Skip to main content Accessibility help
×
Hostname: page-component-78c5997874-t5tsf Total loading time: 0 Render date: 2024-10-31T23:40:16.306Z Has data issue: false hasContentIssue false

10 - Data-Intensive Visual Analysis for Cyber-Security

Published online by Cambridge University Press:  05 December 2012

William A. Pike
Affiliation:
Pacific Northwest National Laboratory
Daniel M. Best
Affiliation:
Pacific Northwest National Laboratory
Douglas V. Love
Affiliation:
Pacific Northwest National Laboratory
Shawn J. Bohn
Affiliation:
Pacific Northwest National Laboratory
Ian Gorton
Affiliation:
Pacific Northwest National Laboratory, Washington
Deborah K. Gracio
Affiliation:
Pacific Northwest National Laboratory, Washington
Get access

Summary

Introduction

Protecting communications networks against attacks where the aim is to steal information, disrupt order, or harm critical infrastructure can require the collection and analysis of staggering amounts of data. The ability to detect and respond to threats quickly is a paramount concern across sectors, and especially for critical government, utility, and financial networks. Yet detecting emerging or incipient threats in immense volumes of network traffic requires new computational and analytic approaches. Network security increasingly requires cooperation between human analysts able to spot suspicious events through means such as data visualization and automated systems that process streaming network data in near real-time to triage events so that human analysts are best able to focus their work.

This chapter presents a pair of network traffic analysis tools coupled to a computational architecture that enables the high-throughput, real-time visual analysis of network activity. The streaming data pipeline towhich these tools are connected is designed to be easily extensible, allowing newtools to subscribe to data and add their own in-stream analytics. The visual analysis tools themselves – Correlation Layers for Information Query and Exploration (CLIQUE) and Traffic Circle – provide complementary views of network activity designed to support the timely discovery of potential threats in volumes of network data that exceed what is traditionally visualized. CLIQUE uses a behavioral modeling approach that learns the expected activity of actors (such as IP addresses or users) and collections of actors on a network, and compares current activity to this learned model to detect behavior-based anomalies.

Type
Chapter
Information
Data-Intensive Computing
Architectures, Algorithms, and Applications
, pp. 258 - 286
Publisher: Cambridge University Press
Print publication year: 2012

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1. “Mule Enterprise Service Bus: What is Mule ESB?” Accessed July 23, 2010, http://www.mulesoft.org/what-mule-esb.
2. “OASISWeb Services Business Process Execution Language: Specification version 2.0.” Accessed July 23, 2010, http://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.html.
3. Gorton, I.,Wynne, A., Almquist, J., and Chatterton, J 2008. “The MeDICi Integration Framework: A Platform for High Performance Data Streaming Applications.” In Proceedings of the Seventh Working IEEE/IFIP Conference on Software Architecture (February 18–21, 2008). WICSA'08. Washington, D.C: IEEE Computer Society, 95–104.Google Scholar
4. Wynne, A., Gorton, I., Almquist, J., Chatterton, J., and Thurman, D 2008. “A Flexible, High Performance Service-Oriented Architecture for Detecting Cyber Attacks.” In Proceedings of the 41st Annual Hawaii international Conference on System Sciences (January 07–10, 2008). HICSS. Washington, D.C: IEEE Computer Society, 263.CrossRefGoogle Scholar
5. McLachlan, P.,Munzner, T.,Koutsofios, E., and North, S 2008. “LiveRAC: Interactive Visual Exploration of System Management Time-Series Data.” In Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems (Florence, Italy, April 05–10, 2008). CHI '08. New York, NY: ACM, 1483–92.CrossRefGoogle Scholar
6. Cahill, M. H., Lambert, D., Pinheiro, J. C., and Sun, D. X. “Detecting Fraud in the Real World.” In Handbook of Massive Data Sets, edited by J., Abello, P. M., Pardalos, and M. G., Resende, 911–29. Norwell, MA: Kluwer Academic Publishers, 2002.CrossRefGoogle Scholar
7. Dutta, M., Mahanta, A. K., and Pujari, A. K.QROCK: A Quick Version of the ROCK Algorithm for Clustering of Categorical Data.” Pattern Recogn. Lett. 26, 15 (Nov. 2005): 2364–73.CrossRefGoogle Scholar
8. Domingos, P., and Hulten, G 2000. “Mining High-Speed Data Streams.” In Proceedings of the Sixth ACM SIGKDD international Conference on Knowledge Discovery and Data Mining (Boston, Massachusetts, United States, August 20–23, 2000). KDD '00. New York: ACM, 71–80.Google Scholar
9. Keogh, E., Lin, J., and Fu, A. D. “HOT SAX: Efficiently Finding the Most Unusual Time Series Subsequence.” In Proceedings of the Fifth IEEE International Conference on Data Mining (November 27–30, 2005). ICDM' 05. Washington, D.C.: IEEE Computer Society, 226–33.
10. Lin, J., Keogh, E., Lonardi, S., and Chiu, B 2003. “A Symbolic Representation of Time Series, with Implications for Streaming Algorithms.” In Proceedings of the 8th ACM SIGMOD Workshop on Research Issues in Data Mining and Knowledge Discovery (San Diego, California, June 13–13, 2003). DMKD '03., New York, NY: ACM, 2–11.Google Scholar
11. Levenshtein, V. I. 1966. Binary Codes Capable of Correcting Deletions, Insertions and Reversals. Soviet Physics Doklady. 10 (1966): 707–10.Google Scholar
12. Phan, D., Gerth, J., Lee, M., Paepcke, A., and Winograd, T. “Visual Analysis of Network Flow data with Timelines and Event Plots.” In Proceedings of Visualization for Computer Security (Sacramento, CA, October 29, 2007). VIZSEC' 07. Berlin, Springer-Verlag: 85–99.
13. Weber, M., Alexa, M., and Müller, W. 2001. “Visualizing Time-Series on Spirals.” In Proceedings of the IEEE Symposium on information Visualization 2001 (October 22–23, 2001). INFOVIS' 01. Washington, D.C.: IEEE Computer Society, 7.CrossRefGoogle Scholar
14. Pescatore, JMore Port 445 Activity Could Mean Security Trouble. Technical Report. Stamford, CT: Gartner, 1997.Google Scholar
15. Abdullah, K., Lee, A., Conti, G., and Copeland, J. A. “Visualizing Network data for Intrusion Detection.” In Proceedings of the 2005 IEEE Workshop on Information Assurance and Security (US Military Academy, West Point, 2005). New York: IEEE, 2–3.
16. Plonka, D 2000. “FlowScan: A Network Traffic Flow Reporting and Visualization Tool.” In Proceedings of the 14th USENIX Conference on System Administration (New Orleans, Louisiana, December 03–08, 2000). System Administration Conference. Berkeley, CA: USENIX Association, 305–318.Google Scholar
17. Swing, E.Flodar: Flow Visualization of Network Traffic.” IEEE Comput. Graph. 18, no. 5 (Sep. 1998): 6–8.CrossRefGoogle Scholar
18. Nanda, S and Deo, N. “A Highly ScalableModel for Network Attack Identification and Path Prediction.” In Proceedings of the IEEE SoutheastCon (Richmond, VA, March 22–27, 2007). New York, NY: IEEE, 663–68.
19. Noel, S., Jacobs, M., Kalapa, P., and Jajodia, S 2005. “Multiple Coordinated Views for Network Attack Graphs.” In Proceedings of the IEEE Workshops on Visualization For Computer Security (October 26–26, 2005). VIZSEC., Washington, D.C: IEEE Computer Society, 12.CrossRefGoogle Scholar
20. Taylor, T., Paterson, D.,Glanfield, J., Gates, C., Brooks, , and , S., McHugh, J. “FloVis: Flow Visualization System.” In Proceedings of Cybersecurity Applications and Technologies Conference for Homeland Security (Washington, DC, March 03–04, 2009). CATCH' 09. Los Alamitos, CA: IEEE Computer Society, 186–98.
21. Blake, E. H. 2004. “An Extended Platter Metaphor for Effective Reconfigurable Network Visualization.” In Proceedings of the information Visualisation, Eighth international Conference (July 14–16, 2004). IV. Washington, D.C.: IEEE Computer Society, 752–57.Google Scholar

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×