Visualizations for Cybersecurity
PA214 — Visualization II
Vít Rusňák
https://cybermap.kaspersky.com
Talk Overview
• Users and Data

• Visualization Categories

• Trends in Cybersecurity Visualization Research
Typical Users
Cybersecurity operations (L1)

• monitoring, countermeasures 

• CSIRT, Incident handlers

Cybersecurity Analysts (L2)

• network tra
ffi
c anomalies, malware analysts, penetration testing

Management (both IT and non-IT background)

• Chief information security o
ffi
cer (CISO), policy makers, lawyers

Cybersecurity Researchers
• simulations, process automation, application of ML/AI
Data Sources
Applications Network Services Proxies
Operating System
Firewalls
Intrusion Detection
Systems
Passive Network
Analysis
Traf
fi
c Flows
Packet Captures
Logs
Time-series
Adapted from [1]
Complexity of Visualizations
Monitoring
Analysis
Simulations and 

Predictions
Dashboards
VA Visualizations
Modeling, Explainable AI
Low
High
ComplexityVisualizations
Modeling, Explainable AI
Monitoring Image source: https://www.logpoint.com/en/
Characteristics
• Dashboards are prevalent

• Typically easy to read, decode and understand, multiple views (panels)
• Goal(s): situational awareness, trends, outliers and anomalies (e.g., peaks)

• Typical visualizations: tables, line/area charts, sparklines
(microvisualizations), basic 2D charts (bar charts, heatmaps), basic
geovisualizations (choropleth, links)

• Shortcuts and click-throughs allowing drill-down in analytical tools
Dashboards
Provide
• current value of key measures (KPI, number of detected events, blocked IP addresses, …)

• comparison to target measures (di
ff
erence, trend)

• a range of possible values of the measures with a qualitative association (semaphore, warnings)

Types
• Operational (monitoring, single source of information)

• Tactical (planning) 

• Strategic (management)
“A dashboard is a visual display of the most important information needed to achieve one or more
objectives that has been consolidated in a single computer screen so it can be monitored at a glance.”
— Stephen Few, Information Dashboard Design
Examples: Commercial Tools
Source: https://demo.
fl
owmon.com
Examples: Commercial Tools
Source: https://www.solarwinds.com/security-event-manager/use-cases/event-log-analyzer-tool
Examples: Commercial Tools
Source: https://www.tenable.com/sc-dashboards/cyber-essentials-scheme-dashboard
Source [4], video from https://www.youtube.com/watch?v=7-RkJOdqHvI
Examples: Research
Analysis Source: [5]
Characteristics
• Drill-down Visual Analytics Tools
• Usually designed for particular use-case (e.g., malware vs. network analysis)

• Goal(s): Reduce “time-to-insight”, automate repetitive tasks, help to identify
anomalies in data

• Typical visualizations: linked views, basic but also novel visualization types

• Extend command line interface, use of APIs 

• Supported in existing systems (e.g, Splunk, Flowmon ADS) vs. custom-made tools

• Computational notebooks (e.g., Jupyter) are also in this category
Example: File System Analysis
Source: [6]
Example: Traf
fi
c Analysis
Source: [8]
Predictions and Simulations Source: [9]
Characteristics
• Visual support for understanding ML/AI techniques, visualizations for
explainability (XAI = eXplainable AI)

• Goal(s): understanding ML/AI techniques, behavior explanation, trust building

• Typical visualizations: clustering visualizations (for dimensionality reduction
methods), linked views, basic visualizations

• Rise on popularity correlates with growing application of ML/AI in
cybersecurity. 

• Explainability approaches are transferable between di
ff
erent domains
AI in Cybersecurity
• Application of AI in cybersecurity is substantially di
ffi
cult comparing to
domains such as image recognition

• Three main areas:

• Insights Generation: analyze the data to discover hidden patterns which can
be used by decision-makers in order to react to anomalies.

• Recommendations: the model discovers patterns in the data and provides
recommendations on what should be best to do to a security specialist.

• Autonomous mitigation: the model discovers patterns and tries to
automatically solve problems without needing user input (e.g., approvals).
Example: Alert Predictions
Source: [9]
Simulations
• Largely unexplored

• Areas:

• Attack surface and attack vectors

• Scenario modelling tool

• Autonomous agents (attackres)
behavior

• Comparison and explanation of
their decisions
Source: [11]
CyberSecVis Research
Source: [3]
VizSec papers 2004—2015
Utilization of Visualizations
Source: [3]
VizSec papers 2004—2015
Utilization of Visual Metaphors
Source: [3]
VizSec papers 2004—2015
Interface Complexity
Source: [3]
VizSec papers 2004—2015
Take-aways
• Cybersecurity visualizations (as many others) span multiple subcategories

• Common 2D charts are predominant, complex visualizations are mostly
research prototypes only

• The commercial tools use only common charts and visualizations …

… → lot of space for improvements

• Growing area of interest due to the lack of skilled personnel.
Resources
• [1] Ra
ff
ael Marty. 2008. Applied Security Visualization (1st. ed.). Addison-Wesley Professional.

• [2] Jay Jacobs, Bob Rudis. 2014. Data-Driven Security: Analysis, Visualization and Dashboards.

• [3] R. J. Crouser, E. Fukuda and S. Sridhar, "Retrospective on a decade of research in visualization for cybersecurity," 2017 IEEE International Symposium on Technologies
for Homeland Security (HST), Waltham, MA, USA, 2017, pp. 1-5, doi: 10.1109/THS.2017.7943494.

• [4] S. Mckenna, D. Staheli and M. Meyer, "Unlocking user-centered design methods for building cyber security visualizations," 2015 IEEE Symposium on Visualization for
Cyber Security (VizSec), Chicago, IL, USA, 2015, pp. 1-8, doi: 10.1109/VIZSEC.2015.7312771.

• [5] M. Angelini et al., "SymNav: Visually Assisting Symbolic Execution," 2019 IEEE Symposium on Visualization for Cyber Security (VizSec), Vancouver, BC, Canada, 2019,
pp. 1-11, doi: 10.1109/VizSec48167.2019.9161524.

• [6] M. Beran, F. Hrdina, D. Kouřil, R. Ošlejšek and K. Zákopčanová, "Exploratory Analysis of File System Metadata for Rapid Investigation of Security Incidents," 2020 IEEE
Symposium on Visualization for Cyber Security (VizSec), Salt Lake City, UT, USA, 2020, pp. 11-20, doi: 10.1109/VizSec51108.2020.00008.

• [7] B. C. M. Cappers, P. N. Meessen, S. Etalle and J. J. van Wijk, "Eventpad: Rapid Malware Analysis and Reverse Engineering using Visual Analytics," 2018 IEEE
Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany, 2018, pp. 1-8, doi: 10.1109/VIZSEC.2018.8709230.

• [8] A. Ulmer, D. Sessler and J. Kohlhammer, "NetCapVis: Web-based Progressive Visual Analytics for Network Packet Captures," 2019 IEEE Symposium on Visualization for
Cyber Security (VizSec), Vancouver, BC, Canada, 2019, pp. 1-10, doi: 10.1109/VizSec48167.2019.9161633.

• [9] A. Sopan, M. Berninger, M. Mulakaluri and R. Katakam, "Building a Machine Learning Model for the SOC, by the Input from the SOC, and Analyzing it for the SOC," 2018
IEEE Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany, 2018, pp. 1-8, doi: 10.1109/VIZSEC.2018.8709231.

• [10] B. C. M. Cappers and J. J. van Wijk, "SNAPS: Semantic network tra
ffi
c analysis through projection and selection," 2015 IEEE Symposium on Visualization for Cyber
Security (VizSec), Chicago, IL, USA, 2015, pp. 1-8, doi: 10.1109/VIZSEC.2015.7312768.

• [11] Moskal S, Yang SJ, Kuhl ME. Cyber threat assessment via attack scenario simulation using an integrated adversary and network modeling approach. The Journal of
Defense Modeling and Simulation. 2018;15(1):13-29. doi:10.1177/1548512917725408

Other
• IEEE Symposium on Visualization for Cyber Security https://vizsec.org and its database of published papers: https://vizsec.dbvis.de 

• Shixia Liu, Xiting Wang, Mengchen Liu, Jun Zhu, Towards better analysis of machine learning models: A visual analytics perspective, Visual Informatics, Volume 1, Issue 1,
2017, Pages 48-56, ISSN 2468-502X