Publication: Visual Analytics for Situational Awareness in Cyber Security
Abstract
More than ever, we rely on computer systems and the availability of computer networks. It is crucial to have a high standard of security in this modern world. Fully automated systems to identify threats on the Internet are not enough to provide awareness of the actual situation of complex computer networks. Especially advanced persistent threats stay undetected for too long. Providing interactive visual interfaces in combination with analytical methods helps analysts and system administrators to get a better impression of possible symptoms and suspicious behavior, and to understand complex dependencies, in order to enhance cyber security. To achieve this goal, we implement and evaluate novel visual analytics systems to facilitate exploration of network activity, analysis of network threats, and correlation of heterogeneous data streams.
This thesis starts with an extensive literature review focusing on visualization systems supporting situational assessment in cyber security and identifies various research gaps. Afterwards, we focus on monitoring of network activity and introduce VACS, a web-based visual analytics suite for cyber security. This thesis also introduces a system for time-series analysis with integrated analytical methods to enhance visual correlation for port activity monitoring. Because of limitations of existing approaches to analyzing temporal network data in a given hierarchical context, we also propose a novel visualization technique, called ClockMap. To assess this scalable approach, which is a unique combination of circular temporal glyphs and radial treemaps, we report the results of various evaluations. In particular, we actively participate in international challenges, successfully compete with other approaches, and validate our findings against ground truth data.
We also address the analysis of various specific cyber security threats. This thesis therefore proposes a novel visual analytics tool, called VisTracer, to help network analysts investigate BGP prefix hijackings and routing anomalies, which pose a severe threat to the underlying network infrastructure of the Internet. To make use of visual analytics to understand malware behavior, we contribute a taxonomy of visualization systems for malware analysis and reveal future research directions in this emerging field. Gaining situational awareness on a larger scale helps to understand the modus operandi of cyber attackers. We support this use case and integrate various alternative visualizations into VACS to facilitate attack attribution on multi-dimensional clusters. Furthermore, a field experiment with security experts is conducted to evaluate the novel combination of threat intelligence algorithms with interactive visual exploration.
The literature review shows that most of the visual analytics techniques in cyber security do not explicitly focus on dynamic real-time characteristics. However, concerning situational awareness, such capabilities are crucial. To emphasize their importance and foster more research in this direction, we propose a novel and scalable analysis infrastructure for heterogeneous data streams, integrated into VACS. We specifically introduce NStreamAware, a stream analysis system based on Apache Spark, and contribute a novel visualization technique, called NVisAware, to present aggregated data slices using various embedded visualization widgets to reduce the cognitive load of analysts. Moreover, visual feature selection techniques are applied to provide meaningful summaries of those slices. Finally, we successfully evaluate the system using a network security case study and assess its general applicability in the context of situational awareness through active participation in an international competition.
Cite
ISO 690
FISCHER, Fabian, 2016. Visual Analytics for Situational Awareness in Cyber Security [Dissertation]. Konstanz: University of Konstanz
BibTeX
@phdthesis{Fischer2016Visua-36392,
  year={2016},
  title={Visual Analytics for Situational Awareness in Cyber Security},
  author={Fischer, Fabian},
  address={Konstanz},
  school={Universität Konstanz}
}