Li Zheng,Gang Yu,Yuntian Zheng

DOI: https://doi.org/10.1007/s11265-023-01836-0

2023-02-01

Journal of Signal Processing Systems

Abstract:Data visualization is an important approach for data analysis, which can reveal the patterns and characteristics of complex datasets through visual processing, and provide aid for data analysts. In recent years, with the expansion of Internet users and the rich diversity of various Internet applications, the importance of network security is increasing. In the field of network security data analysis, it is a developing direction to use data visualization methods and visual analysis tools to assist manual analysis. In this paper, a visualization system for network security data is designed and implemented, which is mainly based on network flow records and security policies. The node centrality measurement and high-dimensional data visualization methods are comprehensively applied, and an interactive visualization approach is proposed. The IP topology is presented in three different view modes: static analysis, temporal analysis and exploration analysis. In addition, the high-dimensional projection map takes flow, security policy and IP address as analysis objects and selects several dimensional features as indicators. After visual presentation, the distribution of the stream set and IP set contained in the record after projection in the selected dimension space can be obtained, so that the analyst can find the points with significant abnormal eigenvalue distribution, and deduce the possible situation based on this. After testing, the system can accept the new original data record file, and quickly generate the corresponding visualization content, which can be used for the visualization analysis of network security optimization tool software, and has been used in the actual system.

computer science, information systems,engineering, electrical & electronic

Yang Shi,Ying Zhao,Fangfang Zhou,Ronghua Shi,Yaoxue Zhang,Guojun Wang

DOI: https://doi.org/10.1109/mcg.2018.2879067

IF: 1.909

2018-01-01

IEEE Computer Graphics and Applications

Abstract:Intrusion detection systems (IDSs) generally produce an overwhelming amount of alerts, which are commonly plagued by issues of false positives. It is cumbersome for network administrators to manually traverse text-based alert logs in order to detect threats. In this work, we present a novel radial visualization of IDSs alerts, IDSPlanet, which helps administrators identify false positives, analyze attack patterns, and understand evolving network situations. Using a planet's geology as a metaphor for the design. IDSPlanet is composed of chrono rings, alert continents, and an interactive core. Accordingly, these components encode the temporal features of alert types, patterns of behavior in affected hosts, and correlations amongst alert types. attackers, and targets, respectively. The visualization provides an informative picture of networks' status. IDSPlanet offers different interactions and monitoring modes, which allow users to investigate in detail as well as to explore overall pattern. Two case studies and two interviews were conducted to demonstrate the usability and effectiveness of our visualization design.

Ying ZHAO,Xiaoping FAN,Fangfang ZHOU,Wei HUANG,Mengjiao TANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1312039

2014-01-01

Abstract:Network security visualization is a growing community of network security research in recent years. It provides the human security analysts with better tools to discover patterns, detect anomalies, identify correlations of security events with higher efficiency. To meet the demand of cooperative visual analytics on large-scale network and multi-source data, this paper develops a data fusion model based on the even tuple and statistics tuple within uni-form data formats, raises a design strategy including the radial graph that is good at parsing events correlations and comparative stacked stream that is good at comparing statistics time series, explores the automated deployment method based on network logic topology and edge bundling method in radial graph. Finally by utilizing the pro-posed prototype system to analyze network security datasets in VAST Challenge 2013 and conducting some experi-ments and discussions, the effectiveness of tools is verified and substantiated.

Shibo He,Gang Liu,Zhenwen He,Zhengping Weng

DOI: https://doi.org/10.1109/geoinformatics.2010.5567648

2010-01-01

Abstract:Log management module plays an important role in the massive spatial database management system. Recently there are few three-dimensional spatial database management systems with pertinent log management sub-system, or the administrator can only use the log, which is attached by database system, to recover the data. To improve this issue, hierarchical structure of the log management module should be taken into account. The overall design of three-dimensional spatial database management system is as follows: three-dimensional spatial database (including database system, file system), three-dimensional spatial data engine, and three-dimensional space management tools. The log management module is designed to solve the problem of complexity and inconvenience of three-dimensional spatial data manipulation records. According to the 3D spatial database management system design, we divided the log management into three layers. The log management system includes monitor layer of three-dimensional spatial database's triggers and file database system operations recording statements, interface layer of log management module of three-dimensional spatial database engine, and graphical user interface layer of log management module of three-dimensional spatial data management tools. Monitor layer design includes database system trigger design. When the database table has been dynamically created, the trigger will be automatically created and record the database operations, then the file system calls function to record the log. Interface layer design includes accessing the database, reading the log table in database and other integrated operations, including query and delete. Graphical user interface layer mainly includes the design of graphical interfaces, the function call form interface layer, and log data operations. In order to work on the layers conveniently, database system trigger and file database system's record are used to record the operation of the database. The log module interface in three-dimensional spatial data engine is used to exchange the data between graphical interface and underlying database. The log module in database management tools can directly provide a graphical interface, but not need to provide access functions to get the log data. This design method has an excellent scalability and flexibility, and can also be made appropriate changes to meet the new needs.

Zhang, Yanling,Liu, Haolin,Dong, Xiaoju,Li, Chenlu,Zhang, Zexi

DOI: https://doi.org/10.1007/s12650-021-00789-5

IF: 1.7

2021-01-01

Journal of Visualization

Abstract:Cyber security issues are always worthy of attention. Intrusion detection system (IDS) is one of approaches used to protect computer system and identify potential attack. However, existing methods are limited by high-dimensional computational complexity in rare or unknown attack detection task. To improve the ability of detecting anomaly intrusions, a hybrid intrusion detection framework is proposed in this paper. The proposed RuleRCD algorithm first uses fuzzy association rules based on Apriori and K -Means algorithm for normal pattern and major attack detection. The other data are then fed to an active learning-based rare category detection algorithm to identify its attack pattern. This paper also introduces an interactive visualization system, which integrates experts’ decision into intrusion detection workflow. The method improves the effectiveness and interpretability of detection process. KDD-99 dataset is used to evaluate the proposed framework. The result shows that the approach outperforms some methods, especially in terms of the rare attack.

ZHANG Yi-fan,DONG Xiao-ju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2017.00135

2017-01-01

Abstract:Firstly, the IP address of the Web log were visualized, and an integral system was presented by using proper visualization methods. Secondly, the whole system was related to the IP address, containing source IP address, target IP address and their relationship respectively. It provided users with different views of data, which could show more details and undetected relations among massive data. Besides, some interactions were added into the system, which made it more effective and useful. Finally, it ended up with the comparison of the systems when loading data with the DDoS attack and without it. It made much sense in the application field.

ZHANG Haocheng,WU Xiaojie,TANG Xiang,SHU Runxuan,DING Tianchen,DONG Xiaoju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018015

2018-01-01

Abstract:With the fast development of information technology and computer network, the scale and complexity of network security data grows rapidly. Traditional visualization techniques are no longer suitable. In addition, it designs interactive functions based on the feature of network security analysis, in order to assist the network security analyst. The existing approaches for network security visualization have some defects, which fail to provide a good indication of network security data in terms of timing and also fail to display information completely and realize user-friendly interaction. A multi-view network security visualization system was proposed, which provided the analysts of both the static status and dynamic changes of the network by combining the force-oriented model and the staged animation. It provides comprehensive information with display and filter of protocols, IP segment and port. The system on Shanghai Network database were evaluated.

Jakrarin Therdphapiyanak,Krerk Piromsopa

DOI: https://doi.org/10.1145/2448556.2448559

2013-01-01

Abstract:In this paper, we apply Hadoop for large-scale log analysis. Our main objective is to efficiently detect an abnormal traffic from high volume data. Due to the high volume of data traffics, the size of traffic logs is usually exceed the capacity of a standalone IDS. Thus, it is practically impossible to perform useful analysis with these data. In most cases, an analysis is usually done when an attack occurred for digital forensics. We proposed applying K-Means algorithm to cluster high volume log data. The resulted clusters are useful in classifying minority as possible intruders. In addition, we proposed IP address summarization method to capture the characteristic of each cluster. Our implementation allows high volume data traffics to be analyzed with a distributed analysis system using K-Means algorithm and data mining. The eventual result is to reduce a chance of being attacked. The prominent points of our implementation are anomaly detection with large file sizes and the distributed processing. However, this paper is just a preliminary study. There exist several opportunities for optimization. Nonetheless, our implementation can point out anomaly. The K-Means Algorithm can provide a new knowledge useful for enhancing security of the system.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Guo Zhi,Ming Gao

2005-01-01

Abstract:Web applications, which are widely used to provide E-commerce and E-government services with the spread use of Internet, are faced with serious threats of security now. Intrusion detection was an effective way to secure web applications. Using visualization technique will facilitate security experts to create normal behavior profiles more exactly, and improve the detection performance of intrusion detection. However, traditional visualization model based on scatter points was not suitable to some web applications due to its poor display effect for volumes of samples. This paper proposes a new visualization model based on density field and corresponding algorithm in order to provide richer visual information for security experts and facilitate security experts to creating profiles more exactly. A comparison of experimental results between traditional model and new model was presented in this paper.

M D Poat,J Lauret,D Fedele

DOI: https://doi.org/10.1088/1742-6596/2438/1/012040

2023-02-17

Journal of Physics: Conference Series

Abstract:A difficult aspect of cyber security is the ability to achieve automated real time intrusion prevention across various sets of systems. To this extent, several companies are offering comprehensive solutions that leverage an "accuracy of scale" and moving much of the intelligence and detection on the Cloud, relying on an ever-growing set of data and analytics to increase decision accuracy. Often, they provide tools to visualize the decision workflows in attack prevention (as well as tune the algorithm) but those solutions are not always practical as companies see the problem as "global" that is, from a unified Cyber-security standpoint. However, a key to a successful Cyber-security program is transparency and trust: from an experimental team viewpoint, this specifically means having the ability to immediately see what and from where, who has been blocked and being able to inform the community in case of a revoked access without the need for filing a "ticket" (that may eventually be answered) – in other words, rapid response to their user-base is essential but solutions targeting "sub-groups" in an organization are not often available. We have come up with a versatile solution leveraging the ELK stack (Elasticsearch, Logstash, & Kibana) and an IPS (Intrusion Prevention System) based WAF (Web Application Firewall) from Signal Sciences. Signal Science allows the streaming of detailed logs in a Logstash format suitable for custom solutions for visualization. By combining these two tools, we have strengthened our security posture and enabled individual experiments to monitor their own traffic. Specifically, the IPS WAF provides unique data such as country of origin, protocol, response code, source IP, and paths accessed. In this contribution, we will show how we engineered a visualization solution so experiment groups could access a dashboard with predefined graphs but also, where they can create individual customizable dashboards used to display blocked traffic and troubleshoot latency issues. We will discuss the details and procedures for developing and configuring these tools and how it benefits cyber security postures across our scientific based environment.

English Else

Xuefei Tian,Chenlu Li,Aijuan Qian,Xiaoju Dong

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00077

2020-01-01

Abstract:The network environment is increasingly complex, resulting in the explosive growth of network traffic logs. Discovering the patterns of these logs and detecting various cyber-attacks and anomalies have become a widespread concern. However, traditional network analysis techniques and Intrusion Detection System (IDS) have limited ability to identify and respond to the malicious activities hidden in dynamic and long-duration time series. This paper proposes a novel visual analysis system, combining visual analysis and machine learning model, to better reveal the pattern of various traffic logs, detect and classify abnormal network behaviors from enormous traffic logs. The system supports interactive exploration in data space and comparative analysis of the normal and abnormal pattern. It could help users analyze traffic logs conveniently and identify network intrusions efficiently. Besides, a supervised classifier in our system supports the prediction of a single traffic log which facilitates users' analysis of the patterns of traffic logs. A case study conducted on the CICIDS-2017 dataset demonstrates the feasibility of our system.

Zhi Guo,Kwok-yan Lam,Siu-Leung Chung,Ming Gu,Jia-guang Sun

DOI: https://doi.org/10.1007/978-3-540-45203-4_5

2003-01-01

Abstract:This paper presents an efficient implementation technique for presenting multivariate audit data needed by statistical-based intrusion detection systems. Multivariate data analysis is an important tool in statistical intrusion detection systems. Typically, multivariate statistical intrusion detection systems require visualization of the multivariate audit data in order to facilitate close inspection by security administrators during profile creation and intrusion alerts. However, when applying these intrusion detection schemes to web-based Internet applications, the space complexity of the visualization process is usually prohibiting due to the large number of resources managed by the web server. In order for the approach to be adopted effectively in practice, this paper presents an efficient technique that allows manipulation and visualization of a large amount of multivariate data. Experimental results show that our technique greatly reduces the space requirement of the visualization process, thus allowing the approach to be adopted for monitoring web-based Internet applications.

Quan Li,Li Chen,Hongsen Liao,Junhai Yong

DOI: https://doi.org/10.1109/csss.2012.343

2012-01-01

Abstract:In multidimensional data analysis, one important task is to investigate the inner relations and patterns. Numerous visual representations have been proposed, such as parallel coordinates and scatter plots. However, parallel coordinates emphasize the overall patterns and data distributions while ignoring the correlation of data values over more than three dimensions. And when rendering more poly lines, the visual clutter may occur. Scatter plots are powerful in revealing the data distributions but the overall patterns are restrained. We propose Pattern Track to reveal the implied relations and patterns while also maintaining flexible operations on data values. The layout of Pattern Track is composed of a mixture of automatic computations and interactive adjustments by mapping all dimension axes to concentric circles and integrating three levels of concentric group -- data values, patterns and gradient circles. Multi-interactive operations are supported to help users dig out the implied multivariate correlations. Experimental results demonstrate the effectiveness.

Hamed Eramian,G. Levchuk,G. Zheng,Mohammed Eslami

DOI: https://doi.org/10.1109/BigData.2017.8258527

2017-12-01

Abstract:Data from cyber logs can often be represented as a bipartite graph (e.g. internal IP-external IP, user-application, or client-server). State-of-the-art graph based anomaly detection often generalizes across all types of graphs — namely bipartite and non-bipartite. This confounds the interpretation and use of specific graph features such as degree, page rank, and eigencentrality that can provide a security analyst with rapid situational awareness of their network. Furthermore, graph algorithms applied to data collected from large, distributed enterprise scale networks require accompanying methods that allow them to scale to the data collected. In this paper, we provide a novel, scalable, directional graph projection framework that operates on cyber logs that can be represented as bipartite graphs. This framework computes directional graph projections and identifies a set of interpretable graph features that describe anomalies within each partite.

Computer Science

Hao Xiong,Haocheng Zhang,Xiaoju Dong,Lingxi Meng,Wenyang Zhao

DOI: https://doi.org/10.1007/978-981-10-6385-5_55

2017-01-01

Abstract:Data flow diagram (DFD), as a special kind of data, is a design artifact in both requirement analysis and structured analysis in software development. However, rigorous analysis of DFD requires a formal semantics. Formal representation of DFD and its formal semantics will help to reduce inconsistencies and confusion. The logical structure of DFD can be described using formalism of Calculus of Communicating System (CCS). With a finite number of states based on CCS, state space methods will help a lot in analysis and verification of the behavior of the systems. But the number of states of even a relatively small system is often very great that is called state explosion. In this paper, we present a visual system which combines Formal methods and visualization techniques so as to help the researchers to understand and analyze the system described by the DFD regardless of the problem of state explosion.

Jia Yan,Lei Shi,Jun Tao,Xiaolong Yu,Zhou Zhuang,Congcong Huang,Rulei Yu,Purui Su,Chaoli Wang,Yang Chen

DOI: https://doi.org/10.1109/tvcg.2018.2889470

IF: 5.2

2020-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Successfully detecting, analyzing, and reasoning about collective anomalies is important for many real-life application domains (e.g., intrusion detection, fraud analysis, software security). The primary challenges to achieving this goal include the overwhelming number of low-risk events and their multimodal relationships, the diversity of collective anomalies by various data and anomaly types, and the difficulty in incorporating the domain knowledge of experts. In this paper, we propose the novel concept of the faceted High-Order Correlation Graph (HOCG). Compared with previous, low-order correlation graphs, HOCG achieves better user interactivity, computational scalability, and domain generality through synthesizing heterogeneous types of objects, their anomalies, and the multimodal relationships, all in a single graph. We design elaborate visual metaphors, interaction models, and the coordinated multiple view based interface to allow users to fully unleash the visual analytics power of the HOCG. We conduct case studies for three application domains and collect feedback from domain experts who apply our method to these scenarios. The results demonstrate the effectiveness of the HOCG in the overview of point anomalies, the detection of collective anomalies, and the reasoning process of root cause analyses.

Sarwar Tapan,Dianhui Wang

2012-01-01

Abstract:Data-structure preserved visualization of high-dimensional data reveals the dataset borders and the spread and overlapping tendency of the class borders in a more informative manner than the usual data-topology preserved mapping produced by Self-Organizing Maps (SOMs). Hence, an extension of SOM called Probabilistic Regularized SOM (PRSOM) is proposed for the data-structure preservation in the visualization; however, PRSOM is less suitable for the classification task due to its regularized positioning of the prototypes. In many practical applications, a good classification rate and data-structure informative visualization of high-dimensional data are simultaneously required from an employed method. However, it is difficult to find a method in the current literature that can perform these two tasks effectively. This paper proposes a variant of the Learning Vector Quantization (LVQ) algorithm as Data-Structure Preserving LVQ (LVQ(dsp)) by combining the classical LVQ1 algorithm with a proposed visualization mechanism, to support these two tasks on high-dimensional datasets. Simulations on several benchmark datasets demonstrated LVQ(dsp)'s promising capability of producing data-structure preserving visualizations in addition to offering excellent classification rates.

SUN Yi-jun,ZHANG Hong-li,HE Hui

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.21.036

2007-01-01

Computer Engineering and Applications Journal

Abstract:Visualization of security events is an important component of large-scale network security warning.The research includes combining structural characteristic of large-scale network topology with the H3 algorithm in the field of information visualization,providing methods for visualizing the overall distribution and local details of large-scale network security events,and applying it effectively to the visualization of network security data on CERNET.Experiment results show that the methods present a sound visual effect to the network administrator to help him/her grasp the global security situation,and then work out an effective control plan in an overall perspective.

Chunyuan Wu,Shiying Sheng,Xiaoju Dong

DOI: https://doi.org/10.1109/SMC.2018.00507

2018-01-01

Abstract:Computer networks have been widely used and the network security is becoming a critical issue due to the frequent attacks. Among these attacks, the DDoS attack is a destructive attack method, which can cause enormous loss and is difficult to detect. The network administrators work on large volume of traffic data to monitor the DDoS attack. The information visualization method is then introduced to the domain of network security and DDoS attack detection to better comprehend the information behind the multi-dimensional data. Various visualization methods have been proposed to detect the DDoS attack. However, little research has been carried out to give an overview of the existing methods. In this work, we surveyed the literature from 2004 to 2017 concerning network security visualization. We have selected the methods designed for or that can be applied to DDoS attack detection. We have classified these methods and given the advantages and shortcomings of each kind of method. We then proposed the future work in this area, which is aimed at helping the researchers in this area to have a comprehensive view of DDoS visualization.