Visualizations for Cybersecurity PA214 — Visualization II Vít Rusňák https://cybermap.kaspersky.com Talk Overview • Users and Data • Visualization Categories • Trends in Cybersecurity Visualization Research Typical Users Cybersecurity operations (L1) • monitoring, countermeasures • CSIRT, Incident handlers Cybersecurity Analysts (L2) • network tra ffi c anomalies, malware analysts, penetration testing Management (both IT and non-IT background) • Chief information security o ffi cer (CISO), policy makers, lawyers Cybersecurity Researchers • simulations, process automation, application of ML/AI Data Sources Applications Network Services Proxies Operating System Firewalls Intrusion Detection Systems Passive Network Analysis Traf fi c Flows Packet Captures Static data Time-series Adapted from [1] Complexity of Visualizations Monitoring Analysis Simulations and 
 Predictions Dashboards VA Visualizations Modeling, Explainable AI Low High ComplexityVisualizations Modeling, Explainable AI Monitoring Image source: https://www.logpoint.com/en/ Characteristics • Dashboards are prevalent • Typically easy to read, decode and understand, multiple views (panels) • Goal(s): situational awareness, trends, outliers and anomalies (e.g., peaks) • Typical visualizations: tables, line/area charts, sparklines (microvisualizations), basic 2D charts (bar charts, heatmaps), basic geovisualizations (choropleth, links) • Shortcuts and click-throughs allowing drill-down in analytical tools Dashboards Provide • current value of key measures (KPI, number of detected events, blocked IP addresses, …) • comparison to target measures (di ff erence, trend) • a range of possible values of the measures with a qualitative association (semaphore, warnings) Types • Operational (monitoring, single source of information) • Tactical (planning) • Strategic (management) “A dashboard is a visual display of the most important information needed to achieve one or more objectives that has been consolidated in a single computer screen so it can be monitored at a glance.” — Stephen Few, Information Dashboard Design Examples: Commercial Tools Source: https://demo. fl owmon.com Examples: Commercial Tools Source: https://www.solarwinds.com/security-event-manager/use-cases/event-log-analyzer-tool Examples: Commercial Tools Source: https://www.tenable.com/sc-dashboards/cyber-essentials-scheme-dashboard Source [4], video from https://www.youtube.com/watch?v=7-RkJOdqHvI Examples: Research Analysis Source: [5] Characteristics • Drill-down Visual Analytics Tools • Usually designed for particular use-case (e.g., malware vs. network analysis) • Goal(s): Reduce “time-to-insight”, automate repetitive tasks, help to identify anomalies in data • Typical visualizations: linked views, basic visualizations, but also novel visualizations • Extend command line tools, use of APIs • Supported in existing systems (e.g, Splunk, Flowmon ADS) vs. custom-made tools • Computational notebooks (e.g., Jupyter) are also in this category Example: File System Analysis Source: [6] Example: Malware Analysis Source: [7] Example: Network Analysis Source: [8] Example: Traf fi c Analysis Source: [10] Predictions and Simulations Source: [9] Characteristics • Visual support for understanding ML/AI techniques, visualizations for eXplainable AI • Goal(s): early warning, understanding ML/AI techniques, explain their behavior, gain trust in them • Typical visualizations: clustering visualizations (for dimensionality reduction methods), linked views, basic visualizations, • Rise on popularity correlates with growing application of ML/AI in cybersecurity AI in Cybersecurity • Application of AI in cybersecurity is substantially di ffi cult comparing to domains such as image recognition • Three main areas: • Insights Generation: analyze the data to discover hidden patterns which can be used by decision-makers in order to react to anomalies. • Recommendations: the model discovers patterns in the data and provides recommendations on what should be best to do to a security specialist. • Autonomous mitigation: the model discovers patterns and tries to automatically solve problems without needing humans authorization. Example: Alert Predictions Source: [9] Simulations • Largely unexplored • Areas: • Attack surface and attack vectors • Scenario modelling tool • Autonomous agents (attackres) behavior • Comparison and explanation of their decisions Source: [11] CyberSecVis Research Source: [3] VizSec papers 2004—2015 Utilization of Visualizations Source: [3] VizSec papers 2004—2015 Utilization of Visual Metaphors Source: [3] VizSec papers 2004—2015 Interface Complexity Source: [3] VizSec papers 2004—2015 Take-aways • Cybersecurity visualizations (as any others) span multiple subcategories • Common 2D charts are predominant, complex visualizations are mostly research prototypes only • The commercial tools use only common charts and visualizations … … → lot of space for improvements • Research prototypes Resources • [1] Ra ff ael Marty. 2008. Applied Security Visualization (1st. ed.). Addison-Wesley Professional. • [2] Jay Jacobs, Bob Rudis. 2014. Data-Driven Security: Analysis, Visualization and Dashboards. • [3] R. J. Crouser, E. Fukuda and S. Sridhar, "Retrospective on a decade of research in visualization for cybersecurity," 2017 IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, USA, 2017, pp. 1-5, doi: 10.1109/THS.2017.7943494. • [4] S. Mckenna, D. Staheli and M. Meyer, "Unlocking user-centered design methods for building cyber security visualizations," 2015 IEEE Symposium on Visualization for Cyber Security (VizSec), Chicago, IL, USA, 2015, pp. 1-8, doi: 10.1109/VIZSEC.2015.7312771. • [5] M. Angelini et al., "SymNav: Visually Assisting Symbolic Execution," 2019 IEEE Symposium on Visualization for Cyber Security (VizSec), Vancouver, BC, Canada, 2019, pp. 1-11, doi: 10.1109/VizSec48167.2019.9161524. • [6] M. Beran, F. Hrdina, D. Kouřil, R. Ošlejšek and K. Zákopčanová, "Exploratory Analysis of File System Metadata for Rapid Investigation of Security Incidents," 2020 IEEE Symposium on Visualization for Cyber Security (VizSec), Salt Lake City, UT, USA, 2020, pp. 11-20, doi: 10.1109/VizSec51108.2020.00008. • [7] B. C. M. Cappers, P. N. Meessen, S. Etalle and J. J. van Wijk, "Eventpad: Rapid Malware Analysis and Reverse Engineering using Visual Analytics," 2018 IEEE Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany, 2018, pp. 1-8, doi: 10.1109/VIZSEC.2018.8709230. • [8] A. Ulmer, D. Sessler and J. Kohlhammer, "NetCapVis: Web-based Progressive Visual Analytics for Network Packet Captures," 2019 IEEE Symposium on Visualization for Cyber Security (VizSec), Vancouver, BC, Canada, 2019, pp. 1-10, doi: 10.1109/VizSec48167.2019.9161633. • [9] A. Sopan, M. Berninger, M. Mulakaluri and R. Katakam, "Building a Machine Learning Model for the SOC, by the Input from the SOC, and Analyzing it for the SOC," 2018 IEEE Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany, 2018, pp. 1-8, doi: 10.1109/VIZSEC.2018.8709231. • [10] B. C. M. Cappers and J. J. van Wijk, "SNAPS: Semantic network tra ffi c analysis through projection and selection," 2015 IEEE Symposium on Visualization for Cyber Security (VizSec), Chicago, IL, USA, 2015, pp. 1-8, doi: 10.1109/VIZSEC.2015.7312768. • [11] Moskal S, Yang SJ, Kuhl ME. Cyber threat assessment via attack scenario simulation using an integrated adversary and network modeling approach. The Journal of Defense Modeling and Simulation. 2018;15(1):13-29. doi:10.1177/1548512917725408 Other • IEEE Symposium on Visualization for Cyber Security https://vizsec.org and its database of published papers: https://vizsec.dbvis.de • Shixia Liu, Xiting Wang, Mengchen Liu, Jun Zhu, Towards better analysis of machine learning models: A visual analytics perspective, Visual Informatics, Volume 1, Issue 1, 2017, Pages 48-56, ISSN 2468-502X