1 Copyright © 2014, FireEye, Inc. All rights reserved.
VIZSEC 2015
http://vizsec.org/vizsec2015/
Awalin Sopan
• Co-located events with IEEE VIS
– InfoVis (information visualization)
– VAST (visual analytics in science and technology)
– VizSec: 11 papers, 6 posters, …
– SciVis, etc.
Why visualize data?
Anscombe’s Quartet
Dataset 1 (x, y)   Dataset 2 (x, y)   Dataset 3 (x, y)   Dataset 4 (x, y)
10.0 8.04 10.0 9.14 10.0 7.46 8.0 6.58
8.0 6.95 8.0 8.14 8.0 6.77 8.0 5.76
13.0 7.58 13.0 8.74 13.0 12.74 8.0 7.71
9.0 8.81 9.0 8.77 9.0 7.11 8.0 8.84
11.0 8.33 11.0 9.26 11.0 7.81 8.0 8.47
14.0 9.96 14.0 8.10 14.0 8.84 8.0 7.04
6.0 7.24 6.0 6.13 6.0 6.08 8.0 5.25
4.0 4.26 4.0 3.10 4.0 5.39 19.0 12.50
12.0 10.84 12.0 9.13 12.0 8.15 8.0 5.56
7.0 4.82 7.0 7.26 7.0 6.42 8.0 7.91
5.0 5.68 5.0 4.74 5.0 5.73 8.0 6.89
Property (the same for all four datasets)   Value
Mean of x                                   9.0
Variance of x                               11.0
Mean of y                                   7.5
Linear regression                           y = 3 + 0.5x
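The point of the quartet is that the summary statistics cannot tell the four datasets apart while a scatter plot can. The following is an added example (not code from the talk): it recomputes the statistics listed above from the four datasets printed on the slide, and renders each dataset as a small text scatter plot so the difference is visible even without a plotting library. The `ascii_scatter` helper and its grid size are this example's own choices.

```python
"""Anscombe's quartet: identical summary statistics, four different shapes."""
from statistics import mean, variance

# The four datasets exactly as printed on the slide: (x values, y values).
ANSCOMBE = {
    1: ([10, 8, 13, 9, 11, 14, 6, 4, 12, 7, 5],
        [8.04, 6.95, 7.58, 8.81, 8.33, 9.96, 7.24, 4.26, 10.84, 4.82, 5.68]),
    2: ([10, 8, 13, 9, 11, 14, 6, 4, 12, 7, 5],
        [9.14, 8.14, 8.74, 8.77, 9.26, 8.10, 6.13, 3.10, 9.13, 7.26, 4.74]),
    3: ([10, 8, 13, 9, 11, 14, 6, 4, 12, 7, 5],
        [7.46, 6.77, 12.74, 7.11, 7.81, 8.84, 6.08, 5.39, 8.15, 6.42, 5.73]),
    4: ([8, 8, 8, 8, 8, 8, 8, 19, 8, 8, 8],
        [6.58, 5.76, 7.71, 8.84, 8.47, 7.04, 5.25, 12.50, 5.56, 7.91, 6.89]),
}


def summarize(x, y):
    """Return the statistics the slide lists as a dict.

    The variance is the sample variance (n - 1), which is what yields 11.0 for x.
    The regression is ordinary least squares, y = intercept + slope * x.
    """
    mx, my = mean(x), mean(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    slope = sxy / sxx
    return {
        "mean_x": mx,
        "var_x": variance(x),
        "mean_y": my,
        "slope": slope,
        "intercept": my - slope * mx,
    }


def ascii_scatter(x, y, width=40, height=12):
    """Render the points as a text scatter plot; returns the rows, top row first.

    Each axis is scaled to its own data range, so every dataset fills the grid.
    Points that fall into the same cell overlap (dataset 4 has ten points at x=8).
    """
    xmin, xmax = min(x), max(x)
    ymin, ymax = min(y), max(y)
    xspan = max(xmax - xmin, 1e-9)   # guard against a constant column
    yspan = max(ymax - ymin, 1e-9)
    grid = [[" "] * width for _ in range(height)]
    for xi, yi in zip(x, y):
        col = int((xi - xmin) / xspan * (width - 1))
        row = int((yi - ymin) / yspan * (height - 1))
        grid[height - 1 - row][col] = "*"   # row 0 is the top of the plot
    return ["|" + "".join(r) for r in grid] + ["+" + "-" * width]


if __name__ == "__main__":
    for k, (x, y) in ANSCOMBE.items():
        s = summarize(x, y)
        print(f"dataset {k}: mean x={s['mean_x']:.1f} var x={s['var_x']:.1f} "
              f"mean y={s['mean_y']:.2f} fit y = {s['intercept']:.2f} + {s['slope']:.3f}x")
        print("\n".join(ascii_scatter(x, y)))
```

Running it prints four near-identical statistics lines followed by four clearly different pictures: a cloud, a curve, a line with one outlier, and a vertical stack with one far point.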
UAC network alerts, 361 rows
361 network alerts from UAC, 12 nodes (IPs)
Nodes sized by in-degree, colored by centrality
Security Data
• Multivariate: packet/TCP dump (IP, port, packet size, time, etc.: multiple variables), server logs
  → table, scatter plot, bubble chart, parallel coordinates
• Relational: NetFlow (nodes and edges): src IP and dest IP
  → node-link diagram, matrix diagram; can identify active nodes
• Temporal: log files / activity / events: host/endpoint events over time
  → line chart, histogram; can identify anomalous patterns
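The node-link view on the alert slides above (nodes sized by in-degree, colored by centrality) and the "Relational" row here both start from the same computation: turn (src, dst) alert rows into a directed graph and score the nodes. The following is an added example, not the talk's or any tool's code: it builds that graph from a constructed handful of alerts, computes in-degree for the size channel and betweenness centrality (Brandes' algorithm) for the colour channel, and ranks the active nodes. The slides do not say which centrality measure was used, so betweenness is this example's assumption, and the IPs are constructed sample data, not the 361 UAC alerts.

```python
"""Alert rows -> directed host graph -> in-degree and betweenness centrality."""
from collections import Counter, defaultdict, deque

# Constructed alerts as (src_ip, dst_ip). 10.0.0.5 receives from three hosts and
# talks to 10.0.0.9, which talks back to 10.0.0.1; one alert row is duplicated.
ALERTS = [
    ("10.0.0.1", "10.0.0.5"), ("10.0.0.1", "10.0.0.5"),
    ("10.0.0.2", "10.0.0.5"), ("10.0.0.3", "10.0.0.5"),
    ("10.0.0.5", "10.0.0.9"), ("10.0.0.9", "10.0.0.1"),
]


def build_graph(alerts):
    """Directed graph: nodes are IPs, edge src->dst exists if any alert links them.

    Returns (nodes, adjacency, edge_weight); edge_weight counts alerts per edge,
    which is what a thicker link in the node-link diagram would encode.
    """
    adj = defaultdict(set)
    weight = Counter()
    for src, dst in alerts:
        adj[src].add(dst)
        weight[(src, dst)] += 1
    nodes = set(adj) | {d for ds in adj.values() for d in ds}
    return nodes, adj, weight


def in_degree(nodes, adj):
    """Number of distinct sources sending to each node (the node-size channel)."""
    deg = dict.fromkeys(nodes, 0)
    for src in adj:
        for dst in adj[src]:
            deg[dst] += 1
    return deg


def betweenness(nodes, adj):
    """Brandes' betweenness centrality on the directed, unweighted graph:
    how many shortest paths between other node pairs run through each node."""
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        stack, queue = [], deque([s])
        pred = {v: [] for v in nodes}
        sigma = dict.fromkeys(nodes, 0)       # number of shortest paths from s
        dist = dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        while queue:                          # BFS, recording shortest-path predecessors
            v = queue.popleft()
            stack.append(v)
            for w in adj.get(v, ()):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while stack:                          # accumulate dependencies back towards s
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def active_nodes(alerts, top=3):
    """Rank hosts the way the picture draws them: largest in-degree first,
    then highest betweenness as the tie-breaker."""
    nodes, adj, _ = build_graph(alerts)
    deg, bc = in_degree(nodes, adj), betweenness(nodes, adj)
    return sorted(nodes, key=lambda n: (deg[n], bc[n]), reverse=True)[:top]


if __name__ == "__main__":
    nodes, adj, weight = build_graph(ALERTS)
    print("in-degree:", in_degree(nodes, adj))
    print("betweenness:", betweenness(nodes, adj))
    print("alerts per edge:", dict(weight))
    print("most active:", active_nodes(ALERTS))
```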
Charts and Dashboards: static representation
Visual Analytics for Cyber Security
– Greg Conti, US Army
• Vulnerabilities
• IDS alarms (NIDS/HIDS), correlating alerts
• worm/virus propagation
• routing anomalies
• large-volume computer network logs
• visual correlation of security events
• network traffic for security
• attacks in near-real-time
• dynamic attack tree creation (graphic)
• signature detection
• noise in the data
• skewed data distribution
• efficient processing of large amounts of data
• anomaly detection
• feature selection/construction
• forensic visualization
Visual Analytics: Interactive Visual Interface for Decision Making
• Overview the data using charts, dashboards, tables: see all alerts
– Find patterns, trends, outliers, correlations
– Sort by rank
– Group similar things: group by signature
• Zoom and filter: select only the interesting ones
• Details on demand: details of the selected alert
• Relate: show related alerts
Time-based Network Traffic Visualization
– John Goodall et al., 2005
http://tnv.sourceforge.net/
Figure: packets between src and dest hosts; background colored by host IP, links colored by protocol
VisAlert: Livnat et al., 2005
http://link.springer.com/chapter/10.1007%2F978-3-540-78243-8_11#page-1
https://www.youtube.com/watch?v=tB_uAb1DN8g
Figure: probe phase vs. attack phase
FlowTag: Connecting port and IP
Binary File Vis
• http://binvis.io/#/view/examples/elf-Linux-ARMv7-ls.bin
Some Papers from VizSec 2015
Percival: compute attack graph, assess response plan
Figure: possible attack graphs
Ocelot: User-Centered Design of a Decision Support Visualization for Network Quarantine
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=7312763
Distinguishes external nodes from internal nodes in the Petri dish by placing the external nodes in a ring surrounding the internal nodes.
Feedback from 4 security engineers → added time series filtering and brushing.
Unlocking User-Centered Design Methods for Building Cyber Security Visualizations
• Worked with a cyber security company to improve their dashboard
• Created 20 types of visualizations, categorized as Network, Map, Charts, and Time series
• Showed them to analysts
• Finally developed a prototype of the new interface
• URL: http://mckennapsean.com/projects/vizsec-design-methods/
The analyst was unconvinced that the graphs could show meaningful insights at scale with each node representing a single IP address.
The layout algorithm confused the analyst since it positioned each IP address at a location that was not meaningful to the analyst.
The map representations garnered positive feedback from the analyst, in particular the cartograms due to their novelty.
These charts concerned the analyst due to the lack of the finest level of detail.
The 3D data chart enticed the analyst despite continued warnings about the usability challenges of 3D visualization.
Parallel coordinates and treemaps confused the analyst and required further explanation. After explanation, the analyst commented:
• parallel coordinates seemed promising for exploring multidimensional data.
• the treemaps (which showed the IP address hierarchy) seemed less useful.
Timestamp was one of the least important data fields for the analyst.
• Avoid visual representations that require significant explanation, such as parallel coordinates or treemaps.
• Precise details on the time scale may not be immediately vital.
• Summary views for communication can use aggregation.
• Aggregation of data should be immediately obvious.
• A map-based view could aid the discovery of patterns.
Visualizing the Insider Threat: Challenges and Tools for Identifying Malicious User Activity
http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F07312772.pdf%3Farnumber%3D7312772
Figure: interactive PCA of user activity, with an anomalous cluster highlighted
Ensemble Visualization For Cyber Situation
Awareness of Network Security Data
Goals:
– Cluster traffic with similar behavior
– Identify traffic with unusual patterns
Ensembles:
– Snort alerts ensemble: source and destination IP, port,
time, protocol, message, and classification.
– Flow ensemble: an alert belongs to a flow if it is detected within the time range of the flow and has the same source and destination IP.
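The flow-ensemble rule above is precise enough to code. The following is an added example, not code from the talk or the paper: it joins constructed Snort-style alerts to constructed NetFlow-style flows using exactly that rule (same source and destination IP, direction respected, timestamp inside the flow's time range with the boundaries included), reports alerts that belong to no flow, and builds the per-flow alert-count and classification profile that the clustering goal would feed on. The field names `flow_id`, `alert_id` and `classification` and all sample values are this example's own.

```python
"""Assign Snort-style alerts to flows using the slide's flow-ensemble rule."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    flow_id: str
    src: str
    dst: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Alert:
    alert_id: str
    src: str
    dst: str
    ts: datetime
    classification: str


def _t(s):
    return datetime.fromisoformat(s)


# Constructed flows: the same pair twice at different times, plus the reverse direction.
FLOWS = [
    Flow("F1", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:00:00"), _t("2015-10-26T09:00:30")),
    Flow("F2", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:05:00"), _t("2015-10-26T09:05:10")),
    Flow("F3", "10.0.0.20", "10.0.0.7", _t("2015-10-26T09:00:00"), _t("2015-10-26T09:00:30")),
]

# Constructed alerts covering the cases that matter: inside a flow, exactly on its
# end boundary, reverse direction, in the gap between flows, and in the later flow.
ALERTS = [
    Alert("A1", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:00:05"), "attempted-recon"),
    Alert("A2", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:00:30"), "attempted-recon"),
    Alert("A3", "10.0.0.20", "10.0.0.7", _t("2015-10-26T09:00:10"), "policy-violation"),
    Alert("A4", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:02:00"), "attempted-recon"),
    Alert("A5", "10.0.0.7", "10.0.0.20", _t("2015-10-26T09:05:03"), "trojan-activity"),
]


def assign_alerts_to_flows(flows, alerts):
    """Apply the slide's rule: an alert belongs to a flow when it has the same
    source and destination IP (direction matters) and its timestamp lies within
    the flow's [start, end] range, boundaries included.

    Returns (members, unmatched): members maps flow_id -> list of alert_ids,
    unmatched lists alert_ids that fit no flow and deserve a look on their own.
    """
    by_pair = defaultdict(list)            # (src, dst) -> flows, so only candidates are scanned
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    members = {f.flow_id: [] for f in flows}
    unmatched = []
    for a in alerts:
        hits = [f for f in by_pair.get((a.src, a.dst), []) if f.start <= a.ts <= f.end]
        if not hits:
            unmatched.append(a.alert_id)
        for f in hits:                      # overlapping flows each keep the alert
            members[f.flow_id].append(a.alert_id)
    return members, unmatched


def flow_profiles(flows, alerts):
    """Per-flow feature summary for the clustering goal on the slide:
    how many alerts the flow carried and which Snort classifications appeared."""
    members, _ = assign_alerts_to_flows(flows, alerts)
    by_id = {a.alert_id: a for a in alerts}
    return {
        fid: {"alerts": len(ids),
              "classes": sorted({by_id[i].classification for i in ids})}
        for fid, ids in members.items()
    }


if __name__ == "__main__":
    members, unmatched = assign_alerts_to_flows(FLOWS, ALERTS)
    print("members:", members)
    print("unmatched:", unmatched)
    print("profiles:", flow_profiles(FLOWS, ALERTS))
```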
Takeaways…
• (Human && Machine) >> (Human || Machine)
• Network visualization is complex due to huge data; it needs contextual analysis and better layouts and clustering.
• Although some groups worked directly with analysts (APL, PNNL, DoD, …), there is not enough intersection of knowledge between security and visual analytics.
• VizSec 2016, Baltimore, MD!
Editor's Notes

  1. Source: Wikipedia
  2. Simple statistical properties failed to convey the actual overview. Maybe there is some outlier, or a trend or pattern.
  3. Dashboards
  4. a computer-driven transformation of abstract data into an interactive visual depiction aiming at insight – which in turn translates into “discovery, decision-making, and explanation”