Visible to the public International Conferences: Workshop on Visualization for Cyber Security (VizSec 2014), Paris, France

SoS Newsletter- Advanced Book Block

SoS Logo

International Conferences:

Workshop on Visualization for Cyber Security (VizSec 2014)


The eleventh workshop on visualization in security was held on 10 November 2014 in Paris, France.

Conference  focus was to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing user assisted attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security.  The VizSec 2014 presentations are all available at the VizSec Vimeo group site at:  and the ACM digital library at the URLs listed.

Diane Staheli, Tamara Yu, R. Jordan Crouser, Suresh Damodaran, Kevin Nam, David O'Gwynn, Sean McKenna, Lane Harrison ; Visualization Evaluation For Cyber Security: Trends And Future Directions; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security,  November 2014, Pages 49-56. Doi:  10.1145/2671491.2671492 The Visualization for Cyber Security research community (VizSec) addresses longstanding challenges in cyber security by adapting and evaluating information visualization techniques with application to the cyber security domain. This research effort has created many tools and techniques that could be applied to improve cyber security, yet the community has not yet established unified standards for evaluating these approaches to predict their operational validity. In this paper, we survey and categorize the evaluation metrics, components, and techniques that have been utilized in the past decade of VizSec research literature. We also discuss existing methodological gaps in evaluating visualization in cyber security, and suggest potential avenues for future research in order to help establish an agenda for advancing the state-of-the-art in evaluating cyber security visualizations.

Keywords: cyber security, evaluation, information visualization  (ID#: 15-3572)



Christopher Humphries, Nicolas Prigent, Christophe Bidan, Frédéric Majorczyk; CORGI: Combination, Organization And Reconstruction Through Graphical Interactions; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 57-64  doi: 10.1145/2671491.2671494 In this article, we present CORGI, a security-oriented log visualization tool that allows security experts to visually explore and link numerous types of log files through relevant representations and global filtering. The analyst can mark values as values of interest and then use these values to pursue the exploration in other log files, allowing him to better understand events and reconstruct attack scenarios. We present the user interface and interactions that ensure these capabilities and provide two use cases based on challenges from VAST and from the Honeynet project.

Keywords: forensics, intrusion detection, visualization  (ID#: 15-3573)



Siming Chen, Cong Guo, Xiaoru Yuan, Fabian Merkle, Hanna Schaefer, Thomas Ertl; OCEANS: Online Collaborative Explorative Analysis On Network Security; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 1-8. Doi: 10.1145/2671491.2671493 Visualization and interactive analysis can help network administrators and security analysts analyze the network flow and log data. The complexity of such an analysis requires a combination of knowledge and experience from more domain experts to solve difficult problems faster and with higher reliability. We developed an online visual analysis system called OCEANS to address this topic by allowing close collaboration among security analysts to create deeper insights in detecting network events. Loading the heterogeneous data source (netflow, IPS log and host status log), OCEANS provides a multi-level visualization showing temporal overview, IP connections and detailed connections. Participants can submit their findings through the visual interface and refer to others' existing findings. Users can gain inspiration from each other and collaborate on finding subtle events and targeting multi-phase attacks. Our case study confirms that OCEANS is intuitive to use and can improve efficiency. The crowd collaboration helps the users comprehend the situation and reduce false alarms.

Keywords: collaborative visual analytics, network security, situation awareness  (ID#: 15-3574)



Tobias Wüchner, Alexander Pretschner, Martín Ochoa; DAVAST: Data-Centric System Level Activity Visualization; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 25-32. Doi: 10.1145/2671491.2671499 Host-based intrusion detection systems need to be complemented by analysis tools that help understand if malware or attackers have indeed intruded, what they have done, and what the consequences are. We present a tool that visualizes system activities as data flow graphs: nodes are operating system entities such as processes, files, and sockets; edges are data flows between the nodes. Pattern matching identifies structures that correspond to (suspected) malicious and (suspected) normal behaviors. Matches are highlighted in slices of the data flow graph. As a proof of concept, we show how email worm attacks, drive-by downloads, and data leakage are detected, visualized, and analyzed.

Keywords:  (not provided) (ID#: 15-3575)



J. Joseph Fowler, Thienne Johnson, Paolo Simonetto, Michael Schneider, Carlos Acedo, Stephen Kobourov, Loukas Lazos;  IMap: Visualizing Network Activity Over Internet Maps; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 80-87. Doi: 10.1145/2671491.2671501 We propose a novel visualization, IMap, which enables the detection of security threats by visualizing a large volume of dynamic network data. In IMap, the Internet topology at the Autonomous System (AS) level is represented by a canonical map (which resembles a geographic map of the world), and aggregated IP traffic activity is superimposed in the form of heat maps (intensity overlays). Specifically, IMap groups ASes as contiguous regions based on AS attributes (geo-location, type, rank, IP prefix space) and AS relationships. The area, boundary, and relative positions of these regions in the map do not reflect actual world geography, but are determined by the characteristics of the Internet's AS topology. To demonstrate the effectiveness of IMap, we showcase two case studies, a simulated DDoS attack and a real-world worm propagation attack.

Keywords: anomaly, map, network, security, topology visualization  (ID#: 15-3576)



Robert Gove, Joshua Saxe, Sigfried Gold, Alex Long, Giacomo Bergamo; SEEM: a Scalable Visualization For Comparing Multiple Large Sets Of Attributes For Malware Analysis; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 72-79. Doi: 10.1145/2671491.2671496 Recently, the number of observed malware samples has rapidly increased, expanding the workload for malware analysts. Most of these samples are not truly unique, but are related through shared attributes. Identifying these attributes can enable analysts to reuse analysis and reduce their workload. Visualizing malware attributes as sets could enable analysts to better understand the similarities and differences between malware. However, existing set visualizations have difficulty displaying hundreds of sets with thousands of elements, and are not designed to compare different types of elements between sets, such as the imported DLLs and callback domains across malware samples. Such analysis might help analysts, for example, to understand if a group of malware samples are behaviorally different or merely changing where they send data.  To support comparisons between malware samples' attributes we developed the Similarity Evidence Explorer for Malware (SEEM), a scalable visualization tool for simultaneously comparing a large corpus of malware across multiple sets of attributes (such as the sets of printable strings and function calls). SEEM's novel design breaks down malware attributes into sets of meaningful categories to compare across malware samples, and further incorporates set comparison overviews and dynamic filtering to allow SEEM to scale to hundreds of malware samples while still allowing analysts to compare thousands of attributes between samples. We demonstrate how to use SEEM by analyzing a malware sample from the Mandiant APT1 New York Times intrusion dataset. Furthermore, we describe a user study with five cyber security researchers who used SEEM to rapidly and successfully gain insight into malware after only 15 minutes of training.

Keywords: computer security, malware, sets, venn diagrams, visualization  (ID#: 15-3577)



Fabian Fischer, Daniel A. Keim; NStreamAware: Real-Time Visual Analytics For Data Streams To Enhance Situational Awareness;  VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 65-72.  Doi: 10.1145/2671491.2671495 The analysis of data streams is important in many security-related domains to gain situational awareness. To provide monitoring and visual analysis of such data streams, we propose a system, called NStreamAware, that uses modern distributed processing technologies to analyze streams using stream slices, which are presented to analysts in a web-based visual analytics application, called NVisAware. Furthermore, we visually guide the user in the feature selection process to summarize the slices to focus on the most interesting parts of the stream based on introduced expert knowledge of the analyst. We show through case studies, how the system can be used to gain situational awareness and eventually enhance network security. Furthermore, we apply the system to a social media data stream to compete in an international challenge to evaluate the applicability of our approach to other domains.

 Keywords: data streams, network security, real-time processing, situational awareness, visual analytics  (ID#: 15-3578)



Daniel M. Best, Alex Endert, Daniel Kidwell; 7 Key Challenges for Visualization In Cyber Network Defense; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 33-40. Doi: 10.1145/2671491.2671497 What does it take to be a successful visualization in cyber security? This question has been explored for some time, resulting in many potential solutions being developed and offered to the cyber security community. However, when one reflects upon the successful visualizations in this space they are left wondering where all those offerings have gone. Excel and Grep are still the kings of cyber security defense tools; there is a great opportunity to help in this domain, yet many visualizations fall short and are not utilized.  In this paper we present seven challenges, informed by two user studies, to be considered when developing a visualization for cyber security purposes. Cyber security visualizations must go beyond isolated solutions and "pretty picture" visualizations in order to impact users. We provide an example prototype that addresses the challenges with a description of how they are met. Our aim is to assist in increasing utility and adoption rates for visualization capabilities in cyber security.

Keywords: cyber security, defense, visualization  (ID#: 15-3579)



Alexander Long, Joshua Saxe, Robert Gove; Detecting Malware Samples With Similar Image Sets; VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 88-95. Doi: 10.1145/2671491.2671500 This paper proposes a method for identifying and visualizing similarity relationships between malware samples based on their embedded graphical assets (such as desktop icons and button skins). We argue that analyzing such relationships has practical merit for a number of reasons. For example, we find that malware desktop icons are often used to trick users into running malware programs, so identifying groups of related malware samples based on these visual features can highlight themes in the social engineering tactics of today's malware authors. Also, when malware samples share rare images, these image sharing relationships may indicate that the samples were generated or deployed by the same adversaries. To explore and evaluate this malware comparison method, the paper makes two contributions. First, we provide a scalable and intuitive method for computing similarity measurements between malware based on the visual similarity of their sets of images. Second, we give a visualization method that combines a force-directed graph layout with a set visualization technique so as to highlight visual similarity relationships in malware corpora. We evaluate the accuracy of our image set similarity comparison method against a hand curated malware relationship ground truth dataset, finding that our method performs well. We also evaluate our overall concept through a small qualitative study we conducted with three cyber security researchers. Feedback from the researchers confirmed our use cases and suggests that computer network defenders are interested in this capability.

Keywords: human computer interaction, malware, security, visualization  (ID#: 15-3580)



Jan-Erik Stange, Marian Dörk, Johannes Landstorfer, Reto Wettach; Visual Filter: Graphical Exploration Of Network Security Log Files;  VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 41-48. Doi: 10.1145/2671491.2671503 Network log files often need to be investigated manually for suspicious activity. The huge amount of log lines complicates maintaining an overview, navigation and quick pattern identification. We propose a system that uses an interactive visualization, a visual filter, representing the whole log in an overview, allowing to navigate and make context-preserving subselections with the visualization and in this way reducing the time and effort for security experts needed to identify patterns in the log file. This explorative interactive visualization is combined with focused querying to search for known suspicious terms that are then highlighted in the visualization and the log file itself.

Keywords: dynamic querying, exploratory search, human pattern recognition, overview and detail, visual filter  (ID#: 15-3581)



Simon Walton, Eamonn Maguire, Min Chen; Multiple Queries With Conditional Attributes (Qcats) For Anomaly Detection And Visualization: VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 17-24. Doi: 10.1145/2671491.2671502 This paper describes a visual analytics method for visualizing the effects of multiple anomaly detection models, exploring the complex model space of a specific type of detection method, namely Query with Conditional Attributes (QCAT), and facilitating the construction of composite models using multiple QCATs. We have developed a prototype system that features a browser-based interface, and database-driven back end. We tested the system using the "Inside Threats Dataset" provided by CMU.

Keywords: QCAT, anomaly detection, information theory, model visualization, multivariate data visualization, parallel coordinates, visual analytics  (ID#: 15-3582)



Markus Wagner, Wolfgang Aigner, Alexander Rind, Hermann Dornhackl, Konstantin Kadletz, Robert Luh, Paul Tavolato;   Problem Characterization And Abstraction For Visual Analytics In Behavior-Based Malware Pattern Analysis;  VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 9-16. Doi: 10.1145/2671491.2671498 Behavior-based analysis of emerging malware families involves finding suspicious patterns in large collections of execution traces. This activity cannot be automated for previously unknown malware families and thus malware analysts would benefit greatly from integrating visual analytics methods in their process. However existing approaches are limited to fairly static representations of data and there is no systematic characterization and abstraction of this problem domain. Therefore we performed a systematic literature study, conducted a focus group as well as semi-structured interviews with 10 malware analysts to elicit a problem abstraction along the lines of data, users, and tasks. The requirements emerging from this work can serve as basis for future design proposals to visual analytics-supported malware pattern analysis.

Keywords: evaluation, malicious software, malware analysis, problem characterization and abstraction, visual analytics  (ID#: 15-3583)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.