Li Zheng,Gang Yu,Yuntian Zheng

DOI: https://doi.org/10.1007/s11265-023-01836-0

2023-02-01

Journal of Signal Processing Systems

Abstract:Data visualization is an important approach for data analysis, which can reveal the patterns and characteristics of complex datasets through visual processing, and provide aid for data analysts. In recent years, with the expansion of Internet users and the rich diversity of various Internet applications, the importance of network security is increasing. In the field of network security data analysis, it is a developing direction to use data visualization methods and visual analysis tools to assist manual analysis. In this paper, a visualization system for network security data is designed and implemented, which is mainly based on network flow records and security policies. The node centrality measurement and high-dimensional data visualization methods are comprehensively applied, and an interactive visualization approach is proposed. The IP topology is presented in three different view modes: static analysis, temporal analysis and exploration analysis. In addition, the high-dimensional projection map takes flow, security policy and IP address as analysis objects and selects several dimensional features as indicators. After visual presentation, the distribution of the stream set and IP set contained in the record after projection in the selected dimension space can be obtained, so that the analyst can find the points with significant abnormal eigenvalue distribution, and deduce the possible situation based on this. After testing, the system can accept the new original data record file, and quickly generate the corresponding visualization content, which can be used for the visualization analysis of network security optimization tool software, and has been used in the actual system.

computer science, information systems,engineering, electrical & electronic

ZHANG Haocheng,WU Xiaojie,TANG Xiang,SHU Runxuan,DING Tianchen,DONG Xiaoju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018015

2018-01-01

Abstract:With the fast development of information technology and computer network, the scale and complexity of network security data grows rapidly. Traditional visualization techniques are no longer suitable. In addition, it designs interactive functions based on the feature of network security analysis, in order to assist the network security analyst. The existing approaches for network security visualization have some defects, which fail to provide a good indication of network security data in terms of timing and also fail to display information completely and realize user-friendly interaction. A multi-view network security visualization system was proposed, which provided the analysts of both the static status and dynamic changes of the network by combining the force-oriented model and the staged animation. It provides comprehensive information with display and filter of protocols, IP segment and port. The system on Shanghai Network database were evaluated.

Tianye Zhang,Xumeng Wang,Zongzhuang Li,Fangzhou Guo,Yuxin Ma,Wei Chen

DOI: https://doi.org/10.1007/s11432-016-0428-2

2017-01-01

Science China Information Sciences

Abstract:Network anomaly analysis is an emerging subtopic of network security. Network anomaly refers to the unusual behavior of network devices or suspicious network status. A number of intelligent visual tools are developed to enhance the ability of network security analysts in understanding the original data, ultimately solving network security problems. This paper surveys current progress and trends in network anomaly visualization. By providing an overview of network anomaly data, visualization tasks, and applications, we further elaborate on existing methods to depict various data features of network alerts, anomalous traffic, and attack patterns data. Directions for future studies are outlined at the end of this paper.

Ying ZHAO,Xiaoping FAN,Fangfang ZHOU,Wei HUANG,Mengjiao TANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1312039

2014-01-01

Abstract:Network security visualization is a growing community of network security research in recent years. It provides the human security analysts with better tools to discover patterns, detect anomalies, identify correlations of security events with higher efficiency. To meet the demand of cooperative visual analytics on large-scale network and multi-source data, this paper develops a data fusion model based on the even tuple and statistics tuple within uni-form data formats, raises a design strategy including the radial graph that is good at parsing events correlations and comparative stacked stream that is good at comparing statistics time series, explores the automated deployment method based on network logic topology and edge bundling method in radial graph. Finally by utilizing the pro-posed prototype system to analyze network security datasets in VAST Challenge 2013 and conducting some experi-ments and discussions, the effectiveness of tools is verified and substantiated.

Chunyuan Wu,Shiying Sheng,Xiaoju Dong

DOI: https://doi.org/10.1109/SMC.2018.00507

2018-01-01

Abstract:Computer networks have been widely used and the network security is becoming a critical issue due to the frequent attacks. Among these attacks, the DDoS attack is a destructive attack method, which can cause enormous loss and is difficult to detect. The network administrators work on large volume of traffic data to monitor the DDoS attack. The information visualization method is then introduced to the domain of network security and DDoS attack detection to better comprehend the information behind the multi-dimensional data. Various visualization methods have been proposed to detect the DDoS attack. However, little research has been carried out to give an overview of the existing methods. In this work, we surveyed the literature from 2004 to 2017 concerning network security visualization. We have selected the methods designed for or that can be applied to DDoS attack detection. We have classified these methods and given the advantages and shortcomings of each kind of method. We then proposed the future work in this area, which is aimed at helping the researchers in this area to have a comprehensive view of DDoS visualization.

SUN Yi-jun,ZHANG Hong-li,HE Hui

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.21.036

2007-01-01

Computer Engineering and Applications Journal

Abstract:Visualization of security events is an important component of large-scale network security warning.The research includes combining structural characteristic of large-scale network topology with the H3 algorithm in the field of information visualization,providing methods for visualizing the overall distribution and local details of large-scale network security events,and applying it effectively to the visualization of network security data on CERNET.Experiment results show that the methods present a sound visual effect to the network administrator to help him/her grasp the global security situation,and then work out an effective control plan in an overall perspective.

Xin Fan,Wenjie Luo,Xiaoju Dong,Rui Su

DOI: https://doi.org/10.1007/978-981-13-2203-7_45

2018-01-01

Abstract:Analyzing network data is one of the important means to safeguard network security. However, how to detect anomalies and trace back the origin of attacks in the enlarging scale of network data is still a challenge now. This paper designs and implements a network visualization system, which meets three main requirements: the situation awareness of the whole network, the rapid detection of anomalies, and the track of attack source. To combine multiple visualization technologies reasonably, the system provides information from three levels. It also uses unsupervised learning methods to detect anomalies in different ways. Therefore, the system enhances the ability of identifying abnormal behaviors from network data. Its efficiency is tested by the usage of data in the ChinaVis 2016.

Max Landauer,Florian Skopik,Markus Wurzenberger,Andreas Rauber

DOI: https://doi.org/10.1016/j.cose.2020.101739

2020-05-01

Abstract:<p>Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summarize log data by means of clustering techniques have been proposed. Picking the right approach for a particular application domain is, however, non-trivial, since algorithms are designed towards specific objectives and requirements. This paper therefore surveys existing approaches. It thereby groups approaches by their clustering techniques, reviews their applicability and limitations, discusses trends and identifies gaps. The survey reveals that approaches usually pursue one or more of four major objectives: overview and filtering, parsing and signature extraction, static outlier detection, and sequences and dynamic anomaly detection. Finally, this paper also outlines a concept and tool that support the selection of appropriate approaches based on user-defined requirements.</p>

computer science, information systems

jian zhang,li jun zhao

DOI: https://doi.org/10.4028/www.scientific.net/AMM.602-605.2157

2014-01-01

Applied Mechanics and Materials

Abstract:In the field of network security, logs analysis is an efficient protecting measure. But it couldn’t meet with the requirements of dealing with threaten rapidly and responding at real time only with security administrator’s analysis of abundant multidimensional IDS logs. Visualization of multidimensional data is applied in information cognition and decision, with people’s perception of graph and advanced technology of computer’s dealing with abundant data. A frame of visualization in intrusion detection is proposed according to the process of visualization and intrusion detection. And then a simple efficient attribute encoding is put forward. K-dimensional logs are converted to the right regular polygon of even sides (RPES) using optimization algorithm. The experiments show that this method offers more dimensional distribution information and implicit knowledge and help security administrator to make efficient decision.

Mixia Liu,Dongmei Yu,Qiuyu Zhang,Honglei Zhu

DOI: https://doi.org/10.1109/IWASID.2007.373676

2007-01-01

Abstract:With the development of computer networks, the spread of malicious network activities poses great risks to the operational integrity of many organizations and imposes heavy economic burdens on life and health. Therefore, risk assessment is very important in network security management and analysis. Network security situation analysis not only can describe the current state but also project the next behavior of the network. Alerts coming from IDS, Firewall, and other security tools are currently growing at a rapid pace. Large organizations are having trouble keeping on top of the current state of their networks. In this paper, we described cyberspace situational awareness from formal and visual methods. Next, to make security administrator comprehend security situation and project the next behaviors of the whole network, we present using parallel axes view to give expression clearly of security events correlations. At last, we concluded that visualization is an important research of risk evaluation and situation analysis of network.

Siming Chen,Cong Guo,Xiaoru Yuan,Fabian Merkle,Hanna Schaefer,Thomas Ertl

DOI: https://doi.org/10.1145/2671491.2671493

2014-01-01

Abstract:Visualization and interactive analysis can help network administrators and security analysts analyze the network flow and log data. The complexity of such an analysis requires a combination of knowledge and experience from more domain experts to solve difficult problems faster and with higher reliability. We developed an online visual analysis system called OCEANS to address this topic by allowing close collaboration among security analysts to create deeper insights in detecting network events. Loading the heterogeneous data source (netflow, IPS log and host status log), OCEANS provides a multi-level visualization showing temporal overview, IP connections and detailed connections. Participants can submit their findings through the visual interface and refer to others' existing findings. Users can gain inspiration from each other and collaborate on finding subtle events and targeting multi-phase attacks. Our case study confirms that OCEANS is intuitive to use and can improve efficiency. The crowd collaboration helps the users comprehend the situation and reduce false alarms.

Brooklynn Stone,T. Cerný,Connor Woodahl,Karel Frajták,Miroslav Bures,Pavel Tisnovsky,John E. Raffety,J. Svacina,Dongwan Shin

DOI: https://doi.org/10.1145/3400286.3418261

2020-10-13

Abstract:Log analysis is a technique of deriving knowledge from log files containing records of events in a computer system. A common application of log analysis is to derive critical information about a system's security issues and intrusions, which subsequently leads to being able to identify and potentially stop intruders attacking the system. However, many systems produce a high volume of log data with high frequency, posing serious challenges in analysis. This paper contributes with a systematic literature review and discusses current trends, advancements, and future directions in log security analysis within the past decade. We summarized current research strategies with respect to technology approaches from 34 current publications. We identified limitations that poses challenges to future research and opened discussion on issues towards logging mechanism in the software systems. Findings of this study are relevant for software systems as well as software parts of the Internet of Things (IoT) systems.

Computer Science,Engineering

Jia Zhanpei,Shen Chao,Yi Xiao,Chen Yufei,Yu Tianwen,Guan Xiaohong

DOI: https://doi.org/10.1109/coase.2017.8256257

2017-01-01

CASE

Abstract:Log data are important audit basis to record routine events occurring on computer or network system, which are also critical data source for detecting system anomalies. By analyzing the data from multi-source logs, it is helpful to detect abnormal system behaviors and discover intruder attacks in real time. In this paper, a Spark-based log data security platform is designed and built to analyze the large-scale log data and detect abnormal network behaviors. By integrating data mining, machine learning, and statistical analysis technologies, our proposed framework can quickly analyze large-scale multi-source log data and accurately discriminate the abnormal behaviors. Furthermore, the association analysis is applied to detect abnormal behaviors or potential threats in the system. Under a real-world network environment, extensive experiments are conducted to evaluate the system performance, which can achieve a fast and accurate detection for abnormal network behaviors, and significantly improve the accuracies under various types of network attack scenarios.

Jiawei Zhao,Rahat Masood,Suranga Seneviratne

DOI: https://doi.org/10.1109/comst.2021.3086475

2021-01-01

Abstract:Network security has become an area of significant importance more than ever as highlighted by the eye-opening numbers of data breaches, attacks on critical infrastructure, and malware/ransomware/cryptojacker attacks that are reported almost every day. Increasingly, we are relying on networked infrastructure and with the advent of IoT, billions of devices will be connected to the Internet, providing attackers with more opportunities to exploit. Traditional machine learning methods have been frequently used in the context of network security. However, such methods are more based on statistical features extracted from sources such as binaries, emails, and packet flows. On the other hand, recent years witnessed a phenomenal growth in computer vision mainly driven by the advances in the area of convolutional neural networks. At a glance, it is not trivial to see how computer vision methods are related to network security. Nonetheless, there is a significant amount of work that highlighted how methods from computer vision can be applied in network security for detecting attacks or building security solutions. In this paper, we provide a comprehensive survey of such work under three topics; i) phishing attempt detection, ii) malware detection, and iii) traffic anomaly detection. We also discuss existing research gaps and future research directions, especially focusing on how network security research community and the industry can leverage the exponential growth of computer vision methods to build much secure networked systems. Finally, we review a set of such commercial products for which public information is available and explore how computer vision methods are effectively used in those products and conclude with a brief overview of commonly used computer vision methods in this domain.

computer science, information systems,telecommunications

Marija Schufrin,Hendrik Lücke-Tieke,Jörn Kohlhammer

DOI: https://doi.org/10.1109/VizSec56996.2022.9941462

2023-01-23

Abstract:In this paper, we present our design study on developing an interactive visual firewall log analysis system in collaboration with an IT service provider. We describe the human-centered design process, in which we additionally considered hedonic qualities by including the usage of personas, psychological need cards and interaction vocabulary. For the problem characterization we especially focus on the demands of the two main clusters of requirements: high-level overview and low-level analysis, represented by the two defined personas, namely information security officer and network analyst. This resulted in the prototype of a visual analysis system consisting of two interlinked parts. One part addresses the needs for rather strategical tasks while also fulfilling the need for an appealing appearance and interaction. The other part rather addresses the requirements for operational tasks and aims to provide a high level of flexibility. We describe our design journey, the derived domain tasks and task abstractions as well as our visual design decisions, and present our final prototypes based on a usage scenario. We also report on our capstone event, where we conducted an observed experiment and collected feedback from the information security officer. Finally, as a reflection, we propose the extension of a widely used design study process with a track for an additional focus on hedonic qualities.

Human-Computer Interaction,Cryptography and Security,Computers and Society

ZHANG Yi-fan,DONG Xiao-ju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2017.00135

2017-01-01

Abstract:Firstly, the IP address of the Web log were visualized, and an integral system was presented by using proper visualization methods. Secondly, the whole system was related to the IP address, containing source IP address, target IP address and their relationship respectively. It provided users with different views of data, which could show more details and undetected relations among massive data. Besides, some interactions were added into the system, which made it more effective and useful. Finally, it ended up with the comparison of the systems when loading data with the DDoS attack and without it. It made much sense in the application field.

Wu Liu,Haixin Duan,Peng Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCT.2003.1209101

2003-01-01

Abstract:The phenomenal increase in the amounts of network security data are due to the hacker attacks, virus, worm and Shapper etc. Network security log file databases are very important in computer forensics. From researches, a lot of data mining methods have been found, such as content-based queries and similarity searches to manage and use such data. Fast and accurate retrievals for content-based queries are crucial for such numerous database systems to be useful. In this paper, a new method is provided to analyze and mine this kind of time-serial database. We first signalize the NSD databases, then we use these wavelet based transform to analyze the NSD and get the periodic law of intrusion event.

Chen,Lin Ye,Xiangzhan Yu,Bailang Ding

DOI: https://doi.org/10.1007/978-3-030-24268-8_10

2019-01-01

Abstract:With the increasing importance of cyberspace security, the research and application of network situational awareness is getting more attention. The research on network security situational awareness is of great significance for improving the network monitoring ability, emergency response capability and predicting the development trend of network security. This paper describes the development and evolution of network situational awareness and analyzes the basic architecture of the current situational awareness system. Based on the situational awareness conceptual model, four main research contents of situational awareness are elaborated: network data collection, situational understanding, situational prediction and situational visualization. This paper focuses on the core issues, main algorithms, and the advantages and disadvantages of each method that need to be addressed at each research point. Finally, under the current development trend of big data processing technology and artificial intelligence technology, the application realization and development trend of network situational awareness are analyzed and forecasted.

Zehua Ren,Yang Liu,Huixiang Liu,Baoxiang Jiang,Xiangzhen Yao,Lin Li,Haiwen Yang,Ting Liu

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798168

2022-01-01

Abstract:Traditional intrusion detection systems often deal with massive alarms based on specific filtering rules, which is complex and inexplicable. In this demo, we developed a network security situation awareness (NSSA) system based on the spatio-temporal correlation of alarms. It can monitor the security situation from the temporal dimension and discover abnormal events based on the time series of alarms. Also, it can analyze alarms from the spatial dimension on the heterogeneous alarm graph and handle alarms in batches of events. With this system, system operators can filter most irrelevant alarms quickly and efficiently. The rich visualization of alarm data could also help find hidden high-risk attack behaviors.

Jung-Chun Liu,Chao-Tung Yang,Yu-Wei Chan,Endah Kristiani,Wei-Je Jiang

DOI: https://doi.org/10.1007/s11227-021-03715-6

IF: 3.3

2021-03-16

The Journal of Supercomputing

Abstract:Network log data is significant for network administrators, since it contains information on every event that occurs in a network, including system errors, alerts, and packets sending statuses. Effectively analyzing large volumes of diverse log data brings opportunities to identify issues before they become problems and to prevent future cyberattacks; however, processing of the diverse NetFlow data poses challenges such as volume, velocity, and veracity of log data. In this study, by means of Elasticsearch, Logstash, and Kibana, i.e., the ELK Stack, we construct an analysis and management system for network log data, which provides functions to filter, analyze, and display network log data for further applications and creates data visualization on a Web browser. In addition, an advanced cyberattack detection model is facilitated using deep neural network (DNN), recurrent neural networks (RNN), and long short-term memory (LSTM) approaches. By knowing cyberattack behaviors and cross-validating with the log analysis system, one can learn from this model the characteristics of a variety of cyberattacks. Finally, we also implement Grafana to perform metrics monitoring.