Optimizing cybersecurity by means of visual analytics
A six-hour outage for Facebook, Instagram and associated platforms resulted in losses running into billions for the US company Facebook Inc. But how do such problems occur and how can they be detected and remedied at the earliest possible juncture? Fraunhofer IGD has been looking into this complex set of issues for several years now and, in association with the ATHENE research center, is working towards making network data more intelligible. This will enable more users to assess what is happening within their own network. Current and future developments in visual analytics are intended to simplify the work of security experts.
“The sheer quantity of cyber security alerts that are flagged up in corporate networks is almost unmanageable,” says Professor Jörn Kohlhammer, ATHENE scientist at the Fraunhofer Institute for Computer Graphics Research IGD. “The problem is that a large number of these messages consist of warnings that are generated by peculiarities in network traffic that pose absolutely no danger. This can cause the messages that actually require action to be drowned out by these false positives. Uncertainty about which alerts to prioritize is a pressing problem here.”
Another example of confusion caused by masses of data is the Border Gateway Protocol (BGP). This is the routing protocol that connects autonomous systems and enables cross-border data traffic on the worldwide web. The importance of this was demonstrated by the outage of Facebook services in early October. Due to maintenance work being done by Facebook, the connections of the DNS servers to the data center were interrupted. The servers then withheld BGP announcements, as there appeared to be a faulty network connection, and the servers were unavailable for a longer period of time. This could have been prevented with a better overview of the BGP announcements. BGP announcements could have prevented this. However, the unmanageability of the data volumes makes it difficult for smaller companies to keep track and to ensure their cybersecurity. Fraunhofer IGD sees the solution as lying in the targeted visualization of security-relevant data and information. The thinking is that, the more straightforward the display of network data, the more readily users can assess what is happening in their own network.
In association with the National Research Center for Applied Cybersecurity (ATHENE), Fraunhofer IGD is working on solutions for the visualization of cybersecurity data. Manufacturers of cybersecurity software are able to benefit from this accumulated expertise, with improved visualization software increasing the effectiveness and user satisfaction of solutions that already have good functionalities. The objective is to create user interfaces that support the processing of very large amounts of data and which have been specifically designed with the tasks and responsibilities of network administrators and security experts in mind.
Visual analytics provides an overview
Fraunhofer IGD already offers a range of solutions in the field of visual analytics. Cyber security experts can visually and interactively assign alert messages to different groups without having to wade through long lists and assess each warning individually. Instead, similar alerts are visualized as adjacent “bubbles” that can be interactively allocated to different groups.
The NetCapVis tool visualizes network data sorted by criteria such as IP addresses or data format. A timeline shows which data packets enter or leave the network at which point in time. This provides an instant overview, which at the same time enables a targeted response to unknown data movements.
Professor Kohlhammer: “The question that guides our research is how we can simplify and improve interfaces so that users require less and less prior knowledge to monitor the security of their own network. In an era dominated by digitization and against a background of increasing cyberattacks on companies and public institutions, this is more important than ever. Visualization of cybersecurity data to maximize support for network administrators and security experts is the big goal here.”