detect intrusions or attacks. Signature based security scanning is also used to detect malicious activities, however, but not as commonly used as anomaly based.
Different Methods of Detecting Malicious
Activities
14 5 0 2 4 6 8 10 12 14 16ANOMALY BASED SIGNATURE BASED
Type of Security Scanning
Number of Counts
Chart 7. Different ways of detecting malicious activities, through anomaly based or signature based security scanning.
Finding false alarms, or false positives, is another task in security visualization
techniques. By simplified definition, false positives occur when normal traffic is detected as an attack. False negatives occur when the system, or technique, fails to alarm real attacks. It is more common, in security visualization, to detect false positives than false negatives, since false negatives occur when a technique cannot function effectively. As mentioned in closely over 80 percent of all papers observed, false positives is a big problem in security visualization. Since data files, such as log files, are huge in size, detecting false alarms are not any less. Being able to decrease, if not eliminate, false alarms can also be an ideal goal in security visualization. False alarms account for much time and effort of users in security visualization; time that could have been spent finding real attacks or intrusions. As a result, some of the security visualization techniques turn their focus on finding false positive rather than finding intrusions or attacks. In [25], a clustering algorithm is used to implement a graph, which shows an abstraction of network traffic. The nodes on the graph represent the computers, and the edges represent the
communication between the computers. The visualization of the traffic depends on the location of the nodes, which are grouped according to their communication strengths. The main
visualization goal of this graph clustering and drawing is to detect false positives rather than finding intrusions or attacks. In [21], the technique implements two tasks, finding false positives and finding intrusions. Normal traffic is displayed as nodes that cluster together. Abnormal traffic does not cluster. However, the cluster algorithm, using SOMs, can detect which unclustered nodes are attacks, and which are false alarms. This is, more or less, as useful and beneficial as finding intrusions in security visualization.
Another important task in security visualization is training classifiers. This refers to being able to classify the data as raw data or classified data. Raw data, of course, are data that are straight from log files, or are things like raw IP addresses, ports, and others. Classified data are data that have been classified to categories, such as attacks, possible attacks (alarms or suspect), or that of non-intrusive nature. Usually, these classified data are the output of other network intrusion detectors. NIVA, from [20], uses network intrusion detectors, like Black Ice or Real Secure, to classify its data. Another example from [29] illustrates the use of classified data. On the detail scatterplot window, the technique allows for the display of the IP addresses being clustered together. On the lower view, the IP addresses are viewed on two 256 x 256 grid, side by side in pairs. The technique assumes that the IP addresses have been scanned thoroughly before being displayed. This is an example of classified data. Thus, training classifiers, though the statistics for such task is relatively low, can be thought of as another functional task in security visualization. Overall, training classifiers is a task that is not at the same level as detecting intrusions or finding false positives. This is due to a variety of reasons. In the future, there can be predictions that the number of training classifiers in security visualization
techniques will increase.
D ifferent T asks in S ecurity Visualization 19 8 5 0 2 4 6 8 10 12 14 16 18 20 FIND ING INTRUS IONS FIND ING FA LS E P OS ITIV E S TRA INING C LA S S IFIE RS Tasks Number of Counts
Chart 8. Comparing different tasks of each security visualization techniques.
As can be observed from the chart, the task of finding intrusions in security visualization accounts for nearly 60 percent of the tasks. Finding false positives account for approximately 25 percent, and training classifiers are about 15 percent. Moreover, detecting intrusions and false positives, together, account for almost 85 percent of the total tasks. It comes to no surprise that finding intrusions is the task most security visualization techniques target. Training classifiers are still at its development stage, where finding false positives are continuing to grow, in some cases may be at the same level as finding intrusions, in the future.
2.4 DESIGN ISSUES
These security visualization techniques require their display of data to be as efficient as possible, possessing simplicity but at the same time, containing sufficient amounts of
information. High dimension data is not considered a problem in security visualization, but more of a difficulty.
Different security visualization techniques deal with their essence of high dimension data in different ways. The amount of information to be displayed on the screen cannot be
insufficient, nor should it be too complicated for users to understand and analyze. When there is too little information displayed on the screen, there are too many holes and voids in the data display, and not enough data can be visualized. When there is too much information, data can be hidden or occluded. The key is, then, to have balance between the two.
Some visualization, for example SnortView in [18], uses five parameters in its data, which are: time of access, type of access, source of access, destination of access, and details of access. It contains three main frames: source address, alert, and source-destination matrix frames. Each frame is designed to visualize different parameters. The IP addresses are sorted and displayed in the source address frame. Colored icons, which represent NIDS alert, as well as time, are displayed in the alert frame. It was mentioned that the information displayed is
sufficient. However, according to SnortView, the source-destination matrix was not needed initially. It was implemented after the two frames because the technique needed a way to display both source and destination IP addresses in conjunction, joined by vertical and horizontal lines. So, SnortView has three main frames to display its different parameters of the data being visualized.
PortVis, [19], contains five to six visualization areas. PortVis uses raw data from an external text file. The data contained network traffic information. However, the idea is that the
data is reduced to a set of counts of entities rather than the content itself. For example, instead of a list of each TCP session, the data contains information on the counts of how many TCP
sessions exist. The main parameters used in PortVis are: protocol, port, and hour as the main fields. The other remaining five fields are: session count, source address, destination address, source/destination address pairs, and source countries. The three main visualization areas are timeline, hour, and port. The timeline contains a histogram and the gradient editor to display the activities of the ports. The hour, or main, visualization displays dots on the grid where the location of each dot is denoted by X = port / 256 and Y = port mod 256 where port is the port number. The port number uses the 2-byte classification, where X is the high byte of the port number and Y is the low byte of the port number. Moreover, the port activity visualization is used to display the port activities in histograms. Different visualization areas in PortVis allow different parameters of the data to be visualized.
According to the statistics chart, different groups of the number of parameters included in security visualization techniques are shown. It seems safe to say that the majority of the
techniques display zero to three parameters, or well over 56 percent. The group of four to six and seven to nine parameters account for approximately 40 percent. There is only one technique that includes ten or more parameters in its method. It is proper to include that at this point in security visualization, the number of parameters is still relatively not very large in most
techniques. As more techniques advance, more parameters will certainly be used, yielding more complicated visualization.