Atlantic City, NJ, USA. In conjunction with VisWeek 2009
The 6th International Workshop on Visualization for Cyber Security was held in Atlantic City, NJ, USA on October 11, 2009. VizSec brought together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques. The keynote speaker was Bill Cheswick.
VizSec was held in conjunction with VisWeek 2009.
The proceedings are in the IEEE Digital Library.
Papers
- Anatoly Yelizarov, Dennis Gamayunov
- 'Visualization of Complex Attacks and State of Attacked Network' slides | paper link
- Joel Glanfield, Stephen Brooks, Teryl Taylor, Diana Paterson, Christopher Smith, Carrie Gates, John McHugh
- 'OverFlow: An Overview Visualization for Network Analysis' slides | paper link
- David Barrera, P.C. van Oorschot
- 'Security Visualization Tools and IPv6 Addresses' slides | paper link
- Daniel A. Quist, Lorie M. Liebrock
- 'Visualizing Compiled Executables for Malware Analysis' slides | paper link
- Philipp Trinius, Thorsten Holz, Jan Gobel, Felix C. Freiling
- 'Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs' slides | paper link
- T.J. Jankun-Kelly, David Wilson, Andrew S. Stamps, Josh Franck, Jeffery Carver, J. Edward Swan II
- 'A Visual Analytic Framework for Exploring Relationships in Textual Contents of Digital Forensics Evidence' slides | paper link
- Glenn A. Fink, Christopher L. North, Alex Endert, Stuart Rose
- 'Visualizing Cyber Security: Usable Workspaces' slides | paper link
- John R. Goodall
- 'Visualization is Better! A Comparative Evaluation' slides | paper link
- Dino Schweitzer, Jeff Boleng, Colin Hughes, Louis Murphy
- 'Visualizing Keyboard Pattern Passwords' slides | paper link
- Shaun P. Morrissey, Georges Grinstein
- 'Visualizing Firewall Configurations Using Created Voids' slides | paper link
Posters
- Steve Huntsman, Chris Covington, and John Franklin
- 'Scalable visual traffic analysis' abstract
- Diana Paterson, Teryl Taylor, Joel Glanfield, Christopher Smith, Carrie Gates, Stephen Brooks, and John McHugh
- 'Activity Viewer: A Tool for Monitoring Network Host Activities' abstract
- Qi Liao, Dirk VanBruggen, Andrew Blaich, and Aaron Striegel
- 'Visual Exploration and Analysis on Host, Users and Applications in Enterprise Networks' abstract
- Giovani Rimon Abuaitah and Bin Wang
- 'SecVizer: A Security Visualization Tool for QualNet-Generated Traffic Traces' abstract
Keynote Speaker
Bill Cheswick, AT&T Labs
Visual Tools for Security: Is there a there there?
It seems obvious: networks, software, authentication, and people have important and often complicated relationships and interactions. There's far too much going on to keep track of all of it, but we know there are important devils down in the details. We know they are there.
Though many have been chasing this dream of security visualization for a couple of decades, we don't have that much to show for our efforts. We use NOCs and tools widely for managing large networks, but they get complicated fast. And most of the anomalous activity is weird but benign, leaving us awash in a sea of false positives. And those people in the NOCs seem totally resistant to 3D displays, data gloves, and other cool tools of our trade.
What can we do? How can we help, really?
Bill Cheswick is interested in security that's too hard to ensure, passwords that are too hard to remember, graphs that are too hard to visualize, and VCRs that are too hard to program. And lots of other stuff. Ches is an early innovator in Internet security. He is known for his work in firewalls, proxies, and Internet mapping at Bell Labs and Lumeta Corp. He is best known for the book he co-authored with Steve Bellovin and now Avi Rubin, Firewalls and Internet Security: Repelling the Wily Hacker. Ches is now a member of the technical staff at AT&T Labs - Research in Florham Park, NJ, where he is working on security, visualization, user interfaces, and a variety of other things.
Panel
- Deb Frincke (organizer)
- "Security + Visualization =/= Science ...Changing the equation"
The 6th International Workshop on Visualization for Cyber Security is a forum that brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques. Co-located this year with IEEE VisWeek 2009, VizSec will continue to provide opportunities for the two communities to collaborate and share insights into providing solutions for security needs through visualization approaches. Accepted papers will be published by the IEEE and archived in the IEEE Digital Library. The authors of the best papers will be invited to extend and revise their paper for journal publication in a special issue of Information Visualization.
This year our focus is on advancing Visualization for Cyber Security as a scientific discipline. While art, engineering, and intuitions regarding the human element will always remain important if we are to obtain useful cyber security visualizations, advances in the scientific practice of research are needed. The scientific aspects of visualization for cyber security draw both on empirical observation (similar to many natural and social sciences) and formal science (such as the formal derivations in mathematics). Barriers confronting current researchers include concerns about available data, lack of a common agreement about what constitutes sound experimental design, the difficulties of measuring the relative effectiveness of security visualizations in practice, and the lack of a common understanding of user requirements. While many researchers are making progress in these and other critical areas, much work yet remains.
Technical Papers
Papers offering novel contributions in security visualization are solicited. Papers may present techniques, applications, practical experience, theory, or experiments and evaluations. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application. We encourage papers that report results on visualization techniques and systems in solving all aspects of cyber security problems, including how visualization applies to:
- Different aspects of security: software, networks and log files (e.g., Internet routing, packet traces and network flows, intrusion detection alerts, attack graphs, application security, etc.)
- Application of visualization techniques in formalizing, defining and analyzing security policies
- Forensic analysis, correlating events, cyber-defense task analysis
- Computer network defense training and offensive information operations
- Building rules, feature selection, and detecting anomalous activity
- Software, software security, and viruses
- Deployment and field testing of VizSec systems
- Evaluation and user testing of VizSec systems
- User and design requirements for VizSec systems
- Lessons learned from development and deployment of VizSec systems
- Field Research Best Practices
- Interaction with domain experts - best practices, lessons learned
- Differentiating the needs of different domains and time frames
- Best practices for obtaining and sharing potentially sensitive data for purposes of visualization and assessment, including how to approach personal privacy, regulatory, and organizational issues
- Metrics and measurements (e.g., criteria for the relative effectiveness of cyber visualizations)
- Handling large datasets, scalability issues, and providing real time or near-real time visualizations
Please consider using public data sets to demonstrate your VizSec system. Using public data sets makes it easier to compare VizSec systems. One example comes from this year's VAST Challenge 2009: An employee is leaking important information to the outside world.
- General Chair
- Deb Frincke, Pacific Northwest National Laboratory
- Program Co-Chairs
- John Goodall, Secure Decisions division of Applied Visions Inc.
- Carrie Gates, CA Labs
- Papers Chair
- Robert Erbacher, Utah State University
Program Committee
- Richard Bejtlich, General Electric
- Gregory Conti, United States Military Academy
- Marc Dacier, Symantec Europe Research Labs
- Anita D'Amico, Secure Decisions division of Applied Visions
- Ron Dilley, Information Security Professional
- David Ebert, Purdue University
- Glenn Fink, Pacific Northwest National Laboratory
- John Gerth, Stanford University
- Warren Harrop, Swinburne University of Technology
- Mark Haselkorn, University of Washington
- Richard Johnson, Microsoft
- Richard Kemmerer, UC Santa Barbara
- Toby Kohlenberg, Intel
- Florian Mansmann, University of Konstanz
- Raffael Marty, Splunk
- Douglas Maughan, Department of Homeland Security
- John McHugh, Dalhousie University / University of North Carolina
- Jan P. Monsch, Dublin City University
- Chris North, Virginia Tech
- Stephen North, AT&T Research
- Sean Peisert, UC Davis
- Greg Schmidt, SPADAC
- George Tadda, Air Force Research Lab
- Ed Talbot, Sandia National Laboratories
- Joanne Treurniet, Defence Research and Development Canada
- Grant Vandenberghe, Defence Research and Development Canada
- Kirsten Whitley, Department of Defense
- Pak Chung Wong, Pacific Northwest National Laboratory
- Tamara Yu, Massachusetts Institute of Technology