The 7th International Symposium on Visualization for Cyber Security was held in Ottawa, Ontario, Canada on September 14, 2010. This symposium brought together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques. The keynote speaker was Richard Bejtlich.

VizSec was held in conjunction with the 13th International Symposium on Recent Advances in Intrusion Detection (RAID).

The proceedings are in the ACM Digital Library.

Papers

Tamara Yu, Richard Lippmann, James Riordan, Stephen Boyer

"EMBER: A Global Perspective on Extreme Malicious Behavior" slides | paper link

Jeffrey Guenther, Fred Volk and Mark Shaneck

"Proposing a Multi-touch Interface for Intrusion Detection Environments" slides | paper link

Matthew Chu, Kyle Ingols, Richard Lippmann, Seth Webster and Stephen Boyer

"Visualizing Attack Graphs, Reachability, and Trust Relationships with NAVIGATOR" slides | paper link

Qi Liao, Aaron Striegel and Nitesh Chawla

"Visualizing Graph Dynamics and Similarity for Enterprise Network Security and Management" slides | paper link

John R. Goodall, Hassan Radwan, Lenny Halseth

"Visual Analysis of Code Security" slides | paper link

Cynthia Wagner, Gerard Wagener, Radu State, Alexandre Dulaunoy and Thomas Engel

"PeekKernelFlows: Peeking into IP flows" slides | paper link

Eduard Glatz

"Visualizing Host Traffic through Graphs" slides | paper link

Michael Oehler, Dhananjay Phatak and John Krautheim

"Visualizing Your Key for Secure Phone Calls And Language Independence" slides | paper link

Wilson Lian, Fabian Monrose and John McHugh

"Traffic Classification Using Visual Motifs: An Empirical Evaluation" slides | paper link

Daniel Best, Shawn Bohn, Douglas Love, Adam Wynne and William Pike

"Real-Time Visualization of Network Behaviors for Situational Awareness" slides | paper link

Lane Harrison, Xianlin Hu, Xiaowei Ying, Aidong Lu, Weichao Wang and Xintao Wu

"Interactive Detection of Network Anomalies via Coordinated Multiple Views" slides | paper link

Jamie Rasmussen, Kate Ehrlich, Steven Ross, Susanna Kirk, Daniel Gruen and John Patterson

"Nimble Cybersecurity Incident Management through Visualization and Defensible Recommendations" slides | paper link

Posters

Robert Ferris and John Goodall

"A Visual Query Builder: Simplifying Data Selection" poster | abstract

Jeff Wilson and Robert Biddle

"Collaborative Multitouch Log Browsing" poster | abstract

Jake Spitzer and Cal Singh

"Graphical Passwords Using Google Maps" abstract

Steven Glowacki and Joshua Gminski

"Detecting Cloned Portions of Images" poster | abstract

Serguei Mokhov, Joey Paquet and Mourad Debbabi

"The Need to Support of Data Flow Graph Visualization of Forensic Lucid Programs, Forensic Evidence, and their Evaluation by GIPSY" poster | abstract

Keynote Speaker

Richard Bejtlich, GE

Is Security Visualization Useful in Production?

Is there is a disconnect between security visualization in theory and practice? In this keynote, Richard Bejtlich discussed the strengths and weaknesses of using security visualization in the enterprise. For example, why do analysts consistently refer to traditional displays, despite nearly ten years of work in the visualization arena? Why are most security products so limited when rendering data? What must be done to change this situation? Richard explored these topics based on experiences as Principal Technologist and Director of Incident Response for General Electric.

Richard Bejtlich is Director of Incident Response for General Electric, and serves as Principal Technologist for GE's Global Infrastructure Services division. Prior to GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection", and co-authored "Real Digital Forensics". He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.

The International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners in information visualization and cyber security to address the specific needs of the cyber security community through new and insightful visualization techniques. Co-located this year with the Symposium on Recent Advances in Intrusion Detection (RAID), the 7th VizSec will continue to provide opportunities for the two communities to collaborate and share insights into providing solutions for security needs through visualization approaches. Accepted papers will appear in the ACM Digital Library as part of the ACM International Conference Proceedings Series.

This year our focus is on understanding what makes effective visual interfaces for different cyber security tasks. This involves both advancing our understanding of what cyber security tasks are, and improving our understanding of what it means for a security visualization to be effective. Cyber security visualization tasks cover a wide range, including (but not limited to) acquiring situational awareness in massive datasets; analyzing data from disparate sources during incident handling; producing actionable reports for others; modelling the behaviour of systems; and predicting future events. Understanding the effectiveness of a cyber security visualization is not limited only to the usability of the interface itself, but, perhaps even more importantly, to the assessment of how the visualization advances security goals. Barriers confronting current researchers include understanding the tasks where visualization can be effective, concerns about available data for both usability and effectiveness assessment, lack of a common agreement about what constitutes sound experimental design, and the difficulties of measuring the relative effectiveness of security visualizations in practice. Additionally, discussions at VizSec 2009 raised the question about what role a science-based approach ought to play in the conjunction of visualization and security. While many researchers are making progress in these and other critical areas, much work remains.

Technical Papers

Full and short papers, poster abstracts and panel abstracts offering novel contributions in security visualization are solicited. Papers may present technique, applications, practical experience, theory, or experiments and evaluations. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application. We encourage papers that report results on visualization techniques and systems in solving all aspects of cyber security problems, including how visualization applies to:

• Situational awareness/understanding
• Incident handling including triage, exploration, correlation, and response
• Recording and reporting results of investigation
• Modelling system and network behaviour
• Criteria for assessing the effectiveness of cyber security visualizations (whether from a security goal perspective or a human factors perspective)
• Predicting future attacks or targets
• Evaluation/user testing of VizSec systems
• Lessons learned
• Privacy considerations for managing VizSec data

Accepted papers and abstracts will appear in the ACM Digital Library. The program committee will select an accepted paper to receive the VizSec 2010 best paper award. A key element of the best paper selection process will be whether the results are believed to be repeatable by other scientists based on the algorithms and data provided in the paper.

General Chair

John Gerth, Stanford University

Program Chair

Dino Schweitzer, United States Air Force Academy

Publications Chair

John Goodall, Secure Decisions division of Applied Visions Inc.

Local Chair

Grant Vandenberghe, Defence Research and Development Canada

Local Co-Chair

Frédéric Massicotte, Communications Research Centre Canada

Emeritus Chair

Deb Frincke, Pacific Northwest National Laboratory

Program Committee

• Richard Bejtlich, General Electric
• David Barrera, Carleton University
• Carter Bullard, QoSient, LLC
• Bill Cheswick, AT&T Research
• Marc Dacier, Symantec Research Labs
• Ron Dilley, Warner Bros.
• David Ebert, Purdue University
• Alex Endert, Virginia Tech
• Rob Erbacher, Utah State University
• Carrie Gates, CA Labs
• Joel Glanfield, Dalhousie University
• Warren Harrop, Swinburne University of Technology
• Aidong Lu, UNC Charlotte
• Florian Mansmann, University of Konstanz
• Raffael Marty, Loggly
• Jan Monsch, Google
• Stephen North, AT&T
• Danny Quist, Offensive Computing
• Mike Sips, Max Planck Institut Informatik
• Teryl Taylor, University of North Carolina
• Joanne Treurniet, Defense Research and Development, Canada
• Rick Wesson, Support Intelligence
• Kirsten Whitley, Department of Defense
• Pak Chung Wong, Pacific National Laboratory
• Anatoly Yelizarov, Moscow State University
• Tamara Yu, MIT Lincoln Laboratory

National Information Assurance Research Laboratory

Secure Decisions