Advertisement

Data Visualization for Network Access Rules of Critical Infrastructure

Conference paper
  • 1.3k Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10273)

Abstract

Control systems widely used in the national infrastructures are mainly aimed at regular performances of the specified tasks. Therefore, whitelisting security solutions or program that define all usable assets and approachable relationships between rules are widely applied to. The working procedure of the whitelisting control system can be described not just by simple accessing abilities, but various rules such as communication period, frequency, sequence of communication objects, concurrency and inclusion relation etc. As a whitelisting has recently developed more complicatedly, it is believed that the research of the information visualizing which helps the users recognize priority information and the research of the UI which let users manage those information more efficiently are necessary. We have set an extended form of whitelisting that is required for control system security, and it is also based on general requirements in that field. Basing on the analysis of relevant tools and interviews with security experts, we propose a visualize method to manage whitelist information more easily and effectively.

Keywords

Data visualization Network access rules Traffic log 

1 Introduction

Most infrastructures such as power plant, dam, water sewage systems, and traffic control system have received accepted developed IT technologies, which are currently configured with a lot of network servers, PCs, and controllers. Since cyber-attacks are mainly caused by at the level of massive terrorist groups or nations, not by an individual who is looking for fun, lots of researches have been done to strengthen the cyber security for those infrastructures.

The background of the security starts from understanding exact assets and applying specific access control rules for each asset. The main purpose of the control systems is for regular execution of defined jobs. So, recent security studies are more about the defining of the accessible relationship of the rules among available assets.

In order to visualize regular job executions of control systems by using whitelisting of access control rules (ARs), not just the fact that an actual access itself is made or not is checked, but also many rules are applied including communication cycle and frequency per access-allowed relationship, order, concurrency and inclusion relation between communication targets. As whitelisting becomes more complicated to use, it is now necessary that more studies which let the users enable to distinguish what is more important or not among information through the emphasized expression and primary location of the information.

This study aims to allow the users to easily manage expanded whitelist-based access rules, and suggests UX improvement plans that visualize communication status (traffic log) for easier understanding based on it.

2 Background

We have developed a network switch, called F.Switch which makes existing whitelist-based access rules be applied, and F.Manager by which many F.Switches can be managed comprehensively. The baseline in this study is the whitelist managing system in F.Manager we developed. This paper briefly introduces F.Manager.

Figure 1 is an overall conceptual diagram of how F.Manager manages the F.Switches installed in the control system network and manages the control system internal network security control.
Fig. 1.

A complete conceptual diagram of F.Manager and F.Switch

A network switch that can monitor all the traffic of the internal network without installing a SW agent in the control system and can apply a whitelist-based access list (AR List) remotely is called F.Switch, An integrated management system for efficiently managing and utilizing such F.Switches is called F.Manager.

F.Switch can log source (IP, MAC, port) – protocol – Destination (IP, MAC, port) information of all packets generated by the unit time set by the user. Unlike sampling-based monitoring (Ex. Netflow), F.Switch monitors all traffic passing through F.Switch and then solves many problems of control system security by blocking traffic and breaking alarms that violate the AR List. In addition, the security practitioner had to control and manage all the installed F.Switches of the control system all at once. So we designed F.Manager, an integrated management system that can manage multiple F.Switches installed in the control system network in one place.

3 Related Equipment Analysis

3.1 Comparative Analysis of Domestic and International Security Program Related to AR List

In the existing network access control list, visualization features of security-related programs in Korea and abroad were grasped to obtain information needed for extended access rules. Total 15 programs were analyzed and each programs were compared to identify the common elements of the visualization and their advantages and disadvantages (Table 1).
Table 1.

Comparative analysis of domestic and foreign security program equipment.

Category

Name

Equipment features

Screen example

Korea

VIPM PLUS [1]

– Network Integrated Security Solution

– Customizable information for user’s intent

– Icon + text form

Open image in new window

Juniper Firewall/VPN [2]

– Integrated solution for secure network environment

– Intuitively express information structure

– Category names are difficult to understand.

Open image in new window

SECUI-NGX [3]

– Providing external and internal network services and protecting services

– Iconic representation is effective

– Name Expression Intuitive

Open image in new window

SubGATEplus [4]

– Effective handling of internal and external network threats

– Use a variety of visual expressions

– Many icons can cause confusion

Open image in new window

SecuwayGate [5]

– Intrusion Prevention System

– Use a lot of visual representation (icon)

– Consistency of the menu is low

Open image in new window

Genian NAC [6]

– User and terminal control accessing the network

– Information structure Intuitively expressed

– Difficult to recognize icon and visual representation

Open image in new window

SNIPER AMS [7]

– Ensure safety through network management based on whitelist policy

– It is difficult for the user to recognize because of the unusual sorting method

Open image in new window

SNIPER IPS [8]

– High Performance Intrusion Prevention System

– Priority for critical information is not appropriate

Open image in new window

Foreign

Algosec [9]

– Security management system focusing on blocking malicious traffic

– Intuitively identifiable for Source and Destination elements

– Use Easy Names

Open image in new window

Firewall Builder5 [10]

– A standard firewall system that supports multiplatform and is easy to create and modify policies

– Icon Visualization Excellent

– Use a lot of visual representation (icon)

Open image in new window

Solarwinds (Firewall Security Manager) [11]

– Role of firewall security management and network configuration management

– This system only used text without icons

– Priority for critical information is not appropriate

Open image in new window

Tufin [12]

– Network Integrated Security Solution

– This system only used text without icons

– Category names are difficult to understand.

Open image in new window

Paloalto [13]

– New concept security platform that recognizes and controls applications and users

– Excellent grouping of relevant information

Open image in new window

ProSecure [14]

– Next Generation Firewall System for Modern Business

– The system uses a button function to provide a visual representation

Open image in new window

Cisco RV Router [15]

– Implement a new dimension of basic connectivity to the user experience

– This system only used text without icons

Open image in new window

3.2 Traffic Log Related Data Visualization Program

Traffic logs should be set to monitor entire of the characteristics of traffic at a glance. For this purpose, various data visualization programs were investigated. Total 40 programs were analyzed and the visualization data that can be used in connection with this task were referred to (Table 2).
Table 2.

Data visualization resources

Characteristics of data

References

Change over time [18, 19, 20, 21, 22, 23]

Open image in new window

Appropriate for expressing mutual relationship [24, 25, 26, 27, 28]

Open image in new window

Express size and quantity [23, 29, 30, 31]

Open image in new window

Changes in specific elements [32, 33, 34, 35, 36]

Open image in new window

4 Requirements for Creating Data Visualizations

With F.Manager, field administrators can easily manage the extended whitelist- based access rules. Therefore, UX should be improved its factors to visualize the communication history (traffic log) efficiently in general condition, especially required for in case an accident happens.

The required factors are gathered through consultations between several field managers and researchers. And relevant information regarding the access control list and the communication status is collected from them. Based on these requirements, we build the data visualizing system.

4.1 Requirements for AR List

Basically, the information provided in the AR List needs to be the key one for smooth management of the field manager, and the information expressed in the AR List should be configured in accordance with the priority.

For this purpose, we analyzed the information that is commonly used through analysis of domestic and foreign security program equipment. We also summarized the specific information that should be included in the AR considering the characteristics of F.Manager with the result of the interview with the field manager, field network analysis (Table 3).
Table 3.

The kind of information required for the AR List

AR configuration information

Description of function

Source

IP, Name

Service

Src Port, Protocol, Transmission direction, Dst Port

Action

Allow, Allow time zone, Temporary time allowed, Inactive

Comment

User-written sentence

Flag

None/Red/Yellow/Green/Blue

(User settings)

F.Switch List

F.Switches to which the AR applies

Features in AR

– Time period (seconds, minutes)

– Prohibit concurrent sessions/Allow concurrent sessions (2, 3, many)

Associated ARs

– ARs that should generate corresponding traffic sequentially

– At the same time, ARs to which the traffic should occur

– At the same time, ARs that should not generate such traffic

– ARs representing a single ‘large service’

4.2 Traffic Log Requirements

There are several elements such as period, frequency and concurrent session, of which they are characteristics of the AR, and they need to be represented in the traffic log. Also, there are sequential, simultaneous, inclusion expression in the relation between ARs as well as an indication of traffic volume. Based on these factors, we investigated graphs which can be used for each characteristic and visualization methods that can efficiently express information and error perceptions. Particularly, the requirements for traffic log visualization are summarized.

5 Making and Evaluating the 1st Improvement Plan

5.1 Prototype

We focused on data visualization features of their data presentation methods from the existing security programs, including 15 security related programs and 40 data visualization ones. Based on the analysis results, a prototype was created for the list of control system communication status and the traffic log. This prototype will play a big role in producing the final product after the verification of the expert interview and evaluation.

In this document, we propose two prototypes based on extended AR List and communication status (traffic log). Firstly, the AR List was derived the improvement keywords from the issues obtained by comparing and analyzing F.Manager and 15 security related programs. The keywords that we have focused on here are ‘information priority’, ‘grouping’ and ‘intuitive expression’ (Fig. 2).
Fig. 2.

1st prototype (AR List)

Secondly, the elements which need to be represented in the traffic log and the graphs in line with the characteristic of each element needed to be verified. Through the analysis of 40 data visualization programs, we were able to find out the information representing way of the graphs. We were also able to set a guideline of our prototype after finding the common points among the elements which is required for representing them on the screen. The selected items are as follows.
  1. 1.

    You should be able to view the entire log as time passes.

     
  2. 2.

    Make a quick error judgment.

     
  3. 3.

    You should use intuitive expressions that help you recognize information.

     
Based on this, we could produce two prototypes. Prototype A has the advantage that the overall trends and information of ARs can be grasped by constructing the entire element on one screen. It is basically concentrating on some specific elements, it is easy to find the problematic AR (Figs. 3 and 4).
Fig. 3.

Traffic Log 1st prototype (A Type)

Fig. 4.

Traffic Log 1st prototype (B Type)

5.2 Expert Interview and Evaluation

In order to verify the importance and priority of the elements of the information display in the control system communication status list and the traffic log, an in-depth interview with the experts having experience with the security related domain was conducted in addition to the heuristics and the data visualization Likert scale evaluation.

5.2.1 Expert Organization

The interviewees were selected as software developers, network security researchers and UI experts with knowledge of security related domain. Participants in the interviews conducted in-depth interviews and evaluations by watching the prototype screen produced primarily. The questionnaire proceeded as per the order of the processing sequence, and the contents of the question were divided into the control system communication status list and the traffic log screen in the first prototype screen according to each criterion. In addition, several comments from each individual were collected and possible improving points were recorded.

The expert interviews and evaluation took 90 min per expert and were conducted in the form of on-site visits.

5.2.2 Expert in-Depth Interview

The interviews conducted for six experts, and firstly made them recognize the purpose of F.Manager’s functions and tasks. The Think-Aloud method was used to investigate the impression of the primary prototype created through its own analysis.

The interview process is divided into AR List and traffic log. In the case of AR List, we verified the suitability of composition of visualization screen based on ‘information priority’, ‘grouping’, ‘intuitive expression about language and time’. In the case of traffic logs, interviews were conducted on the basis of the selection of the production direction and the characteristics of the preferred screens, and A and B in the two prototypes were examined.

5.2.3 Expert Evaluation

After the in-depth interview, the expert evaluation was conducted to obtain quantified data on the results of the experts’ tests. For the AR List, Jacob Nelson’s heuristics evaluation was reorganized into 5 different attributes [16], and the traffic log was evaluated by using the Data visualization Likert scale of Hyo-Jeong Kwon [17].

Tables 5 and 6 below are the question list used in the evaluation process.
Table 4.

Characteristics required for traffic logs

Category

Element

Requirements

Visualization material

Features in AR

Period [19, 23, 29 and 35]

– Period representation over time

– The communication with error is given the highest priority

Open image in new window

Frequency [34, 36]

– The frequency of the normally occurring communication and the frequency of the communication with the change are distinguished and expressed

– The communication with error is given the highest priority

Open image in new window

Concurrent sessions

– The distinction between concurrently occurring ARs and isolated ARs (Allow concurrent sessions: 2, 3, any)

– The communication with error is given the highest priority

– A concise expression that does not interfere with the flow of the timeline

 

Associated ARs

Sequential [24, 26 and 27]

– A distinction between a related AR and a sole AR

– A concise expression that does not interfere with the flow of the timeline

– The ARs that have a relationship are expressed in groups.

Open image in new window

Simultaneous

Inclusive

Traffic volume [23, 29 and 31]

– Express the amount of traffic without interrupting the flow of the timeline

– Need size change for easy recognition of traffic volume change

Open image in new window

Table 5.

Jacob Nelson, Heuristics Assessment

Property

Question

A. Strive for consistency

and standards

Q1. Is the overall screen configuration consistent?

Q2. Are the details elements (individual elements, icons) of the AR information consistent?

B. Match between system and the real world

Q1. Is it intuitive to understand the information provided?

Q2. Is it easy to recognize information using visualization that fits the characteristics of the information?

Q3. Are the comparisons between the provided information (AR) supported directly or indirectly?

C. User Control and freedom

Q1. Is it possible to find the information you want easily and quickly?

Q2. Is it possible to change the state of the AR information as needed?

D. Design dialog to yield closure

Q1. Does it clearly separate the beginning and end of information access?

Q2. Does category grouping interfere with viewing information?

E. Visibility of system status & informative feed-forward & back

Q1. Is the visual representation of the current state of the AR? (on/off, Error…)

Q2. Could the user be aware of the problem himself or herself through a given information screen?

As a result of the evaluation, we were able to identify areas that need an improvement, they were generally rated high, though. The results of Jacob Nelson’s heuristics-based AR List showed a high score for consistency of the overall screen configuration and visual representation of the current state and a low score for intuitive cognition received (Fig. 5).
Table 6.

Hyo-Jeong Kwon, Data visualization Likert scale evaluation

Property

Question

Functional

attribute

Functionality

[Information order/placement]

Q1. Can you easily identify the characteristics between ARs? (Sequential, simultaneous, inclusive)

Q2. Has the characteristics in the AR been adequately reflected? (Period, frequency, concurrent session)

Q3. Are the information represented by a graph suitable for the characteristics of the AR log?

Q4. Can the icon on the information screen predict the detail function?

Familiarity

Q1. Is it possible to intuitively understand the information provided through the expressions commonly used in the nature of information?

Q2. Is it easy to recognize information using visualization that fits the characteristics of the information?

Cognitive

attribute

Understanding

[Explore Information]

Q1. Is it possible to easily find the necessary information through the provided visualization information?

[Interpret information]

Q2. Is it easy to grasp the current state of the AR with a graph alone?

Immersion

Q1. Are there any unnecessary expressions for identifying important elements?

Sensory

attribute

Esthetic

Q1. Is visual information visually perceptible to the entire screen?

Q2. Is it properly structured in size and color to aid in information awareness?

Satisfaction

Q1. Is there a willingness to continuously check the information through this screen?

Q2. Do you think it is user-centric?

The traffic log evaluation results using the data visualization Likert scale of Hyo-Jeong Kwon [17] were evaluated differently in both prototype A and B. Prototype A received high marks in the immersive sense of cognitive attributes because it represented only relevant information without unnecessary elements. Also, they received the same high score in satisfaction of sensory attributes. However, the score of the functional elements of the graph using the AR log is low.

In Prototype B, although it received a high score in the esthetic part of the sensory attribute, unlike the prototype A, the expression of unnecessary information was found and received a low score in the immersion feeling part of the cognitive attribute (Figs. 6 and 7).
Fig. 5.

Jacob Nelson, results of heuristics

Fig. 6.

Hyo-Jeong Kwon, information visualization Likert scale evaluation result (A Type)

Fig. 7.

Hyo-Jeong Kwon, Information visualization Likert scale evaluation result (B Type)

5.2.4 Expert Interview Analysis Result

Through the expert interviews and evaluations, we were able to obtain the necessary insight in the final visualization of data visualization. The results of analysis by AR List and traffic log are as follows.

Firstly, the AR List was able to find total 57 issues. The contents of the issue were information expression, grouping of information, category order and information sorting. We have identified common factors in these issues and derived final improvements.
  1. 1.

    Visual configuration for fast error-detection.

     
  2. 2.

    How to express to the characteristics of information.

     
  3. 3.

    Priority-aware category arrays.

     
Secondly, total 40 issues in prototype A and 37 issues in prototype B were found in the traffic log. The final improvements were derived by combining the features and common issues of different prototypes A and B.
  1. 1.

    Structural Improvement for Integrated Information Verification.

     
  2. 2.

    Re-selection of a visualization method suitable for information property.

     
  3. 3.

    Added functions for seamless information search.

     

6 Data Visualizations Screen Suggestion

In this document, the data visualization screen of AR List and traffic log are shown in the paragraphs below. The screen includes case study, first prototype production, expert interview and evaluation analysis focusing on F.Manager’s whitelist based communication status factor which are from the prior research. Based on the results, we propose a whitelist-based AR communication status list which is the main function of F.Manager, a security network switch management software of the National Security Research Institute and a method of improving the data visualized UX of the traffic log.

6.1 AR List Final Screen Suggestion

It aims to visualize the whitelist-based AR List information in F.Manager so that it can recognize it a lot quickly and easily. Previously, AR List focused on implementing whitelist information for control system management. After prototyping, the experts suggest the improvement plan through the interview, and finally the proposed screen is the result of efficient operation and management from the viewpoint of the user (Fig. 8).
Fig. 8.

AR List final screen

6.1.1 Visual Configuration for Fast Error Detection

The problematic AR in the AR List is provided at the top of the list, and it is expressed in the background by applying a red color so that it is easy to recognize the abnormality. In addition, a warning icon ‘!’ is displayed in the area where the error occurred in regard to the detailed problem (Fig. 9).
Fig. 9.

AR List error occurrence screen (Color figure online)

6.1.2 How to Express to the Characteristics of Information

The name of the information about the provided information should be easily identifiable, and the visual representation of the function that may confuse the user should be limited. In Fig. 10, the indication of the IP forwarder and the receiver are not specified as ‘Server’ or ‘Client’ due to the protocol-related change in the protocol. Instead, it uses a different color in the output area to represent the role
Fig. 10.

IP and network connection method area in AR List

.
Fig. 11.

AR List tag function

In Fig. 11, the tag function is used to enable smooth communication among users. Intuitive recognition is also possible by using different colors according to the level of importance. In addition to the color, several icon shapes are also commonly used.

6.1.3 Priority-Aware Category Arrays

It is necessary to check if the information to be firstly checked by the user is conspicuous in the AR List, and the placement of such information is highly important. The information in the AR List is divided into AR basic information area, IP and network connection method area, AR characteristic area, AR relation area, AR occurrence frequency and last occurrence time area in order of importance (Fig. 12).
Fig. 12.

AR List information providing area

  • AR basic information: AR state(on/off), Name, Applied F.Switch

  • IP and network connection method: IP(A) – Service – IP(B)

  • AR characteristic: Period, Frequency, Concurrent session

  • AR relation: Display information about sequential, concurrent, and inclusive relationships

  • AR occurrence frequency and last occurrence time: Cumulative number of occurrences and the last occurrence time in the current time display

  • Learn more: Detailed information about AR List

6.2 Traffic Log Final Screen Suggestion

It is aimed to visualize the logs of actual traffic of ARs so that they can be quickly recognized by expressing them in a suitable form for information characteristics. After making the first prototype, UX Direction was derived through an expert interview. The final result reflects the overall log flow and detailed frequency, period, and traffic volume of individual ARs at a glance. In Fig. 13, the number of communication operations in the X axis (time) and the Y axis (AR List) is expressed in dot form, the size, interval, and the repetition are displayed according to the characteristics. In addition, the part where the abnormality occurs is marked with red.
Fig. 13.

Traffic log full screen (Color figure online)

6.2.1 Structural Improvement for Integrated Information Verification

In order to comprehensively understand the overall log flow and detailed AR information, the features of A and B in the first prototype were collected. In A type, the overall tendency and information can be grasped. In B type, it is easy to grasp the problematic AR List, and it has an advantage in showing individual characteristics.

6.2.2 Re-selection of a Visualization Method Suitable for Information Property

The visualization method is changed to a commonly used visualization one so that detailed information can be grasped at a glance. In the case of frequency, the numerical value of the average frequency reference deviation was made into a line graph in a certain period. In the case of the period, the repetitive communication status are represented by the characteristics such as sequential, simultaneous, inclusion according to the relationship between the ARs. In the case of traffic volume, the actual traffic volume of the currently selected AR against the average traffic volume is shown in the form of a bar graph. The error expression of each characteristic makes red indication in the region of anomalies, enabling intuitive interpretation (Figs. 14, 15 and 16).
Fig. 14.

Frequency graph (Color figure online)

Fig. 15.

Period graph (Color figure online)

Fig. 16.

Traffic volume graph (Color figure online)

6.2.3 Added Functions for Seamless Information Search

Throughout the error detection and zooming function, the user can easily find the AR errors on full screen. In the case of the AR in which the error occurred, a red area is displayed on the scroll, so that the error position can be intuitively detected. In addition, the selected errors are provided for each characteristic in the frequency, period, and traffic volume areas on the right side of the screen (Fig. 17).
Fig. 17.

Scroll (error search) and zooming functions (Color figure online)

6.3 Excellence of Data Visualization Screen Proposal

UX improvement plans that we established and based on assessment for existing products, requirements from the site, and expert interview are excellent for the following reasons.
  1. 1.

    Methods of data expression and prioritization were complemented. Therefore, it is possible to check whitelist data consistently by control system operators, not security experts.

     
  2. 2.

    It is easy to clearly recognize ARs that are identified as errors (ARs that are not followed at the site).

     
  3. 3.

    Utilize appropriate graphs for data visualization which based on important factors in communication status monitoring from the security perspective.

     

The improvement plans make it possible to rapidly search ARs that have necessary data for security work and to understand the entire communication status as well as individual AR’s characteristics at a glance.

7 Conclusion

Our study allows to effectively manage the control networks by establishing guidelines for the visualization of traffic log data and whitelist-based AR communication status list. Suggested plans may serve as references that will contribute to more effective work management by users of security programs such as network firewall and network access control solutions. Site tests for various systems are planned in order to move towards easier and more efficient solutions.

References

  1. 1.
    Handreamnet: VIPM Plus Administrator’s Guide v1.0 (2014)Google Scholar
  2. 2.
    Zungwon Engineering & Systems: Juniper Firewall/VPN (2008)Google Scholar
  3. 3.
    Secui: SECUI NGX (2011)Google Scholar
  4. 4.
    Handreamnet: SubGATE Plus 100&200 (2005)Google Scholar
  5. 5.
    Future Systems: SecuwayGate GateAdin Pro (2015)Google Scholar
  6. 6.
    Geni Networks: Genian NAC Suite (2013)Google Scholar
  7. 7.
    National Security Research Institute. AMS (2012)Google Scholar
  8. 8.
    Wins: SNIPER IPS v8.0 (2012)Google Scholar
  9. 9.
    Algosec: Algosec (2012–2015)Google Scholar
  10. 10.
    NetCitadel: Firewall Builder5 (2011)Google Scholar
  11. 11.
    Solarwinds: Firewall Security Manager (2012)Google Scholar
  12. 12.
    Tufin: Tufin (2016)Google Scholar
  13. 13.
    Palo Alto Networks: Paloalto PAN-OS (2014)Google Scholar
  14. 14.
  15. 15.
    CISCO: Cisco Small Business RV0xx Series Routers (2012)Google Scholar
  16. 16.
    Nelson, J., Robert, L.M.: Usability Inspection Methods. Wiley, New York (1994)Google Scholar
  17. 17.
    Kwon, H.-J.: Elements for Evaluating the Usability of the Web-Based Infographic Design (2013)Google Scholar
  18. 18.
    So-In, C.: A Survey of Network Traffic Monitoring and Analysis Tools. https://www.cse.wustl.edu/~jain/cse567-06/ftp/net_traffic_monitors3/
  19. 19.
  20. 20.
  21. 21.
  22. 22.
  23. 23.
  24. 24.
  25. 25.
  26. 26.
  27. 27.
  28. 28.
  29. 29.
    The Multi Router Traffic Grapher. http://oss.oetiker.ch/mrtg/
  30. 30.
    Visualization Techniques for Assessing Textual Topic Models. http://vis.stanford.edu/papers/termite
  31. 31.
  32. 32.
  33. 33.
  34. 34.
  35. 35.
  36. 36.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Interaction Design, Graduate School of Techno DesignKookmin UniversitySeoulKorea
  2. 2.National Security Research InstituteDaejeonKorea
  3. 3.Interdisciplinary Program of Information SecurityChonnam National UniversityGwangjuKorea

Personalised recommendations