Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence. Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities. Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate. You'll learn how to use visualization techniques
I recommend this book to the user interface developer that is learning network security. For the experienced developer with some knowledge of network security this book might not add much to their understanding.
Pros: The basics of IP and TCP packets are covered as well as intrusion detection, and there are many examples of different exploits found in the wild today, making the examples ones you can watch for and observe on your own network.
Learning how to make use of intrusion detection alerts in treemaps, or how to filter packet traffic out of parallel coordinate scans will give you a good idea of how to apply these techniques to any other exploit you study, but see my note below about treemaps.
The questions at the end of the book detailing how to learn the characteristics of your data sources and how to learn about the analysts you're working for are, while seemingly obvious to an experienced network expert, exactly what any good developer will need to ask when first joining a new project in this domain, especially in a large organization.
Cons: Using treemaps to tune your snort configuration (which they give an example of) seems like a dubious method for something most sysadmins do without the overhead of parsing IDS logs into a format a visualization tool can use. So you definitely have to extrapolate the uses of these techniques.
He also gives a short survey of security tools currently in use, but the survey _is_ short while being far-ranging, so I suspect he leaves out more tools than I know of.
Summary: a very good introduction for the beginning network security developer.
This book was a very good overview of visualization techniques for security data. While shallow in sections overall, and a little too deep in others (I don't really want a network basics session), it shows great examples of the core security data types (logs, packet capture, etc.) and unique ways of correlating data to activities and events.