Title: TAPESTRY: Visualizing Interwoven Identities for Trust Provenance
Authors: Yifan Yang, J. Collomosse, A. Manohar, J. Briggs, J. Steane
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709236 (https://doi.org/10.1109/VIZSEC.2018.8709236)
Abstract: In this paper we report our study involving an early prototype of TAPESTRY, a service to support people and businesses to connect safely online through the use of a Machine Learning generated visualization. Establishing the veracity of the person or business behind a pseudonymized identity, online, is a challenge for many people. In the burgeoning digital economy, finding ways to support good decision-making in potentially risky online exchanges is of vital importance. In this paper, we propose a Machine Learning method to extract temporal patterns from data on individuals' behavioral norms in their online activity. This monitors and communicates the coherence of these activities to others, especially those who are about to disclose personal information to the individual, in a visualization. We report findings from a user trial that examined how people accessed and interpreted the TAPESTRY visualization to inform their decisions on who to back in a mock crowdfunding campaign to evaluate its efficacy. The study proved the protocol of the Machine Learning method, and qualitative insights are informing iterations of the visualization design to enhance user experience and support understanding.
Title: Building a Machine Learning Model for the SOC, by the Input from the SOC, and Analyzing it for the SOC
Authors: Awalin Sopan, Matthew Berninger, Murali Mulakaluri, Raj Katakam
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709231 (https://doi.org/10.1109/VIZSEC.2018.8709231)
Abstract: This work demonstrates an ongoing effort to employ and explain machine learning model predictions for classifying alerts in Security Operations Centers (SOC). Our ultimate goal is to reduce analyst workload by automating the process of decision making for investigating alerts using the machine learning model in cases where we can completely trust the model. This way, SOC analysts will be able to focus their time and effort on investigating more complex cases of security alerts. To achieve this goal, we developed a system that shows the prediction for an alert and the prediction explanation to security analysts during their daily workflow of investigating individual security alerts. Another part of our system presents the aggregated model analytics to the managers and stakeholders to help them understand the model and decide when to trust the model and let the model make the final decision. Using our prediction explanation visualization, security analysts will be able to classify oncoming alerts more efficiently and gain insight into how a machine learning model generates predictions. Our model performance analysis dashboard helps decision makers analyze the model at signature-level granularity and gain more insights about the model.
Title: An Empirical Study on Perceptually Masking Privacy in Graph Visualizations
Authors: Jia-Kai Chou, Chris Bryan, Jing Li, K. Ma
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709181 (https://doi.org/10.1109/VIZSEC.2018.8709181)
Abstract: Researchers such as sociologists create visualizations of multivariate node-link diagrams to present findings about the relationships in communities. Unfortunately, such visualizations can inadvertently expose the ostensibly private identities of the persons that make up the dataset. By purposely violating graph readability metrics for a small region of the graph, we conjecture that local, exposed privacy leaks may be perceptually masked from easy recognition. In particular, we consider three commonly known metrics—edge crossing, node clustering, and node-edge overlapping—as a strategy to hide leaks. We evaluate the effectiveness of violating these metrics by conducting a user study that measures subject performance at visually searching for and identifying a privacy leak. Results show that when more masking operations are applied, participants needed more time to locate the privacy leak, though exhaustive, brute force search can eventually find it. We suggest future directions on how perceptual masking can be a viable strategy, primarily where modifying the underlying network structure is unfeasible.
Title: ROPMate: Visually Assisting the Creation of ROP-based Exploits
Authors: M. Angelini, G. Blasilli, Pietro Borrello, Emilio Coppa, Daniele Cono D'Elia, Serena Ferracci, S. Lenti, G. Santucci
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709204 (https://doi.org/10.1109/VIZSEC.2018.8709204)
Abstract: Exploits based on ROP (Return-Oriented Programming) are increasingly present in advanced attack scenarios. Testing systems for ROP-based attacks can be valuable for improving the security and reliability of software. In this paper, we propose ROPMATE, the first Visual Analytics system specifically designed to assist human red team ROP exploit builders. In contrast, previous ROP tools typically require users to inspect a puzzle of hundreds or thousands of lines of textual information, making it a daunting task. ROPMATE presents builders with a clear interface of well-defined and semantically meaningful gadgets, i.e., fragments of code already present in the binary application that can be chained to form fully-functional exploits. The system supports incrementally building exploits by suggesting gadget candidates filtered according to constraints on preserved registers and accessed memory. Several visual aids are offered to identify suitable gadgets and assemble them into semantically correct chains. We report on a preliminary user study that shows how ROPMATE can assist users in building ROP chains.
Title: Crush Your Data with ViC2ES Then CHISSL Away
Authors: Dustin L. Arendt, Lyndsey R. Franklin, Fumeng Yang, Brooke R. Brisbois, Ryan R. LaMothe
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709212 (https://doi.org/10.1109/VIZSEC.2018.8709212)
Abstract: Insider Threat Detection is one of the greatest challenges for organizational cybersecurity [2]. In this paper, we designed and evaluated visually compressed cyber event sequence (ViC2ES) to assist analysts with building mental models about user activity for Insider Threat Detection. Our visualizations, which show user activity on a daily level, are purpose-built to be embedded in our in-house active learning tool called "CHISSL" [3], [4]. We explored different visual compression techniques with binning or run length encoding, resulting in four unique designs built upon the same icon array presentation. We evaluated these four designs for both low-level and high-level tasks in two experiments: in Experiment I, participants performed perceptual tasks such as selecting the most and least similar activities for each of the designs; in Experiment II, participants used one of the designs in CHISSL for eleven reasoning tasks. The results suggest that participants preferred the high level of aggregation, but made the fewest errors with the low level of aggregation; they were able to interact with CHISSL and accomplish the tasks using both designs. We believe our aggregated designs are effective regarding both task performance and screen space; the high and low levels of aggregation designs are valid for user activity modeling.
Title: Visual Analytics for Root DNS Data
Authors: Eric Krokos, Alexander Rowden, K. Whitley, A. Varshney
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709205 (https://doi.org/10.1109/VIZSEC.2018.8709205)
Abstract: The analysis of vast amounts of network data for monitoring and safeguarding a core pillar of the internet, the root DNS, is an enormous challenge. Understanding the distribution of the queries received by the root DNS, and how those queries change over time, in an intuitive manner is sought. Traditional query analysis is performed packet by packet, lacking global, temporal, and visual coherence, obscuring latent trends and clusters. Our approach leverages the pattern recognition and computational power of deep learning with 2D and 3D rendering techniques for quick and easy interpretation and interaction with vast amounts of root DNS network traffic. Working with real-world DNS experts, our visualization reveals several surprising latent clusters of queries, potentially malicious and benign, discovers previously unknown characteristics of a real-world root DNS DDoS attack, and uncovers unforeseen changes in the distribution of queries received over time. These discoveries will provide DNS analysts with a deeper understanding of the nature of the DNS traffic under their charge, which will help them safeguard the root DNS against future attacks.
Title: Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data
Authors: Alex Ulmer, Marija Schufrin, D. Sessler, J. Kohlhammer
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709182 (https://doi.org/10.1109/VIZSEC.2018.8709182)
Abstract: Routing of network packets from one computer to another is the backbone of the internet and impacts the everyday life of many people. Although this is a fully automated process, it has many security issues. IP hijacks and misconfigurations occur very often and are difficult to detect. In the past, visual analytics approaches aimed at detecting these phenomena, but only a few of these integrated geographical references. Geo-IP data is being used mostly as a lookup table, which is an undervaluation of its capabilities. In this paper we present a visual-interactive system which relies only on Geo-IP data to create more awareness for this data source. We show that looking at Geo-IP data over time in combination with owner and location information of IP blocks already reveals suspicious cases. Together with our design study we also contribute a pre-processing algorithm for the Maxmind GeoIP2 City and ISP databases, to motivate the community to integrate this data source in future approaches.
Title: User Behavior Map: Visual Exploration for Cyber Security Session Data
Authors: Siming Chen, Shuai Chen, N. Andrienko, G. Andrienko, P. H. Nguyen, C. Turkay, Olivier Thonnard, Xiaoru Yuan
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709223 (https://doi.org/10.1109/VIZSEC.2018.8709223)
Abstract: User behavior analysis is complex and especially crucial in the cyber security domain. Understanding dynamic and multi-variate user behavior is challenging. Traditional sequential and timeline-based methods cannot easily address the complexity of temporal and relational features of user behaviors. We propose a map-based visual metaphor and create an interactive map for encoding user behaviors. It enables analysts to explore and identify user behavior patterns and helps them to understand why some behaviors are regarded as anomalous. We experiment with a real dataset containing multiple user sessions, consisting of sequences of diverse types of actions. In the behavior map, we encode an action as a city and user sessions as trajectories going through the cities. The position of the cities is determined by the sequential and temporal relationship of actions. Spatial and temporal patterns on the map reflect behavior patterns in the action space. In the case study, we illustrate how we explore relationships between actions, identify patterns of the typical session and detect anomalous behaviors.
Title: Eventpad: Rapid Malware Analysis and Reverse Engineering using Visual Analytics
Authors: B. Cappers, Paulus N. Meessen, S. Etalle, J. V. Wijk
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-10-01 | DOI: 10.1109/VIZSEC.2018.8709230 (https://doi.org/10.1109/VIZSEC.2018.8709230)
Abstract: Forensic analysis of malware activity in network environments is a necessary yet very costly and time-consuming part of incident response. Vast amounts of data need to be screened, in a very labor-intensive process, looking for signs indicating how the malware at hand behaves inside, e.g., a corporate network. We believe that data reduction and visualization techniques can assist security analysts in studying behavioral patterns in network traffic samples (e.g., PCAP). We argue that the discovery of patterns in this traffic can help us to quickly understand how intrusive behavior such as malware activity unfolds and distinguishes itself from the rest of the traffic. In this paper we present a case study of the visual analytics tool EventPad and illustrate how it is used to gain quick insights in the analysis of PCAP traffic using rules, aggregations, and selections. We show the effectiveness of the tool on real-world data sets involving office traffic and ransomware activity.
Title: Visualizing Automatically Detected Periodic Network Activity
Authors: R. Gove, Lauren Deason
Venue: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec)
Pub Date: 2018-09-14 | DOI: 10.1109/VIZSEC.2018.8709177 (https://doi.org/10.1109/VIZSEC.2018.8709177)
Abstract: Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.