Defense:Security Visualization

From Troy Nunnally Wiki

DAVIX Live CD Visualization Tools

DAVIX, a live CD based on the SLAX distribution, bundles a set of data analysis and visualization tools. For more information on installing DAVIX please visit Installing DAVIX. Some of the tools are:

AfterGlow 
AfterGlow converts CSV input into a DOT graph language file that the Graphviz tools can lay out, or into other formats that other visualization tools can process. AfterGlow 1.x is written in Perl and produces link graphs; AfterGlow 2.0 is written in Java and generates treemaps. For more information please visit http://afterglow.sourceforge.net/main.html.
ARGUS 
ARGUS is primarily used to collect traffic flows from a host. It captures and analyzes network transaction (flow) information.
Chaosreader 
The tool reassembles application content (sessions, files, images) from network capture files. The extracted information is then made available as an HTML report from which the individual content elements can be accessed.
ChartDirector 
Perl programming library to generate a wide variety of charts.
Cytoscape 
Generation and display of two-dimensional link graphs
Cyberseer 
3D audio-visual immersion for network security and management.
Dotty and lneato 
Interactive viewers and editors for Graphviz graphs (dotty for dot layouts, lneato for neato layouts).
EtherApe 
Real-time visualization of network traffic
fe3D 
Front End 3D. 3D front end to nmap if nmap is available.
GeoIP 
Lookup of country information for an IP address or a host name. When the extended geocoding databases are purchased from MaxMind, latitude and longitude information is displayed as well.
GGobi 
Visualizes data with different graph types and allows brushing (selecting points in one view to highlight them in the others).
glTail 
Real-time visualization of web server traffic.
GNUplot 
Generation of various types of simple graphs.
Graphviz 
Generation of two-dimensional link graphs.
GUESS 
Display and interaction with two-dimensional link graphs. Has the capability to use a scripting language to process graphs.
gwhois 
A generic whois client that can handle web site based whois services
InetVis 
Real-time visualization of network traffic as a three-dimensional scatter plot.
Large Graph Layout - LGL 
Generation of two- and three-dimensional link graphs. Large Graph Layout is a compendium of applications for making the visualization of large networks and trees tractable. LGL was specifically motivated by the need to make the visualization and exploration of large biological networks more accessible. Essentially the network is a graph, which is the data that you define, and LGL is responsible for showing it to you. Download from http://lgl.sourceforge.net/
Mondrian 
Generation and display of a variety of linked charts. Mondrian is a general purpose statistical data-visualization system written in Java (not to be confused with the Mondrian OLAP engine of the same name). It features strong visualization techniques for data of almost any kind, and has its particular strength compared to other tools when working with geographical data, categorical data and large data sets.
Currently implemented plots comprise Mosaic Plot, Scatterplots and SPLOM, Maps, Barcharts, Histograms, Missing Value Plot, Parallel Coordinates/Boxplots and Boxplots y by x. Download from http://sourceforge.net/projects/mondrian/
MRTG/RRD 
Visualization of traffic load on network devices using SNMP queries.
NVisionIP 
Animated two-dimensional scatter plot of ARGUS files.
Netbytes Viewer 
Displays network flow data per port of an individual host or subnet as a 3D impulse graph plot.
Netviewer 
Visualization for network events in 3D
Parvis 
Rendering of data as parallel coordinate display. Parvis is a tool for parallel coordinates visualisation of multidimensional data sets. The main goal was to develop a flexible, reusable user-interface component compliant to the Java Swing and Java Beans standards, to perform state of the art visualization and provide the user with the necessary means of visual interaction with the data set. Can be downloaded from http://www.mediavirus.org/parvis/.
Passive Asset Detection System - PADS 
PADS passively fingerprints hosts on the network and the services they offer, without sending any probes.
Ploticus 
Generation of all kinds of charts.
Portvis 
A visualization tool that detects large-scale network security events and generates patterns for these events.
p0f 
Passive identification of a remote host's operating system.
Processing 
A visualization framework that allows you to program visualizations in Java style language and provides a runtime environment to view these programs.
R Project 
Tool for statistical analysis that offers a great variety of graphing capabilities. R is a free software environment for statistical computing and graphics. It compiles and runs on a wide variety of UNIX platforms. More information is located at http://www.r-project.org/
RT graph 3D (RT3DG) 
Real-time 3D visualization of linked graphs.
rumint (Installed on Visualization Computer) 
Visualization of real-time and recorded network captures. Since rumint is running in Wine, sniffing of real-time traffic is not supported.
Scapy 
Capture and manipulation of TCP/IP traffic. Visualization of traceroutes.
SecVis 
Parallel visualization of source IP and destination port with relation to time.
SecureScope 
3D visualization of network with location, host version, and attack type.
Shell Tools 
Common UNIX tools (awk, grep, sed) for processing text files.
Shoki Packet Hustler 
Visualization of network traffic as a three-dimensional scatter plot.
Snort 
Intrusion detection system that analyzes live traffic or network capture files.
Spinning Cube of Potential Doom 
A visualization tool that displays overall level of malicious traffic with a cube the user spins at will.
syslog-ng 
New generation syslog daemon that allows for easy post processing of log events.
tcpdump 
Command line tool for sniffing network traffic.
tcpreplay 
Actually a suite of three tools: tcpreplay replays captured network traffic back onto the network, tcprewrite rewrites packets in capture files, and tcpprep is a pre-processing tool for the other two.
Timesearcher 1 
Analysis of time series data
tnv 
Time based analysis of network traffic.
Treemap 
Visualization of hierarchical data as treemaps. Treemap is a space-constrained visualization of hierarchical structures. It is very effective in showing attributes of leaf nodes using size and color coding. Treemap enables users to compare nodes and sub-trees even at varying depth in the tree, and help them spot patterns and exceptions. The goal of the TreeMap Java Library is to provide a library to ease the implementation of treemap visualization.
Tulip 
Visualization tool for linked graphs that supports several layout algorithms.
VAST 
Visualizing Autonomous System Topology, 3D projection of autonomous system.
Walrus 
Visualization of hierarchical data as three-dimensional link graphs.
Wireshark 
Capturing and dissecting network traffic
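The CSV-to-DOT step that AfterGlow performs is worth seeing end to end. The following is an added example written for this page; it is not AfterGlow's own Perl code nor anything shipped with DAVIX. It mimics AfterGlow's default three-column mode: each `source,event,target` row becomes the edges source -> event -> target, nodes are coloured by the column they first appeared in, and repeated edges are collapsed with a count. The sample rows, the colour choices and the `fan_out` helper (distinct targets per source, the question a link graph of scanning traffic usually answers) are this example's own assumptions. Pipe the output into `dot -Tpng -o graph.png` to render it.

```python
"""AfterGlow-style link graph: CSV rows -> Graphviz DOT.

Added example (not AfterGlow's own code). Three-column mode:
source -> event -> target, nodes coloured per column, repeated
edges collapsed and drawn thicker.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample input: source IP, destination port, destination IP.
SAMPLE_CSV = """\
10.0.0.5,445,192.168.1.10
10.0.0.5,445,192.168.1.11
10.0.0.5,445,192.168.1.12
10.0.0.5,445,192.168.1.10
10.0.0.7,80,192.168.1.10
10.0.0.7,443,192.168.1.10
"""

# Fill colours per column role (assumed here; AfterGlow takes these
# from a property file).
COLOR = {"source": "lightblue", "event": "lightyellow", "target": "lightgrey"}


def parse_csv(text):
    """Return a list of (source, event, target) tuples, skipping bad rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in row]
        if len(fields) != 3 or not all(fields):
            continue  # malformed or empty line: drop it rather than crash
        rows.append(tuple(fields))
    return rows


def dot_escape(value):
    """Escape a value for use inside a double-quoted DOT identifier."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(rows):
    """Build the DOT text for a source -> event -> target link graph."""
    node_role = {}          # node label -> role of the column it first came from
    edge_count = Counter()  # (from, to) -> number of rows producing that edge
    for src, evt, dst in rows:
        for name, role in ((src, "source"), (evt, "event"), (dst, "target")):
            node_role.setdefault(name, role)
        edge_count[(src, evt)] += 1
        edge_count[(evt, dst)] += 1

    lines = ["digraph afterglow {", "  node [style=filled];"]
    for name, role in sorted(node_role.items()):
        lines.append(f'  "{dot_escape(name)}" [fillcolor={COLOR[role]}];')
    for (a, b), n in sorted(edge_count.items()):
        # Line width grows with repetition, capped so one noisy pair
        # cannot drown out the rest of the graph.
        lines.append(
            f'  "{dot_escape(a)}" -> "{dot_escape(b)}" '
            f'[penwidth={min(n, 5)}, label="{n}"];'
        )
    lines.append("}")
    return "\n".join(lines)


def fan_out(rows):
    """Distinct targets per source: a quick horizontal-scan indicator."""
    targets = defaultdict(set)
    for src, _evt, dst in rows:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    rows = parse_csv(SAMPLE_CSV)
    print(to_dot(rows))
    print("# fan-out:", fan_out(rows))
```

Because the event column (the port) is a shared node, every source that hits port 445 converges on one "445" node; that is how AfterGlow's three-column mode behaves, and it is why a port sweep shows up visually as a star around the port node. If you need to keep source/target pairs distinct, make the port an edge label instead of a node.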

Other Visualization Tools

  • Splunk
  • Gephi
  • BINViz (Bidirectional Interactive Network Visualization): a JavaScript library for network and graph visualization. The goal of this tool is to provide a better way to visualize complex graphical models and the underlying data in a web-based environment. For more info, please visit http://sourceforge.net/projects/binviz/
  • Interactive Network Active-traffic Visualization
  • Netview
  • jpcap
  • NetFlow
  • NetFlow Visualizer
  • Nfdump
  • PicViz: uses parallel coordinates to visualize tcpdump, syslog, iptables logs, Apache logs, etc.
  • Tenable Network Security 3D Tool beta Video

Visualization Programming Toolkits

prefuse toolkit 
Prefuse supports a rich set of features for data modeling, visualization, and interaction. It provides optimized data structures for tables, graphs, and trees, a host of layout and visual encoding techniques, and support for animation, dynamic queries, integrated search, and database connectivity. For more information, please visit http://prefuse.org/
Prefuse Flare Toolkit 
Prefuse Flare Toolkit provides visualization and animation tools for ActionScript and the Adobe Flash Player. For more information, please visit http://prefuse.org/
The Visualization Toolkit 
The Visualization Toolkit (VTK) is an open source, freely available software system for 3D computer graphics, modeling, image processing, volume rendering, scientific visualization and information visualization. For more information, please visit http://www.vtk.org/
Tk and Qt GUI Toolkit

Visualization Formats

Security Visualization Books

  • "Applied Security Visualization", by Raffael Marty.
  • "Security Data Visualization: Graphical Techniques for Network Analysis", by Greg Conti. Published by No Starch Press, September 2007; ISBN 9781593271435; 272 pages; 1st edition.
  • "Information Visualization: Perception and Design", by Colin Ware (San Francisco: Morgan Kaufmann Publishers, 2004).
  • "Information Graphics: A Comprehensive Illustrated Reference", by Robert L. Harris (New York: Oxford University Press, 1999).
  • "Envisioning Information", by Edward Tufte (Cheshire, CT: Graphics Press, 1990).
  • "Visual Explanations", by Edward Tufte (Cheshire, CT: Graphics Press, 1997).
  • "The Visual Display of Quantitative Information", by Edward Tufte (Cheshire, CT: Graphics Press, 2001).
  • "Beautiful Evidence", by Edward Tufte (Cheshire, CT: Graphics Press, 2006).

Security Visualization Conferences

  • VizSec/DMSEC
  • SOUPS 2012: Symposium on Usable Privacy and Security. Paper submission date: 3/9/2012.
  • IEEE LCN 2012: The 37th IEEE Conference on Local Computer Networks (LCN). Paper submission date: 4/5/2012.
  • IEEE GlobeCom 2012


Visual Representations

  • Bar Chart (2D, 3D, Stacked)
  • Boxplots and Boxplots y by x
  • Histogram
  • Line Chart
  • link graphs (2D and 3D)
  • Maps
  • Missing Value Plot
  • Mosaic Plot
  • Parallel Coordinate
  • Pie Chart(2D and Stacked)
  • Scatterplot (2D and 3D)
  • SPLOM
  • Treemap
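The treemap in the list above (and the output format of AfterGlow 2.0 and the Treemap library) is simple enough to lay out by hand. The following is an added example written for this page, not code from either project. It takes a nested dict whose leaves are numeric weights (constructed byte counts per destination host and port), cuts each level along the opposite axis from its parent (the classic slice-and-dice scheme), and returns one rectangle per leaf whose area is proportional to its weight; an SVG emitter is included so the result can be opened in a browser. The sample data, the green-to-red colour scale and the function names are this example's own assumptions.

```python
"""Slice-and-dice treemap layout for hierarchical security data.

Added example, not code from the Treemap library or AfterGlow 2.0.
"""

# Constructed sample: bytes per destination host, per destination port.
SAMPLE = {
    "192.168.1.10": {"445": 4000, "80": 1200},
    "192.168.1.11": {"445": 600},
}


def weight(node):
    """Total weight of a subtree (a leaf is its own weight)."""
    if isinstance(node, dict):
        return sum(weight(child) for child in node.values())
    return float(node)


def layout(node, x=0.0, y=0.0, w=100.0, h=100.0, depth=0, path=()):
    """Return [(path, x, y, w, h, value), ...] for every leaf of `node`.

    Even depths split the box horizontally (children side by side),
    odd depths split it vertically. Simple and order-stable, but
    heavily skewed data produces thin slivers; squarified layouts
    trade ordering for better aspect ratios.
    """
    if not isinstance(node, dict):
        return [(path, x, y, w, h, float(node))]
    total = weight(node)
    if total <= 0:
        return []  # nothing to draw; also avoids division by zero
    rects, offset = [], 0.0
    for name, child in sorted(node.items()):
        share = weight(child) / total
        if depth % 2 == 0:
            box = (x + offset * w, y, share * w, h)
        else:
            box = (x, y + offset * h, w, share * h)
        offset += share
        rects.extend(layout(child, *box, depth + 1, path + (name,)))
    return rects


def heat_color(value, vmax):
    """Map a leaf weight onto a green (low) to red (high) hex colour."""
    t = 0.0 if vmax <= 0 else max(0.0, min(1.0, value / vmax))
    return "#%02x%02x00" % (int(255 * t), int(255 * (1 - t)))


def to_svg(tree, width=400, height=200):
    """Render the treemap as a standalone SVG document string."""
    rects = layout(tree, 0.0, 0.0, float(width), float(height))
    vmax = max((r[5] for r in rects), default=0.0)
    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" '
             f'width="{width}" height="{height}">']
    for path, x, y, w, h, value in rects:
        label = "/".join(path)
        parts.append(
            f'<rect x="{x:.1f}" y="{y:.1f}" width="{w:.1f}" height="{h:.1f}" '
            f'fill="{heat_color(value, vmax)}" stroke="white">'
            f'<title>{label}: {value:g}</title></rect>'
        )
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    for path, x, y, w, h, value in layout(SAMPLE, 0, 0, 100, 50):
        print("/".join(path), f"area={w * h:.1f}", f"bytes={value:g}")
    print(to_svg(SAMPLE))
```

Size here encodes volume and colour encodes the same value, which is the usual first cut; in practice you would map colour to a second attribute (alert count, number of distinct sources) so that a small but hot cell still stands out.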

Pcap Repositories

Publicly Available PCAP Files

Applications for Visualization Security

  • visualizing risk
  • visualizing insider threat
  • vulnerability data visualization
  • graphing the decision process
  • honeynet visualization
  • visualizing classification of network traffic

Standards

Standardized Common Event Expression (CEE) 
A standard started by MITRE for the way event data is described, logged, and exchanged between systems. (MITRE has since stopped development of CEE, so treat it as a reference point rather than a target format.)

References

S. Abbott-McCune, A. Newtson, R. Ross, R. Ware, and G. Conti. “Free visualization tools for security analysis and network monitoring.” INSECURE, Issue 15, February 2008, pp. 18-25.
