Security Visualization
by Raffael Marty
RSS

Recent blog posts

Maturity Scale for IT Data Management

How does the IT data management -- the market that is an umbrella for log management, security information management, and security event …
How do you encode hundreds of data points into one single graph? Use Sparklines.

Have you tried to visualize your traffic flows? Did you have the problem that your graphs got really cluttered? Did you find a way around …
How do you prepare your security data for visualization?

Do you know how much traffic is transmitted on your networks? Do you know what protocols are in use and what machines are using them? Are …

5 comments
What is the right graph to use in what situation?

Do you like pie charts? Have you ever thought about replacing them with a bar chart? Or a line chart? Do you know when to use what chart?

2 comments
How do you create good visualizations?

I am sure you have seen graphs that were just horrible to look at. Even worse, it was almost impossible to determine what the graph was …
How Do You Get Started With Security Visualization?

Are you in charge of analyzing large amounts of security data? Have you ever wondered whether there is a better way than reading your logs …

How do you visualize your traffic flow (NetFlow) logs?

By Raffael Marty 2 comments

November 18, 2008, 9:05 AM — In my last blog post I showed how you collect NetFlow records and format them suitable for visualization. The next step, after the data has been processed and prepared in a CSV format, is to pick a graph or visual representation that is suitable for the problem at hand. Relationships between data entries are best visualized with link graphs. GraphViz is a tool that can be used to generate these link graphs. Unfortunately, the input format for GraphViz is a DOT file, which is a fairly complicated representation of a link graph. In order to translate CSV files to DOT files, I am going to use a tool called AfterGlow.
AfterGlow reads CSV data. Each edge in the graph is represented by a single CSV entry. For example, a node from 10.0.0.1 to 10.0.0.2 is generate by the following entry:

10.0.0.1,10.0.0.2

To generate the DOT file from our CSV input, run the CSV data through the following command:

cat file.csv | afterglow.pl -t > graph.dot

The DOT file now needs to be visualized with GraphViz. There are various layout algorithms that GraphViz supports, each launched through its own command. An example graph is generated as follows:

cat graph.dot | neato -Tgif -o graph.gif

To try out the other layouts, exchange neato in the above command with circo, dot, fdp, twopi.

If you want to get a bit more sophisticated with formatting the graph, you can use a graph property file and pass it to AfterGlow. The property file is used to assign color to nodes, filter nodes, or cluster them. A sample property file looks as follows:

color="yellow" if (field()=~/^192\.168\..*/);
color="greenyellow" if (field()=~/^10\..*/);
color="lightyellow4" if (field()=~/^172\.16\..*/);
color="red"

This sample property file assigns colors to the nodes based on their subnet. Nodes that belong to private address spaces are drawn in yellow. Other nodes are drawn in red. To tell AfterGlow to use this property file, use the following command:

cat file.csv | afterglow.pl -t -c sample.properties | neato -Tgif -o graph.gif

Have you generated your own link graphs? Share your examples and experiences on SecViz.

Hope to see you at my visualization workshop on Thursday the 20th of November in Hong Kong at the IS Summit 2008.

Raffael Marty most recently co-founded Loggly, a cloud-based log management company. As an entrepreneur, he is interested in enterprise and infrastructure startups, business models, and technologies. He has been a long term data analysis and visualization enthusiast and has spent a lot of time building and defining the security visualization space through open source tools, writing books, a number of papers, and speaking at conferences around the world. He is frequently consulting as an industry expert in all aspects of log analysis, computer security, and data visualization. Raffy has held various positions in the log management space at companies like Splunk, ArcSight, and IBM research where he also earned his masters in computer science. In addition to visualization, big data analysis, and computer security, Raffy is all over cloud-based business models.

2 comments

Sort by

Subscribe by email Subscribe by RSS

Anonymous 2 years ago

Thanks for the article. Traffic visualization is very important.I thought you would like to know that Plixer International is doing some very interesting things with visualizing NetFlow traffic. They store long term data like most NetFlow tools, but they are definitely spicing things up with some very cool ways to look at the data.Take a look.

Flag comment | Permalink Reply

Anonymous 3 years ago

Great article! I have seen your book at the store and online and can't wait until I buy it! It will be my Xmas present. Until then I am using your manual (which is a excellent document). I plan to use Davix for Vulnerability assessment data and systems (IDS, Firewall, syslog) log data. You should get this tool approved by the Government agencies to use on their networks. SANS is using it and they are taking it in the right direction.

Flag comment | Permalink Reply

Add a comment

The enemy of SMS is my ... ?

2 comments
Microsoft's Kinect Play Fit will track exercise across games

1 comment
Where did 'cloud' come from?

1 comment
Fedora Project is naming names

1 comment
Japanese invent robot that won't fall when you kick it

1 comment

Older
|
Newer

ITworld LIVE

The white paper Is Your Infrastructure Mobile Ready? was viewed
decibel.places commented on New tech advice: don't learn to code
User Roger William is following Keith Peter
Roger William has just joined ITworld
erics commented on Where did 'cloud' come from?
erics has just joined ITworld
TechnoStall has just joined ITworld
liuleo123456 has just joined ITworld
Housewarm shared MIT hackers play TETRIS on a whole building on Reddit
dofamalubo has just joined ITworld
Easexette has just joined ITworld
duwokytyha has just joined ITworld
Joseph Obebeduo has just joined ITworld
vibs@hcl.com has just joined ITworld
sandeepseeram answers Is number of Facebook LIKEs are important for online business success?
Keith Peter has just joined ITworld
bvdysf7d8fda commented on Google network admins wear blue short pants, according to this video
bvdysf7d8fda commented on Taking the measure of big data: More is more
bvdysf7d8fda commented on Rdio rolls out its new design to free users
bvdysf7d8fda commented on Pondering the future of Skype
bvdysf7d8fda commented on This is the golden age of Facebook privacy
bvdysf7d8fda commented on How to enforce password complexity on Solaris
bvdysf7d8fda commented on Facebook IPO sucker scheme task list almost complete
bvdysf7d8fda commented on Startup uses DDOS to confuse BitTorrent sites
bvdysf7d8fda commented on Adobe backpedals, will now patch software for free
bvdysf7d8fda commented on Facebook proposes more changes to privacy policy
bvdysf7d8fda commented on 'Old people' icons: why do we still use them?

SecurityWhite Papers & Webcasts

White Paper

Cloud Security Vendor Round Table

This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions posed to three cloud infrastructure providers, three managed or hosted infrastructure providers, and three cloud technology providers. Compare their answers to questions on data protection, compliance, ROI and more.

White Paper

Cloud Security Planning Guide

Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different endpoints. This guide provides recommendations for strengthening data, identity, and platform protection and will also walk you through seven key steps to plan your cloud security strategy from the ground up.

White Paper

Planning Guide - Technology for Tomorrow's Cloud

This cloud planning guide will introduce you to data center technologies that address challenges of networking, storage, security, and power management. It's based on Intel's experience working with IT managers, cloud providers, and security and power management vendors-as well as the experience Intel has gained building and deploying its own cloud technology.

White Paper

Cloud Security Insights for IT Strategic Planning

The survey results of 200 IT professionals highlights the key business and technology drivers behind implementation plans, the importance of security, and the level of investment in security required. This benchmark data can be used for your own cloud security planning.

White Paper

Expert Guide to Secure Your Active Directory

Layered security is the way to go when it comes to protecting Active Directory. This expert e-guide explains the best method to use when planning and designing a security solution. Find out why it is important to secure Group Policy settings and discover how managed service accounts boost server security in R2.

See more White Papers | Webcasts