
Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9390)

Abstract

In computer networks, many components produce valuable information about themselves or other participants, in particular information relevant to security analysis. Although such information is intrinsically related, since the components are connected by a network, most of them still operate independently and do not share data with each other. Furthermore, the highly dynamic nature of a network hampers a profound understanding of security-relevant situations, such as attack scenarios. Hence, a comprehensive view of the network that includes multiple information sources as well as the temporal evolution of the network would significantly improve security analysis and evaluation capabilities. In this paper, we introduce a comprehensive approach for an integrated visualization, covering all aspects from data acquisition in various sources up to the visual representation of the integrated information. We analyze the requirements on the basis of an example scenario, propose solutions covering these demands based on the IF-MAP protocol, and introduce our software application VisITMeta as a prototypical implementation. We show how the graph-based IF-MAP protocol provides a graphical model for an integrated view of network security.




Acknowledgements

The fruitful collaboration with Gabi Dreo Rodosek, Josef von Helden, Frauke Sprengel, and our students is gratefully acknowledged. This work is financially supported by the German Federal Ministry of Education and Research (BMBF) within the projects VisITMeta (grant no. 17PNT032) and SIMU (grant no. 16KIS0045).

Author information

Correspondence to Volker Ahlers.


Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Ahlers, V. et al. (2016). Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources. In: Mauw, S., Kordy, B., Jajodia, S. (eds) Graphical Models for Security. GraMSec 2015. Lecture Notes in Computer Science, vol 9390. Springer, Cham. https://doi.org/10.1007/978-3-319-29968-6_2

  • DOI: https://doi.org/10.1007/978-3-319-29968-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29967-9

  • Online ISBN: 978-3-319-29968-6