10 research outputs found

    Exploring and visualizing GLL parsing


    Interactive visualization of event logs for cybersecurity

    Hidden cyber threats revealed with new visualization software Eventpa

    SNAPS : semantic network traffic analysis through projection and selection

    Most network traffic analysis applications are designed to discover malicious activity by relying only on high-level flow-based message properties. However, to detect security breaches that are specifically designed to target one network (e.g., Advanced Persistent Threats), deep packet inspection and anomaly detection are indispensable. In this paper, we focus on how we can support experts in discovering whether anomalies at message level imply a security risk at network level. In SNAPS (Semantic Network traffic Analysis through Projection and Selection), we provide a bottom-up pixel-oriented approach for network traffic analysis where the expert starts with low-level anomalies and iteratively gains insight into higher-level events through the creation of multiple selections of interest in parallel. The tight integration between visualization and machine learning enables the expert to iteratively refine anomaly scores, making the approach suitable for both post-traffic analysis and online monitoring tasks. To illustrate the effectiveness of this approach, we present example explorations on two real-world data sets for the detection and understanding of potential Advanced Persistent Threats in progress.

    Visual analysis of parallel interval events

    System logs typically contain lines with time stamps, each of which describes an event. Where these events semantically form start and end events, they can be combined into interval events. For visual event analytics, the analysis of interval events is more complex than that of point events, since not only the order of events but also their temporal overlaps have to be taken into account. To address this increased complexity, and for the purpose of system understanding and analysis, we present SELE, a domain-independent tool for visualizing parallel interval events. SELE is intended to be used on a single long trace of events. A visual technique named the strata timeline is developed to handle visual scalability issues. Finally, a multi-core parallel graph searching algorithm is analyzed to demonstrate SELE.

    Understanding the context of network traffic alerts

    For the protection of critical infrastructures against complex virus attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with the use of network intrusion detection systems, the number of alerts is still too large to analyze manually. In addition, domain-specific multi-stage viruses (e.g., Advanced Persistent Threats) are typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts in which they must look for the presence of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported in discovering threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it to real-world and artificial data sets.

    Exploring DSL evolutionary patterns in practice: a study of DSL evolution in a large-scale industrial DSL repository

    Model-driven engineering is used in the design of systems to (among other things) enable analysis early in the design process, for instance by using domain-specific languages, which enable engineers to model systems in terms of their domain rather than encoding them in general-purpose modeling languages. Domain-specific languages, like classical software, evolve over time. When domain languages evolve, they may trigger co-evolution of models, model-to-model transformations, editors (both graphical and textual), and other artifacts that depend on the domain-specific language. This co-evolution can be tedious and very costly. In the literature, various approaches towards automated co-evolution have been proposed. However, these approaches do not reach full automation. Several other studies have shown that there are theoretical limitations to the level of automation that can be achieved in certain scenarios; for several scenarios, full automation can never be achieved. We wish to gain insight into the extent to which practically occurring scenarios can be automated. To gain this insight, in this paper we investigate, on a large-scale industrial repository, which (co-)evolutionary scenarios occur in practice, and compare them with the various scenarios and their theoretical automatability. We then assess whether practically occurring scenarios can be fully automated.