NetCapVis: Web-based Progressive Visual Analytics for Network Packet Captures
IEEE Symposium on Visualization for Cyber Security (VizSec) <16, 2019>
Network traffic log data is a key data source for forensic analysis of cybersecurity incidents. Packet Captures (PCAPs) are the raw information directly gathered from the network device. As the bandwidth and the number of connections to other hosts rise, this data becomes very large quickly. Malware analysts and administrators use this data frequently for their analysis. However, the currently most used tool, Wireshark, displays the data as a table, making it difficult to get an overview and focus on the significant parts. Also, the process of loading large files into Wireshark takes time and has to be repeated each time the file is closed. We believe that this problem poses an optimal setting for a client-server infrastructure with a progressive visual analytics approach. The processing can be outsourced to the server while the client is progressively updated. In this paper we present NetCapVis, a web-based progressive visual analytics system where the user can upload PCAP files, set initial filters to reduce the data before uploading, and then instantly interact with the data while the rest is progressively loaded into the visualizations.
User-Centered Anomaly Detection in Network Data
Darmstadt, TU, Master Thesis, 2018
Identifying anomalies in network traffic logs is a very challenging task for a network analyst. With the ever-increasing number of devices that can be connected to the network, the need for detecting anomalies is at its peak. Usual techniques for detecting such anomalies include visual analysis of network data or applying automated algorithms. Both techniques have major drawbacks. Visual analysis requires high expertise of the analyst, and automated detection algorithms produce high rates of false alarms. In this work, both techniques are combined to improve the detection and reduce the workload of the analyst. The visual interface gives the network administrator the power to edit the predictions made by the algorithms. The feedback from the network administrator is used by the algorithms to improve the performance of the detector and to reduce the false alarms. The system is tested and evaluated on a publicly available dataset, which shows that the system achieves competitive performance.
Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data
IEEE Symposium on Visualization for Cyber Security (VizSec) <15, 2018, Berlin, Germany>
Routing of network packets from one computer to another is the backbone of the internet and impacts the everyday life of many people. Although this is a fully automated process, it has many security issues. IP hijacks and misconfigurations occur very often and are difficult to detect. In the past, visual analytics approaches aimed at detecting these phenomena, but only a few of these integrated geographical references. Geo-IP data is mostly used as a lookup table, which undervalues its capabilities. In this paper we present a visual-interactive system which relies only on Geo-IP data, to create more awareness for this data source. We show that looking at Geo-IP data over time in combination with owner and location information of IP blocks already reveals suspicious cases. Together with our design study we also contribute a pre-processing algorithm for the Maxmind GeoIP2 City and ISP databases, to motivate the community to integrate this data source in future approaches.
Web-based Visual-Interactive Exploration of Network Data
Darmstadt, TU, Bachelor Thesis, 2018
The number of cyberattacks in Germany has increased over the last years, but many small and medium-sized enterprises cannot afford Security Operation Centers (SOCs) to find and handle these attacks. In this work I created a visual interactive analysis tool as a web application that shows different aspects of the data with interactive visualizations, to enable users to find irregular traffic and attacks. Since the amount of data can be enormous, the main visualization shows the data in an aggregated form. To appeal to both experts and novices in network traffic, I created two different single-page interfaces with different visualizations and layouts that best suit their abilities. To find out whether the interfaces fit their expected audiences best, I conducted a user study where users had to complete tasks in both interfaces and tell which interface is better for experts or novices.
Towards Enhancing the Visual Analysis of Interdomain Routing
IVAPP 2017. Proceedings
International Conference on Information Visualization Theory and Applications (IVAPP) <8, 2017, Porto, Portugal>
Interdomain routing with the Border Gateway Protocol (BGP) plays a critical role in the Internet, determining the paths that packets must traverse from a source to a destination. Due to its importance, BGP also has a long history of prefix hijack attacks, whereby attackers cause the traffic to take incorrect routes, enabling traffic hijacking, monitoring and modification by the attackers. Proposals for securing the protocol are adopted slowly or erroneously. Our goal is to create a novel visual analytics approach that facilitates easy and timely detection of misconfigurations and vulnerabilities both in BGP and in the secure proposals for BGP. This work initiates the analysis of the problem, the target users and state-of-the-art approaches. We provide a comprehensive overview of the BGP threats and describe incidents that happened over the past years. The paper introduces two new user groups besides the network administrators, which should also be addressed in future approaches. It also contributes a survey about visual analysis of interdomain routing with BGP and secure proposals for BGP. The visualization approaches are rated, and we derive seven key challenges that arise when following our roadmap for an enhanced visual analysis of interdomain routing.
Supporting Collaborative Political Decision Making - An Interactive Policy Process Visualization System
VINCI 2016. The 9th International Symposium on Visual Information Communication and Interaction
International Symposium on Visual Information Communication and Interaction (VINCI 2016) <9, 2016, Dallas, Texas>
The process of political decision making is often complex and tedious. The policy process consists of multiple steps, most of which are highly iterative. In addition, different stakeholder groups are involved in political decision making and contribute to the process. A series of textual documents accompanies the process. Examples are official documents, discussions, scientific reports, external reviews, newspaper articles, or economic white papers. Experts from the political domain report that this plethora of textual documents often exceeds their ability to keep track of the entire policy process. We present PolicyLine, a visualization system that supports different stakeholder groups in overview-and-detail tasks for large sets of textual documents in the political decision making process. In a longitudinal design study conducted together with domain experts in political decision making, we identified missing analytical functionality on the basis of a problem and domain characterization. In an iterative design phase, we created PolicyLine in close collaboration with the domain experts. Finally, we present the results of three evaluation rounds, and reflect on our collaborative visualization system.
Uncovering Periodic Network Signals of Cyber Attacks
IEEE Symposium on Visualization for Cyber Security (VizSec) <2016, Baltimore, MD, USA>
This paper addresses the problem of detecting the presence of malware that leaves periodic traces in network traffic. This characteristic behavior of malware was found to be surprisingly prevalent in a parallel study. To this end, we propose a visual analytics solution that supports both automatic detection and manual inspection of periodic signals hidden in network traffic. The detected periodic signals are visually verified in an overview using a circular graph and two stacked histograms, as well as in detail using deep packet inspection. Our approach offers the capability to detect complex periodic patterns, but avoids the unverifiability issue often encountered in related work. The periodicity assumption imposed on malware behavior is a relatively weak assumption, but initial evaluations with a simulated scenario as well as a publicly available network capture demonstrate its applicability.
Joint Estimation of Depth and Labels from a Single Image
Darmstadt, TU, Master Thesis, 2015
Estimating depth and semantic segmentation from a single image are two very challenging tasks in computer vision. In traditional approaches, models for image structure or semantic class connections were used to create estimations. In the past years, new non-parametric methods proved to achieve state-of-the-art results for each of the problems. The non-parametric approach makes use of huge image databases by directly transferring the ground truth to the query image. Further, research showed that semantic segmentation can be used to improve depth estimation and vice versa. In this work both problems, depth estimation and semantic segmentation, are tackled. Therefore a non-parametric system is built which extracts features from a query image, retrieves similar images, matches sub-regions of the images, and generates a pixel-level potential for depth and semantic segmentation. This potential is utilized for a joint optimization with a fully connected conditional random field to achieve consistent estimates. The system is tested with synthetic images which have pixel-accurate depth maps and semantic segmentation. Additionally, an evaluation on publicly available real-world datasets shows that the system achieves competitive performance.
Visual Access to an Agent-based Simulation Model to Support Political Decision Making
International Conference on Knowledge Technologies and Data-driven Business (I-KNOW) <14, 2014, Graz, Austria>
Decision making in the field of policy making is a complex task. On the one hand, conflicting objectives influence the availability of alternative solutions for a given problem. On the other hand, the economic, social, and environmental impacts of the chosen solution have to be considered. In the political context, these solutions are called policy options. To tackle societal problems, a thorough analysis of policy options needs to be executed before a policy can be put into practice. Computational simulation is a method considered for measuring the impacts of policy options. However, due to their complexity, the underlying models and their output may be difficult for decision makers to access. In this work, we present a visual-interactive interface for an agent-based simulation model that enables decision makers to evaluate the impacts of alternative policy options in the field of regional energy planning. The decision maker can specify different subsidy strategies for supporting public photovoltaic installations as input and evaluate their impact on the actual adoption via the simulation output. We show the usability and usefulness of the visual interface in a real-world example that evolved from the European research project ePolicy.
Visual Access to Optimization Problems in Strategic Environmental Assessment
Advances in Visual Computing. 9th International Symposium, ISVC 2013
International Symposium on Visual Computing (ISVC) <9, 2013, Rethymnon, Crete, Greece>
The complexity of actual decision making problems, especially in the field of policy making, is increasing due to the conflicting aspects that have to be considered. Methods from the field of strategic environmental assessment consider the environmental, economic, and social impacts caused by political decisions. This makes the analysis of reasonable decisions more complex. Mathematical models like optimization can help to balance conflicting aspects. Although they are not easy to understand, these complex models and the resulting policy options have to be reviewed by the decision makers. In this work we present a visual-interactive interface to an optimization system capable of solving multidimensional decision problems. The interface enables visual access to the complex optimization models and the analysis of alternative solutions. As a result, strategic environmental assessment can be included in the decision making process. An evaluation in the domain of regional energy planning underlines the usability and usefulness of the visual interface.
Visual Analysis of Multidimensional Optimization Problems
Darmstadt, TU, Bachelor Thesis, 2013
This work presents a visual interface to access an optimization system for solving multidimensional decision problems. Today the complexity of decision making problems is generally high because many aspects have to be considered. Especially in the policy making process, substantial decisions require profound knowledge. Strategic environmental assessment plays an important role in this process. The duty to consider environmental impacts caused by political decisions is imposed by law in many countries. This makes the decision making process more complex and requires better methods to find a solution. With optimization it is possible to create mathematical models that weigh multidimensional decisions. The models and the produced solutions have to be reviewed by the decision makers, but they are not easy to understand. In my approach I design and implement a visual-interactive application that enables visual access to complex optimization models and the analysis of alternative solutions. It makes use of proven visualization techniques and state-of-the-art methodologies to make abstract information transparent. This conveys the knowledge behind the decision options in a reasonable way. The contribution is a visual-interactive interface that enables visual access to complex optimization models and the analysis of alternative solutions. In this way strategic environmental assessment can be improved, and the policy maker is able to understand where policy options originated. The evaluation of the prototype revealed that the interface offers easy access to alternative solutions and gives more insight into the process behind finding policy options.