Program Abstracts


Invited Talks

Stefano Foresti.
Visalert: From Idea to Product

Abstract: Visalert is a visualization system designed to increase situational awareness and analysis abilities for monitoring network events: it enables analysts to access data from multiple databases, correlate who, what, when and where, and zoom in and out of information of interest. This presentation will describe the interdisciplinary user-centered process to research, design and develop a technology to meet user needs. This includes direct examples and lessons learned interacting with the domain experts and users, the visual design iterations that evolved into the final metaphor, and the issues to consider in the process of evaluating and transferring technology to the end users.


Anita D'Amico and Kirsten Whitley.
The Real Work of Information Assurance Analysts

Abstract: This talk will cover three of the findings of a cognitive task analysis (CTA) of computer network defense (CND) analysts: 1) the hierarchy of data that is transformed through the analytical process from data into security situational awareness; 2) the definition and description of different roles of CND analysis; and 3) the workflow that analysts and analytical organizations engage in to process raw network data into meaningful security incidents. These CTA findings have implications for designing visualizations to improve the work processes and decision making of CND analysts. The findings also guided the design and development of VIAssist, a visual analytics system developed for and under evaluation by the CND community.




Accepted Papers

Dino Schweitzer, Leemon Baird and William Bahn.
Visually Understanding Jam Resistant Communication

Abstract: The primary goal of information security is to ensure the confidentiality, integrity, authenticity, and availability of information.  Availability is often relegated to a discussion of denial of service attacks on network resources.  Another form of denying availability is to prevent communication through the use of traditional jamming techniques.  At the United States Air Force Academy Center for Information Security, we have been working on a new algorithm, BBC, which is based on a new type of coding theory known as concurrent codes, that is resistant to traditional jamming techniques.  While the formal definition and proofs of concurrent codes can be daunting, the algorithm's effectiveness can be easily conveyed and appreciated through visual demonstration.  This paper briefly introduces concurrent codes and describes an interactive applet that visually demonstrates the algorithm's effectiveness in a noisy environment.


Doantam Phan, John Gerth, Marcia Lee, Andreas Paepcke and Terry Winograd.
Visual Analysis of Network Flow Data with Timelines and Event Plots *

Abstract: This paper describes Isis, a system that uses progressive multiples of timelines and event plots to support the iterative investigation of intrusions by experienced analysts using network flow data. The visual representations have been designed to make temporal relationships apparent, allow visual classification of events with dynamic brushing, and enable users to organize their visualizations to reveal traffic structure and patterns by reordering rows. Isis combines visual affordances with SQL to provide a flexible tool for investigation. We present an annotated case study using anonymized data of a real intrusion that demonstrates the features of Isis.


Xiaoyuan Suo, Ying Zhu, Hsiu-Chung Wang and Scott Owen.
Complexity Analysis for Information Visualization Design and Evaluation

Abstract: In this paper, we present a method for analyzing the complexity of information visualization. The complexity is measured in terms of visual integration, number of separable dimensions for each visual unit, the complexity of interpreting the visual attributes, number of visual units, and the efficiency of visual search. Two security visualization systems are evaluated in this paper using the method. This method is designed to better assist fellow developers to quickly evaluate multiple design choices.


Denis Lalanne, Enrico Bertini, Patrick Hertzog and Pedro Bados.
Visual Analysis of Corporate Network Intelligence: Abstracting and Reasoning on Yesterdays for Acting Today

Abstract: This article proposes to go beyond the standard visualization application for security management, which is usually day-to-day monitoring. For this purpose, it introduces a pyramidal vision of the network intelligence and of the respective role of information visualization to support not only security engineers, but also analysts and managers. The paper first introduces our holistic vision and discusses the need to reduce the complexity of network data in order to abstract analysis and trends over time and further to convert decisions into actions. The article further introduces the analysis tasks we are currently tackling. The two following sections present two different ways to overview network data concentrating on specific dimensions of network security: user and application centric firstly, and alarm and temporal centric secondly. Finally this article concludes with the limitations and challenges introduced by our approach.


Barry Irwin and Jean-Pierre van Riel.
InetVis: a Graphical aid for the Detection and Visualisation of Network Scans

Abstract: This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. The scan detection algorithms of Snort and Bro are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The algorithms of the Snort and Bro intrusion detection systems are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.


Barry Irwin and Nick Pilkington.
High level Internet level traffic visualization using Hilbert curve mapping

Abstract: A high level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparisons of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.


Chris Muelder, Lei Chen, Russell Thomason, Kwan-Liu Ma and Tony Bartoletti.
Intelligent Classification and Visualization of Network Scans *

Abstract: Network scans are a common first step in a network intrusion attempt. In order to gain information about a potential network intrusion, it is beneficial to analyze these network scans. Statistical methods such as wavelet scalogram analysis have been used along with visualization techniques in previous methods. However, applying these statistical methods causes a substantial amount of data loss. This paper presents a study of using associative memory learning techniques to directly compare network scans in order to create a classification which can be used by itself or in conjunction with existing visualization techniques to better characterize the sources of these scans. This produces an integrated system of visual and intelligent analysis which is applicable to real world data.


Florian Mansmann, Lorenz Meier and Daniel Keim.
Graph-based Monitoring of Host Behavior for Network Security

Abstract: Monitoring host behavior in a network is one of the most essential tasks in the fields of network monitoring and security since more and more malicious code in the wild internet constantly threatens the network infrastructure. In this paper, we present a graph-based visual analytics tool to keep track of changing traffic behavior of network hosts. The tool's interaction capabilities allow for visual exploration of network traffic over time and are demonstrated using netflow data as well as IDS alerts. Automatic accentuation of hosts with highly variable traffic results in fast hypothesis generation and confirmation of suspicious host behavior. By integrating the behavior graph in the HNMap tool, we were able to monitor more abstract network entities.


Jason Pearlman and Penny Rheingans.
Visualizing network security events using compound glyphs from a service-oriented perspective

Abstract: Network security is the complicated field of controlling access within a computer network. One of the difficulties in network security is detecting the presence, severity, and type of a network attack. Knowledge of such an attack is used to mitigate its damage and prevent such attacks from occurring in the future. We present a new visualization of a computer network for security purposes by approaching the problem from a service-oriented perspective. This approach involves a node graph visualization where each node is represented as a compound glyph, which gives details about the network activity for the specific node based upon its service usage. Furthermore, we visualize temporal activity using time slicing techniques in the compound glyph to give more details about the network and allow interactive controls for an administrator to actively monitor a network in order to react to security events quickly. Our resulting visualizations of networks successfully identified and described denial of service and compromised network attacks.


Teryl Taylor, Stephen Brooks and John McHugh.
NetBytes Viewer: An Entity-based NetFlow Visualization Utility for Identifying Intrusive Behavior

Abstract: NetBytes Host Viewer is an interactive visualization tool designed to show the historical network flow data per port of an individual host machine or subnet on a network over time, using a 3D impulse graph plot. Such visualizations allow network administrators to quickly and effectively diagnose infected or malfunctioning computers by viewing data transmission patterns for each port on the entity. NetBytes has a set of interactive features which help to deal with the problems associated with displaying a 3D graph on a 2D screen. First, NetBytes offers a 'selector' mode which allows the user to highlight specific ports (or times) on the graph using a slider and snap buttons. From the selector, the user can launch a set of 2D graphs (Bytes vs. Time and Bytes vs. Ports) to acquire more detailed information about the host with less clutter. Lastly, the user is able to rotate the 3D graph in any direction to mitigate occlusion. The long term objectives of this work include the integration of the NetBytes Viewer with complementary visualizations of the overall network. This application will integrate with a larger network analysis tool and be utilized as a drill-down mechanism.


Jennifer Stoll, David McColgin, Michelle Gregory, Vern Crow and W. Keith Edwards.
Exploiting the User: Adapting Personas for Use in Security Visualization Design

Abstract: The development of security visualization applications must involve the user in the design process in order to create usable systems. However, it is all too easy to lose track of the user during the design and development process, even though upfront investment in extensive user requirements gathering has proven benefits. To address this challenge, we adapt a user-centered design method called personas that enables effective requirements capture for varying scopes of requirements-gathering efforts, and, when used properly, keeps the user involved at every step of the process from design to evaluation.


Bill Pike, Chad Scherrer and Sean Zabriskie.
Putting Security in Context: Visual Correlation of Network Activity with Real-World Information *

Abstract: To effectively identify and respond to cyber threats, computer security analysts must understand the scale, motivation, methods, source, and target of an attack.  Central to developing this situational awareness is the analyst's world knowledge that puts these attributes in context.  What known exploits or new vulnerabilities might an anomalous traffic pattern suggest?  What organizational, social, or geopolitical events help forecast or explain attacks and anomalies?  Few visualization tools support creating, maintaining, and applying this knowledge of the threat landscape.  Through a series of formative workshops with practicing security analysts, we have developed a visualization approach inspired by the human process of contextualization; this system, called NUANCE, creates evolving behavioral models of network actors at organizational and regional levels, continuously monitors external textual information sources for themes that indicate security threats, and automatically determines if behavior indicative of those threats is present on a network.


Richard Lippmann, Leevar Williams and Kyle Ingols.
An Interactive Attack Graph Cascade and Reachability Display *

Abstract: Attack graphs for large enterprise networks improve security by revealing critical paths used by adversaries to capture network assets. Even with simplification, current attack-graph displays are complex and difficult to relate to the underlying physical networks. We have developed a new interactive tool intended to provide a simplified and more intuitive understanding of key weaknesses discovered by attack graph analysis. Separate treemaps are used to display hosts in each subnet and hosts within each treemap are grouped using reachability groups, attacker privilege level, and prerequisites. Users position subnets themselves to reflect their own intuitive grasp of network topology. Users can single-step the attack graph to successively add edges that cascade to show how attackers progress through a network and learn what vulnerabilities or trust relationships allow critical steps. Finally, an integrated reachability display demonstrates how filtering devices affect host-to-host network reachability and influence attacker actions. This display easily scales to networks with hundreds of hosts and many subnets. Rapid interactivity is provided because an efficient C++ computation engine (a program named NetSPA) performs attack graph and reachability computations while a Java application manages the display and user interface.


Tamara Yu, Benjamin Fuller, John Bannick, Lee Rossey and Robert Cunningham.
Integrated Environment Management for Information Operations Testbeds

Abstract: Network testbeds are indispensable for developing and testing Information Operations (IO) technologies.  Lincoln Laboratory has been developing LARIAT to support IO test design, development, and execution with high-fidelity user simulations.  As LARIAT becomes more advanced, enabling larger and more realistic and complex tests, effective management software has proven essential.  In this paper, we present the Director, a graphical user interface that enables experimenters to quickly define, control, and monitor reliable IO tests on a LARIAT testbed.  We describe how the interface simplifies these key elements of testbed operation by providing the experimenter with an appropriate system abstraction, support for basic and advanced usage, scalable performance and visualization in large networks, and interpretable and correct feedback.
