AUTOMOTIVE
Visualizing the Enemy
- Written by: Writer
Security visualization tools being developed at the National Center for Supercomputing Applications (NCSA) will give these network guardians new techniques to head off and counter cyberattacks. With funding from the Office of Naval Research (ONR), NCSA researchers have developed two novel security tools: NVisionIP and VisFlowConnect. Both are designed to give security engineers a visual overview of an entire network in order to help them determine when a network is under attack, what is being attacked, and what form the attack is taking. The SIFT research is being conducted under the umbrella of NCSA's National Center for Advanced Secure Systems Research, which was launched in 2003 to address the nation's critical need for a dynamic, adaptive cybersecurity infrastructure. For more information, go to http://www.ncassr.org/. A wealth of network data is available to security engineers. There are multiple logs common to most computer networks, but they typically are large and dynamic, making it difficult to extract knowledge from the sea of information. NCSA's Security Incident Fusion Tool (SIFT) research team leverages human visual cognitive abilities to process log data into knowledge for situational awareness of network security. It is estimated that human beings can visually process a screen of information at 150 Mbits per second, with the ability to discriminate relatively minor shifts in color, shape, and motion. By presenting network data visually, it can be scanned quickly, patterns in complex data rise to the surface, and inferences become intuitive. "After a while, security professionals get an intuition about how a normal picture of their network should appear," explains Kiran Lakkaraju, a PhD student in NCSA's SIFT security research group who has been responsible for much of NVisionIP's software development. Once a security professional becomes familiar with the normal appearance of the network being monitored, he should be able to spot specific attack signatures as well as more subtle anomalies. "VisFlowConnect can be used to identify Internet attacks via traffic patterns in near real-time," says SIFT PhD student Xiaoxin Yin, the software developer behind the tool to visualize all traffic coming into and going out of a network. "The next step is to get both of these complementary tools into the hands of security engineers to see how useful they can really be in detecting security events," says Lakkaraju. The team has already fielded requests from security engineers who have either seen the tools demonstrated at conferences or heard of them from colleagues and are eager to try out the as-yet unreleased tools. NCSA's security operations team has been heavily involved in the development of both NVisionIP and VisFlowConnect, and both tools will be beta tested on NCSA's network this spring. "The potential use of these tools at NCSA for real-time analysis and as a forensic tool is very exciting," said Jim Barlow, NCSA Senior Security Engineer. "They will better equip our security engineers with a way of visualizing incidents and possible problems on our entire network." Based on feedback from beta tests within NCSA and at other organizations, the SIFT team will make adjustments to these tools. Future plans include the development of real-time monitoring and processing of streaming data. For more information, see http://www.ncassr.org/projects/sift/papers/.