Towards Classifying and Selecting Appropriate Security Visualization Techniques

ABSTRACT:

Visualization of network security events has become an important method for detecting, responding to, and resolving security incidents. While there are many security visualization tools and techniques available, each one may require a different run-time environment and data input, making it difficult for a network security analyst to try them all (or a significant subset) and select those that work best for a specific incident or purpose.

This thesis analyzes three common classes of network attacks that security analysts encounter. For each class of attack, we identify the relevant variables that help an analyst understand and resolve an incident. We then survey a large set of network security visualization techniques and use a task-based methodology to assess the usability, insight gained, and overall usefulness of visualization tools for specific classes of attacks. We also recommend the most appropriate techniques for visualizing each attack and suggest other features that could help provide more insight.

Submitted by Katie Dey on