Visualization of Sanitized Email Logs for Spam Analysis
Chris Muelder, Kwan-Liu Ma
In Proceedings of Asia-Pacific Symposium on Visualization
February, 2007, pp. 9-16
Email has become an integral method of communication. However, it is still plagued by vast amounts of spam. Many statistical techniques, such as Bayesian filtering, have been applied to this problem, and been proven useful. But these techniques in general require training. Another common method of spam prevention is blacklisting known spam sources. In order to do this, the sources must be identified ...
Visualization for Cybersecurity
Kwan-Liu Ma
IEEE Computer Graphics and Applications
Volume 26, Number 2, March/April, 2006, pp. 26-27
Networked computers have become an integral part of our everyday life, used for a variety of purposes at home, in the workplace, and at schools. They are so ubiquitous and easy to access that they are also vulnerable. Any computer exposed to the Internet is likely to be regularly scanned and attacked by both automated and manual means. Both organizations and individuals are making every effort to build and maintain trustworthy computing systems ...
A Visualization Methodology for Characterization of Network Scans
Chris Muelder, Kwan-Liu Ma, Tony Bartoletti
In Proceedings of Workshop on Visualization for Computer Security (VizSEC2005)
October, 2005, pp. 29-38
Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do is refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans ...
Performing BGP Experiments on a Semi-Realistic Internet Testbed Environment
Ke Zhang, Soon Tee Teoh, Shih-Ming Tseng, Rattapon Limprasittipom, Felix Wu, Chen-Nee Chuah, Kwan-Liu Ma
In Proceedings of the Third International Workshop on Security in Distributed Computing Systems
June, 2005
We have built a router testbed that is connected to the Deter/Emist experimental infrastructure. Our goal is to create a semi-realistic testbed to conduct BGP experiments, measure and visualize their impact on network performance and stability. Such a testbed is also useful for evaluating different security countermeasures. Our testbed architecture includes four components: routing topology, background traffic, data analysis and visualization. This paper describes how we launch two specific BGP attacks, (a) Multiple Origin AS and (b) route flap damping attacks, and the lessons learned ...
PortVis: A Tool for Port-Based Detection of Security Events
Johnathan McPherson, Kwan-Liu Ma, Paul Krystosek, Tony Bartoletti, Marvin Christensen
In Proceedings of ACM CCS Workshop on Visualization and Data Mining for Computer Security, ACM Conference on Computer and Communications Security
October, 2004, pp. 73-81
Most visualizations of security-related network data require large amounts of finely detailed, high-dimensional data. However, in some cases, the data available can only be coarsely detailed because of security concerns or other limitations. How can interesting security events still be discovered in data that lacks important details, such as IP addresses, network security alarms, and labels? In this paper, we discuss a system we have designed that takes very coarsely detailed data—basic, summarized information of the activity on each TCP port during each given hour—and uses ...
A Visual Exploration Process for the Analysis of Internet Routing Data
Soon Tee Teoh, Kwan-Liu Ma, Felix Wu
In Proceedings of IEEE Visualization 2003 Conference
October, 2003, pp. 523-530
The Internet pervades many aspects of our lives and is becoming indispensable to critical functions in areas such as commerce, government, production and general information dissemination. To maintain the stability and efficiency of the Internet, every effort must be made to protect it against various forms of attacks, malicious uses, and errors. A key component in the Internet security effort is the routine examination of Internet routing data, which unfortunately can be too large ...