1 results
10 - Data-Intensive Visual Analysis for Cyber-Security
-
- By William A. Pike, Pacific Northwest National Laboratory, Daniel M. Best, Pacific Northwest National Laboratory, Douglas V. Love, Pacific Northwest National Laboratory, Shawn J. Bohn, Pacific Northwest National Laboratory
- Edited by Ian Gorton, Deborah K. Gracio
-
- Book:
- Data-Intensive Computing
- Published online:
- 05 December 2012
- Print publication:
- 29 October 2012, pp 258-286
-
- Chapter
- Export citation
-
Summary
Introduction
Protecting communications networks against attacks where the aim is to steal information, disrupt order, or harm critical infrastructure can require the collection and analysis of staggering amounts of data. The ability to detect and respond to threats quickly is a paramount concern across sectors, and especially for critical government, utility, and financial networks. Yet detecting emerging or incipient threats in immense volumes of network traffic requires new computational and analytic approaches. Network security increasingly requires cooperation between human analysts able to spot suspicious events through means such as data visualization and automated systems that process streaming network data in near real-time to triage events so that human analysts are best able to focus their work.
This chapter presents a pair of network traffic analysis tools coupled to a computational architecture that enables the high-throughput, real-time visual analysis of network activity. The streaming data pipeline towhich these tools are connected is designed to be easily extensible, allowing newtools to subscribe to data and add their own in-stream analytics. The visual analysis tools themselves – Correlation Layers for Information Query and Exploration (CLIQUE) and Traffic Circle – provide complementary views of network activity designed to support the timely discovery of potential threats in volumes of network data that exceed what is traditionally visualized. CLIQUE uses a behavioral modeling approach that learns the expected activity of actors (such as IP addresses or users) and collections of actors on a network, and compares current activity to this learned model to detect behavior-based anomalies.