350 rub
Journal Highly available systems №2 for 2012 г.
Article in number:
Visualization techniques in siem-systems
Keywords: security information visualization security information and event management visualization component architecture
Authors:
E.S. Novikova, I.V. Kotenko
Abstract:
To monitor the security state of computer systems it is necessary to track constantly and analyze the data received from different security sources - routers, sniffers, firewalls, intrusion detection systems, etc. Security Information and Event Management systems (SIEM-systems) allow accumulating these data, normalizing and transforming them into a common format and providing convenient graphical user interface (GUI) to access it. Usually security data have textual format; that is why the visualization techniques are used to analyze information among others. Graphical representations help specialists to identify immediately general trends and relationships among individual data points, detect malicious activity or anomalies, because the human visual system is a pattern seeker of enormous power and subtlety. The new generation SIEM-system for service infrastructures supporting intelligent, scalable and multi-level/multi-domain security event processing and predictive security monitoring is designed in the framework of the MASSIF FP7 project. In the paper the current results of the security visualization technique analyses and visualization component design are presented. The three-level service-oriented architecture of the visualization component is proposed. It consists of the User Interface, Control Services Middleware and Graphical elements. Such approach allows developing the scalable application and integrating different visualization technologies used to implement graphical items. The paper describes the software visualization component developed to illustrate the proposed architecture. It provides graphical interface for the Attack Simulation of Attack Modeling and Security Evaluation Component of the SIEM-system. To increase the efficiency of the developed visualization component the user interaction mechanisms such as zooming, collapsing/expanding of the subgraphs, viewing the hosts - or attack actions - details on demand are implemented. To enforce the effect of the implemented mechanisms the principles of the human perception are considered when designing graphical items.
Pages: 91-99
References
  1. Ware C. Information Visualization. Perception for Design 2nd Edition, Elsevier Morgan Kaufman. 2004.
  2. Котенко И.В., Саенко И.Б., Полубелова О.В., Чечулин А.А. Применение технологии управления информацией и событиями безопасности для защиты информации в критически важных инфраструктурах // Труды СПИИРАН. Вып.1 (20). СПб.: Наука. 2012.
  3. Котенко И.В., Саенко И.Б., Полубелова О.В., Чечулин А.А. Технологии управления информацией и событиями безопасности для защиты компьютерных сетей // Проблемы информационной безопасности. Компьютерные системы.
    № 2. 2012.
  4. MASSIF Website. http://www.massif-project.eu/
  5. Marty R. Applied Security Visualization. NY: Addison Wesley Professional. 2008.
  6. Lakkaraju K., Yurcik W., Lee A.J. NVisionIP: Netflow visualizations of system state for security situational awareness // VizSEC/DMSEC - 04: Proceedings of the 2004 ACM workshop on visualization and data mining for computer security. New York. NY. USA. 2004. P. 65-72.
  7. Ohno K., Koike H., Koizumi K. IP Matrix: An Effective Visualization Framework for Cyber Threat Monitoring // Ninth International Conference on Information Visualization (IV05). London. England. IEEE/CS. P. 678-685.
  8. Hideshima Y., Koike H. STARMINE: a Visualization System For Cyber Attacks // Proceedings of the Asia Pacific Symposium on Information Visualisation. 2006. V. 60 (Tokyo, Japan, February 01 - 01, 2006). № 243. P. 131-138.
  9. McPherson J., Ma K.-L., Krystosk P., Bartoletti N., Christensen M. PortVis: A Tool for PortBased Detection of Security Events // Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (VizSEC/DMSEC '04). 2004. P. 73-81.
  10. Lau S. The spinning cube of potential doom // Communications of the ACM. 47(6). 2004. P. 24-26.
  11. Lee C.P., Trost J., Gibbs N., Beyah N., Copeland J.A. Visual Firewall: Real-time Network Security Monitor // Visualization for Computer Security (VizSEC 05). 2005. IEEE Workshop. P. 129-136.
  12. Krasser S., Conti G., Grizzard J., Gribshaw J., Owen H. Real-time and forensic network data analysis using animated and coordinated visualization // 2005 IEEE Workshop on Information Assurance. IEEE Press. 2005.
  13. Mansmann F., Meier L., Keim D.A. Visualization of Host Behavior for Network Security // Proceedings of the Workshop on Visualization for Computer Security (VizSEC 2007). Sacramento. California. USA. P.187-202.
  14. Tamassia R., Palazzi B., Papamanthou C. Graph Drawing for Security Visualization Graph Drawing // 16th International Symposium, GD 2008, Heraklion, Crete, Greece, September 21-24, 2008. Lecture Notes in Computer Science. V. 5417. Springer. 2009. P. 2-13.
  15. OSSIM Website. http://alienvault.com/products/unified-siem/siem
  16. ArcSight Website. http://www.arcsight.com/products/products-esm/
  17. QRadar Website. http://q1labs.com/products/qradar-siem.aspx
  18. Chi E.H. A Taxonomy of Visualization Techniques Using the Data State Reference Model // IEEE Symposium on Information Visualization. 2000. P. 69-75.
  19. Wood J., Brodlie K.W., Seo J., Duke D.J. and Walton J. A web services architecture for visualization / Proceedings of the IEEE Fourth International Conference on eScience, 2008. 7-12 December 2008. Indianapolis. Indiana. USA. IEEE Computer Society Press. P. 1-7.
  20. Shneiderman B. Dynamic queries for visual information seeking // The Craft of Information Visualization: Readings and Reflections. 2003.
  21. Kotenko I., Chechulin A., Doynikova E. Analytical Attack Modeling in Security Information and Event Management Systems / Proceedings of the Work in Progress Session held in connection with the 20th Euromicro International Conference on Parallel, Distributed and network-based Processing (PDP 2012). Garching/Munich, February 2012.
  22. Jung. http://jung.sourceforge.net
  23. Spring framework. http://www.springsource.org/spring-framework
  24. OSGi framework. http://www.osgi.org/Main/HomePage
  25. Itoh T., Muelder C., Ma K.-L., Sese J. A Hybrid Space-Filling and Force-Directed Layout Method for Visualizing Multiple-Category Graphs // Proceedings of IEEE Pacific Visualization 2009 Symposium April. 2009.