Entry Name:  "CSU-Zhao-MC2"

VAST 2013 Challenge
Mini-Challenge 2: Situation Awareness Display Design


Team Members:

Ying Zhao, Central South University, Zhaoying511@gmail.com      PRIMARY

Fangfang Zhou, Central South University, zhouffang@gmail.com

Xing Liang, Central South University, csushin1004@gmail.com

Yezi Huang, Central South University, huangyezide@126.com

Ronghua Shi, Central South University, shirh@csu.edu.cn


Student Team:  NO


Software Used:

Photoshop

Processing

MySQL

Eclipse


May we post your submission in the Visual Analytics Benchmark Repository after VAST Challenge 2013 is complete? Yes


Video:

index.files/CSU-Zhao-MC2-Demo-Final.wmv


High-Resolution Image:

index.files/bigdisplay.jpg


Storyboards:

index.files/CSU-Zhao-MC2-StoryBoard.pdf


Description of Your Design:

Our design has three features: cooperative analysis of multiple datasets, four specialized time-synchronized analytical views with various interactions, and favorable scalability on the spatial and temporal dimensions.

1. Cooperative Analysis of Multiple Datasets

Network security relies on a variety of monitoring systems and protective devices, such as firewalls, NetFlow collectors, IDS alert systems and router monitoring systems, which generate massive volumes of logs and configuration data as they run. When malicious activity occurs, it leaves traces in several of these data sources at once, which shows that the sources are correlated. In our design (shown in Figure 1 and Figure 2), source data are sampled widely from both real-time and historical network security data. With time synchronization and spatial location as the common frame, users can analyze multiple data sources together and thereby grasp the health, security and performance of the whole network.

Figure 1

Figure 2

2. Favorable Scalability on Spatial and Temporal Dimensions

To cope with the growing number of hosts, which have both a geospatial distribution and a logical topology, we propose a two-layer, highly scalable deployment (shown in Figure 3) that places hosts according to their spatial information and network structure. The first layer uses a GIS technique: each office and its computers are marked as dots of different shapes on a geographical map. By clicking a dot (which may represent one department or one group of hosts), users switch to the second layer, which shows the hosts belonging to that dot. Hosts in the second layer are grouped by class C or class D IP network and laid out automatically with force-directed rules, thereby forming the logical network topology. Each node in the second layer represents one host or one group of hosts, with color and shape distinguishing routers, servers, workstations and so on.

Scalability on the temporal dimension is achieved by letting users analyze real-time data (shown in Figure 4), time series data and data from a specific historical moment (shown in Figure 5). Besides real-time monitoring and analysis, users can visually choose and analyze any historical series over any time period, because these series are sampled at several levels: one month, one day and one hour. Moreover, users can pick out one specific moment to analyze more detailed data.
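The data-side counterpart of the two-layer host deployment and the multi-level time sampling described in this section, written as an added example rather than code from the CSU-Zhao-MC2 submission. The flow records, office names and subnet-to-office mapping are constructed for illustration.

```python
# Added example, not part of the submission: group hosts into first-layer
# "dots" (offices) and second-layer /24 networks, and resample flow volume
# at the hour/day/month levels the design samples its series at.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records: (timestamp, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("2013-04-01 08:05:00", "172.10.0.4", "10.0.0.8", 80, 1200),
    ("2013-04-01 08:50:00", "172.10.0.5", "10.0.0.8", 80, 300),
    ("2013-04-01 09:10:00", "172.10.0.4", "10.0.0.8", 443, 5400),
    ("2013-04-02 10:00:00", "172.20.1.9", "10.0.0.8", 22, 90),
    ("2013-05-03 11:30:00", "172.20.1.9", "10.0.0.9", 22, 60),
    ("2013-05-03 11:45:00", "192.168.5.1", "10.0.0.9", 8080, 10),
]

# Constructed first-layer mapping: a dot on the GIS map -> subnets it contains.
OFFICES = {"HQ": ["172.10.0.0/24"], "Branch": ["172.20.1.0/24"]}

def subnet_of(ip: str, prefix: int = 24) -> str:
    """Class C style grouping: collapse a host address to its /24 network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def two_layer_groups(flows, offices):
    """office -> subnet -> host -> flow count (first layer, then second layer)."""
    owner = {net: office for office, nets in offices.items() for net in nets}
    groups = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for _ts, src, _dst, _port, _nbytes in flows:
        net = subnet_of(src)
        office = owner.get(net, "Unmapped")  # hosts that belong to no known dot
        groups[office][net][src] += 1
    return groups

# Bucket formats for the three sampling levels named in the design.
TRUNCATE = {"hour": "%Y-%m-%d %H:00", "day": "%Y-%m-%d", "month": "%Y-%m"}

def resample(flows, level: str):
    """Total bytes per bucket at one sampling level; KeyError on an unknown level."""
    fmt = TRUNCATE[level]
    series = defaultdict(int)
    for ts, _src, _dst, _port, nbytes in flows:
        bucket = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime(fmt)
        series[bucket] += nbytes
    return dict(sorted(series.items()))
```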

Figure 3

Figure 4

Figure 5

3. Introduction of Visualization Views

Different visualization graphs suit different features of the data and different analysis objectives. In our system, four cooperating visualization views are designed for multiple kinds of network security data and for disparate monitoring and analysis objectives.

3.1 View of monitoring and analyzing the activity of network hosts

By using a heat map to visualize network traffic and access conditions, this view (shown in Figure 6) helps operations managers analyze the activities of network hosts. Network hosts are deployed in two layers. Nodes of the first layer are placed using a GIS technique; once a user picks out one dot (which may represent one department or one group of hosts), the nodes belonging to that dot are laid out in the second layer with a force-directed layout. Hosts are colored from cool tones to warm tones as their level of activity grows. By monitoring in real time and analyzing historical statistics, users can directly find vulnerable hosts as well as analyze their correlations on the spatial and temporal dimensions.

Figure 6

3.2 View of monitoring and analyzing the events

This view is designed for monitoring real-time events and analyzing historical statistics. The monitored events can be either alerts from existing systems such as an IDS and BigBrother, or activities that violate rules set by administrators in advance. The arcs (shown in Figure 7), which represent the types of events, are distributed evenly on the outer ring. The height of the histograms inside the outer ring stands for the number of occurrences of each event, and the curves between hosts and histograms show their correlations. The arrangement of hosts in the circle adopts the two-layer deployment strategy described above. Above all, this view explicitly displays the correlations among events, hosts and the timeline, which helps users stay vigilant to network anomalies and strengthens their situational awareness.

Figure 7


3.3 View of monitoring and analyzing the time series data

Many kinds of data offered by VAST 2013 Mini-Challenge 3 can be synchronized into time series, such as traffic volume in NetFlow and the number of connections through a certain IP or port. To better discern correlations and trends among multiple time series in network security data, we have designed the comparative stacked stream view (shown in Figure 8), in which two streams are stacked upward and downward respectively, with the center line of the drawing area as their boundary. Users can thus compare two time series at the same timestamp, or compare the changes of a single time series along the timeline. Through such comparisons, users can find underlying relationships between pairs of time series, or unusual changes in a single series that may fit attack patterns and lead to the discovery of attacks.

Figure 8


3.4 View of monitoring and analyzing the detailed information

Matrix graphs are often used to present port and IP information as well as to monitor the health status of hosts in a data center. We have designed four matrix graphs (shown in Figure 9): a source port matrix, a destination port matrix, a source IP matrix and a destination IP matrix, which are combined to analyze port and IP information. Each grid cell may represent a single port number, a single IP address, or one group of ports or IPs. This view offers users many optional datasets, such as host hardware status, access counts and traffic volume, with colors encoding the different values of the data.
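How the four matrix graphs can bin port and IP information into grid cells, with counts normalized for a color scale, as an added example that is not code from the submission. The flow records are constructed, and the 256 x 256 cell scheme, the port-group parameter and the /16 assumption for IP cells are my choices rather than the authors'.

```python
# Added example, not part of the submission: cell mapping for the source/
# destination port and IP matrices, where a cell is one port, one IP, or a
# group of neighbouring ports, plus normalisation of cell counts to [0, 1].
from collections import Counter

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("172.10.0.4", 51234, "10.0.0.8", 80),
    ("172.10.0.4", 51235, "10.0.0.8", 80),
    ("172.10.0.5", 40001, "10.0.0.8", 443),
    ("172.20.1.9", 40002, "10.0.0.9", 22),
    ("172.20.1.9", 40003, "10.0.0.9", 22),
    ("172.20.1.9", 40004, "10.0.0.9", 22),
]

def port_cell(port: int, group: int = 1):
    """Map a port to a (row, col) cell of a 256x256 grid; `group` > 1 collapses
    that many neighbouring ports into one cell (a port group)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    p = port // group
    return (p >> 8) & 0xFF, p & 0xFF

def ip_cell(ip: str):
    """Map a host inside one /16 to a cell: third octet = row, fourth = column."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {ip}")
    return octets[2], octets[3]

def matrices(flows, port_group: int = 1):
    """Return the four cell -> count maps: src port, dst port, src IP, dst IP."""
    m = {k: Counter() for k in ("src_port", "dst_port", "src_ip", "dst_ip")}
    for sip, sport, dip, dport in flows:
        m["src_port"][port_cell(sport, port_group)] += 1
        m["dst_port"][port_cell(dport, port_group)] += 1
        m["src_ip"][ip_cell(sip)] += 1
        m["dst_ip"][ip_cell(dip)] += 1
    return m

def color_scale(counter):
    """Normalise cell counts to [0, 1] so a cool-to-warm palette can be applied."""
    peak = max(counter.values(), default=0)
    return {cell: (n / peak if peak else 0.0) for cell, n in counter.items()}
```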

Figure 9

4. Experiment on our visualization tools

To verify the effectiveness of our visualization tools, we use the dataset of VAST Challenge 2013 Mini-Challenge 2 to show how our tools work (shown in Figure 10) and present the results in the storyboards.

Figure 10