
    Exploring the role of experts' knowledge in visualizations for cyber security

    Knowledge-assisted visualization is a concept in information visualization that incorporates knowledge conversion processes into the design, implementation and use of visualization tools. Knowledge conversion processes describe the exchange of knowledge between humans and machines in the form of externalization, internalization, collaboration, and combination. In this paper, we bring those concepts to the cyber security visualization domain. We draw on state-of-the-art work in knowledge-assisted visualization to derive a method for identifying these concepts. We then analyze VizSec (IEEE Symposium on Visualization for Cyber Security) papers and present the lay of the land of knowledge conversion in ten years of VizSec research.

    Visualising network security attacks with multiple 3D visualisation and false alert classification

    Increasing numbers of alerts produced by network intrusion detection systems (NIDS) have burdened security analysts, especially in identifying and responding to them. Exploring and analysing large quantities of communication network security data is also difficult. This thesis studied the application of visualisation in combination with an alert classifier to make exploring and understanding network security alert data faster and easier. A prototype, NSAViz, was developed to visualise network security alert data and present it intuitively through interactive 3D visuals with an integrated false alert classifier. The needs analysis for the prototype was based on the network security analyst's tasks as described in the literature. The prototype incorporates various projections of the alert data in 3D displays. The overview is plotted in a 3D plot named the "time series 3D AlertGraph", an extension of 2D histograms into 3D. The 3D AlertGraph effectively summarised the alert data and gave an overview of the network security status. Filtering, drill-down and playback of the alerts at variable speed were incorporated to strengthen the analysis, and real-time visual observation was also included. Identifying true alerts among all alerts is the main task of the network security analyst. The prototype was therefore integrated with a false alert classifier using a classification tree based on the C4.5 algorithm to classify alerts as true or false. Users can add new samples and edit the existing classifier training set. Classifier performance was measured using k-fold cross-validation. The results showed that the classifier was able to remove noise from the visualisation, allowing the pattern of true alerts to emerge; it also highlighted the true alerts in the visualisation.
    Finally, a user evaluation was conducted to find usability problems in the tool and to measure its effectiveness. The feedback showed that the tool had successfully helped the security analyst's task and increased security awareness of their supervised network. From this research, the task of exploring and analysing a large amount of network security data becomes easier and true attacks can be identified using the prototype visualisation tools. Visualisation techniques and false alert classification are helpful in exploring and analysing network security data.
    EThOS - Electronic Theses Online Service (United Kingdom)
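    The false alert classifier described in the abstract above, reconstructed as an added example (this is not the NSAViz code, which the abstract does not include): a decision tree split on gain ratio, the C4.5 split criterion, trained on categorical alert features, scored with k-fold cross-validation, and then used to drop predicted-false alerts before they reach a visualisation. The feature names, the alert records and their true/false labels are all constructed for illustration; the pruning and continuous-attribute handling of full C4.5 are omitted.

```python
# Added example (not the NSAViz code): C4.5-style gain-ratio decision tree
# over constructed categorical alert features, k-fold cross-validation, and
# a filter that keeps only alerts predicted "true" before visualisation.
# Pruning and continuous attributes of full C4.5 are omitted.
from collections import Counter
from math import log2

FEATURES = ("sig_class", "dst_port", "src_internal", "dst_is_server")

def alert_row(sig_class, dst_port, src_internal, dst_is_server, label):
    """One labelled alert: feature dict plus the analyst's verdict."""
    return ({"sig_class": sig_class, "dst_port": dst_port,
             "src_internal": src_internal, "dst_is_server": dst_is_server},
            label)

# Constructed training sample (not real NIDS data).  "true" = real attack,
# "false" = benign noise an analyst would dismiss.
PATTERNS = [
    alert_row("shellcode", "80", False, True, "true"),
    alert_row("shellcode", "445", False, True, "true"),
    alert_row("shellcode", "80", True, False, "false"),  # internal scanner noise
    alert_row("sqli", "80", False, True, "true"),
    alert_row("sqli", "443", False, True, "true"),
    alert_row("sqli", "80", True, False, "false"),
    alert_row("policy", "53", True, False, "false"),
    alert_row("policy", "80", True, False, "false"),
    alert_row("policy", "445", False, True, "false"),
    alert_row("scan", "22", False, True, "false"),
    alert_row("scan", "3389", False, True, "true"),
    alert_row("scan", "22", True, False, "false"),
]
# Two copies, so with contiguous folds every pattern in a held-out fold is
# also present in that fold's training half.
ALERTS = PATTERNS + PATTERNS

def entropy(rows):
    n = len(rows)
    counts = Counter(label for _, label in rows).values()
    return -sum(c / n * log2(c / n) for c in counts)

def partition(rows, feat):
    """Group rows by the value they carry for one feature."""
    parts = {}
    for row in rows:
        parts.setdefault(row[0][feat], []).append(row)
    return parts

def gain_ratio(rows, feat):
    """C4.5 split criterion: information gain divided by split information."""
    parts = partition(rows, feat)
    n = len(rows)
    if len(parts) < 2:
        return 0.0
    remainder = sum(len(p) / n * entropy(p) for p in parts.values())
    split_info = -sum(len(p) / n * log2(len(p) / n) for p in parts.values())
    return (entropy(rows) - remainder) / split_info

def build_tree(rows, feats):
    """Grow the tree to purity; a leaf is a label string, a node is a dict."""
    labels = Counter(label for _, label in rows)
    majority = labels.most_common(1)[0][0]
    splittable = [f for f in feats if len(partition(rows, f)) > 1]
    if len(labels) == 1 or not splittable:
        return majority
    best = max(splittable, key=lambda f: gain_ratio(rows, f))
    remaining = tuple(f for f in feats if f != best)
    return {"feat": best, "default": majority,
            "children": {value: build_tree(part, remaining)
                         for value, part in partition(rows, best).items()}}

def predict(tree, features):
    """Walk to a leaf; an unseen feature value falls back to the node majority."""
    while isinstance(tree, dict):
        tree = tree["children"].get(features[tree["feat"]], tree["default"])
    return tree

def k_fold_accuracy(rows, k=4):
    """Contiguous k-fold cross-validation; returns the pooled accuracy."""
    size = len(rows) // k
    correct = 0
    for i in range(k):
        held_out = rows[i * size:(i + 1) * size]
        train = rows[:i * size] + rows[(i + 1) * size:]
        tree = build_tree(train, FEATURES)
        correct += sum(predict(tree, f) == label for f, label in held_out)
    return correct / (k * size)

def filter_true_alerts(tree, alerts):
    """Drop alerts the classifier calls false so only true alerts are plotted."""
    return [a for a in alerts if predict(tree, a) == "true"]

if __name__ == "__main__":
    print("k-fold accuracy:", k_fold_accuracy(ALERTS))
    model = build_tree(ALERTS, FEATURES)
    incoming = [f for f, _ in PATTERNS]  # constructed live alert stream
    print(len(filter_true_alerts(model, incoming)), "of", len(incoming), "kept")
```

    The tree is grown to purity and the sample is duplicated so that every held-out pattern has a training copy, which is why the cross-validation score comes out perfect here; on real alert data the analyst-edited training set the abstract mentions is what keeps the classifier honest, and an unseen feature value (a new signature class, say) falls back to the majority label of the node it reaches rather than failing.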

    Business impact visualization for information security and compliance events

    Business leaders face significant challenges from IT incidents that interfere with, or pose imminent risk to, more than one workgroup. Communication, coordination and monitoring are hindered by factors such as the IT incidents' technical complexity and unfamiliarity, distributed ad-hoc response teams, competing demands on leaders' time, nuanced business dependencies, the lack of reliable IT incident measures and a piecemeal toolset for overcoming these challenges. This research proposes a dynamic visual system as a solution to many of these challenges. Starting from a broad outline of improving business leaders' awareness and comprehension of security and compliance events, this effort enlisted the assistance of seven experienced IT professionals in the Des Moines metropolitan area. A user-centered design methodology was developed that enabled these individuals to influence the selection of a problem space, explore related challenges, contribute to requirements definition and prioritization, review designs and, finally, test a prototype. The group consisted of leaders and senior technical staff working in various industries. At the end of the methodology, a group of unrelated IT professionals with no prior knowledge of the research was asked to perform an objective evaluation of the prototype. That evaluation is reported in this document and forms the basis of the conclusions regarding the research hypothesis.