Visual fusion and analysis for multivariate heterogeneous network security data
ZHANG Sheng1,2, SHI Ronghua1, ZHAO Ying1
1. School of Information Science and Engineering, Central South University, Changsha Hunan 410083, China;
2. Modern Educational Technology Center, Hunan University of Commerce, Changsha Hunan 410205, China
As modern network security devices proliferate, the logs they produce are becoming increasingly heterogeneous. To cope with large-scale, heterogeneous and rapidly changing network logs, a visual method was proposed for fusing network security logs and understanding the network security situation. First, eight characteristics were selected from the heterogeneous security logs, and information entropy, a weighting method and a statistical method were applied respectively to pre-process these network characteristics. Second, a treemap and glyphs were used to examine security details at the micro level, and a time-series chart was used to show the development trend of the network at the macro level. Finally, the system also derived graphical features to visually analyze network attack patterns. Experiments on the network security datasets of VAST Challenge 2013 show that the proposed method has substantial advantages in understanding the network security situation, identifying anomalies, discovering attack patterns and removing false positives.
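The abstract describes the pre-processing stage only in outline (entropy, weighting and statistics over selected characteristics of heterogeneous logs). The following is an added example, not code from the paper or its authors, of what such a fusion and entropy pre-processing step can look like: three constructed device formats (firewall, IDS, flow) are mapped to one record schema, the Shannon entropy of a few fields is computed per one-minute window, and each window is scored by its weighted deviation from a baseline. The log formats, the four features, the weights, the baseline length and the threshold are all assumptions made for illustration; the paper's eight characteristics and its weighting scheme are not reproduced here.

```python
"""Added example, not code from the paper: fuse heterogeneous security log
lines into one record schema, compute per-minute Shannon entropy of selected
fields, and score each window by its weighted deviation from a baseline.
Log formats, field choice, weights and threshold are assumptions."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (three device types, three one-minute windows).
# The last window is a port sweep: one source hitting many ports on one host.
SAMPLE_LOGS = [
    "FW 2013-04-01T10:00:01 src=10.0.0.5 dst=172.16.0.2 dport=80 action=allow",
    "FW 2013-04-01T10:00:02 src=10.0.0.6 dst=172.16.0.3 dport=443 action=allow",
    "IDS 2013-04-01T10:00:03 src=10.0.0.7 dst=172.16.0.2 dport=22 sig=SSH-LOGIN prio=3",
    "FLOW 2013-04-01T10:00:04 src=10.0.0.9 dst=172.16.0.3 dport=53 bytes=120",
    "FW 2013-04-01T10:01:01 src=10.0.0.5 dst=172.16.0.2 dport=80 action=allow",
    "FW 2013-04-01T10:01:02 src=10.0.0.6 dst=172.16.0.3 dport=443 action=allow",
    "IDS 2013-04-01T10:01:03 src=10.0.0.8 dst=172.16.0.2 dport=25 sig=SMTP-VRFY prio=3",
    "FLOW 2013-04-01T10:01:04 src=10.0.0.9 dst=172.16.0.3 dport=53 bytes=98",
] + [
    f"FW 2013-04-01T10:02:{i:02d} src=10.0.0.5 dst=172.16.0.2 dport={i} action=deny"
    for i in range(1, 9)
]

# One regex per (assumed) device format; every parser yields the same schema.
LOG_PATTERNS = {
    "FW": re.compile(r"^FW (\S+) src=(\S+) dst=(\S+) dport=(\d+) action=\S+$"),
    "IDS": re.compile(r"^IDS (\S+) src=(\S+) dst=(\S+) dport=(\d+) sig=\S+ prio=\d+$"),
    "FLOW": re.compile(r"^FLOW (\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=\d+$"),
}

FEATURES = ("src", "dst", "dport", "kind")
WEIGHTS = {"src": 1.0, "dst": 1.0, "dport": 2.0, "kind": 0.5}  # assumed weights


def parse_line(line):
    """Map one raw line to the common schema, or None if it is unrecognised."""
    kind = line.split(" ", 1)[0]
    pattern = LOG_PATTERNS.get(kind)
    m = pattern.match(line) if pattern else None
    if m is None:
        return None
    ts, src, dst, dport = m.groups()
    # The window key is the timestamp truncated to the minute.
    return {"kind": kind, "window": ts[:16], "src": src, "dst": dst, "dport": int(dport)}


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_entropies(records):
    """Per-window entropy of each feature, plus the record count as a statistic."""
    by_window = defaultdict(list)
    for r in records:
        by_window[r["window"]].append(r)
    profile = {}
    for window in sorted(by_window):
        recs = by_window[window]
        profile[window] = {f: shannon_entropy([r[f] for r in recs]) for f in FEATURES}
        profile[window]["count"] = len(recs)
    return profile


def deviation_scores(profile, baseline_windows):
    """Weighted L1 distance of each window's entropy vector from the mean over
    the first `baseline_windows` windows. Absolute distance matters: a port
    sweep raises dport entropy but collapses src/dst entropy, so a plain sum
    of entropies would look lower than normal traffic and the sweep would be
    missed."""
    windows = sorted(profile)
    base = windows[:baseline_windows]
    mean = {f: sum(profile[w][f] for w in base) / len(base) for f in FEATURES}
    return {w: sum(WEIGHTS[f] * abs(profile[w][f] - mean[f]) for f in FEATURES)
            for w in windows}


def analyze(lines, baseline_windows=2, threshold=2.0):
    """Parse, fuse and score; return (scores, windows whose score exceeds threshold)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    scores = deviation_scores(window_entropies(records), baseline_windows)
    flagged = [w for w, s in scores.items() if s > threshold]
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = analyze(SAMPLE_LOGS)
    for w, s in scores.items():
        print(f"{w}  score={s:.2f}{'  <-- anomalous' if w in flagged else ''}")
```

On the constructed input the two baseline minutes score 0 and the sweep minute scores 5.75: its destination-port entropy rises from 2 to 3 bits while source, destination and device-type entropy all fall to 0. Using the absolute per-feature deviation rather than a single aggregate entropy is what lets the scan stand out even though its overall diversity is lower than normal traffic; in a real deployment the baseline would be longer and the weights tuned to the environment rather than fixed as here.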