Visualization for Cyber Security, 2009. VizSec 2009. 6th International Workshop on

Date 11-11 Oct. 2009

  • [Title page]

    Page(s): i
    Freely Available from IEEE
  • [Copyright notice]

    Page(s): ii
    Freely Available from IEEE
  • Contents

    Page(s): iii
    Freely Available from IEEE
  • Message from the workshop chairs

    Page(s): iv - v
    Freely Available from IEEE
  • Executive Committee

    Page(s): vi
    Freely Available from IEEE
  • Keynote address: Visual tools for security: Is there a there there?

    Page(s): viii

    It seems obvious: networks, software, authentication, and people have important and often complicated relationships and interactions. There's far too much going on to keep track of all of it, but we know there are important devils down in the details. We know they are there. Though many have been chasing this dream of security visualization for a couple of decades, we don't have that much to show for our efforts. We use NOCs and tools widely for managing large networks, but they get complicated fast. And most of the anomalous activity is weird but benign, leaving us awash in a sea of false positives. And those people in the NOCs seem totally resistant to 3D displays, data gloves, and other cool tools of our trade. What can we do? How can we help, really?
  • Committee

    Page(s): vii
    Freely Available from IEEE
  • Visualization of complex attacks and state of attacked network

    Page(s): 1 - 9

    This paper deals with the visualization of complex attacks. "Complex attacks" is used here to denote the type of attack which consists of a sequence of related events, namely a multistep attack, a DDoS attack and the like. While there are numerous systems to visualize events that occur in the network, most of them are too complex to perceive, and require several visualization modes. This work presents a technique whereby the operator, using visualization alone, is able to display the full picture of events occurring in the network. The main feature of this method is the high recognition ratio of complex attacks as the sequence of constituent common events.
  • [Blank page]

    Page(s): 1
    Freely Available from IEEE
  • Over flow: An overview visualization for network analysis

    Page(s): 11 - 19

    Many network visualizations make the assumption that an administrator has previously determined the subset of data that should be visualized. Yet the problem remains that if the visualization provides no insight into the network events that warrant further consideration, then the administrator must go back to the data to determine what should be visualized next. This is a critical issue given the amount of network data under consideration, only a small portion of which can be examined at any one time. In this paper we present a visualization that provides context for network visualizations by providing a high-level view of network events. Our visualization not only provides a starting point for network visualization, but also reduces the cognitive burden of the analyst by providing a visual paradigm for both the filtering of network data and the selection of network data to drill into and visualize with alternative representations. We demonstrate, through the use of a case study, that our visualization can provide motivation for further investigation into anomalous network activity.
  • [Blank page]

    Page(s): 1
    Freely Available from IEEE
  • Security visualization tools and IPv6 addresses

    Page(s): 21 - 26

    Visualization is used by security analysts to help detect patterns and trends in large volumes of network traffic data. With IPv6 slowly being deployed around the world, network intruders are beginning to adapt their tools and techniques to work over IPv6 (vs. IPv4). Many tools for visualizing network activity, while useful for detecting large-scale attacks and network behavior anomalies, still only support IPv4. In this paper, we explore the current state of IPv6 support in some popular security visualization tools and identify the roadblocks preventing those tools from supporting the new protocol. We propose a filtering technique that helps reduce the occlusion of IPv6 sources on graphs. We also suggest using treemaps for visually representing the vast space of remote addresses in IPv6.
  • Visualizing compiled executables for malware analysis

    Page(s): 27 - 32

    Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the task of translating assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their overall functionality. This paper presents a method using dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data is processed and presented for the reverse engineer. Using this method the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.
  • Visual analysis of malware behavior using treemaps and thread graphs

    Page(s): 33 - 38

    We study techniques to visualize the behavior of malicious software (malware). Our aim is to help human analysts to quickly assess and classify the nature of a new malware sample. Our techniques are based on a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments. We then explore two visualization techniques: treemaps and thread graphs. We argue that both techniques can effectively support a human analyst (a) in detecting maliciousness of software, and (b) in classifying malicious behavior.
  • A visual analytic framework for exploring relationships in textual contents of digital forensics evidence

    Page(s): 39 - 44

    We describe the development of a set of tools for analyzing the textual contents of digital forensic evidence for the purpose of enhancing an investigator's ability to discover information quickly and efficiently. By examining the textual contents of files and unallocated space, relationships between sets of files and clusters can be formed based on the information that they contain. Using the information gathered from the evidence through the analysis tool, the visualization tool can be used to search through the evidence in an organized and efficient manner. The visualization depicts both the frequency of relevant terms and their location on disk. We also discuss a task analysis with forensics officers to motivate the design.
  • Visualizing cyber security: Usable workspaces

    Page(s): 45 - 56

    The goal of cyber security visualization is to help analysts increase the safety and soundness of our digital infrastructures by providing effective tools and workspaces. Visualization researchers must make visual tools more usable and compelling than the text-based tools that currently dominate cyber analysts' tool chests. A cyber analytics work environment should enable multiple, simultaneous investigations and information foraging, as well as provide a solution space for organizing data. We describe our study of cyber-security professionals and visualizations in a large, high-resolution display work environment and the analytic tasks this environment can support. We articulate a set of design principles for usable cyber analytic workspaces that our studies have brought to light. Finally, we present prototypes designed to meet our guidelines and a usability evaluation of the environment.
  • Visualization is better! A comparative evaluation

    Page(s): 57 - 68

    User testing is an integral component of user-centered design, but has only rarely been applied to visualization for cyber security applications. This paper describes a comparative evaluation of a visualization application and a traditional interface for analyzing network packet captures that was conducted as part of the user-centered design process. Structured, well-defined tasks and exploratory, open-ended tasks were completed with both tools. Accuracy and efficiency were measured for the well-defined tasks, the number of insights was measured for the exploratory tasks, and user perceptions were recorded for each tool. The results of this evaluation demonstrated that users performed significantly more accurately in the well-defined tasks, discovered a higher number of insights and demonstrated a clear preference for the visualization tool. The study presented here may be useful for future visualization for network security visualization evaluation designers. Some of the challenges and lessons learned are described.
  • Visualizing keyboard pattern passwords

    Page(s): 69 - 73

    Passwords are a fundamental security vulnerability in many systems. Several researchers have investigated the tradeoff between password memorability versus resiliency to cracking and have looked at alternative systems such as graphical passwords and biometrics. To create stronger passwords, many systems enforce rules regarding the required length and types of characters passwords must contain. Another suggested approach is to use passphrases to combat dictionary attacks. One common "trick" used to remember passwords that conform to complex rules is to select a pattern of keys on the keyboard. While appearing random, the pattern is easy to remember. The purpose of this research was to investigate how often patterns are used, whether patterns could be classified into common categories, and whether those categories could be used to attack and defeat pattern-based passwords. Visualization techniques were used to collect data and assist in pattern categorization. The approach successfully identified two out of eleven passwords in a real-world password file that were not discovered with a traditional dictionary attack. This paper will present the approach used to collect and categorize patterns, and describe the resulting attack method that successfully identified passwords in a live system.
  • [Blank page]

    Page(s): 1
    Freely Available from IEEE
  • Visualizing firewall configurations using created voids

    Page(s): 75 - 79

    Security configuration files are created and edited as text files. These files are the essential definition and control of the behavior of security devices. Despite their significant size, complexity, and the possibility of interaction between entries, no visually sophisticated tools exist that explicitly capture and visualize problematic interactions between rules to aid in the comprehension and modification of configuration files. Our initial work on the direct visualization of firewall configurations showed the limitations of visualizing just the range of packets that can be accepted. To visually capture the interactions between rules, we introduce the concept of a "created void." Created voids capture the information about destructive interactions between rules in a firewall ruleset, where an overlap with a deny rule prevents that packet from reaching an accept rule later in the ruleset. We present a lossless five-dimensional visualization of the convex solid decomposition of the set of acceptable packets from a firewall configuration, augmented with visual representations of created voids. This interactive visualization is embedded in a simple firewall ruleset editor, allowing the user to investigate the effect of changes in the ruleset.
  • [Blank page]

    Page(s): 1
    Freely Available from IEEE
  • Author index

    Page(s): 1 - 2
    Freely Available from IEEE
  • [Front cover]

    Page(s): c1
    Freely Available from IEEE