Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources
In computer networks many components produce valuable information about themselves or other participants, especially security analysis relevant information. Although such information is intrinsically related as components are connected by a network, most of them still operate independently and do not share data amongst each other. Furthermore, the highly dynamic nature of a network hampers a profound understanding of security relevant situations, such as attack scenarios. Hence, a comprehensive view of the network including multiple information sources as well as temporal network evolution would significantly improve security analysis and evaluation capabilities. In this paper, we introduce a comprehensive approach for an integrated visualization, covering all aspects from data acquisition in various sources up to visual representation of the integrated information. We analyze the requirements on the basis of an exemplary scenario, propose solutions covering these demands based on the IF-MAP protocol, and introduce our software application VisITMeta as a prototypical implementation. We show how the graph-based IF-MAP protocol provides a graphical model for an integrated view of network security.
The fruitful collaboration with Gabi Dreo Rodosek, Josef von Helden, Frauke Sprengel, and our students is gratefully acknowledged. This work is financially supported by the German Federal Ministry of Education and Research (BMBF) within the projects VisITMeta (grant no. 17PNT032) and SIMU (grant no. 16KIS0045).
- 1.Ahlers, V., Heine, F., Hellmann, B., Kleiner, C., Renners, L., Rossow, T., Steuerwald, R.: Replicable security monitoring: Visualizing time-variant graphs of network metadata. In: CEUR Workshop Proceedings of the Joint Proceedings of the Fourth International Workshop on Euler Diagrams and the First International Workshop on Graph Visualization in Practice co-located with Diagrams, vol. 1244, pp. 32–41 (2014)Google Scholar
- 2.Bente, I., Hellmann, B., Vieweg, J., von Helden, J., Dreo, G.: TCADS: trustworthy, context-related anomaly detection for smartphones. In: Barolli, L., Taniar, D., Enokido, T., Rahayu, J.W., Takizawa, M. (eds.) 15th International Conference on Network-Based Information Systems, NBiS, pp. 247–254. IEEE (2012)Google Scholar
- 3.Birkholz, H., Sieverdingbeck, I., Sohr, K., Bormann, C.: IO: an interconnected asset ontology in support of risk management processes. In: Proceedings of the Seventh International Conference on Availability, Reliability and Security, ARES 2012, pp. 534–541. IEEE (2012)Google Scholar
- 4.Boschetti, A., Salgarelli, L., Muelder, C., Ma, K.-L.: TVi: a visual querying system for network monitoring and anomaly detection. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec 2011, pp. 1–10. ACM (2011)Google Scholar
- 5.Debar, H., Curry, D., Feinstein, B.: The intrusion detection message exchange format (IDMEF), RFC 4765 (Experimental), March 2007Google Scholar
- 6.Goodall, J., Sowul, M.: VIAssist: visual analytics for cyber defense. In: Proceedings of the IEEE Conference on Technologies for Homeland Security, HST 2009, pp. 143–150. IEEE (2009)Google Scholar
- 7.Karg, D., Muñoz, J.D., Gil, D., Ospitia, F., González, S., Casal, J.: OSSIM: open source security information management, general system description, version 0.18, November 2003. http://www.alienvault.com/docs/OSSIM-desc-en.pdf
- 8.Liao, Q., Blaich, A., Striegel, A., Thain, D.: ENAVis: enterprise network activities visualization. In: Proceedings of the 22nd Large Installation System Administration Conference, LISA, pp. 59–74. USENIX Association (2008)Google Scholar
- 9.Liao, Q., Striegel, A., Chawla, N.: Visualizing graph dynamics and similarity for enterprise network security and management. In: Proceedings of the Seventh International Symposium on Visualization for Cyber Security, VizSec 2010, pp. 34–45. ACM (2010)Google Scholar
- 10.Novikova, E., Kotenko, I.: Analytical visualization techniques for security information and event management. In: 21st Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP, pp. 519–525. IEEE Computer Society Press (2013)Google Scholar
- 12.Trusted Network Connect Working Group. TNC IF-MAP binding for SOAP, version 2.1, Revision 15, May 2012. http://www.trustedcomputinggroup.org/resources/tnc_ifmap_binding_for_soap_specification
- 13.Trusted Network Connect Working Group. TNC IF-MAP metadata for network security, version 1.1, Revision 8, May 2012. http://www.trustedcomputinggroup.org/resources/tnc_ifmap_metadata_for_network_security
- 14.Yasm, C.: Prelude as a hybrid IDS framework. Technical report, SAMS Institute (2009). http://www.sans.org/reading-room/whitepapers/awareness/prelude-hybrid-ids-framework-33048