Abstract
In this article, we present a visual analytics system, MVSec, which helps analysts better understand the information flows contained in network security datasets. The major contributions of this work are: (1) a data fusion strategy for multiple heterogeneous datasets that uses unified event-tuple and statistic-tuple data structures, which compress large-scale datasets and lay the foundation for cooperative visual analysis; (2) multiple coordinated views, which give analysts several visual perspectives from which to characterize loud events, uncover subtle events and investigate the relations between events in the datasets; and (3) a contextual visual analysis with deductive viewpoints, which prompts analysts to explore hypotheses and to reason about their deductions from visual narratives. In case studies, we demonstrate in detail how the system helps analysts draw an analytical storyline and better understand the network situation in VAST Challenge 2013. Additionally, we discuss the lessons learned in designing our system and participating in VAST Challenge 2013, which are helpful and applicable not only to similar network security systems but also to other domains facing visual analytics challenges.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant No. 61103108), the Hunan Provincial Science and Technology Program (Grant No. 2012RS4049), the Hunan Provincial Natural Science Foundation of China (Grant No. 12JJ3062), and Postdoc Research Funding at Central South University. The authors would also like to thank the data providers, the IEEE VAST Challenge.
Cite this article
Zhao, Y., Liang, X., Fan, X. et al. MVSec: multi-perspective and deductive visual analytics on heterogeneous network security data. J Vis 17, 181–196 (2014). https://doi.org/10.1007/s12650-014-0213-6