This Article 
 Bibliographic References 
 Add to: 
Visual Discovery in Computer Network Defense
September/October 2007 (vol. 27 no. 5)
pp. 20-27
Anita D. D'Amico, Applied Visions
John R. Goodall, Applied Visions
Daniel R. Tesone, Applied Visions
Jason K. Kopylec, Applied Visions
Computer network defense (CND) requires analysts to detect both known and novel forms of attacks in massive volumes of network data. Visualization tools can potentially assist in the discovery of suspicious patterns of network activity and relationships between seemingly disparate security events, but few CND analysts are leveraging visualization technologies in their current practice. To address this, we created a new visualization framework, VIAssist, based on a comprehensive cognitive task analysis of CND analysts. We designed VIAssist to fit the work practices and operational environments of those analysts. This article describes the major visual analytic features of VIAssist that address the needs of CND analysts, including its coordinated visualizations and interactive report building capabilities. A scenario illustrates how it can be used to discover the unexpected in network flow data.

1. A. D'Amico et al., "Achieving Cyber Defense Situational Awareness: A Cognitive Task Analysis of Information Assurance Analysts," Proc. Human Factors and Ergonomics Soc. 49th Ann. Meeting, HFES Press, 2005, pp. 229–233.
2. A. D'Amico and M. Larkin, "Methods of Visualizing Temporal Patterns in and Mission Impact of Computer Security Breaches," DARPA Information Survivability Conf. and Exposition (DISCEX II), IEEE Press, 2001, pp. 343–354.
3. DTO Reference Data Set 4s4, Skaion Corp., North Chelmsford, Mass., 2005.
1. R.P. Hoffman and D.D. Woods, "Studying Cognitive Systems in Context," Human Factors, vol. 42, no. 1, 2000, pp. 1–7.
1. R.A. Becker, S.G. Eick, and A.R. Wilks, "Visualizing Network Data," IEEE Trans. Visualization and Computer Graphics, vol. 1, no. 1, 1995, pp. 16–28.
2. K. Lakkaraju, W. Yurcik, and A.J. Lee, "NVisionIP: NetFlow Visualizations of System State for Security Situational Awareness," Proc. ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 65–72.
3. P. Ren et al., "IDGraphs: Intrusion Detection and Analysis Using Stream Compositing," IEEE Computer Graphics and Applications, vol. 26, no. 2, 2006, pp. 28–39.
4. G. Conti et al., "Visual Exploration of Malicious Network Objects Using Semantic Zoom, Interactive Encoding and Dynamic Queries," Proc. Int'l Workshop Visualization for Computer Security (VizSEC), IEEE CS Press, 2005, pp. 83–90.
5. J.R. Goodall et al., "Focusing on Context in Network Traffic Analysis," IEEE Computer Graphics and Applications, vol. 26, no. 2, 2006 pp. 72–80.
6. Y. Livnat et al., "A Visualization Paradigm for Network Intrusion Detection," Proc. IEEE Workshop Information Assurance and Security (IAW), IEEE Press, 2005, pp. 92–99.
7. K. Abdullah et al., "Visualizing Network Data for Intrusion Detection," Proc. IEEE Workshop Information Assurance and Security (IAW), IEEE Press, 2005, pp. 100–108.

Index Terms:
visual analytics, information visualization, information security, situational awareness, user-centered design
Anita D. D'Amico, John R. Goodall, Daniel R. Tesone, Jason K. Kopylec, "Visual Discovery in Computer Network Defense," IEEE Computer Graphics and Applications, vol. 27, no. 5, pp. 20-27, Sept.-Oct. 2007, doi:10.1109/MCG.2007.137
Usage of this product signifies your acceptance of the Terms of Use.