
Cluster Computing, Volume 22, Supplement 1, pp. 1861–1872

Visualization of security event logs across multiple networks and its application to a CSOC

  • Boyeon Song
  • Jangwon Choi
  • Sang-Soo Choi
  • Jungsuk Song (corresponding author)
Article

Abstract

We introduce VisIDAC, presented in Song et al. (In: Nguyen, P.Q., Zhou, J. (eds.) Information Security—20th International Conference, ISC 2017, Security and Cryptology, vol. 10599. Springer International Publishing, 2017), a 3-D real-time visualization of the collection of security event logs detected by intrusion detection systems installed in multiple networks. VisIDAC consists of three parallel plane-squares which represent global source networks, target networks, and global destination networks. Security events are displayed in different shapes, colors and spaces according to their main features, which helps security operators to immediately understand the key properties of security events. We also apply VisIDAC to a public cyber security operations center, the Science and Technology Cyber Security Center (S&T-CSC), and demonstrate its usefulness. VisIDAC allows users to grasp the overall flow of security events and their trend more intuitively, makes it easy to recognize large-scale security events such as network scanning, port scanning, and distributed denial of service attacks, and is also effective at distinguishing security event types: which target network they are related to; whether they are inbound or outbound traffic; whether they are momentary or continuous; and what protocol and port number are mainly used.
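The abstract lists the event properties VisIDAC makes visible: which target network an event belongs to, whether it is inbound or outbound (and hence between which two planes it is drawn), whether it is momentary or continuous, which protocol and port dominate, and whether a burst of events forms a large-scale pattern such as a network scan, port scan or DDoS. The following Python is an added illustration of that classification step, written for this page and not code from the paper or from VisIDAC itself. The plane names, the event record fields, the monitored network ranges, the "continuous" and scan fan-out thresholds, and the sample events are all assumptions constructed for the example.

```python
"""Classify IDS events from several monitored networks the way a
VisIDAC-style three-plane view needs them grouped.  Added example;
thresholds, field names and sample data are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Monitored (target) networks; constructed sample ranges, not a real CSOC's.
TARGET_NETWORKS = {
    "net-A": ip_network("10.1.0.0/16"),
    "net-B": ip_network("10.2.0.0/16"),
}
CONTINUOUS_MIN_EVENTS = 3   # assumed: same src/dst/signature seen this often ...
CONTINUOUS_MIN_SPAN = 600   # ... over at least this many seconds => continuous
SCAN_FANOUT = 5             # assumed: distinct ports/hosts/sources that make a pattern

@dataclass(frozen=True)
class Event:
    ts: int      # seconds since epoch
    src: str
    dst: str
    proto: str
    dport: int
    sig: str     # IDS signature name

def network_of(addr):
    """Return the monitored network containing addr, or None if it is external."""
    ip = ip_address(addr)
    for name, net in TARGET_NETWORKS.items():
        if ip in net:
            return name
    return None

def classify_direction(ev):
    """(target network, direction) for one event, based on which endpoints are monitored."""
    s, d = network_of(ev.src), network_of(ev.dst)
    if d is not None and s is None:
        return d, "inbound"
    if s is not None and d is None:
        return s, "outbound"
    if s is not None and d is not None:
        return d, "internal"
    return None, "external"   # neither endpoint monitored; not drawn

def plane_path(direction):
    """Which two of the three planes an event of this direction is drawn between."""
    return {
        "inbound": ("global source", "target"),
        "outbound": ("target", "global destination"),
        "internal": ("target", "target"),
    }.get(direction)

def direction_counts(events):
    return Counter(classify_direction(e) for e in events)

def persistence(events):
    """'continuous' for a src/dst/signature triple that repeats over time, else 'momentary'."""
    stamps = defaultdict(list)
    for e in events:
        stamps[(e.src, e.dst, e.sig)].append(e.ts)
    out = {}
    for key, ts in stamps.items():
        cont = len(ts) >= CONTINUOUS_MIN_EVENTS and max(ts) - min(ts) >= CONTINUOUS_MIN_SPAN
        out[key] = "continuous" if cont else "momentary"
    return out

def large_scale(events):
    """Flag fan-out patterns: one source hitting many ports on a host (port scan),
    one source hitting many hosts (network scan), many sources hitting one host (ddos)."""
    ports_by_pair, hosts_by_src, srcs_by_dst = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        ports_by_pair[(e.src, e.dst)].add(e.dport)
        hosts_by_src[e.src].add(e.dst)
        srcs_by_dst[e.dst].add(e.src)
    findings = []
    findings += [("port scan", s, d) for (s, d), p in ports_by_pair.items() if len(p) >= SCAN_FANOUT]
    findings += [("network scan", s, None) for s, h in hosts_by_src.items() if len(h) >= SCAN_FANOUT]
    findings += [("ddos", None, d) for d, s in srcs_by_dst.items() if len(s) >= SCAN_FANOUT]
    return findings

def top_ports(events, n=3):
    """Most frequent (protocol, destination port) pairs, i.e. what an operator sees dominating."""
    return Counter((e.proto, e.dport) for e in events).most_common(n)

# Constructed sample events (documentation address ranges), not real CSOC data.
SAMPLE_EVENTS = [
    *[Event(t, "203.0.113.5", "10.1.0.10", "tcp", p, "PORT SCAN") for t, p in enumerate((21, 22, 23, 25, 80))],
    *[Event(t, "10.2.0.7", "198.51.100.9", "tcp", 443, "C2 BEACON") for t in (0, 600, 1200, 1800)],
    Event(100, "192.0.2.1", "10.2.0.3", "udp", 53, "DNS ANOMALY"),
    *[Event(50 + i, "203.0.113.77", f"10.1.0.{i + 1}", "tcp", 445, "SMB PROBE") for i in range(6)],
]

if __name__ == "__main__":
    print(direction_counts(SAMPLE_EVENTS))
    print(persistence(SAMPLE_EVENTS))
    print(large_scale(SAMPLE_EVENTS))
    print(top_ports(SAMPLE_EVENTS))
```

On the sample data the outbound beacon from net-B is the only "continuous" triple, the five-port burst against one net-A host is reported as a port scan, and the six-host SMB probe as a network scan, while inbound events on net-A dominate the direction counts and TCP/445 dominates the port summary. The fan-out and persistence thresholds are the tunable part: in a real CSOC they would be set per target network from observed baselines rather than the constants assumed here.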

Keywords

Intrusion detection system; Information visualization; Cyber security; Network security


Acknowledgements

This research was supported by Korea Institute of Science and Technology Information (KISTI).

References

  1. Abdullah, K., Lee, C., Conti, G., Copeland, J.A., Stasko, J.: IDS RainStorm: visualizing IDS alarms. In: IEEE Workshops on Visualization for Computer Security (VizSEC ’05), pp. 1–10. IEEE Computer Society, Washington, DC (2005)
  2. Bertini, E., Hertzog, P., Lalanne, D.: SpiralView: towards security policies assessment through visual correlation of network resources with evolution of alarms. In: IEEE Symposium on Visual Analytics Science and Technology (VAST ’07), pp. 139–146. IEEE Computer Society, Washington, DC (2007)
  3. Blue, R., Dunne, C., Fuchs, A., King, K., Schulman, A.: Visualizing real-time network resource usage. In: Goodall, J.R., Conti, G., Ma, K.L. (eds.) Visualization for Computer Security: 5th International Workshop, VizSec 2008, pp. 119–135. Springer, Berlin (2008)
  4. Boschetti, A., Salgarelli, L., Muelder, C., Ma, K.L.: TVi: a visual querying system for network monitoring and anomaly detection. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security (VizSec ’11), pp. 1–10. ACM, New York (2011)
  5. Bruneau, G.: DNS Sinkhole. Reading Room Site. The SANS Institute (2010)
  6. Foresti, S., Agutter, J.: VisAlert: from idea to product. In: Goodall, J.R., Conti, G., Ma, K.L. (eds.) VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security, pp. 159–174. Springer, Berlin (2008)
  7. Gobel, J., Dewald, A.: Client-Honeypots: Exploring Malicious Websites. R. Oldenbourg Verlag GmbH (2011)
  8. Inoue, D., Eto, M., Yoshioka, K., Baba, S., Suzuki, K., Nakazato, J., Ohtaka, K., Nakao, K.: nicter: an incident analysis system toward binding network monitoring with malware analysis. In: Information Security Threats Data Collection and Sharing, pp. 58–66 (2008)
  9. Koike, H., Ohno, K.: SnortView: visualization system of snort logs. In: ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC ’04), pp. 143–147. ACM, New York (2004)
  10. Lau, S.: The spinning cube of potential doom. Commun. ACM 47(6), 25–26 (2004)
  11. McPherson, J., Ma, K.L., Krystosk, P., Bartoletti, T., Christensen, M.: PortVis: a tool for port-based detection of security events. In: ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC ’04), pp. 73–81. ACM, New York (2004)
  12. Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Network telescopes: technical report. Cooperative Association for Internet Data Analysis (CAIDA) (2004)
  13. Moore, D.: Network telescopes: observing small or distant security events. In: 11th USENIX Security Symposium, Invited Talk (2003)
  14. Nunnally, T., Chi, P., Abdullah, K., Uluagac, A.S., Copeland, J.A., Beyah, R.: P3D: a parallel 3D coordinate visualization for advanced network scans. In: 2013 IEEE International Conference on Communications (ICC), pp. 2052–2057 (2013)
  15. Onwubiko, C.: Cyber security operations centre: security monitoring for protecting business and supporting cyber defense strategy. In: 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1–10 (2015)
  16. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
  17. Schneier, B.: Honeypots and the Honeynet Project (2001). Available at http://www.cs.rochester.edu/~brown/Crypto/news/3.txt
  18. Shiravi, H., Shiravi, A., Ghorbani, A.A.: IDS alert visualization and monitoring through heuristic host selection. In: Soriano, M., Qing, S., López, J. (eds.) Information and Communications Security: 12th International Conference, ICICS 2010, Barcelona, Spain, December 15–17, 2010. Proceedings, pp. 445–458. Springer, Berlin (2010)
  19. Shiravi, H., Shiravi, A., Ghorbani, A.A.: A survey of visualization systems for network security. IEEE Trans. Vis. Comput. Gr. 18(8), 1313–1329 (2012)
  20. Song, B., Choi, S.S., Choi, J., Song, J.: Visualization of intrusion detection alarms collected from multiple networks. In: Nguyen, P.Q., Zhou, J. (eds.) Information Security—20th International Conference, ISC 2017, Security and Cryptology, vol. 10599. Springer International Publishing (2017)
  21. Spitzner, L.: Honeypots: catching the insider threat. In: 19th Computer Security Applications Conference, pp. 170–179. IEEE (2003)
  22. Suzuki, K.: Studies on network monitoring systems to reveal suspicious activities. Ph.D. thesis, Graduate School of Informatics, Kyoto University (2011)
  23. Taylor, T., Brooks, S., McHugh, J.: NetBytes Viewer: an entity-based netflow visualization utility for identifying intrusive behavior. In: Goodall, J.R., Conti, G., Ma, K.L. (eds.) VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security, pp. 101–114. Springer, Berlin (2007)
  24. Zimmerman, C.: Ten Strategies of a World-Class Cybersecurity Operations Center. MITRE Corporation (2014)

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. Korea Institute of Science and Technology Information (KISTI), Daejeon, Korea
