dataviz for cyber security

Post on 17-Mar-2018


DataViz in Cyber Security

Awalin Sopan (@awalinsopan)

Senior Software Engineer, Analysis Team, FireEye, Inc

Over 200 attacks on major industrial control systems in 2013.

“Cyber threat is one of the most serious economic and national security challenges we face as a nation” - White House Press release, May 29, 2009

FireEye Report 2014

Cyber Attack Lifecycle

FireEye Report 2017

DEFENSE AGAINST CYBER ATTACK:

Role of a Human (Cyber Analyst)

• Detect intrusion

• Recommend solution

• Threat insight

• Gather evidence

• Prevent intrusion

• Find vulnerability in the system

• Block suspected traffic

• Forensic analysis:

• Create rules to detect future attack

• Nature of attack

SECURITY DATA: DATA CAPTURED THROUGH SENSORS

Multivariate:

Packet Capture/TCP dump (ip, port, pkt size, time, etc.: multiple features) from network sensors.

Logs:

OS

Servers

Applications

Firewalls

Relational:

Flow data through Network: can be collected from routers: connection between IPs, hosts.

Temporal:

Log Files/Activity/Events: Host/endpoint events over time

• Communicate findings

• Overview

• Analyze:

• Compare and Relate

• Find trend/ pattern

• Predict

• Find anomaly

WHY VISUALIZATION

VISUAL ANALYTICS:

INTERACTIVE VISUAL INTERFACE

FOR DECISION MAKING

Visual Information Seeking “Mantra”: Ben Shneiderman

• Overview data using charts, dashboard, tables: see all relevant data

• Find pattern, trend, outlier, correlation

• Sort by rank

• Group similar features

• Zoom and filter: select only interesting ones

• Details on Demand: details of the selected alert

DATA -> VISUALIZATION

Multivariate: Packet capture, tcp dump from network sensors, server logs, operating system logs, firewall logs: Host based Intrusion Detection System. Data with multiple variables like ip, port, packet size, time, etc.

Visualization: Table, scatter plot, bubble chart, parallel coordinate

Relational/Hierarchical: Network data flow from routers, connection between ips, hosts. Top-down hierarchy of the system: Network Based Intrusion Detection System.

Visualization: Node-link diagram, matrix diagram. Pie chart, treemap.

Temporal: Log file, activity events over time

Visualization: Line chart, time series, timeline, histogram, sparklines

Designing the User Interface 4th Edition: Ben Shneiderman and Catherine Plaisant

NETWORK

VAST 2012 Challenge Data: 2 days of Flow data

Nodes sized by in-degree

Sized by in-degree

Color coded: showing only top 25% strong links

Links color coded by strength: red low, green high

Color coded: showing only top 10% strong links

Filtered out weak links to declutter network

Color coded: showing only top 5% strong links

DDoS attack ?

wikipedia

DDoS attack
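The node-link treatment the NETWORK slides walk through (nodes sized by in-degree, links coloured by strength, weak links dropped so only the top 25%, 10% or 5% remain, and the resulting many-to-one shape that raises the "DDoS attack?" question), as an added Python example written for this page, not code from the talk or from FireEye. The flow records are constructed, and emitting Graphviz DOT is an assumption about how the filtered graph would be handed to a renderer.

```python
from collections import Counter

# Constructed flow records (src_ip, dst_ip, bytes), not real capture data:
# six hosts all send to 10.0.0.50, the many-to-one shape the slide questions.
FLOWS = [
    ("10.0.0.1", "10.0.0.50", 1200), ("10.0.0.2", "10.0.0.50", 900),
    ("10.0.0.3", "10.0.0.50", 1100), ("10.0.0.4", "10.0.0.50", 950),
    ("10.0.0.5", "10.0.0.50", 1000), ("10.0.0.6", "10.0.0.50", 1300),
    ("10.0.0.1", "10.0.0.2", 40), ("10.0.0.2", "10.0.0.3", 35),
    ("10.0.0.3", "10.0.0.4", 50), ("10.0.0.7", "10.0.0.8", 30),
    ("10.0.0.8", "10.0.0.9", 20), ("10.0.0.50", "10.0.0.60", 500),
]

def aggregate_links(flows):
    """Collapse flows into directed links weighted by total bytes (link strength)."""
    weights = Counter()
    for src, dst, nbytes in flows:
        weights[(src, dst)] += nbytes
    return weights

def in_degree(links):
    """Distinct sources per destination: the node size used on the slides."""
    return Counter(dst for (_, dst) in links)

def strongest_links(links, fraction):
    """Keep only the top `fraction` of links by weight (0.25, 0.10, 0.05 on the slides)."""
    ranked = sorted(links.items(), key=lambda kv: kv[1], reverse=True)
    return dict(ranked[:max(1, round(len(ranked) * fraction))])

def fan_in_ratio(links):
    """Busiest destination and the share of all links that point at it.
    A value near 1.0 means almost every source is talking to one target."""
    top, count = in_degree(links).most_common(1)[0]
    return top, count / len(links)

def to_dot(links, all_links):
    """Graphviz DOT for the (possibly filtered) links: node width from in-degree
    on the unfiltered graph, edge colour red (weak) or green (strong) by weight."""
    deg = in_degree(all_links)
    lo, hi = min(all_links.values()), max(all_links.values())
    out = ["digraph flows {", "  node [shape=circle, fixedsize=true];"]
    for node in sorted({n for edge in all_links for n in edge}):
        out.append('  "%s" [width=%.1f];' % (node, 0.3 + 0.1 * deg[node]))
    for (src, dst), w in sorted(links.items()):
        strong = (w - lo) >= 0.5 * (hi - lo)  # upper half of the weight range
        out.append('  "%s" -> "%s" [color=%s, label=%d];'
                   % (src, dst, "green" if strong else "red", w))
    out.append("}")
    return "\n".join(out)
```

Pipe `to_dot(strongest_links(aggregate_links(FLOWS), 0.25), aggregate_links(FLOWS))` into `dot -Tpng` to see the decluttered graph; the node widths still reflect the full data, so a heavily targeted host stays large even after its weak links are dropped.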

CONTENT OF PACKETS

Network Packet Sensing Rule

Network Packet

PACKET LABELING

Distraction !

Real target!

PORT ANALYSIS

Target IP

Source IP

Target IP

Source IP

EVENT LOG

System events log

Event timeline

Details on demand

TIME SERIES OF EVENTS

Events in Network (rendered using Grafana)

ANOMALY DETECTION

Login attempts in the system

MODES OF OPERATIONS

Put it all together in the analyst's workflow:

• Contextual views

• Dashboard for overview

• Visual analytics with multiple coordinated views

• Situational awareness for immediate assessment

DASHBOARDS

Example: SPLUNK

MULTIPLE COORDINATED

VISUALIZATIONS

TempoViz

Low priority

High priority

Mid priority

Alerts aggregated over time

SITUATIONAL AWARENESS

Situation awareness is the ability to:

• assess data

• evaluate options

• make decisions in a timely manner.

VIZSEC:

WORKSHOP ON SECURITY VISUALIZATION

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=7312763

OCELOT

CYNOMIX: Gove et al., VizSec 2014

Find similar malware

Visualizing the Insider Threat

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F07312772.pdf%3Farnumber%3D7312772

Interactive PCA of user activity

Anomalous cluster

• Allow humans and machines to work together.

• Bridge the gap between security experts & dataviz experts.

• Provide contextual clues to the analysts.

• Integrate visual analytics in analyst workflow.

• Make room for scalability and efficiency.

• Avoid visual representations requiring a lot of explanation.

• Choose the network layout that avoids edge crossing or node overlapping.

• Aggregation of data should be obvious.

TAKE AWAY

awalin.sopan@fireeye.com
