DOI: 10.1145/1179576.1179580

An intelligent, interactive tool for exploration and visualization of time-oriented security data

Published: 03 November 2006

ABSTRACT

Detecting both known and unknown attacks usually requires interpreting and presenting very large amounts of time-oriented security data. Conventional means of displaying such data, such as text or tables, are often ineffective. Displaying only raw data is also insufficient, because the security expert must still derive meaningful conclusions from it. In addition, in many cases (e.g., detecting a virus spreading through the network) an aggregated view across multiple network devices is more effective than a view of each device in isolation. In this paper we propose an intelligent interface for the distributed architecture described in our previous work, specific to the tasks of knowledge-based interpretation, summarization, querying, visualization and interactive exploration of large volumes of time-oriented data. To support interpretation and computation, we provide automated mechanisms that derive context-specific, interval-based abstract interpretations (known as temporal abstractions) from raw time-stamped security data using a domain-specific knowledge base (e.g., a 5-hour period during the night with a high number of FTP connections, within the context of No User Activity, which might indicate a Trojan on the host). The proposed visualization tool includes several functions for querying, visualizing and exploring both raw and abstracted time-oriented security data for single and multiple network devices.
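The temporal-abstraction step sketched in the abstract (raw time-stamped data plus a domain knowledge base yielding context-dependent, interval-based abstractions) can be illustrated with a small worked example. The Python below is an added example written for this page; it is not the paper's tool or code. The knowledge-base values (night hours, the 5-hour minimum, the FTP thresholds), the hourly FTP connection counts and the login/logout events are all constructed assumptions. It follows the usual knowledge-based temporal-abstraction pipeline: form a context from point events, map each raw sample to a LOW/HIGH state using a context-dependent threshold, merge adjacent same-state samples into intervals, and then match the "high FTP, at night, no user activity, at least 5 hours" pattern.

```python
"""Toy knowledge-based temporal abstraction over constructed security data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Interval:
    start: datetime
    end: datetime  # exclusive
    value: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Assumed knowledge base; illustrative values, not taken from the paper.
NIGHT_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}
MIN_DURATION = timedelta(hours=5)
HIGH_FTP_THRESHOLD = {"No User Activity": 20, "User Activity": 100}  # connections per hour
STEP = timedelta(hours=1)  # sampling granularity of the constructed data


def derive_contexts(events, t0, t1, initial="User Activity"):
    """Context formation: turn point login/logout events into context intervals
    covering [t0, t1)."""
    contexts, cur_start, cur = [], t0, initial
    for ts, kind in sorted(events):
        new = "No User Activity" if kind == "logout" else "User Activity"
        if new != cur:
            contexts.append(Interval(cur_start, ts, cur))
            cur_start, cur = ts, new
    contexts.append(Interval(cur_start, t1, cur))
    return contexts


def context_at(contexts, ts):
    for c in contexts:
        if c.start <= ts < c.end:
            return c
    raise ValueError(f"no context covers {ts}")


def abstract_states(samples, contexts):
    """State abstraction plus horizontal inference: label each hourly count
    LOW/HIGH against the context-dependent threshold, then merge adjacent
    samples carrying the same label into a single interval."""
    intervals = []
    for ts, count in sorted(samples):
        ctx = context_at(contexts, ts).value
        state = "HIGH" if count >= HIGH_FTP_THRESHOLD[ctx] else "LOW"
        if intervals and intervals[-1].value == state and intervals[-1].end == ts:
            last = intervals.pop()
            intervals.append(Interval(last.start, ts + STEP, state))
        else:
            intervals.append(Interval(ts, ts + STEP, state))
    return intervals


def is_night(iv):
    """True when every sampled hour of the interval falls in NIGHT_HOURS."""
    t = iv.start
    while t < iv.end:
        if t.hour not in NIGHT_HOURS:
            return False
        t += STEP
    return True


def find_suspicious(samples, events):
    """Pattern from the abstract: HIGH FTP for at least 5 h, at night, lying
    wholly inside a No User Activity context."""
    t0 = min(ts for ts, _ in samples)
    t1 = max(ts for ts, _ in samples) + STEP
    contexts = derive_contexts(events, t0, t1)
    hits = []
    for iv in abstract_states(samples, contexts):
        if iv.value != "HIGH" or iv.duration < MIN_DURATION or not is_night(iv):
            continue
        ctx = context_at(contexts, iv.start)
        if ctx.value == "No User Activity" and iv.end <= ctx.end:
            hits.append(iv)
    return hits


# Constructed sample data for one host (not real logs): user logs out at 19:00,
# FTP connections climb from 23:00 to 03:00, user logs back in at 08:00.
D1 = datetime(2006, 11, 1)
EVENTS = [(D1 + timedelta(hours=19), "logout"), (D1 + timedelta(hours=32), "login")]
_counts = {18: 4, 19: 3, 20: 2, 21: 5, 22: 6, 23: 35, 24: 48, 25: 52,
           26: 60, 27: 41, 28: 3, 29: 2, 30: 4, 31: 1, 32: 150}
SAMPLES = [(D1 + timedelta(hours=h), c) for h, c in _counts.items()]

if __name__ == "__main__":
    for iv in find_suspicious(SAMPLES, EVENTS):
        print(f"suspicious FTP activity {iv.start:%Y-%m-%d %H:%M} to "
              f"{iv.end:%Y-%m-%d %H:%M} ({iv.duration})")
```

Two points the example makes that the abstract only states: the same raw count is LOW or HIGH depending on the context it falls in (35 connections an hour is HIGH with nobody logged in but LOW during a working session), and the 150-connection spike at 08:00 is not reported because it is a single daytime hour inside a User Activity context, so the abstraction, not the raw value, drives the alert.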


Published in: VizSEC '06: Proceedings of the 3rd international workshop on Visualization for computer security, November 2006, 138 pages. ISBN: 1595935495. DOI: 10.1145/1179576.

Copyright © 2006 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
