are represented as long dashed lines and anonymous FTP connections as short dashed lines. Furthermore, the visualisation is not suited for use in a large network, as it lacks support for scaling.

Abdullah et al. [21] proposed IDS Rainstorm, a visualisation designed to support networks of scale [9]. The system is comprised of two visualisations, the main view and the zoom view. The Visual Information Seeking Mantra [17] is apparent, with the main view showing an overview and the zoom view providing details on demand. The main view (Figure 6) has 8 columns. Each column represents a contiguous set of IP addresses, with 20 addresses being allocated to a row of pixels. Each pixel represents the most severe alert generated by any of a row's 20 addresses in an hour of network activity. Red represents high concern, yellow medium concern and green low concern.

The overview highlights a red box around the cursor position in a column. Clicking the highlighted area opens the zoom view (Figure 7). In this view, a grid is displayed, with local IP addresses on the left end and external IP addresses on the right end. The grid's width represents 24 hours of time. Alerts are now seen as larger circle glyphs. Each alert glyph is connected to the relevant external IP address on the right end using a dotted line.

Although representing the hourly network activity of 20 addresses with a single pixel allows more efficient use of space, it is more intuitive to monitor hosts individually than in batches of 20. Similarly to NVisionIP [18], critical events could be overlooked, since monitoring the system requires analysis of individual pixels.
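The overview-versus-detail trade-off above is visible directly in the data reduction IDS Rainstorm performs. The Python below is an added example, not the tool's code: it maps each alert's address to a pixel row of 20 addresses, keeps only the most severe alert per row and hour for the main view, and recovers the individual alerts behind one pixel for the zoom view. The address base, the 13-row column height, the alert records and the severity ranks are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}          # rank used for the max() reduction
COLOUR = {0: "none", 1: "green", 2: "yellow", 3: "red"}  # main-view colour per rank

# Constructed IDS alerts, not real sensor output: (hour_of_day, target_ip, severity)
ALERTS = [
    (8,  "10.2.0.3",   "low"),
    (8,  "10.2.0.7",   "low"),
    (8,  "10.2.0.12",  "high"),    # one critical host sharing a pixel row with quiet ones
    (9,  "10.2.0.3",   "medium"),
    (9,  "10.2.0.41",  "low"),
    (13, "10.2.0.200", "high"),
    (13, "10.2.0.201", "high"),
]

BASE = ipaddress.ip_address("10.2.0.0")  # assumption: first address of the monitored range
ADDRS_PER_ROW = 20                        # 20 addresses share one pixel row
ROWS_PER_COLUMN = 13                      # assumption: a /24 of 256 addresses fills 13 rows


def pixel_coords(ip):
    """(column, row) of the pixel row holding ip; rows run top to bottom, then wrap to the next column."""
    offset = int(ipaddress.ip_address(ip)) - int(BASE)
    if offset < 0:
        raise ValueError("address below the monitored range")
    row = offset // ADDRS_PER_ROW
    return row // ROWS_PER_COLUMN, row % ROWS_PER_COLUMN


def rainstorm_main_view(alerts):
    """Overview: for every (column, row, hour) keep only the most severe alert's colour.
    Alert counts and the identity of the host are lost at this level."""
    pixels = defaultdict(int)
    for hour, ip, sev in alerts:
        key = pixel_coords(ip) + (hour,)
        pixels[key] = max(pixels[key], SEVERITY[sev])
    return {key: COLOUR[rank] for key, rank in pixels.items()}


def zoom_view(alerts, column, row):
    """Drill-down: the individual alerts behind one pixel row, by hour and address.
    This is the information the overview's max() discarded."""
    return sorted((hour, ip, sev) for hour, ip, sev in alerts
                  if pixel_coords(ip) == (column, row))


if __name__ == "__main__":
    for key, colour in sorted(rainstorm_main_view(ALERTS).items()):
        print("column %d row %2d hour %2d -> %s" % (key + (colour,)))
    print("behind pixel row (0, 0):", zoom_view(ALERTS, 0, 0))
```

Because the reduction is a maximum rather than a sum, a single high-severity alert still turns its pixel red even when the other 19 addresses are quiet, but the analyst cannot tell from the overview which of the 20 hosts produced it or how many alerts lie behind the pixel.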

Livnat et al. [6, 22] describe a what, when, where, or w3, paradigm. Livnat et al. state that each security event recorded should contain what (the alert type), when (the time of occurrence), and where (the network node where the event occurred) [6]. The w3 concept can be used to correlate seemingly unrelated alerts. The result is VisAlert (Figure 8), their proposed visualisation system.


Figure 6: IDS Rainstorm’s main view


Figure 7: IDS Rainstorm’s zoom view


Figure 8: The VisAlert visualisation paradigm


The trivial solution to represent what, when, and where graphically would be to use a three-dimensional Cartesian representation. As highlighted in [6], this approach introduces visual obstacles such as occlusion and depth perception. Alternatively, by representing each alert's w3 attributes as connections between two visual domains, VisAlert is able to display the three parameters in a 2D space.

Each node in the network topology (the where domain) is represented inside the inner circle as a circle glyph. The size of a node's circle represents the number of unique alerts experienced. Around the inner circle is a ring representing time (the when domain). The ring is divided up into concentric sub-rings, where each sub-ring represents a time period, and the innermost sub-ring represents the most recent time period. The ring is further divided into segments, each corresponding to an alert type (the what domain). Each alert is placed on a sub-ring's segment and coloured according to the alert type. Lines are drawn from each node in the circle to alerts on the innermost sub-ring. The thickness of the line represents the number of alerts of a specific type experienced by the connected node. When a user performs drill-down or zoom-in operations, the system ensures continuous transitions between levels of detail using animation. At closer levels of detail, the user is presented with finer-grained information about hosts in the topology and alerts. At further levels of detail, an informative overview of the network and its alerts is obtained.

To address the scalability issues that arise when the network topology becomes too big to fit inside the inner circle, VisAlert allows the user to pan the view [6]. The limitation of this solution is that context is sacrificed for focus, as the overview of the network becomes unavailable in order to view a detailed analysis of part of it. Another scalability issue may arise when large numbers of alerts are generated, causing the lines connecting network nodes to recent events to overlap. As the number of alerts grows, readability will inevitably be compromised.
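The w3 placement described above, as an added example written for this synthesis rather than VisAlert's own code: each alert is positioned by its what (segment angle), when (sub-ring radius, innermost = most recent) and where (the node it connects to); node size counts distinct alert types, and edge thickness counts alerts per (node, type) on the innermost sub-ring. The period length, number of sub-rings, radii, alert-type order and alert records are assumptions of the example, as is the reading of "unique alerts" as distinct alert types.

```python
import math
from collections import Counter, defaultdict

# Constructed alerts, not real IDS output: (time_s, node, alert_type)
NOW = 600.0
ALERTS = [
    (590.0, "web01",  "sql-injection"),
    (595.0, "web01",  "sql-injection"),
    (598.0, "web01",  "portscan"),
    (599.0, "db01",   "portscan"),
    (480.0, "db01",   "brute-force"),   # previous period: drawn on the ring, no edge
    (300.0, "mail01", "brute-force"),
    (100.0, "mail01", "portscan"),      # older than the ring keeps: not drawn
]

ALERT_TYPES = ["portscan", "brute-force", "sql-injection"]  # one ring segment each (assumed order)
PERIOD = 120.0       # seconds per sub-ring (assumed)
N_PERIODS = 3        # sub-rings kept; older alerts fall off the ring (assumed)
R_INNER = 100.0      # radius of the topology circle (assumed)
RING_WIDTH = 20.0    # radial thickness of one sub-ring (assumed)


def when_index(t, now=NOW):
    """Sub-ring index for time t: 0 = innermost = most recent period; None if too old."""
    if t > now:
        raise ValueError("alert timestamp lies in the future")
    p = int((now - t) // PERIOD)
    return p if p < N_PERIODS else None


def what_angle(alert_type):
    """Centre angle (radians) of the ring segment assigned to alert_type."""
    seg = ALERT_TYPES.index(alert_type)
    return (seg + 0.5) * 2 * math.pi / len(ALERT_TYPES)


def alert_position(t, alert_type, now=NOW):
    """Cartesian position of one alert glyph: angle from what, radius from when."""
    p = when_index(t, now)
    if p is None:
        return None
    r = R_INNER + (p + 0.5) * RING_WIDTH
    a = what_angle(alert_type)
    return (round(r * math.cos(a), 6), round(r * math.sin(a), 6))


def node_sizes(alerts):
    """Glyph size per node: number of distinct alert types seen there (assumed reading)."""
    seen = defaultdict(set)
    for _t, node, typ in alerts:
        seen[node].add(typ)
    return {node: len(types) for node, types in seen.items()}


def edges(alerts, now=NOW):
    """Lines from nodes to the innermost sub-ring: thickness = alerts of that
    type at that node during the most recent period."""
    return Counter((node, typ) for t, node, typ in alerts if when_index(t, now) == 0)


if __name__ == "__main__":
    for t, node, typ in ALERTS:
        print(f"{node:7s} {typ:14s} ring={when_index(t)} pos={alert_position(t, typ)}")
    print("node sizes:", node_sizes(ALERTS))
    print("edges:", dict(edges(ALERTS)))
```

The overlap problem raised above follows directly from this layout: every innermost-ring alert of the same type at the same node shares one target point, so edge count grows with nodes times types, not with alerts, but distinct nodes reporting the same type all converge on the same segment.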

While the three visualisations discussed differ in their approaches, comparisons can be made. IDS Rainstorm provides response capabilities by allowing a user to save the image of a day. Similar functionality is not presented in the other alert visualisations. As previously mentioned, the visualisation proposed by Erbacher et al. in [9] cannot handle networks of scale. VisAlert addresses scalability [6], within limitations. Comparatively, IDS Rainstorm is designed to cope with the large number of alerts generated in large networks [21]. The cost, however, is the limited size and detail of each host's representation.

Discussion

The semantics offered by alert logs allow visualisations sourced from them to convey these semantics visually. In contrast, packet trace and network flow visualisations require the analyst to detect intrusions without any semantics to serve as a suggestive aid. However, the less refined, unfiltered nature of packet trace and network flow data allows visualisations of such data to provide a more complete overview of the network activity. This may prevent false alarms and overlooked intrusions, pitfalls inherent to alert data [7, 8], and thus to alert visualisations. A drawback of packet trace visualisations is the vast amount of data to be stored, processed and displayed. Since network flows are aggregations of packet traces, less data needs to be stored, processed and displayed [5]. Considering alert log and packet trace visualisations as extremes at either end, network flow visualisations can thus be seen as a balance between the amount of data and the completeness of the network overview provided. Despite the differences apparent in the three types of data, the resulting visualisations often convey similar patterns. For example, port scanning is an intrusion easily noticeable in all three classifications [9, 15, 18].
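The port scan pattern that all three visualisation classes expose, as an added example (not from any of the reviewed tools) of how the same signal is obtained from flow records without a picture: one source touching many distinct destination ports on one target within a short window, with each flow carrying almost no data. The flow records are constructed for the example, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records, not real NetFlow: (start_s, src_ip, dst_ip, dst_port, packets, bytes)
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]
FLOWS = [
    # a vertical scan: one source, one target, many ports, one tiny packet each
    *[(10.0 + i * 0.05, "192.0.2.10", "10.3.0.80", port, 1, 44)
      for i, port in enumerate(SCAN_PORTS)],
    # ordinary traffic: few ports, many packets, real payload volume
    (10.0, "10.3.0.5", "10.3.0.80", 443, 40, 52000),
    (11.0, "10.3.0.5", "10.3.0.80", 80,  12, 9000),
    (12.0, "10.3.0.6", "10.3.0.53", 53,  2,  200),
    (12.5, "10.3.0.6", "10.3.0.80", 443, 30, 41000),
]


def port_scan_candidates(flows, window=60.0, min_ports=10, max_avg_bytes=100):
    """Flag (src, dst) pairs that touch at least min_ports distinct destination
    ports within `window` seconds using flows averaging at most max_avg_bytes.

    This is the many-small-flows fan-out that shows up as a vertical streak in
    a host/time matrix or a burst of tiny rows in a packet view. Thresholds are
    assumptions; tune them against the network's own baseline.
    """
    by_pair = defaultdict(list)
    for start, src, dst, dport, _pkts, nbytes in flows:
        by_pair[(src, dst)].append((start, dport, nbytes))

    findings = []
    for (src, dst), recs in by_pair.items():
        recs.sort()                       # by start time
        lo = 0
        for hi in range(len(recs)):       # sliding window over flow start times
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            win = recs[lo:hi + 1]
            ports = {dport for _s, dport, _b in win}
            if len(ports) >= min_ports and mean([b for _s, _d, b in win]) <= max_avg_bytes:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "ports": len({dport for _s, dport, _b in recs}),
                    "first_seen": recs[0][0],
                    "window_start": win[0][0],
                })
                break                     # report each pair once
    return findings


if __name__ == "__main__":
    for f in port_scan_candidates(FLOWS):
        print(f"port scan: {f['src']} -> {f['dst']} ({f['ports']} ports, from t={f['first_seen']})")
```

Packet-level data would show the same scan as a run of SYN packets with no data, and an IDS would emit a single portscan alert for it; the flow form sits between the two, keeping the per-port fan-out without the per-packet volume.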

Conclusions

The work discussed has shown advances in the field of security visualisation, as well as identified problems inherent to the field. Many of the reviewed visualisations seemed to lack the response functionality identified by Komlodi et al. in [1]. A common trade-off is apparent in much of the reviewed work, with detail and the number of queries offered on the one hand, and scalability on the other. The use of techniques, most notably TNV's [16] focus + context technique and VisAlert's [6] level of detail technique, allow some tools to strike a balance between the two. A side effect of the pan and zoom interaction technique seen in much of the work reviewed is that context is sacrificed for focus. TNV's [16] focus + context technique thus serves as a solution to this effect.

We intend to source our visualisation from event log data. Consequently, our project lends itself to the event and alert visualisation category. However, many of the approaches taken by the discussed work apply to security visualisation in general, and thus can serve as both a foundation to build upon and a benchmark for the usability and effectiveness of our project's visualisation component. We intend to design our visualisation according to the identified visualisation requirements, keeping in mind the issue of scalability found throughout the work reviewed, and improving upon the noticeable lack of response functionality currently offered. Finally, we intend to apply visualisation techniques such as the focus + context technique applied in TNV [16], with the aim of maintaining a balance between level of detail and scalability.


References

[1] Komlodi, A. et al. 2004. An Information Visualization Framework for Intrusion Detection. CHI '04 Extended Abstracts on Human Factors in Computing Systems (New York, NY, USA, 2004), 1743.

[2] Heady, R. et al. 1990. The Architecture of a Network Level Intrusion Detection System. (1990).

[3] Hart, R. et al. 1999. An introduction to automated intrusion detection approaches. Inf. Manag. Comput. Security 7 (1999), 76–82.

[4] Shiravi, H. et al. 2011. A Survey of Visualization Systems for Network Security. IEEE Transactions on Visualization and Computer Graphics 99 (2011).

[5] Goodall, J.R. 2008. Introduction to Visualization for Computer Security. VizSEC 2007. J.R. Goodall et al., eds. Springer Berlin Heidelberg, 1–17.

[6] Livnat, Y. et al. 2005. A visualization paradigm for network intrusion detection. Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC (2005), 92–99.

[7] Singhal, A. 2007. Intrusion Detection Systems. Data Warehousing and Data Mining Techniques for Cyber Security. Springer US, 43–57.

[8] Bradford, P. and Hu, N. 2005. A layered approach to insider threat detection and proactive forensics.

[9] Erbacher, R.F. et al. 2002. Intrusion and misuse detection in large-scale systems. IEEE Computer Graphics and Applications 22 (Jan./Feb. 2002), 38–47.

[10] Shneiderman, B. 1999. Supporting Creativity with Advanced Information-Abundant User Interfaces.

[11] Card, S.K. et al., eds. 1999. Readings in Information Visualization: Using Vision to Think. Morgan Kaufmann Publishers Inc.

[12] Musa, S. and Parish, D.J. 2007. Visualising Communication Network Security Attacks. Proceedings of the 11th International Conference Information Visualization (Washington, DC, USA, 2007), 726–733.

[13] Kasemsri, R.R. et al. 2005. A survey, taxonomy, and analysis of network security visualization techniques. (2005).

[14] Krasser, S. et al. 2005. Real-time and forensic network data analysis using animated and coordinated visualization. Proceedings of the 6th IEEE Information Assurance Workshop (2005), 42–49.

[15] Conti, G. et al. 2006. Countering Security Information Overload through Alert and Packet Visualization. IEEE Computer Graphics and Applications 26 (Mar. 2006), 60–70.

[16] Goodall, J.R. et al. 2005. Preserving the big picture: visual network traffic analysis with TNV. Visualization for Computer Security, 2005 (VizSEC 05). IEEE Workshop on (2005), 47–54.

[17] Shneiderman, B. 1996. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations. Proceedings of the 1996 IEEE Symposium on Visual Languages (Washington, DC, USA, 1996), 336.

[18] Lakkaraju, K. 2004. NVisionIP: NetFlow Visualizations of System State for Security Situational Awareness.

[19] Kintzel, C. et al. 2011. Monitoring large IP spaces with ClockView. Proceedings of the 8th International Symposium on Visualization for Cyber Security (New York, NY, USA, 2011), 2–1.

[20] Erbacher, R.F. 2003. Intrusion behavior detection through visualization. Systems, Man and Cybernetics, 2003. IEEE International Conference on (2003), 2507–2513.

[21] Abdullah, K. et al. 2005. IDS RainStorm: visualizing IDS alarms. Visualization for Computer Security, 2005 (VizSEC 05). IEEE Workshop on (2005), 1–10.

[22] Livnat, Y. et al. 2005. Visual Correlation for Situational Awareness. Proceedings of the 2005 IEEE Symposium on Information Visualization (Washington, DC, USA, 2005), 13.