ABSTRACT
The detection of known and unknown attacks usually requires the interpretation and presentation of very large amounts of time-oriented security data. Regular means of displaying the data, such as text or tables, are often ineffective. Furthermore, displaying only raw data is not sufficient, because the security expert is still required to derive meaningful conclusions from large amounts of data. In addition, in many cases (e.g., for detecting a virus spreading in the network), an aggregated view of multiple network devices is more effective than a view of each individual device. In this paper we propose an intelligent interface to a distributed architecture described in our previous work, specific to the tasks of knowledge-based interpretation, summarization, query, visualization and interactive exploration of large volumes of time-oriented data. To support the interpretation and computation process, we provide automated mechanisms that derive context-specific, interval-based abstract interpretations (also known as Temporal Abstractions) from raw time-stamped security data, using a domain-specific knowledge base (e.g., a period of 5 hours, during the night, of a high number of FTP connections within the context of No User Activity, which might indicate the existence of a Trojan on the computer). The proposed visualization tool includes several functionalities for querying, visualizing and exploring both raw and abstracted time-oriented security data for single and multiple network devices.
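As an added illustration (not code from the paper or its tool), the following Python sketch carries the abstract's own FTP/Trojan example through the temporal-abstraction steps it describes: raw hourly counts are mapped to HIGH/LOW states, adjacent equal states are merged into intervals, a "No User Activity" context is derived from user-interaction timestamps, and a HIGH interval is reported only if it lies inside that context, falls at night, and persists for at least 5 hours. The knowledge-base parameters, the sample counts and the interaction timestamps are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for one host (not from the paper): hourly FTP connection
# counts from 18:00 to 05:00, and timestamps of user keyboard/mouse interaction.
T0 = datetime(2006, 5, 10, 18, 0)
FTP_COUNTS = [(T0 + timedelta(hours=h), c) for h, c in
              enumerate([3, 4, 2, 5, 25, 31, 28, 40, 33, 27, 6, 2])]
USER_ACTIVITY = [T0 + timedelta(minutes=m) for m in (0, 20, 45, 70)]  # last 19:10

# Hypothetical domain knowledge base: what HIGH, night and No User Activity mean,
# and how long the abstracted pattern must persist before it is reported.
KB = {"ftp_high": 20, "idle_after": timedelta(minutes=30),
      "night_hours": set(range(22, 24)) | set(range(0, 6)), "min_hours": 5}

def state_abstraction(counts, threshold):
    """Map raw hourly counts to HIGH/LOW and merge adjacent equal states into intervals."""
    out = []
    for ts, c in counts:
        s = "HIGH" if c >= threshold else "LOW"
        if out and out[-1][2] == s and out[-1][1] == ts:   # contiguous, same state
            out[-1] = (out[-1][0], ts + timedelta(hours=1), s)
        else:
            out.append((ts, ts + timedelta(hours=1), s))
    return out

def no_user_activity_context(activity, horizon_end, idle_after):
    """Context intervals: a gap between interactions longer than idle_after."""
    ctx, times = [], sorted(activity) + [horizon_end]
    for a, b in zip(times, times[1:]):
        if b - a > idle_after:
            ctx.append((a + idle_after, b))
    return ctx

def derive_trojan_abstractions(counts=FTP_COUNTS, activity=USER_ACTIVITY, kb=KB):
    """HIGH-FTP intervals clipped to No User Activity, at night, >= min_hours long."""
    horizon_end = counts[-1][0] + timedelta(hours=1)
    ctx = no_user_activity_context(activity, horizon_end, kb["idle_after"])
    found = []
    for start, end, state in state_abstraction(counts, kb["ftp_high"]):
        if state != "HIGH":
            continue
        for cs, ce in ctx:
            s, e = max(start, cs), min(end, ce)           # clip to the context
            hours = int((e - s).total_seconds() // 3600)  # negative if no overlap
            if hours < kb["min_hours"]:
                continue
            if all((s + timedelta(hours=i)).hour in kb["night_hours"] for i in range(hours)):
                found.append({"start": s, "end": e, "hours": hours, "context": "No User Activity"})
    return found
```

With the sample data the six HIGH hours from 22:00 to 04:00 fall entirely inside the idle context and at night, so one abstraction is produced; a user interaction at 02:00 would split the context and suppress it.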
An intelligent, interactive tool for exploration and visualization of time-oriented security data