Network Data Visualization

Background

The United States Computer Emergency Readiness Team (US-CERT) has a strong need for technologies that can visualize network flow data and meta-data. Specifically, the agency desires technologies that will enable analysts to discover new cyber security events or make additional observations on existing events. The visualization of the data makes it easier for analysts to recognize patterns and allows them to customize how it is presented in order to best meet their needs. In response to this need, CCI is working to supplement existing text-based command-line tools and enhance the arsenal of tools available to US-CERT analysts.

Technology Implementation

Visualization tools can provide a richer, more interactive, and more intuitive experience than text-based command-line tools. However, the existing visualization tools have been difficult to automate and have required more effort to use while achieving less useful results than command-line tools. Further, these tools have not provided new information or additional observations on existing events. In order to deliver the greatest benefit, these tools must provide additional analytic capabilities and support the existing suite of command-line tools.

Computer Associates Labs is developing a visualization system that will allow US-CERT analysts to view entity and connection behaviors in collected network flow data at scales ranging from a single host to the entire Internet. They have developed techniques to produce graphical snapshots from the data that allow analysts to analyze it more efficiently. US-CERT aims to provide analysts with the ability to manipulate different views of network traffic in order to maximize insight and to allow further examination of the data.

Additionally, Secure Decisions is developing a technology that will provide a big picture view depicting overall trends in network flow data. This technology will reduce the time needed to discover flow anomalies by highlighting important information in massive amounts of data. It will also present multiple perspectives that will allow analysts to view data in new ways and understand cyber attacks in context.

Significant Impact

These technologies will provide the government with advanced methods of sorting and analyzing massive amounts of network flow data. Visualization technologies will allow analysts to more efficiently monitor their networks and identify potential cyber attacks.