SPTrack: Visual Analysis of Information Flows within SELinux Policies and Attack Logs

  • Patrice Clemente
  • Bangaly Kaba
  • Jonathan Rouzaud-Cornabas
  • Marc Alexandre
  • Guillaume Aujay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7669)


Analyzing and administrating system security policies is difficult as policies become larger and more complex every day. The paper present work toward analyzing security policies and sessions in terms of security properties. Our intuition was that combining both visualization tools that could benefit from the expert’s eyes, and software analysis abilities, should lead to a new interesting way to study and manage security policies as well as users’ sessions. Rather than trying to mine large and complex policies to find possible flaws within, work may concentrate on which potential flaws are really exploited by attackers.

Actually, the paper presents some methods and tools to visualize and manipulate large SELinux policies, with algorithms allowing to search for paths, such as information flows within policies.

The paper also introduces a complementary original approach to analyze and visualize real attack logs as session graphs or information flow graphs, or even aggregated multiple-sessions graphs.

Our wishes is that in the future, when those tools will be mature enough, security administrator can then confront the statical security view given by the security policy analysis and the dynamical and real-world view given by the parts of attacks that most often occurred.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Briffaut, J., Lalande, J., Toinard, C.: Formalization of security properties: enforcement for mac operating systems and verification of dynamic mac policies. International Journal on Advances in Security 2(4), 325–343 (2010)Google Scholar
  2. 2.
    Tamassia, R., Palazzi, B., Papamanthou, C.: Graph Drawing for Security Visualization. In: Tollis, I.G., Patrignani, M. (eds.) GD 2008. LNCS, vol. 5417, pp. 2–13. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Montemayor, J., Freeman, A., Gersh, J., Llanso, T., Patrone, D.: Information visualization for Rule-Based Resource Access Control. In: Proc. of Int. Symposium on Usable Privacy and Security (SOUPS). Citeseer (2006)Google Scholar
  4. 4.
    Heitzmann, A., Palazzi, B., Papamanthou, C., Tamassia, R.: Effective visualization of file system access-control. Visualization for Computer Security, 18–25 (2008)Google Scholar
  5. 5.
    Rao, P., Ghinita, G., Bertino, E., Lobo, J.: Visualization for Access Control Policy Analysis Results Using Multi-level Grids. In: 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, pp. 25–28. IEEE (July 2009)Google Scholar
  6. 6.
    Wahsheh, L.A., Leon, D.C.D., Alves-Foss, J.: Formal Verification and Visualization of Security Policies. Journal of Computers 3(6), 22–31 (2008)CrossRefGoogle Scholar
  7. 7.
    Xu, W., Shehab, M., Ahn, G.J.: Visualization based policy analysis: case study in SELinux. In: SACMAT 2008: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 165–174. ACM, New York (2008)Google Scholar
  8. 8.
    Marty, R.: Applied Security Visualization. Addison-Wesley Professional (2008)Google Scholar
  9. 9.
    Kolano, P.Z.: A Scalable Aural-Visual Environment for Security Event Monitoring, Analysis, and Response. In: Bebis, G., Boyle, R., Parvin, B., Koracin, D., Paragios, N., Tanveer, S.-M., Ju, T., Liu, Z., Coquillart, S., Cruz-Neira, C., Müller, T., Malzbender, T. (eds.) ISVC 2007, Part I. LNCS, vol. 4841, pp. 564–575. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    McPherson, J., Ma, K.L., Krystosk, P., Bartoletti, T., Christensen, M.: Portvis: a tool for port-based detection of security events. In: VizSEC/DMSEC 2004: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 73–81. ACM, New York (2004)Google Scholar
  11. 11.
    Ma, K.: Cyber security through visualization. In: Proceedings of the 2006 Asia-Pacific Symposium on Information Visualisation, vol. 60, p. 7. Australian Computer Society, Inc. (2006)Google Scholar
  12. 12.
    Ball, R., Fink, G., North, C.: Home-centric visualization of network traffic for security administration. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 55–64. ACM (2004)Google Scholar
  13. 13.
    Mansmann, F., Fischer, F., Keim, D.A., North, S.C.: Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations. In: Proceedings of the Symposium on Computer Human Interaction for the Management of Information Technology, CHiMiT 2009, pp. 19–28. ACM Press, New York (2009)Google Scholar
  14. 14.
    Hideshima, Y., Koike, H.: Starmine: a visualization system for cyber attacks. In: APVis 2006: Proceedings of the 2006 Asia-Pacific Symposium on Information Visualisation, pp. 131–138. Australian Computer Society, Inc., Darlinghurst (2006)Google Scholar
  15. 15.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, VizSEC/DMSEC 2004, p. 109 (2004)Google Scholar
  16. 16.
    Luse, A., Scheibe, K., Townsend, A.: A Component-Based Framework for Visualization of Intrusion Detection Events. Information Security Journal: A Global Perspective 17(2), 95–107 (2008)CrossRefGoogle Scholar
  17. 17.
    CAIDA: Walrus - Graph Visualization Tool (2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Patrice Clemente
    • 1
  • Bangaly Kaba
    • 1
  • Jonathan Rouzaud-Cornabas
    • 2
  • Marc Alexandre
    • 1
  • Guillaume Aujay
    • 1
  1. 1.ENSI de Bourges – LIFOBourgesFrance
  2. 2.LIP – INRIA – ENS LyonLyonFrance

Personalised recommendations