Visualization and Data Provenance Trends in Decision Support for Cybersecurity

  • Jeffery Garae
  • Ryan K. L. Ko
Part of the Data Analytics book series (DAANA)


The vast amount of data collected daily from logging mechanisms on web and mobile applications lacks effective analytic approaches to provide insights for cybersecurity. The analytical time currently taken to identify zero-day attacks and respond with a patch or detection mechanism is unmeasurable. This is a current challenge and struggle for cybersecurity researchers. User- and data provenance-centric approaches are the growing trend in aiding defensive and offensive decisions on cyber-attacks. In this chapter we introduce (1) our Security Visualization Standard (SCeeL-VisT); (2) the Security Visualization Effectiveness Measurement (SvEm) Theory; and (3) the concept of Data Provenance as a Security Visualization Service (DPaaSVS); and we (4) highlight growing trends of using data provenance methodologies and security visualization methods to aid data analytics and decision support for cybersecurity. Security visualization showing provenance from a spectrum of data samples on an attack helps researchers to reconstruct the attack from source to destination. This helps identify possible attack patterns and behaviors, which results in the creation of effective detection mechanisms and cyber-attacks.



The authors wish to thank the Cyber Security Researchers of Waikato (CROW) and the Department of Computer Science of the University of Waikato. This research is supported by STRATUS (Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud), a science investment project funded by the New Zealand Ministry of Business, Innovation and Employment (MBIE). The authors would also like to thank the New Zealand and Pacific Foundation Scholarship for the continuous support towards Cyber Security postgraduate studies at the University of Waikato.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Cyber Security Lab, Department of Computer Science, University of Waikato, Hamilton, New Zealand
