dataviz for cyber security
TRANSCRIPT
DataViz in Cyber Security
Awalin Sopan@awalinsopan
Senior Software Engineer,
Analysis Team, FireEye, Inc
Over 200 attacks on major industrial
control systems in 2013.
“Cyber threat is one of the most serious
economic and national security
challenges we face as a nation”- White
House Press release, May 29, 2009
FireEye Report 2014
Cyber Attack
Lifecycle
FireEye Report 2017
DEFENSE AGAINST CYBER ATTACK:
Role of a Human (Cyber Analyst)
• Detect intrusion
• Recommend solution
• Threat insight
• Gather evidence
• Prevent intrusion
• Find vulnerability in the system
• Block suspected traffic
• Forensic analysis:
• Create rules to detect future attack
• Nature of attack
Multivariate:
Packet Capture/TCP dump, (ip, port, pkt size, time, etc.
multiple features) from network sensors.
Logs
OS
Servers
Applications
Firewalls
SECURITY DATA:DATA CAPTURED THROUGH SENSORS
Relational:
Flow data through Network: can be collected from routers:
connection between IPs, hosts.
SECURITY DATA:DATA CAPTURED THROUGH SENSORS
Temporal:
Log Files/Activity/Events: Host/endpoint events over time
SECURITY DATA:DATA CAPTURED THROUGH SENSORS
• Communicate findings
• Overview
• Analyze:
• Compare and Relate
• Find trend/ pattern
• Predict
• Find anomaly
WHY VISUALIZATION
VISUAL ANALYTICS:
INTERACTIVE VISUAL INTERFACE
FOR DECISION MAKING
Visual Information Seeking “Mantra”-Ben Shneiderman
• Overview data using charts, dashboard, tables: see
all relevant data
• Find pattern, trend, outlier, correlation
• Sort by rank
• Group similar features
• Zoom and filter: select only interesting ones
• Details on Demand: details of the selected alert
DATA -> VISUALIZATION
Mu
ltiv
aria
te Packet capture, tcp dump from network
sensors, server logs, operating system logs,
firewall logs: Host based Intrusion Detection
System. Data with multiple variables like ip,
port, packet size, time, etc.
Table, scatter plot,
bubble chart, parallel
coordinate
Re
latio
na
l/
Hie
rarc
hic
al
Network data flow from routers, connection
between ips, hosts. Top-down hierarchy of the
system: Network Based Intrusion Detection
System.
Node-link diagram,
matrix diagram.
Pie chart, treemap.
Te
mp
or al
Log file, activity events over time Line chart, time series,
timeline, histogram,
sparklines
Designing the User Interface 4th Edition: Ben Shneiderman and Catherine Plaisant
NETWORK
VAST 2012 Challenge Data: 2 days of Flow data
Nodes sized by in-degree
Sized by in-degree
Color coded: showing only top 25% strong links
Links color coded by strength: red low, green high
Color coded: showing only top 10% strong links
Filtered out weak links to declutter network
Color coded: showing only top 5% strong links
DDoS attack ?
wikipedia
DDoS attack
CONTENT OF PACKETS
Network Packet Sensing Rule
Network Packet
PACKET LABELING
Distraction !
Real target!
PORT ANALYSIS
Target IP
Source IP
Target IP
Source IP
EVENT LOG
System events log
Event timeline
Details on demand
TIME SERIES OF EVENTS
Events in Network (rendered using Grafana)
ANOMALY DETECTION
Login attempts in the system
MODES OF OPERATIONS
Put it all together in analysts workflow:
• Contextual views
• Dashboard for overview
• Visual analytics with multiple coordinated views
• Situational awareness for immediate assessment
DASHBOARDS
Example: SPLUNK
MULTIPLE COORDINATED
VISUALIZATIONS
TempoViz
Low priority
High priority
Mid priority
Alerts aggregated over time
SITUATIONAL AWARENESS
Situation awareness is the ability to :
•assess data
•evaluate options
•make decisions in a timely manner.
VIZSEC:
WORKSHOP ON SECURITY VISUALIZATION
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=7312763
OCELOT
CYNOMIXGOVE ET A.L, VIZSEC 2014
Find similar malwares
Visualizing the Insider Threathttp://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F0731 2772.pdf%3Farnumber%
3D7312772
Interactive PCA of user activity
Anomalous cluster
• Allow humans and machines to work together.
• Bridge the gap btwn security experts & dataviz experts.
• Provide contextual clues to the analysts.
• Integrate visual analytics in analyst workflow.
• Make room for scalability and efficiency.
• Avoid visual representations requiring lot of explanation.
• Choose the network layout that avoids edge crossing or
node overlapping.
• Aggregation of data should be obvious.
TAKE AWAY