Real-time visualization of network behaviors for situational awareness

@inproceedings{Best2010RealtimeVO,
  title={Real-time visualization of network behaviors for situational awareness},
  author={Daniel M. Best and Shawn Bohn and Douglas Love and Adam S. Wynne and William A. Pike},
  booktitle={VizSec '10},
  year={2010}
}
Plentiful, complex, and dynamic data make understanding the state of an enterprise network difficult. Although visualization can help analysts understand baseline behaviors in network traffic and identify off-normal events, visual analysis systems often do not scale well to operational data volumes (in the hundreds of millions to billions of transactions per day) nor to analysis of emergent trends in real-time data. We present a system that combines multiple, complementary visualization… 

NetVis: a Visualization Tool Enabling Multiple Perspectives of Network Traffic Data
TLDR
This paper presents a novel framework designed to support multiple heterogeneous visualizations of network traffic data, NetVis, and shows that it is possible to use NetVis to detect unusual activity such as cyber attacks on a network.
Real-time visual analytics for event data streams
TLDR
This paper introduces the Event Visualizer, which is a loosely coupled modular system for collecting, processing, analyzing and visualizing dynamic real-time event data streams and provides an extensible framework with several interactive linked visualizations to focus on different aspects of the event data stream.
NStreamAware: real-time visual analytics for data streams to enhance situational awareness
TLDR
This work proposes a system that uses modern distributed processing technologies to analyze streams using stream slices, which are presented to analysts in a web-based visual analytics application, called NVisAware, and visually guides the user in the feature selection process to summarize the slices.
Dynamic Visual Analytics - Facing the Real-Time Challenge
TLDR
This book chapter defines dynamic visual analytics, discusses its key requirements and presents a pipeline focusing on the integration of human analysts in real-time applications, and demonstrates its applicability in a real-time monitoring scenario of server logs.
A reference web architecture and patterns for real-time visual analytics on large streaming data
TLDR
This work reports the experience of building a reference web architecture for real-time visual analytics of streaming data, identifies and discusses architectural patterns that address these challenges, and reports on applying the reference architecture to real-time Twitter monitoring and analysis.
Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design
TLDR
This work reports on collaboration with cyber analysts to understand their analytic process and how one such threat model, the MITRE ATT&CK Matrix, is used to structure their analytic thinking, and presents efforts to map the specific data analysts need into this threat model in order to inform visualization designs.
StreamSqueeze: a dynamic stream visualization for monitoring of event data
TLDR
This work proposes a novel dynamic stream visualization called StreamSqueeze, which arranges items in several lists of various sizes and optimizes the positions within each list so that the transition of an item from one list to the other triggers least visual changes.
Finding anomalies in time-series using visual correlation for interactive root cause analysis
TLDR
A visual analytics application to tackle the challenge of finding correlations and anomalies in large data sets by integrating similarity models and analytics combined with well-known, but task-adapted, time-series visualizations is developed.
CyberVis: Visualizing the potential impact of cyber attacks on the wider enterprise
TLDR
The CyberVis framework abstracts the visuals to show only noteworthy information about attack data and indicates potential impact both across the network and on enterprise tasks, and achieves this by combining traditional network diagram icons with Business Process Modeling and Notation.
Empirical Study of Focus-Plus-Context and Aggregation Techniques for the Visualization of Streaming Data
TLDR
Overall, the results show that a focus-plus-context design has little negative impact on the ability to successfully monitor and analyze streaming data, making it possible to show longer periods of time than other approaches, but visual aggregation can be problematic for trend recognition tasks.

References

FloVis: Flow Visualization System
TLDR
Preliminary results are reported on the development of a suite of visualization tools intended to complement the command-line tools, such as those from the SiLK Tools, that analysts currently use to perform forensic analysis of NetFlow data.
Visual Analysis of Network Flow Data with Timelines and Event Plots
TLDR
Isis is a system that uses progressive multiples of timelines and event plots to support the iterative investigation of intrusions by experienced analysts using network flow data and combines visual affordances with SQL to provide a flexible tool for investigation.
FlowScan: A Network Traffic Flow Reporting and Visualization Tool
TLDR
FlowScan analyzes and reports on flow data exported by Internet Protocol routers; it is an assemblage of Perl scripts and modules that serves as the glue binding together other freely available components such as a flow collection engine, a high-performance database, and a visualization tool.
Visualizing network data for intrusion detection
TLDR
This paper addresses network traffic visualization techniques that aid an administrator in recognizing attacks in real time by improving upon current techniques that lack effectiveness due to an overemphasis on flow, nodes, or assumed familiarity with the attack tool.
Flodar: Flow Visualization of Network Traffic
Edward Swing. IEEE Computer Graphics and Applications, 1998.
TLDR
The author and his colleagues at the National Security Agency designed an application called Flodar (short for Flow Radar) that monitors the flow of network traffic and monitors the status of individual servers within the system.
LiveRAC: interactive visual exploration of system management time-series data
TLDR
This work presents LiveRAC, a visualization system that supports the analysis of large collections of system management time-series data consisting of hundreds of parameters across thousands of network devices, and conducts an informal longitudinal evaluation of the system to better understand which proposed visualization techniques were most useful in the target environment.
An extended platter metaphor for effective reconfigurable network visualization
E. Blake. Proceedings. Eighth International Conference on Information Visualisation, 2004. IV 2004.
TLDR
This work adapts the Flodar (Swing, 1998) metaphor to visualize dynamic networks and applies the metaphor to three dynamic reconfiguration management tasks and shows how these tasks are visually represented with this approach.
A highly scalable model for network attack identification and path prediction
S. Nanda, N. Deo. Proceedings 2007 IEEE SoutheastCon, 2007.
TLDR
This paper presents a technique to identify attacks on large networks using a highly scalable model, while filtering for false positives and negatives, and forecasts the propagation of the security failures proliferated by attacks over time and their likely targets in the future.
Multiple coordinated views for network attack graphs
TLDR
Improved visual clustering is applied to previously described network protection domains (attack graph cliques) and shows patterns of network attack while avoiding the clutter usually associated with drawing large graphs.
The MeDICi Integration Framework: A Platform for High Performance Data Streaming Applications
TLDR
The MeDICi integration framework (MIF) is described, which is a middleware platform that extends an open source messaging platform with a component-based API for integrating components into analytical pipelines and has been used to build a production analytical application for detecting cyber security attacks.