A Survey of Visualization Systems for Network Security
Aug. 2012 (vol. 18 no. 8)
pp. 1313-1329
A. Shiravi, Inf. Security Centre of Excellence, Univ. of New Brunswick, Fredericton, NB, Canada
H. Shiravi, Inf. Security Centre of Excellence, Univ. of New Brunswick, Fredericton, NB, Canada
A. A. Ghorbani, Inf. Security Centre of Excellence, Univ. of New Brunswick, Fredericton, NB, Canada
Security Visualization is a very young term. It expresses the idea that common visualization techniques have been designed for use cases that are not supportive of security-related data, demanding novel techniques fine-tuned for the purpose of thorough analysis. A significant amount of work has been published in this area, but little work has been done to study this emerging visualization discipline. We offer a comprehensive review of network security visualization and provide a taxonomy in the form of five use-case classes encompassing nearly all recent works in this area. We outline the incorporated visualization techniques and data sources and provide an informative table to display our findings. From the analysis of these systems, we examine issues and concerns regarding network security visualization and provide guidelines and directions for future researchers and visual system developers.

Index Terms:
data visualisation, computer network security, information visualization, network security visualization system, security-related data, taxonomy, use-case classes, data sources, informative table, Data visualization, Security, Servers, Visualization, Monitoring, Feature extraction, IP networks, visualization techniques, Information visualization, network security visualization
Citation:
A. Shiravi, H. Shiravi, A. A. Ghorbani, "A Survey of Visualization Systems for Network Security," IEEE Transactions on Visualization and Computer Graphics, vol. 18, no. 8, pp. 1313-1329, Aug. 2012, doi:10.1109/TVCG.2011.144