


Security Tools: Visualization Is Power

Mar 01, 2007
Data and Information Security, Data Visualization, Security

Visualization tools can help ferret out security problems, but the technology has a long way to go

Information security practitioners are overloaded with information. There is network information, like reports of scans, viruses, worms and spam blasts. There are reports from host and authentication systems—users who haven’t changed their passwords and should have, users who have been locked out and users who are just plain suspicious. There are the reports from deployment and patch management systems. These days we even need to be concerned about backup systems—are they backing up the data, and is that backup data encrypted?

One of the most basic ways to help people deal with information overload is to visualize it—that is, to draw it out as a graph, plot it on a map or use the data to make some kind of diagram. Unfortunately, many of the “visualizations” provided by today’s security tools and vendors are little more than bar graphs and pie charts of information that’s easy to gather but meaningless to analyze.

For example, one visualization that’s popular with antispam vendors is a map of the world with pie charts or color-coded countries that show the amount of spam that each part of the world is producing. The United States is red, because most of today’s spam comes from computers that have been compromised and signed up for hacker botnets. Europe, Brazil and China come next. Africa is in last place—not because the Africans are masters of computer security, but because the continent doesn’t have a lot of computers or connectivity. Yes, this information is mildly interesting. But it’s positively worthless when it comes to formulating an antispam strategy. What’s a CSO to do—block all the e-mail that’s coming from the United States?

Simple management charts and graphs might make passable eye candy for the boardroom or an annual report, but they don’t work well for security management because they don’t give security professionals more insight into their problems. For planning purposes it matters little how much spam is coming from Russia.

More Practical Applications of Security Visualization

Turning collected data into information that can drive a security visualization is hard work: It’s much easier to collect data than it is to analyze it. Spam vendors sometimes graph how the amount of spam changes from week to week. But what’s more important is how the amount of spam is changing in relationship to another variable—for example, the amount of legitimate e-mail that’s being delivered. Another important metric is how much spam is delaying the delivery of legitimate mail, and how much spam is costing an enterprise in terms of computational and human resources. A graph that shows the utilization of an organization’s spam-processing appliances can be used to predict when it’s going to be necessary to purchase new equipment.

But visualization can be used for far more than capacity planning. Properly presented, visualizations should be able to help organizations find security threats and incidents that they might otherwise miss. There’s some promising work popping up here and there, for example, in security event/information management packages. But overall, sadly, today much of the best visualization technology remains in research labs and on vendor shelves.

Visualization has long been a powerful tool for network and computer management. Displaying network bandwidth or CPU utilization on a strip chart allows administrators to see the systems’ status, trends and sudden divergences from established norms. Administrators soon learn that specific patterns on their screens correlate with specific problems they need to address. Essentially, the visualization becomes a high-speed interface that allows the human brain and the computer system to work together on a complicated problem.

This visual brain/machine symbiosis takes advantage of the computer’s ability to process large amounts of numeric data and the brain’s ability to find meaning in otherwise chaotic patterns. The human visual cortex has been tuned for rapidly making sense out of the jumble of information. A good visualization takes neurons that evolved over the eons to detect leopards moving through the veld and uses them for finding a router that’s crashed or a RAID array that’s lost a spindle. Although it may take a little training to learn the correlation between patterns and problems, it doesn’t take much.

But while high-quality visualizations have become an important part of network management, visualizations of this type have had little impact on the practice of network security—or any other kind of computer security, for that matter. There has been some academic work in recent years aimed at developing visualization techniques for detecting hostile network scans or other abnormal behavior.

Ben Shneiderman, a professor at the University of Maryland who has been researching data visualization for more than 20 years, is fond of saying that a picture may be worth a thousand words, but a picture with a control is worth a thousand pictures. Visual presentations of information need to be interactive. Today the best visualization systems under development are following this advice.

Into the Lab

For example, a team led by professor Kwan-Liu Ma at the University of California, Davis, has developed a program called PortVis that makes it relatively easy for an analyst to spot different kinds of network scans. The program can display timelines of activity by a host or port; a grid visualization, in which all of the activity of a network over a period of time is displayed on a single grid; a volume visualization, which extends the grid to a three-dimensional volume; and a port visualization, which shows the activity on particular TCP/IP ports over time. When viewed with this tool, different kinds of network scans have very distinct patterns. The hope is that the analyst will be able to recognize these patterns even when they are superimposed upon the noise and chatter of a moderately busy network.

Other work by Kwan-Liu Ma’s team used advanced signal processing to make these attack patterns more distinctive. Another of the group’s papers applies wavelet scalograms to a noisy block of data and produces a bar graph. Similar scans have similar bar graphs, while different scans have very different ones. Other visualizations in that paper show how the hosts in a network can be clustered in blobs, trails and snakelike patterns depending on how the attacker scanned them.

At the National Center for Supercomputing Applications, William Yurcik has been developing tools for visualizing NetFlow data for security purposes. Yurcik’s tool, NVisionIP, features a “Galaxy” view, in which a block of tens of thousands of IP addresses can be viewed on a single page: Darker regions are responsible for more network activity. The analyst can drill down to see individual machines. Another tool lets the analyst see which machines are the sources and recipients of traffic.

The real value of visualization is that it makes it possible to find things that are new and unexpected—patterns that are strangely out of place. You find something that looks weird and you try to explain it. Sometimes the explanation is innocent; other times it’s a malicious attack.

A few months ago I was working with a fellow researcher on a new network security visualization. We had a system that drew arrows on the computer’s screen that symbolized Internet connections through the network over time. Looking at the display I saw several hundred arrowheads forming a diagonal line. “That’s weird,” I thought. It turns out that I was looking at a port scan. Elsewhere on the plot we saw a series of arrows going off in one direction with no packets sent in response. A few seconds later the pattern repeated, then repeated again. Investigation revealed that we were seeing queries to an unresponsive domain name server.
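To make the port-versus-time grid that PortVis draws and the diagonal a port scan leaves on it concrete, here is an added example (my own code, not PortVis or the author’s tool) over constructed flow records; it also automates the diagonal check, so the anomaly surfaces without an analyst watching the screen.

```python
from collections import defaultdict

# Constructed sample flows: (t_seconds, src, dst, dst_port). Not real traffic.
# One host probes ports 20..35 one per second; everything else is ordinary chatter.
SCAN = [(t, "10.0.0.5", "10.0.0.20", 20 + t) for t in range(16)]
NOISE = [(t, "10.0.0.%d" % (7 + t % 3), "10.0.0.20", p)
         for t in range(16) for p in (22, 25, 80) if (t * 7 + p) % 5 == 0]
FLOWS = sorted(SCAN + NOISE)

def port_time_grid(flows, ports, t_max):
    """PortVis-style grid: one row per port, one column per second,
    cell = number of connections to that port during that second."""
    cells = defaultdict(int)
    for t, _src, _dst, port in flows:
        if port in ports and t < t_max:
            cells[(port, t)] += 1
    return {p: [cells[(p, t)] for t in range(t_max)] for p in ports}

def render(grid):
    """ASCII rendering: '.' idle, '#' busy. A scan walking up the port
    numbers shows up as the diagonal line the article describes."""
    return "\n".join("%5d |%s" % (p, "".join("#" if c else "." for c in row))
                     for p, row in sorted(grid.items()))

def diagonal_runs(flows, min_len=6):
    """Flag (src, dst) pairs whose destination ports keep climbing as time
    advances for at least min_len connections: the diagonal, found by code."""
    by_pair = defaultdict(list)
    for t, src, dst, port in sorted(flows):      # time-ordered per pair
        by_pair[(src, dst)].append(port)
    hits = {}
    for pair, ports in by_pair.items():
        run = best = 1
        for p0, p1 in zip(ports, ports[1:]):
            run = run + 1 if p1 > p0 else 1
            best = max(best, run)
        if best >= min_len:
            hits[pair] = best
    return hits

if __name__ == "__main__":
    print(render(port_time_grid(FLOWS, sorted({f[3] for f in FLOWS}), 16)))
    print(diagonal_runs(FLOWS))
```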

Many visualization tools require a knowledgeable analyst who has the time and the motivation to use the tool to search out anomalies and network events. Unfortunately, that’s rarely the case. As a result, many researchers have developed useful visualizations, only to have them sit on the shelves because the analysts just didn’t have the time to run them.

As a result, another area of research aims to use these visualizations as inputs to machine learning algorithms. Those algorithms then learn what’s normal and what’s not, and are programmed to bring abnormalities to the attention of the human operators.

Combining visualizations with machine learning accomplishes many of the same results that a good data-mining algorithm might. In fact, you could think of this as a special kind of data mining. The key difference is that it is data mining that depends on visualization, so it’s possible for a human being to jump into the middle of the system and look at that same picture. Add a few controls and the visualization becomes an interactive application that can be used for drilling down, getting additional information and rapidly making a determination about a possible incident.

While it’s easy to see how visualization is useful for network traffic, this technology can also be applied to computer forensics, patch management and even privacy policy enforcement. But we won’t see this technology on the market until companies start demanding visualizations that deliver information that’s both useful and meaningful. Eye candy belongs in video arcades, not the boardroom.

Simson Garfinkel, CISSP, is the author of numerous security books, including Security and Usability: Designing Secure Systems that People Can Use.