U.S. Department of Energy

Pacific Northwest National Laboratory

Safeguarding Cyber Systems with Visualization

From DIC

Protecting communications networks against attacks whose aim is to steal information, disrupt order, or harm critical infrastructure currently requires the collection and analysis of staggering amounts of data. The ability to detect and respond to threats quickly is a paramount concern across sectors – from government agencies to utilities and financial organizations – yet many such organizations must find threats buried in billions of network transactions each day. To better equip the analysts responsible for monitoring network activity efficiently and effectively, state-of-the-art data intensive visual analytics tools are needed for the unique challenges of today's cyber security environment.

Researchers at the Pacific Northwest National Laboratory have developed two innovative visual analytics tools, supported by a data intensive middleware platform, that are helping analysts to both see and be in command of their data in ways previously not possible. The tools can be used in concert with one another.

The Correlation Layers for Information Query and Exploration (CLIQUE) tool displays high-level overviews of network traffic using a new behavioral model-based anomaly detection technique. The CLIQUE system builds models for learning and classifying expected behavior on individual hosts on a network and then compares these modeled behaviors to real-time streaming data to generate early indicators of “non-normal” network activity.

The effectiveness of CLIQUE is enhanced by visualization features that allow the analyst to compare the anomalous activity to normal conditions. Users can navigate through their data temporally, viewing time periods as short as a few minutes or as long as several years. CLIQUE models help analysts to see departures from normal behavior at any time scale. Analysts also can drill down to view detailed displays of network activity and spot the machines, buildings, facilities or other sources of traffic behaving anomalously.
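As an added illustration of the per-host behavioral baseline described above (this is not PNNL's CLIQUE code; the features, the z-score threshold, the bucket width that sets the time scale, and all flow records are constructed assumptions):

```python
from collections import defaultdict
from statistics import mean, pstdev

def bucket_features(flows, width):
    """Per-host, per-bucket bytes and distinct dst ports; width (s) sets the time scale."""
    feats = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "ports": set()}))
    for ts, host, port, nbytes in flows:  # flow = (timestamp_s, host, dst_port, nbytes)
        feats[host][ts // width]["bytes"] += nbytes
        feats[host][ts // width]["ports"].add(port)
    return feats

def learn_baseline(history, width):
    """Per-host expected behaviour: (mean, std) of bytes and ports per bucket."""
    model = {}
    for host, buckets in bucket_features(history, width).items():
        nbytes = [b["bytes"] for b in buckets.values()]
        nports = [len(b["ports"]) for b in buckets.values()]
        model[host] = {"bytes": (mean(nbytes), pstdev(nbytes)),
                       "ports": (mean(nports), pstdev(nports))}
    return model

def score_stream(model, flows, width, threshold=3.0):
    """Score newly arrived flows against the model at the same time scale; return
    (host, bucket, feature, z) for departures beyond `threshold` standard deviations
    in either direction, and flag hosts that were never modelled."""
    alerts = []
    for host, buckets in bucket_features(flows, width).items():
        if host not in model:
            alerts.append((host, None, "unknown_host", None))
            continue
        for idx, b in buckets.items():
            observed = {"bytes": b["bytes"], "ports": len(b["ports"])}
            for feature, (mu, sigma) in model[host].items():
                if sigma == 0:  # constant in training: any change is a departure
                    z = 0.0 if observed[feature] == mu else float("inf")
                else:
                    z = abs(observed[feature] - mu) / sigma
                if z > threshold:
                    alerts.append((host, idx, feature, round(z, 2)))
    return alerts

# Constructed history: ten hourly buckets of ordinary web traffic from "ws-17".
HISTORY = [rec for hour in range(10) for rec in
           [(hour * 3600 + 60, "ws-17", 443, 4000 + 100 * (hour % 3)),
            (hour * 3600 + 1800, "ws-17", 80, 1000)]]
# Constructed stream: in hour 10, ws-17 talks to three ports it never used and
# an unmodelled host "ws-99" appears; hour 11 looks like the history.
STREAM = [(36060, "ws-17", 443, 4000), (36120, "ws-17", 80, 1000),
          (36180, "ws-17", 22, 40), (36240, "ws-17", 445, 40),
          (36300, "ws-17", 3389, 40), (36360, "ws-99", 443, 500),
          (39660, "ws-17", 443, 4000), (41400, "ws-17", 80, 1000)]
ALERTS = score_stream(learn_baseline(HISTORY, 3600), STREAM, 3600)
```

Changing `width` (for example to 60 or to 86400) re-runs the same comparison at a different time scale, which is the multi-scale view the text describes; the byte volume in hour 10 stays within the baseline, so only the port fan-out and the unmodelled host are reported.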

Since visualizations of aggregate network activity are often not detailed enough for analysts to spot subtle changes in communication in large data sets – which can be the first signal of malicious behavior – PNNL developed a second tool called Traffic Circle. Traffic Circle displays raw network traffic through multiple time-based views, with up to hundreds of millions of communication events in a single view, enabling analysts to see individual communication patterns that appear suspicious.

Like CLIQUE, Traffic Circle accommodates streaming data. As new network transactions occur, Traffic Circle displays them on a moving timeline. Via the Traffic Circle “time wheel,” analysts can dynamically zoom through data spanning months or years in just seconds. The tool also allows for sophisticated filters that highlight important patterns in the traffic.

The interoperability between Traffic Circle and CLIQUE lets users readily move data from one program to the other at their desktop, supporting more diverse analysis by allowing users to move seamlessly from high-level views of billions of transactions in CLIQUE down to detailed charts of the underlying traffic in Traffic Circle. The result is significantly improved situational awareness of network activity, which allows swifter prevention, response and mitigation of harmful attacks.

Article Title: Safeguarding Cyber Systems with Visualization

Article Added: 2010/09/21

Category(s): National Security, Cyber Security

Last Update: 13 July 2011 | Pacific Northwest National Laboratory