UFCFFY-15-M

Cyber Security Analytics

05: Visualisation for Cyber Security

Prof. Phil Legg

In this session we will cover:

  • What different forms of visualisation exist and how are these best utilised?
  • How can visualisation be used for cyber security analytics?
  • What are the current developments in visualisation research for cyber security?

Visualisation Techniques

Here we will give a brief overview of different visualisation techniques, highlighting where they are effective and how they should be used.

Multi-series Line Chart

  • Most effective for time-series data (x-axis time, y-axis one or more numerical attributes).
  • Need to consider the axis scale (linear, logarithmic, etc.).

[Figure: multi-series line chart]

Bar Chart

  • Suitable for discrete categorical data (e.g., class, protocol).

[Figure: bar chart]

Scatter Plot

  • Compares two (or more) different numerical attributes together.
  • Helps to identify the relationship (correlation) between two independent variables.
  • Scales up to multiple attributes using a scatter plot matrix.

[Figure: scatter plot]

Bubble Chart

  • Essentially a bar chart, but using area rather than height.
  • Possibly more engaging for the audience, but is it more effective for conveying information?
  • How is data mapped: by diameter, by radius, or by area? Diameter and radius mappings exaggerate differences (area grows with the square), so they can be misleading.

[Figure: bubble chart]

Force-Directed Graph

  • Node-link diagram shows connectivity between entities (e.g., social network, computer network).
  • Physics-based layout, so there are no fixed axes.
  • Dynamic approach to assess groupings.
  • Can result in a "hairball" effect if the graph is too densely connected.

[Figure: force-directed graph]

Parallel Coordinates

  • High dimensionality: each vertical axis denotes an attribute, and each record is a polyline across the axes.
  • Can identify correlations between neighbouring axes.
  • Reordering and highlighting of attributes changes what can be seen, so the technique benefits from interactivity.

[Figure: parallel coordinates]

Treemap and Sunburst

  • Hierarchy (e.g., a directory structure; the treemap was introduced by Ben Shneiderman for this purpose).

[Figures: treemap; sunburst]

Star Plots

  • Glyph-based (a small multivariate visual, one glyph per record).
  • Equivalent to parallel coordinates laid out radially.

[Figure: star plots]

Visualisation for Cyber Security

In this example, we see parallel coordinates being used to depict network traffic across a set of 7 attributes. The image compares regular wireless network traffic against a WEP key cracking attack on the same network. The difference between the two activities is clear in the two images: the WEP cracking attack is essentially scanning all available ports while utilising a single protocol. The approach is detailed further in the paper “Visualizing Networking Activity using Parallel Coordinates” by Tricaud et al.

[Figure: parallel coordinates of regular wireless traffic versus a WEP cracking attack]

In the paper “Fast detection and visualization of network attacks on parallel coordinates” by Choi et al., the authors also propose parallel coordinates for network traffic analysis, but use them to define small glyphs that are indicative of network behaviours. The distinguishable shape of each plot can be treated as a signature, making it easy to recognise behaviours such as worm propagation, port scanning, or DDoS.

[Figure: parallel-coordinate glyph signatures for worm, port scan and DDoS traffic]

In the example shown here, 8 attributes of network packet captures are mapped, so individual packets can be shown as glyphs for comparison. Glyphs are widely used in various applications, for example insider threat detection. This example shows 18 individuals from a company and their behaviours over a 12 month period. Even with such a volume of data, some differences can be identified (suspicious cases are highlighted with a grey circle, and two of these users are denoted in blue as potentially malicious).

[Figures: packet glyphs over 8 attributes; insider-threat glyphs for 18 users over 12 months]
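To make the "signature shape" idea concrete, the following is an added example (it is not code from the lecture or from the cited papers). It does what a parallel-coordinates plot does before drawing: maps each packet to one numeric value per axis, rescales every axis to [0, 1] over the batch, and returns one polyline per packet. It then counts distinct values per axis, which is the numerical form of the fan shape a port sweep draws (one source and one target spreading out across many destination ports). The packet records, the axis set and the `looks_like_port_sweep` threshold are all assumptions made for the example.

```python
"""Parallel-coordinate polylines and a glyph 'signature' from packet records.

Added example, not from the lecture or the cited papers. The packet records
below are constructed, not real captures.
"""
import ipaddress

# Assumed axis set for the example; a real plot would pick its own attributes.
AXES = ["src_ip", "dst_ip", "dst_port", "proto", "length"]

# Constructed: ordinary browsing/DNS/NTP traffic from three hosts.
NORMAL = [
    {"src": "10.0.0.11", "dst": "93.184.216.34", "dport": 443, "proto": 6, "len": 1200},
    {"src": "10.0.0.12", "dst": "10.0.0.1", "dport": 53, "proto": 17, "len": 80},
    {"src": "10.0.0.13", "dst": "93.184.216.34", "dport": 80, "proto": 6, "len": 600},
    {"src": "10.0.0.11", "dst": "10.0.0.1", "dport": 123, "proto": 17, "len": 76},
]
# Constructed: one host walking the destination ports of one target over TCP.
SWEEP = [
    {"src": "10.0.0.66", "dst": "10.0.0.1", "dport": p, "proto": 6, "len": 60}
    for p in range(1, 17)
]


def numeric(rec):
    """Turn one packet dict into numeric axis values (IP addresses become integers)."""
    return {
        "src_ip": int(ipaddress.ip_address(rec["src"])),
        "dst_ip": int(ipaddress.ip_address(rec["dst"])),
        "dst_port": rec["dport"],
        "proto": rec["proto"],
        "length": rec["len"],
    }


def to_polylines(records, axes=AXES):
    """Normalise each axis to [0, 1] over the batch; return one y-list per record.

    Note that the scale is per batch: the same packet lands at a different height
    depending on what else is drawn with it, which is why comparisons between two
    images (as in the WEP example) need a shared scale."""
    rows = [numeric(r) for r in records]
    ranges = {a: (min(r[a] for r in rows), max(r[a] for r in rows)) for a in axes}
    lines = []
    for r in rows:
        ys = []
        for a in axes:
            lo, hi = ranges[a]
            ys.append(0.0 if hi == lo else (r[a] - lo) / (hi - lo))  # constant axis -> 0
        lines.append(ys)
    return lines


def signature(records, axes=AXES):
    """Distinct values per axis. A '1 -> many' step between neighbouring axes is the
    fan shape a scan draws; 'many -> 1' is the converging shape of a flood."""
    rows = [numeric(r) for r in records]
    return {a: len({r[a] for r in rows}) for a in axes}


def looks_like_port_sweep(records, min_fanout=8):
    """Single source, single target, single protocol, many destination ports.
    The fan-out threshold is an assumption for the example."""
    s = signature(records)
    return (s["src_ip"] == 1 and s["dst_ip"] == 1 and s["proto"] == 1
            and s["dst_port"] >= min_fanout)


if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("sweep", SWEEP)):
        print(name, signature(batch), "sweep?", looks_like_port_sweep(batch))
        for line in to_polylines(batch)[:3]:
            print("   ", [round(y, 2) for y in line])
```

The polylines are what you would hand to a plotting library; the signature is the part a detector can act on without a human looking at the picture.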

Node-link diagrams are widely used for network entity mapping; watch out for the hairball effect once the number of entities and connections grows.

[Figures: node-link diagrams of network entities]
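The hairball problem is a data problem before it is a layout problem, so the following added example (not from the lecture) builds the node and edge lists a node-link diagram needs from flow records and shows the two usual reductions: collapsing hosts to their /24 so forty single-packet connections become one thick edge, and pruning edges below a byte threshold. The `to_d3` function emits the nodes/links structure that D3 force-layout examples consume. The flow records, the threshold and the collapse prefix are assumptions made for the example.

```python
"""Node-link edges from flow records, with two anti-hairball reductions.

Added example, not from the lecture. The flow records are constructed: three
hosts talking to a gateway, plus one host touching forty external addresses
once each (the kind of node that turns a diagram into a hairball).
"""
import ipaddress
from collections import Counter

# Constructed flows: (source, destination, bytes).
FLOWS = [
    ("10.0.0.5", "10.0.0.1", 52000),
    ("10.0.0.6", "10.0.0.1", 48000),
    ("10.0.0.7", "10.0.0.1", 51000),
    ("10.0.0.5", "10.0.0.6", 900),
] + [("10.0.0.5", f"203.0.113.{i}", 120) for i in range(1, 41)]


def build_edges(flows, collapse_prefix=None):
    """Undirected edges keyed by the sorted (a, b) pair, weight = total bytes.

    With collapse_prefix=24 every host is replaced by its /24 network, so the
    forty thin edges to one external range become a single thick edge. Traffic
    that stays inside one collapsed subnet becomes a self-loop and is dropped."""
    edges = Counter()
    for src, dst, nbytes in flows:
        a, b = src, dst
        if collapse_prefix is not None:
            a = str(ipaddress.ip_network(f"{src}/{collapse_prefix}", strict=False))
            b = str(ipaddress.ip_network(f"{dst}/{collapse_prefix}", strict=False))
        if a == b:
            continue
        edges[tuple(sorted((a, b)))] += nbytes
    return dict(edges)


def prune(edges, min_weight):
    """Second reduction: drop edges carrying fewer than min_weight bytes."""
    return {k: w for k, w in edges.items() if w >= min_weight}


def degrees(edges):
    """Degree per node; a node whose degree dwarfs the rest is what the hairball hides."""
    deg = Counter()
    for a, b in edges:
        deg[a] += 1
        deg[b] += 1
    return dict(deg)


def to_d3(edges):
    """nodes/links shape used by D3 force-layout examples (ids as strings)."""
    nodes = sorted({n for e in edges for n in e})
    return {
        "nodes": [{"id": n} for n in nodes],
        "links": [{"source": a, "target": b, "value": w}
                  for (a, b), w in sorted(edges.items())],
    }


if __name__ == "__main__":
    raw = build_edges(FLOWS)
    top = max(degrees(raw).items(), key=lambda kv: kv[1])
    print(len(raw), "edges raw; highest-degree node:", top)
    print(len(prune(raw, 1000)), "edges after pruning edges under 1000 bytes")
    print("collapsed to /24:", build_edges(FLOWS, collapse_prefix=24))
```

Pruning keeps the heavy internal edges and hides the scanner entirely; collapsing keeps the scanner's behaviour visible as one edge but hides the internal structure. Which reduction is right depends on the question the diagram is meant to answer, so the degree table is worth keeping alongside either view.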

Treemaps were discussed earlier, and here we see Snort alerts mapped onto a treemap to show the volume of each alert type, where alerts naturally exist as part of a group (i.e., within a hierarchy such as classification then signature).

[Figure: treemap of Snort alert volumes]
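The following added example (not the lecture's own code, and not a Snort tool) carries the alert-to-treemap step through end to end. The alert lines are constructed in the shape of Snort's "fast" alert format with local-range signature ids; the parser keeps the classification and the message, which become the two levels of the hierarchy, and `layout` is a slice-and-dice treemap that cuts each rectangle along its longer side with every child's area proportional to its alert count. The canvas size is an assumption.

```python
"""Snort fast-format alerts -> hierarchy of counts -> treemap rectangles.

Added example, not from the lecture. Alert lines and signature ids are
constructed for the example.
"""
import re
from collections import defaultdict

ALERTS = """\
01/28-22:26:04.877970 [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.66 -> 10.0.0.1
01/28-22:26:05.102334 [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.66 -> 10.0.0.2
01/28-22:26:05.402118 [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.66 -> 10.0.0.3
01/28-22:26:07.000412 [**] [1:1000002:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.66:40000 -> 10.0.0.1:22
01/28-22:27:11.221300 [**] [1:1000003:1] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.66:40100
01/28-22:27:12.221300 [**] [1:1000003:1] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.66:40101
01/28-22:28:00.000001 [**] [1:1000004:1] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.66
01/28-22:28:00.000002 [**] [1:1000004:1] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.66
"""

# [**] [gid:sid:rev] <message> [**] [Classification: <class>]
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] \[Classification: (?P<cls>[^\]]+)\]"
)


def build_hierarchy(text):
    """{classification: {message: count}}; lines that do not parse are skipped."""
    tree = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            tree[m["cls"]][m["msg"]] += 1
    return {c: dict(msgs) for c, msgs in tree.items()}


def weight(node):
    """Total count under a node (a leaf is just its count)."""
    return node if isinstance(node, int) else sum(weight(v) for v in node.values())


def layout(node, x=0.0, y=0.0, w=100.0, h=50.0, path=()):
    """Slice-and-dice treemap. Returns a list of (path, x, y, w, h) leaf rectangles.

    At each level the current rectangle is cut along its longer side, children
    ordered largest first, each taking a share of the side equal to its share of
    the parent's count, so leaf area is proportional to alert count."""
    if isinstance(node, int):
        return [(path, x, y, w, h)]
    total = weight(node)
    rects, offset = [], 0.0
    for name, child in sorted(node.items(), key=lambda kv: -weight(kv[1])):
        frac = weight(child) / total
        if w >= h:  # wide: children side by side
            rects += layout(child, x + offset * w, y, w * frac, h, path + (name,))
        else:       # tall: children stacked
            rects += layout(child, x, y + offset * h, w, h * frac, path + (name,))
        offset += frac
    return rects


if __name__ == "__main__":
    tree = build_hierarchy(ALERTS)
    for path, x, y, w, h in layout(tree):
        print(f"{' / '.join(path):60s} x={x:5.1f} y={y:5.1f} w={w:5.1f} h={h:5.1f}")
```

Slice-and-dice produces thin slivers when counts are skewed, which is exactly the situation with alert data (a few signatures dominate); the squarified variant used by most libraries fixes the aspect ratio but not the proportionality, which is the property the lecture's example relies on.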

A final example to consider is the use of visualisation for binary file analysis (we will discuss this in further detail later in the course). Greg Conti shows an excellent example of this, where binary data is mapped to pixel values to produce an image of the data. We can examine what the same image looks like when stored in different image file formats and their compression schemes (e.g., BMP, PNG, GIF, JPEG), as well as how a Microsoft Word document appears once password-protected or encrypted (here we see that the password-protected file does not encrypt the original data).

[Figures: binary-file visualisations of the same image in different formats; a Word document plain, password-protected and encrypted]
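The byte-to-pixel mapping is small enough to write out in full, so the following added example (not from the lecture and not Greg Conti's code) does it without any imaging library: one byte becomes one grey pixel, written in the plain-text PGM format that most image viewers open. It pairs the picture with its numerical counterpart, Shannon entropy per byte and per block, which is how the password-protected versus encrypted distinction in the Word example can be checked without looking at the image: plaintext-like content sits well below 8 bits per byte, encrypted content sits close to it. The inputs (repeated text, its zlib stream, and seeded pseudo-random bytes standing in for ciphertext) and the 7.5 threshold are constructed for the example.

```python
"""Bytes as pixels (plain PGM) plus a byte-entropy profile of the same data.

Added example, not from the lecture. All input data is constructed.
"""
import math
import random
import zlib
from collections import Counter


def bytes_to_pgm(data, width=32):
    """One byte per pixel (0 = black, 255 = white), row-major, as a plain PGM (P2) string.
    The last row is padded with 0x00 so every row has the same width."""
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] = rows[-1] + bytes(width - len(rows[-1]))
    out = [f"P2 {width} {len(rows)} 255"]
    out.extend(" ".join(str(b) for b in row) for row in rows)
    return "\n".join(out) + "\n"


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, block=256):
    """Entropy per fixed-size block. A flat high profile suggests the whole file is
    encrypted; a mixed profile suggests plaintext structure survives in places,
    which is what the password-protected (not encrypted) document would show."""
    return [entropy(data[i:i + block]) for i in range(0, len(data), block)]


def likely_encrypted_or_compressed(data, threshold=7.5):
    """Entropy alone cannot separate compressed from encrypted data, but it does
    separate both from plaintext-like content. Threshold is an assumption."""
    return entropy(data) >= threshold


# Constructed inputs.
TEXT = (b"The quick brown fox jumps over the lazy dog. Visualisation turns bytes "
        b"into pictures so that structure, or its absence, can be seen at a glance. ") * 30
COMPRESSED = zlib.compress(TEXT, 9)
PSEUDO_CIPHERTEXT = random.Random(2021).randbytes(4096)  # seeded, so reproducible

if __name__ == "__main__":
    for name, blob in (("text", TEXT), ("zlib", COMPRESSED), ("random", PSEUDO_CIPHERTEXT)):
        print(f"{name:8s} {len(blob):5d} bytes  entropy={entropy(blob):.2f}  "
              f"high={likely_encrypted_or_compressed(blob)}")
    with open("text.pgm", "w") as fh:
        fh.write(bytes_to_pgm(TEXT[:1024]))  # open in any viewer that reads PGM
```

In the PGM of the text, the repeated sentence shows up as a repeating stripe pattern; the same bytes after compression or encryption have no visible structure, which is the effect Conti's images demonstrate.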

VizSec (Visualization for Cyber Security)

  • Academic venue for research in this area since 2004, co-located with IEEE VIS. https://vizsec.org/

Some examples from the 2021 proceedings:

  • Developing Visualisations to Enhance an Insider Threat Product: A Case Study
  • AI Total: Analyzing Security ML Models with Imperfect Data in Production
  • Automatic Narrative Summarization for Visualizing Cyber Security Logs and Incident Reports
  • VulnEx: Exploring Open-Source Software Vulnerabilities in Large Development Organizations to Understand Risk Exposure

Look at the research papers in this domain; they may help give you ideas for your Masters Project!

Further reading

  • P. A. Legg, “Visualizing the insider threat: challenges and tools for identifying malicious user activity,” 2015 IEEE Symposium on Visualization for Cyber Security (VizSec), 2015, pp. 1-7, doi: 10.1109/VIZSEC.2015.7312772.
  • SDAV - Visualisation

Practical

  • Explore some D3.js examples.
  • Lab exercise: node-link and parallel coordinates visualisations built from a PCAP file.
  • Continue with Assignment Task 2