Data-Intensive Visual Analysis for Cyber-Security

doi:10.1017/CBO9780511844409.010

10 - Data-Intensive Visual Analysis for Cyber-Security

Published online by Cambridge University Press: 05 December 2012

William A. Pike ,

Daniel M. Best ,

Douglas V. Love and

Shawn J. Bohn

Edited by

Ian Gorton and

Deborah K. Gracio

Show author details

William A. Pike: Affiliation:
Pacific Northwest National Laboratory
Daniel M. Best: Affiliation:
Pacific Northwest National Laboratory
Douglas V. Love: Affiliation:
Pacific Northwest National Laboratory
Shawn J. Bohn: Affiliation:
Pacific Northwest National Laboratory
Ian Gorton: Affiliation:
Pacific Northwest National Laboratory, Washington
Deborah K. Gracio: Affiliation:
Pacific Northwest National Laboratory, Washington

Book contents

Get access

Summary

Introduction

Protecting communications networks against attacks where the aim is to steal information, disrupt order, or harm critical infrastructure can require the collection and analysis of staggering amounts of data. The ability to detect and respond to threats quickly is a paramount concern across sectors, and especially for critical government, utility, and financial networks. Yet detecting emerging or incipient threats in immense volumes of network traffic requires new computational and analytic approaches. Network security increasingly requires cooperation between human analysts able to spot suspicious events through means such as data visualization and automated systems that process streaming network data in near real-time to triage events so that human analysts are best able to focus their work.

This chapter presents a pair of network traffic analysis tools coupled to a computational architecture that enables the high-throughput, real-time visual analysis of network activity. The streaming data pipeline towhich these tools are connected is designed to be easily extensible, allowing newtools to subscribe to data and add their own in-stream analytics. The visual analysis tools themselves – Correlation Layers for Information Query and Exploration (CLIQUE) and Traffic Circle – provide complementary views of network activity designed to support the timely discovery of potential threats in volumes of network data that exceed what is traditionally visualized. CLIQUE uses a behavioral modeling approach that learns the expected activity of actors (such as IP addresses or users) and collections of actors on a network, and compares current activity to this learned model to detect behavior-based anomalies.

Information

Type: Chapter
Information: Data-Intensive Computing
Architectures, Algorithms, and Applications
, pp. 258 - 286

DOI: https://doi.org/10.1017/CBO9780511844409.010 [Opens in a new window]

Publisher: Cambridge University Press

Print publication year: 2012

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Book purchase

Temporarily unavailable

References

1. “Mule Enterprise Service Bus: What is Mule ESB?” Accessed July 23, 2010, http://www.mulesoft.org/what-mule-esb.

2. “OASISWeb Services Business Process Execution Language: Specification version 2.0.” Accessed July 23, 2010, http://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.html.

3. Gorton, I.,Wynne, A., Almquist, J., and Chatterton, J 2008. “The MeDICi Integration Framework: A Platform for High Performance Data Streaming Applications.” In Proceedings of the Seventh Working IEEE/IFIP Conference on Software Architecture (February 18–21, 2008). WICSA'08. Washington, D.C: IEEE Computer Society, 95–104.Google Scholar

4. Wynne, A., Gorton, I., Almquist, J., Chatterton, J., and Thurman, D 2008. “A Flexible, High Performance Service-Oriented Architecture for Detecting Cyber Attacks.” In Proceedings of the 41st Annual Hawaii international Conference on System Sciences (January 07–10, 2008). HICSS. Washington, D.C: IEEE Computer Society, 263.CrossRef Google Scholar

5. McLachlan, P.,Munzner, T.,Koutsofios, E., and North, S 2008. “LiveRAC: Interactive Visual Exploration of System Management Time-Series Data.” In Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems (Florence, Italy, April 05–10, 2008). CHI '08. New York, NY: ACM, 1483–92.CrossRef Google Scholar

6. Cahill, M. H., Lambert, D., Pinheiro, J. C., and Sun, D. X. “Detecting Fraud in the Real World.” In Handbook of Massive Data Sets, edited by J., Abello, P. M., Pardalos, and M. G., Resende, 911–29. Norwell, MA: Kluwer Academic Publishers, 2002.CrossRef Google Scholar

7. Dutta, M., Mahanta, A. K., and Pujari, A. K. “QROCK: A Quick Version of the ROCK Algorithm for Clustering of Categorical Data.” Pattern Recogn. Lett. 26, 15 (Nov. 2005): 2364–73.CrossRef Google Scholar

8. Domingos, P., and Hulten, G 2000. “Mining High-Speed Data Streams.” In Proceedings of the Sixth ACM SIGKDD international Conference on Knowledge Discovery and Data Mining (Boston, Massachusetts, United States, August 20–23, 2000). KDD '00. New York: ACM, 71–80.Google Scholar

9. Keogh, E., Lin, J., and Fu, A. D. “HOT SAX: Efficiently Finding the Most Unusual Time Series Subsequence.” In Proceedings of the Fifth IEEE International Conference on Data Mining (November 27–30, 2005). ICDM' 05. Washington, D.C.: IEEE Computer Society, 226–33.

10. Lin, J., Keogh, E., Lonardi, S., and Chiu, B 2003. “A Symbolic Representation of Time Series, with Implications for Streaming Algorithms.” In Proceedings of the 8th ACM SIGMOD Workshop on Research Issues in Data Mining and Knowledge Discovery (San Diego, California, June 13–13, 2003). DMKD '03., New York, NY: ACM, 2–11.Google Scholar

11. Levenshtein, V. I. 1966. Binary Codes Capable of Correcting Deletions, Insertions and Reversals. Soviet Physics Doklady. 10 (1966): 707–10.Google Scholar

12. Phan, D., Gerth, J., Lee, M., Paepcke, A., and Winograd, T. “Visual Analysis of Network Flow data with Timelines and Event Plots.” In Proceedings of Visualization for Computer Security (Sacramento, CA, October 29, 2007). VIZSEC' 07. Berlin, Springer-Verlag: 85–99.

13. Weber, M., Alexa, M., and Müller, W. 2001. “Visualizing Time-Series on Spirals.” In Proceedings of the IEEE Symposium on information Visualization 2001 (October 22–23, 2001). INFOVIS' 01. Washington, D.C.: IEEE Computer Society, 7.CrossRef Google Scholar

14. Pescatore, JMore Port 445 Activity Could Mean Security Trouble. Technical Report. Stamford, CT: Gartner, 1997.Google Scholar

15. Abdullah, K., Lee, A., Conti, G., and Copeland, J. A. “Visualizing Network data for Intrusion Detection.” In Proceedings of the 2005 IEEE Workshop on Information Assurance and Security (US Military Academy, West Point, 2005). New York: IEEE, 2–3.

16. Plonka, D 2000. “FlowScan: A Network Traffic Flow Reporting and Visualization Tool.” In Proceedings of the 14th USENIX Conference on System Administration (New Orleans, Louisiana, December 03–08, 2000). System Administration Conference. Berkeley, CA: USENIX Association, 305–318.Google Scholar

17. Swing, E. “Flodar: Flow Visualization of Network Traffic.” IEEE Comput. Graph. 18, no. 5 (Sep. 1998): 6–8.CrossRef Google Scholar

18. Nanda, S and Deo, N. “A Highly ScalableModel for Network Attack Identification and Path Prediction.” In Proceedings of the IEEE SoutheastCon (Richmond, VA, March 22–27, 2007). New York, NY: IEEE, 663–68.

19. Noel, S., Jacobs, M., Kalapa, P., and Jajodia, S 2005. “Multiple Coordinated Views for Network Attack Graphs.” In Proceedings of the IEEE Workshops on Visualization For Computer Security (October 26–26, 2005). VIZSEC., Washington, D.C: IEEE Computer Society, 12.CrossRef Google Scholar

20. Taylor, T., Paterson, D.,Glanfield, J., Gates, C., Brooks, , and , S., McHugh, J. “FloVis: Flow Visualization System.” In Proceedings of Cybersecurity Applications and Technologies Conference for Homeland Security (Washington, DC, March 03–04, 2009). CATCH' 09. Los Alamitos, CA: IEEE Computer Society, 186–98.

21. Blake, E. H. 2004. “An Extended Platter Metaphor for Effective Reconfigurable Network Visualization.” In Proceedings of the information Visualisation, Eighth international Conference (July 14–16, 2004). IV. Washington, D.C.: IEEE Computer Society, 752–57.Google Scholar

Accessibility standard: Unknown

Why this information is here

This section outlines the accessibility features of this content - including support for screen readers, full keyboard navigation and high-contrast display options. This may not be relevant for you.

Accessibility Information

Accessibility compliance for the PDF of this chapter is currently unknown and may be updated in the future.