Visualising network security attacks with multiple 3D visualisation and false alert classification

Increasing numbers of alerts produced by network intrusion detection systems (NIDS) have burdened the job of security analysts especially in identifying and responding to them. The tasks of exploring and analysing large quantities of communication network security data are also difficult. This thesis studied the application of visualisation in combination with alerts classifier to make the exploring and understanding of network security alerts data faster and easier. The prototype software, NSAViz, has been developed to visualise and to provide an intuitive presentation of the network security alerts data using interactive 3D visuals with an integration of a false alert classifier. The needs analysis of this prototype was based on the suggested needs of network security analyst's tasks as seen in the literatures. The prototype software incorporates various projections of the alert data in 3D displays. The overview was plotted in a 3D plot named as "time series 3D AlertGraph" which was an extension of the 2D histographs into 3D. The 3D AlertGraph was effectively summarised the alerts data and gave the overview of the network security status. Filtering, drill-down and playback of the alerts at variable speed were incorporated to strengthen the analysis. Real-time visual observation was also included. To identify true alerts from all alerts represents the main task of the network security analyst. This prototype software was integrated with a false alert classifier using a classification tree based on C4.5 classification algorithm to classify the alerts into true and false. Users can add new samples and edit the existing classifier training sample. The classifier performance was measured using k-fold cross-validation technique. The results showed the classifier was able to remove noise in the visualisation, thus making the pattern of the true alerts to emerge. It also highlighted the true alerts in the visualisation. Finally, a user evaluation was conducted to find the usability problems in the tool and to measure its effectiveness. The feed backs showed the tools had successfully helped the task of the security analyst and increased the security awareness in their supervised network. From this research, the task of exploring and analysing a large amount of network security data becomes easier and the true attacks can be identified using the prototype visualisation tools. Visualisation techniques and false alert classification are helpful in exploring and analysing network security data.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

Network security visualization is a relatively new field and is quickly gaining momentum. Network security visualization allows the display and projection of the network or system data, in hope to efficiently monitor and protect the system from any intrusions or possible attacks. Intrusions and attacks are constantly continuing to increase in number, size, and complexity. Textually reading through log files or other textual sources is currently insufficient to secure a network or system. Using graphical visualization, security information is presented visually, and not only by text. Without network security visualization, reading through log files or other textual sources is an endless and aggravating task for network security analysts. Visualization provides a method of displaying large volume of information in a relatively small space. It also makes patterns easier to detect, recognize, and analyze. This can help security experts to detect problems that may otherwise be missed in reading text based log files. Network security visualization has become an active research field in the past six years and a large number of visualization techniques have been proposed. A comprehensive analysis of the existing techniques is needed to help network security designers make informed decisions about the appropriate visualization techniques under various circumstances. Moreover, a taxonomy of the existing visualization techniques is needed to classify the existing network security visualization techniques and present a high level overview of the field. In this thesis, the author surveyed the field of network security visualization. Specifically, the author analyzed the network security visualization techniques from the perspective of data model, visual primitives, security analysis tasks, user interaction, and other design issues. Various statistics were generated from the literatures. Based on this analysis, the author has attempted to generate useful guidelines and principles for designing effective network security visualization techniques. The author also proposed a taxonomy for the security visualization techniques. To the author’s knowledge, this is the first attempt to generate a taxonomy for network security visualization. Finally, the author evaluated the existing network security visualization techniques and discussed their characteristics and limitations. For future research, the author also discussed some open research problems in this field. This research is a step towards a thorough analysis of the problem space and the solution space in network security visualization

3D Visualisation - An Application and Assessment for Computer Network Traffic Analysis

The intent of this research is to develop and assess the application of 3D data visualisation to the field of computer security. The growth of available data relating to computer networks necessitates a more efficient and effective way of presenting information to analysts in support of decision making and situational awareness. Advances in computer hardware and display software have made more complex and interactive presentation of data in 3D possible. While many attempts at creation of data-rich 3D displays have been made in the field of computer security, they have not become the tool of choice in the industry. There is also a limited amount of published research in the assessment of these tools in comparison to 2D graphical and tabular approaches to displaying the same data. This research was conducted through creation of a novel abstraction framework for visualisation of computer network data, the Visual Interactive Network Analysis Framework (VINAF). This framework was implemented in software and the software prototype was assessed using both a procedural approach applied to a published forensics challenge and also through a human participant based experiment. The key contributions to the fields of computer security and data visualisation made by this research include the creation of a novel abstraction framework for computer network traffic which features several new visualisation approaches. An implementation of this software was developed for the specific cybersecurity related task of computer network traffic analysis and published under an open source license to the cybersecurity community. The research contributes a novel approach to human-based experimentation developed during the COVID-19 pandemic and also implemented a novel procedure-based testing approach to the assessment of the prototype data visualisation tool. Results of the research showed, through procedural experimentation, that the abstraction framework is effective for network forensics tasks and exhibited several advantages when compared to alternate approaches. The user participation experiment indicated that most of the participants deemed the abstraction framework to be effective in several task related to computer network traffic analysis. There was not a strong indication that it would be preferred over existing approaches utilised by the participants, however, it would likely be used to augment existing methods

Analysis of Feature Categories for Malware Visualization

It is important to know which features are more effective for certain visualization types. Furthermore, selecting an appropriate visualization tool plays a key role in descriptive, diagnostic, predictive and prescriptive analytics. Moreover, analyzing the activities of malicious scripts or codes is dependent on the extracted features. In this paper, the authors focused on reviewing and classifying the most common extracted features that have been used for malware visualization based on specified categories. This study examines the features categories and its usefulness for effective malware visualization. Additionally, it focuses on the common extracted features that have been used in the malware visualization domain. Therefore, the conducted literature review finding revealed that the features could be categorized into four main categories, namely, static, dynamic, hybrid, and application metadata. The contribution of this research paper is about feature selection for illustrating which features are effective with which visualization tools for malware visualization

Visualisation d'événements de sécurité centrée autour de l'utilisateur

Managing the vast quantities of data generated in the context of information system security becomes more difficult every day. Visualisation tools are a solution to help face this challenge. They represent large quantities of data in a synthetic and often aesthetic way to help understand and manipulate them. In this document, we first present a classification of security visualisation tools according to each of their objectives. These can be one of three: monitoring (following events in real time to identify attacks as early as possible), analysis (the exploration and manipulation a posteriori of a an important quantity of data to discover important events) or reporting (representation a posteriori of known information in a clear and synthetic fashion to help communication and transmission). We then present ELVis, a tool capable of representing security events from various sources coherently. ELVis automatically proposes appropriate representations in function of the type of information (time, IP address, port, data volume, etc.). In addition, ELVis can be extended to accept new sources of data. Lastly, we present CORGI, an successor to ELVIS which allows the simultaneous manipulation of multiple sources of data to correlate them. With the help of CORGI, it is possible to filter security events from a datasource by multiple criteria, which facilitates following events on the currently analysed information systems.Il est aujourd'hui de plus en plus difficile de gérer les énormes quantités de données générées dans le cadre de la sécurité des systèmes. Les outils de visualisation sont une piste pour faire face à ce défi. Ils représentent de manière synthétique et souvent esthétique de grandes quantités de données et d'événements de sécurité pour en faciliter la compréhension et la manipulation. Dans ce document, nous présentons tout d'abord une classification des outils de visualisation pour la sécurité en fonction de leurs objectifs respectifs. Ceux-ci peuvent être de trois ordres : monitoring (c'est à dire suivi en temps réel des événements pour identifier au plus tôt les attaques alors qu'elles se déroulent), exploration (parcours et manipulation a posteriori d'une quantité importante de données pour découvrir les événements importants) ou reporting (représentation a posteriori d'informations déjà connues de manière claire et synthétique pour en faciliter la communication et la transmission). Ensuite, nous présentons ELVis, un outil capable de représenter de manière cohérente des évènements de sécurité issus de sources variées. ELVis propose automatiquement des représentations appropriées en fonction du type des données (temps, adresse IP, port, volume de données, etc.). De plus, ELVis peut être étendu pour accepter de nouvelles sources de données. Enfin, nous présentons CORGI, une extension d'ELVIs permettant de manipuler simultanément plusieurs sources de données pour les corréler. A l'aide de CORGI, il est possible de filtrer les évènements de sécurité provenant d'une source de données en fonction de critères résultant de l'analyse des évènements de sécurité d'une autre source de données, facilitant ainsi le suivi des évènements sur le système d'information en cours d'analyse

Using access information in the dynamic visualisation of web sites

Includes bibliographical references.Log file analysis provides a cost-effective means to detennine web site usage. However, current methods of displaying log analysis results tend to be limited in that they either contain no reference to a web site's structure, or else they portray this structure as a standard graph or tree. This dissertation presents a visual representation of web server log information, which addresses these limitations by incorporating log file data into a visualisation of a web site's layout. The devised visualisation utilizes properties unique to web sites in order to create a compromise between the clutter-prone network graph and the infonnation incomplete tree representations that have traditionally been used to depict web sites. As such, the visualisation emphasises typical web site features such as the home page, sub-sites and navigation bars. This approach pennitted the introduction of the concept of implying the presence of links without explicitly rendering them. This notion has many implications, not least of which is the reduction of cluttering. The visualisation combined several other techniques to address the issues of structure and data representation, data exploration, scalability and context maintenance. Assessment of the visualisation consisted of a heuristic evaluation by an expert from the web site usage industry, a test to detelmine the intuitiveness of the representation, and a series of user experiments. Results of the assessment were generally promising although a few areas of concern, such as the difficulty experienced by users in navigating the visualisation with a trackball, were identified. These issues should not prove to be too difficult to overcome however. The visualisation could thus be said to have successfully met the aim of developing a representation of web site usage infonnation that incorporates site structure and treats web sites as unique entities, thereby taking advantage of their particular characteristics. It is hoped such a visualisation will be of benefit to web site designers and administrators in analysing and ultimately improving their web sites

An Investigation into Healthcare-Data Patterns

Visualising complex data facilitates a more comprehensive stage for conveying knowledge. Within the medical data domain, there is an increasing requirement for valuable and accurate information. Patients need to be confident that their data is being stored safely and securely. As such, it is now becoming necessary to visualise data patterns and trends in real-time to identify erratic and anomalous network access behaviours. In this paper, an investigation into modelling data flow within healthcare infrastructures is presented; where a dataset from a Liverpool-based (UK) hospital is employed for the case study. Specifically, a visualisation of transmission control protocol (TCP) socket connections is put forward, as an investigation into the data complexity and user interaction events within healthcare networks. In addition, a filtering algorithm is proposed for noise reduction in the TCP dataset. Positive results from using this algorithm are apparent on visual inspection, where noise is reduced by up to 89.84%

Complexity Aided Design: the FuturICT Technological Innovation Paradigm

"In the next century, planet earth will don an electronic skin. It will use the Internet as a scaffold to support and transmit its sensations. This skin is already being stitched together. It consists of millions of embedded electronic measuring devices: thermostats, pressure gauges, pollution detectors, cameras, microphones, glucose sensors, EKGs, electroencephalographs. These will probe and monitor cities and endangered species, the atmosphere, our ships, highways and fleets of trucks, our conversations, our bodies--even our dreams ....What will the earth's new skin permit us to feel? How will we use its surges of sensation? For several years--maybe for a decade--there will be no central nervous system to manage this vast signaling network. Certainly there will be no central intelligence...some qualities of self-awareness will emerge once the Net is sensually enhanced. Sensuality is only one force pushing the Net toward intelligence". These statements are quoted by an interview by Cherry Murray, Dean of the Harvard School of Engineering and Applied Sciences and Professor of Physics. It is interesting to outline the timeliness and highly predicting power of these statements. In particular, we would like to point to the relevance of the question "What will the earth's new skin permit us to feel?" to the work we are going to discuss in this paper. There are many additional compelling questions, as for example: "How can the electronic earth's skin be made more resilient?"; "How can the earth's electronic skin be improved to better satisfy the need of our society?";"What can the science of complex systems contribute to this endeavour?

Security Technologies and Methods for Advanced Cyber Threat Intelligence, Detection and Mitigation

The rapid growth of the Internet interconnectivity and complexity of communication systems has led us to a significant growth of cyberattacks globally often with severe and disastrous consequences. The swift development of more innovative and effective (cyber)security solutions and approaches are vital which can detect, mitigate and prevent from these serious consequences. Cybersecurity is gaining momentum and is scaling up in very many areas. This book builds on the experience of the Cyber-Trust EU project’s methods, use cases, technology development, testing and validation and extends into a broader science, lead IT industry market and applied research with practical cases. It offers new perspectives on advanced (cyber) security innovation (eco) systems covering key different perspectives. The book provides insights on new security technologies and methods for advanced cyber threat intelligence, detection and mitigation. We cover topics such as cyber-security and AI, cyber-threat intelligence, digital forensics, moving target defense, intrusion detection systems, post-quantum security, privacy and data protection, security visualization, smart contracts security, software security, blockchain, security architectures, system and data integrity, trust management systems, distributed systems security, dynamic risk management, privacy and ethics