Welcome to Understanding Link Analysis. The purpose of my site is to discuss the methods behind leveraging visual analytics to discover answers and patterns buried within data sets.

Visual analytics provides a proactive response to threats and risks by holistically examining information. Unlike traditional data mining, visualizing information lets patterns of activity that run contrary to normal activity surface after very few occurrences.

We can dive into thousands of insurance fraud claims to discover clusters of interrelated parties involved in a staged accident ring.

We can examine months of burglary reports to find a pattern leading back to a suspect.

With the new generation of visualization software our team is developing, we can dive into massive data sets and visually find new trends, patterns and threats that would take hours or days using conventional data mining.

The eye processes information much more rapidly when it is presented as images; this has been true since children first started learning to read. As our instinct develops over time, so does our ability to process complex concepts through visual identification. This is the power of visual analysis that I focus on on this site.

All information and data used in articles on this site is randomly generated with no relation to actual individuals or companies.

Call Center and BPO Fraud Visual Analytics

Outsourced customer service and Back Office Processing (BPO) organizations process an ever increasing number of transactions and contacts every day. Agents have access to large amounts of sensitive customer information and access to company inventory to perform their operations. Every operation that is granted to outsourced agents allows for potential theft, abuse or breach of sensitive information or goods and services.

Threats within these industries range from misappropriation of inventory through internal theft to breach of sensitive and protected customer and account holder information. Any adverse event has a substantial impact on the company and the client's reputation and opens both to potential regulatory and legal action.

With an ever increasing trend of companies outsourcing operations that carry substantial risk to both the BPO and the client, both have the responsibility of establishing protocols that prevent contractors and employees alike from utilizing systems for personal gain.

Considering the amount of transactions and customer interactions which are logged on a daily basis, the amount of information which must be analyzed is daunting. A large BPO may average in excess of 100,000 customer transactions per day. Each transaction can be logged in many different locations from the telecommunication system which records data from the call to the account management system which maintains the access and permission logs.

With the amount of information that must be examined to audit the activities of many disbursed locations throughout the world, visual analytics provides the most intuitive and effective way to identify problematic trends and threats across multiple data sources.

Call Center Visualization

For this example, let's take a scenario where an analyst is performing an audit on all call centers within a specific country. This country maintains multiple call center locations tasked with providing customer support for a large electronics company. Each call center agent has the ability to address customer issues with products purchased from the company, through warranty replacement or by providing free (gratis) replacement parts or incentive products to resolve customer complaints.

The internal auditor within the BPO or call center wants to holistically view the activities of each call center within the country to determine if there are any patterns or unusual velocities occurring within the production environment which could indicate an agent is involved in the theft of goods or services from the client inventory. Alternatively, the analyst or investigator from the contracting company may want to do the same, although they will be visualizing activity across several different contracted BPOs.

For this example we are going to leverage SynerScope to visualize call center to product and part fulfillment, holistically examining all of the customer service data for the past six months across the Philippines (the country used for our example).

We will begin by importing the customer service system data into SynerScope establishing a hierarchy for the data of call country origination, call center Geo-location, call center name or identifier and call center agent identifier. For the relationship view, we are establishing a link between the call center agent and the products from the company that the agent sends to customers for fulfillment of the request. The hierarchy used for the product and customer include the customer shipping location (country, state), the fulfillment purpose (warranty, customer complaint resolution) and the product SKU or item number.

This visualization will allow us to examine the relationships and velocities between agents in multiple call center locations and the products that are being sent to customers. The analyst will be looking for any unusual patterns of relationships which may indicate a call center agent is sending an unusual velocity of particular items to a certain area or customer which may be indicative of internal fraud.

An added benefit is that the visualization also provides business intelligence to both the company and the BPO indicating distribution of call volume along with velocities around certain parts which may indicate defect or lack of customer satisfaction.

The analyst will start by drilling into a time period to closely examine the relationship view for any unusual patterns forming around certain call center agents who have an increased relationship between certain parts going to the same areas. This is indicated visually within SynerScope through increased node or entity size and bundle width.

Once an outlying pattern is visually identified within SynerScope, the analyst can then examine the underlying data to confirm or further investigate if the pattern is irregular or suspicious or an outlier or false positive. Trends such as one call center agent sending out a high price product to the same customer over a short time period would be a theft concern, especially if no other agent during that time period was performing the same activity across the country.

As calls into the centers are completely random and assigned to agents at random by the telephony system, a concentrated relationship between any particular agent and a specific customer should not occur naturally and will need to be investigated. By utilizing visual analytics within SynerScope, the analyst can drill into specific time ranges to look for concentrations of linked events between call center agents, products and customers which fall outside the normal pattern of operations experienced by the BPO.

Another scenario for the analyst would be incorporating visual analysis within SynerScope to look for unusual velocities of call center agents accessing customer information. Because visual analysis looks holistically across all the data, adverse trends surface much more rapidly. For example, a call center agent who is looking across 20 different customer accounts within a one hour period, where others in the same center with the same client are only accessing 10 accounts within one hour, will surface within the visualization. This could be a strong indicator that a call center agent is compromising customer account information to sell on the black market to identity theft rings.
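The two call center signals described above, an agent touching far more accounts per hour than peers in the same center and an agent repeatedly shipping the same high-value item to one customer, can be checked directly against the logs before (or alongside) the visual drill-down. The following is an added example written for this page, not code from the page or from SynerScope; the agent, account, customer and SKU identifiers, the center name "MNL-1", the 1.5x peer-median ratio, the $500 price floor and the 30-day window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: hypothetical agent, account, customer and SKU
# identifiers, not taken from any real call center.


def build_access_records():
    """One hour of account lookups in one center: three agents touch 10 accounts
    each, agent A17 touches 20 (the velocity the text describes)."""
    base = datetime(2024, 3, 1, 10, 0)
    records = []
    for agent, n in (("A01", 10), ("A02", 10), ("A03", 10), ("A17", 20)):
        for i in range(n):
            records.append({"ts": base + timedelta(minutes=2 * i), "center": "MNL-1",
                            "agent": agent, "account": f"{agent}-C{i:03d}"})
    return records


def build_fulfillment_records():
    """Shipments: six agents each send one low-value warranty part to different
    customers; agent A17 sends the same high-value item to one customer three times."""
    base = datetime(2024, 2, 1)
    records = [{"ts": base + timedelta(days=i), "agent": f"A0{i + 1}",
                "customer": f"CUST-{i:03d}", "sku": "PART-100", "price": 25.0}
               for i in range(6)]
    records += [{"ts": base + timedelta(days=3 * i), "agent": "A17",
                 "customer": "CUST-999", "sku": "TV-55", "price": 799.0}
                for i in range(3)]
    return records


def access_velocity_outliers(records, ratio=1.5):
    """Distinct accounts opened per agent per hour, compared with the median of the
    other agents in the same center during that hour. Returns (center, hour, agent,
    accounts, peer_median) for agents at or above ratio * peer median."""
    per_slot = defaultdict(set)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        per_slot[(r["center"], hour, r["agent"])].add(r["account"])
    by_hour = defaultdict(dict)
    for (center, hour, agent), accounts in per_slot.items():
        by_hour[(center, hour)][agent] = len(accounts)
    flagged = []
    for (center, hour), counts in by_hour.items():
        for agent, n in counts.items():
            peers = [c for a, c in counts.items() if a != agent]
            if not peers:
                continue  # nobody to compare against in this slot
            base = median(peers)
            if n >= ratio * base:
                flagged.append((center, hour.isoformat(), agent, n, base))
    return flagged


def repeat_shipments(records, min_price=500.0, window=timedelta(days=30), min_count=3):
    """Find (agent, customer, sku) with at least min_count shipments of an item priced
    >= min_price inside one window, and count how many other agents shipped that SKU
    at all (zero other agents makes the concentration harder to explain)."""
    groups = defaultdict(list)
    sku_agents = defaultdict(set)
    for r in records:
        sku_agents[r["sku"]].add(r["agent"])
        if r["price"] >= min_price:
            groups[(r["agent"], r["customer"], r["sku"])].append(r["ts"])
    flagged = []
    for (agent, customer, sku), times in groups.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                others = len(sku_agents[sku] - {agent})
                flagged.append((agent, customer, sku, len(times), others))
                break
    return flagged


if __name__ == "__main__":
    for row in access_velocity_outliers(build_access_records()):
        print("access velocity:", row)
    for row in repeat_shipments(build_fulfillment_records()):
        print("repeat shipment:", row)
```

Both checks compare an agent against the peers in the same center and hour rather than against a global threshold, which is what makes the 20-versus-10 case stand out: the same 20 lookups would not be flagged in a slot where everyone handles 20.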

Early identification of these trends is essential in mitigating potential threats within BPOs. The primary difference of visual analytics is that it offers a proactive method for much earlier identification of trends than traditional data mining, through the use of multiple attribute relationships. Due to the size of the data being examined, in traditional data mining a differential of 1% or more is required for an outlying pattern to be realized. If the analyst is examining 500,000 records, an outlier of 1% is 5,000 similar events, while in visual analysis patterns of abnormal activity surface within 3 to 4 events when examined on top of normal activity.

From the illustration you can see that within this specific time period selected by the analyst, activity around a specific call center agent with an unusual relationship pattern to a specific item surfaced in only 3 transactions within approximately 50,000 events.


Since the volume of such transactions is often extremely large, SynerScope provides an alternative for finding such patterns much more rapidly. Quick identification of threats is the key to threat mitigation. It is impossible to prevent every fraud scenario from occurring, but failing to detect fraud or theft until it is discovered by the customer, company or a law enforcement agency exposes the client and the BPO to potential brand reputation damage and costly regulatory and legal consequences.

While a completely foolproof method of fraud and theft prevention is impractical, a process for early identification of threats is expected. Visual analytics provides a key ingredient to fraud, theft and compromise detection that preserves the reputation and operational integrity of the organization.

For an interactive example of visual analytics for call center fraud and threat click the video below:

Use Visual Analytics to Detect Medical Fraud

Discovering fraudulent trends and patterns within medical data is the modern day equivalent of finding a needle in a haystack. Private medical and property/casualty insurers as well as government agencies are tasked with discovering and preventing medical fraud from within millions of submitted bills daily.

With health care and medical fraud costing consumers over $100 billion in the United States alone, there has never been a more important time for fraud prevention. The question has always remained: how can I, as an analyst, proactively identify emerging trends across large volumes of medical billing?

By leveraging visual analytics, analysts gain the ability to holistically examine large amounts of medical billing across geographies, allowing for the intuitive identification of medical billing and provider to claimant trends which are indicators of fraud. It is through a holistic visual analytic approach that adverse trends surface within visual analysis when compared against normal medical billing traffic.

Medical Fraud Visual Analysis

To provide an example of leveraging visual analytics for medical fraud we will utilize SynerScope to examine volumes of medical billing data across a specific geography to surface any irregular patterns.

The process begins by importing and holistically examining the providers, claimants and CPT codes within the relationship diagram to look for any unusual relationships or velocities which may exist. From a wide view, we can determine which providers have the highest velocity of medical billing by CPT code for this area.

Next, by leveraging the sequence diagram within SynerScope, we can hover over the relationships between providers and claimants either by the provider as a whole or isolating specific CPT codes to determine when in time the treatments are taking place. As an analyst this helps me understand any unusual velocities of billing from short time spans that would be impractical under normal circumstances.

As an analyst, I want to confirm that the association being viewed within the relationship diagram is suspect. Within SynerScope I can quickly view the underlying medical billing data that is represented within the relationship at the bottom of the user interface. This provides me a preview of all the relevant data attributes that exist within the actual billing database for validation of my analysis.

By focusing on the individual claimants and their corresponding relationships, within SynerScope I can highlight and compare the treatments being rendered across multiple claimants to individual providers. As an analyst this helps me understand if multiple claimants are receiving identical treatments regardless of injury or diagnosis code (ICD9). I also want to understand, if multiple claimants are receiving the same treatments, whether they are receiving them in the same time periods. Within my SynerScope visualization, I can interactively compare the relationship between claimant, provider and CPT code billed within the relationship diagram and also view within the sequence diagram whether treatments are being rendered at the same velocity or over the same span of time.

The sequence of events is just as important as the relationships, as it assists the analyst in understanding not only whether a provider is attempting to bill for services not required or rendered, but also whether the treatments billed fall in a condensed time period in an effort to maximize or exhaust policy limits.
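The pattern the analyst is looking for across the last three paragraphs has a precise shape: one provider, several claimants with different ICD9 codes, the same CPT codes billed on every visit, and the visits packed into the same short window on the same dates. The following is an added example written for this page, not code from the page or from SynerScope. The claims list is constructed; the provider and claimant identifiers are placeholders, and the ICD9 and CPT codes are used only as sample values.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed claims: (provider, claimant, ICD9, CPT, service date).
# Provider and claimant identifiers are hypothetical.
CLAIMS = [
    # Provider P-100: four claimants with three different diagnoses, the same three
    # CPT codes on every visit, five visits in nine days, all on identical dates.
    ("P-100", f"K-{k}", icd9, cpt, date(2024, 1, 2 + 2 * i))
    for k, icd9 in (("1", "847.2"), ("2", "724.2"), ("3", "723.1"), ("4", "847.2"))
    for i in range(5)
    for cpt in ("97110", "97140", "98940")
] + [
    # Provider P-200: treatment mix varies by claimant and visits are two weeks apart.
    ("P-200", "K-7", "847.2", "97110", date(2024, 1, 3)),
    ("P-200", "K-7", "847.2", "97110", date(2024, 1, 17)),
    ("P-200", "K-8", "724.2", "97140", date(2024, 1, 5)),
    ("P-200", "K-8", "724.2", "98940", date(2024, 1, 5)),
]


def treatment_profiles(claims):
    """Per (provider, claimant): diagnoses seen, CPT multiset billed, service dates."""
    prof = defaultdict(lambda: {"icd9": set(), "cpt": Counter(), "dates": set()})
    for provider, claimant, icd9, cpt, day in claims:
        p = prof[(provider, claimant)]
        p["icd9"].add(icd9)
        p["cpt"][cpt] += 1
        p["dates"].add(day)
    return prof


def identical_treatment_clusters(claims, min_claimants=3):
    """Group each provider's claimants by identical CPT billing pattern. A group is
    reported when it is large enough and spans more than one diagnosis (treatment
    that does not depend on ICD9); the report includes whether the claimants share
    one schedule and how dense the visits are."""
    prof = treatment_profiles(claims)
    groups = defaultdict(list)
    for (provider, claimant), p in prof.items():
        groups[(provider, tuple(sorted(p["cpt"].items())))].append(claimant)
    clusters = []
    for (provider, pattern), claimants in groups.items():
        if len(claimants) < min_claimants:
            continue
        icd9 = set().union(*(prof[(provider, c)]["icd9"] for c in claimants))
        if len(icd9) < 2:
            continue  # same treatment for the same diagnosis is not the signal here
        schedules = [frozenset(prof[(provider, c)]["dates"]) for c in claimants]
        all_dates = set().union(*schedules)
        span_days = (max(all_dates) - min(all_dates)).days + 1
        visits = sum(len(s) for s in schedules)
        clusters.append({
            "provider": provider,
            "claimants": sorted(claimants),
            "cpt_pattern": [cpt for cpt, _ in pattern],
            "distinct_icd9": len(icd9),
            "same_schedule": len(set(schedules)) == 1,
            "visits": visits,
            "span_days": span_days,
            "visits_per_claimant_per_week": round(visits / len(claimants) / (span_days / 7), 2),
        })
    return clusters


if __name__ == "__main__":
    for cluster in identical_treatment_clusters(CLAIMS):
        print(cluster)
```

The grouping key is the full CPT multiset, so a provider who varies even one code per claimant does not cluster; `same_schedule` separates "same treatment plan" from "same treatment plan on the same days", which is the condensed-time-period concern in the text.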


Compared with traditional data mining or statistical analysis, by leveraging visual analytics we can identify adverse trends more rapidly and through fewer occurrences, because a holistic visual representation of all medical billing for an area causes abnormal trends to surface against normal billing patterns within SynerScope. These trends can be discovered in as few as three occurrences, where statistical analysis over the same number of records would require a deviation of at least 2%. This means that by leveraging visual analysis, fewer occurrences of fraudulent billing must occur before detection and intervention by the insurer, resulting in a significant risk reduction.

For an interactive example of this principle, please view the video below:

Utilizing Visual Analytics for Point of Sale Fraud and Compromise Detection

Point of Sale or POS fraud and compromise poses a serious risk to financial institutions and corporations alike. Just examining some of the recent large point of sale fraud and compromise cases over the past couple of years sheds some light on the seriousness and risk exposure involved.

From June 2007 to July 2009, a major U.S. retailer's Point of Sale system exposed data from 45.6 million credit and debit card transactions. In 2011, another U.S. retailer discovered that over 50% of the Point of Sale terminals throughout the chain were compromised.

Aside from the internal risks of Point of Sale compromise and fraud, the proliferation of skimming devices, some as small as a lighter, can compromise hundreds of accounts per hour without the knowledge of the financial institution or corporation.

The challenge to corporations and financial institutions is early detection of compromised Point of Sale sites and of those sites which are conducting fraud, as quickly as possible to mitigate risk. This can be a monumental task considering the transaction volumes generated by POS sites.

For a financial institution, compromised Points of Sale mean millions of dollars of fraud exposure a day. For a corporation, the additional risk is to the reputation of the business and the brand itself.

Visualizing Point of Sale Transactions

By leveraging visual analytics, analysts gain the ability to quickly detect emerging patterns in Point of Sale fraud and compromise by surfacing patterns of potential threats against the thousands of normal transactions. Visually, normal POS activity forms a visual pattern that irregular activity runs contrary to.

Because of this, the visual pattern of as few as two fraudulent POS transactions can surface against large amounts of transaction volume when utilizing visual analytics, something that may not be possible through traditional data mining, as patterns in few transactions may not become statistically relevant enough to surface.

To provide an example of leveraging visual analytics for Point of Sale fraud and compromise, I will utilize SynerScope and import several days of POS transactional activity.

To accomplish the visualization of such a large amount of information, SynerScope utilizes the natural hierarchies which exist within the data. For the credit and debit accounts, we have established a hierarchy based on the card brand and issuing bank. For the Point of Sale location we have established a hierarchy by merchant category, Point of Sale location and terminal identification.

This structure will give us a perspective of relationship, sequence in time and velocities which exist between accounts and Point of Sale locations with a granular perspective of individual accounts and terminal relationships.

From a high level view, we can already establish those accounts and Point of Sale locations which have the highest overall velocity of activity. These areas of "low hanging fruit" are potential targets of further analysis to determine why the activity is occurring.

Within the visualization, we can see specific high velocities from a Point of Sale location in Jakarta with a specific POS terminal identification number as well as a corresponding high velocity from a Visa card type from a specific issuing bank.

To get a better understanding of the activity, I will drill down into the segment time to get a more granular detail of the activity involved.

From this view, SynerScope is indicating increased velocity through bundle size or linearization, relative to the other objects within my visualization. As the relationship view and the sequence view are interactive, those entities with enlarged hierarchies and increased bundle width correspond to the activity within the time span selected when I drilled into the data.

Also within the sequential event viewer I am noticing several blocks of structured "bursts" of transaction volume which are in contrast to the normal transaction flow present within Point of Sale transactional data.

By hovering over the connecting bundle I can see that this particular Point of Sale location is involved in all the structured blocks within my sequential event view. Another important observation is that this Point of Sale location is almost exclusively utilizing the connecting card type and issuing bank to conduct the transactions.

To confirm my suspicion of irregular activity, I can surface the underlying data within SynerScope by right clicking on the highlighted bundle. Once surfaced I can see that this particular Point of Sale location is conducting numerous high dollar transactions against this account seconds apart from each other.
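The two observations just confirmed from the underlying data, high-dollar transactions on one account seconds apart at one terminal and a terminal running almost exclusively on one card brand and issuing bank, can be expressed as checks over the raw transaction feed. The following is an added example written for this page, not code from the page or from SynerScope; the terminal, account and issuer identifiers, the ten-second gap and the three-transaction minimum are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed transactions: hypothetical terminal, account and issuer identifiers.


def build_transactions():
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    cards = [("VISA", "BANK-A"), ("MC", "BANK-B"), ("VISA", "BANK-C"), ("AMEX", "BANK-D")]
    txns = []
    # Terminal JKT-T01: one sale every seven minutes, rotating brands and issuers.
    for i in range(12):
        brand, issuer = cards[i % 4]
        txns.append({"ts": t0 + timedelta(minutes=7 * i), "terminal": "JKT-T01",
                     "account": f"ACC-{i:03d}", "brand": brand, "issuer": issuer,
                     "amount": 15.0 + i})
    # Terminal JKT-T07: five 950.00 sales on one account four seconds apart, then
    # one ordinary sale an hour later, all on the same brand and issuer.
    for i in range(5):
        txns.append({"ts": t0 + timedelta(minutes=30, seconds=4 * i), "terminal": "JKT-T07",
                     "account": "ACC-900", "brand": "VISA", "issuer": "BANK-X",
                     "amount": 950.0})
    txns.append({"ts": t0 + timedelta(hours=1), "terminal": "JKT-T07", "account": "ACC-901",
                 "brand": "VISA", "issuer": "BANK-X", "amount": 40.0})
    return txns


def _summarise(terminal, account, run):
    return {"terminal": terminal, "account": account, "count": len(run),
            "total": round(sum(r["amount"] for r in run), 2),
            "span_seconds": int((run[-1]["ts"] - run[0]["ts"]).total_seconds())}


def find_bursts(txns, max_gap_seconds=10, min_len=3):
    """Runs of transactions on one terminal+account where every gap between
    consecutive transactions is at most max_gap_seconds."""
    by_pair = defaultdict(list)
    for t in txns:
        by_pair[(t["terminal"], t["account"])].append(t)
    bursts = []
    for (terminal, account), rows in by_pair.items():
        rows.sort(key=lambda r: r["ts"])
        run = [rows[0]]
        for prev, cur in zip(rows, rows[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() <= max_gap_seconds:
                run.append(cur)
                continue
            if len(run) >= min_len:
                bursts.append(_summarise(terminal, account, run))
            run = [cur]
        if len(run) >= min_len:  # close the final run
            bursts.append(_summarise(terminal, account, run))
    return bursts


def issuer_concentration(txns):
    """Per terminal: the most common (brand, issuer) pair and its share of that
    terminal's transactions. A share near 1.0 on a busy terminal is the
    'almost exclusively one card type and bank' signal."""
    per_terminal = defaultdict(Counter)
    for t in txns:
        per_terminal[t["terminal"]][(t["brand"], t["issuer"])] += 1
    result = {}
    for terminal, counts in per_terminal.items():
        (brand, issuer), n = counts.most_common(1)[0]
        result[terminal] = (brand, issuer, round(n / sum(counts.values()), 2))
    return result


if __name__ == "__main__":
    for burst in find_bursts(build_transactions()):
        print("burst:", burst)
    for terminal, conc in issuer_concentration(build_transactions()).items():
        print("concentration:", terminal, conc)
```

The burst detector keys on terminal and account together, so a busy terminal serving many cards quickly is not a burst; the concentration check is what distinguishes a terminal that simply has many sales from one whose sales all come from a single issuer.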

In Conclusion:

By leveraging visual analytics, the analyst was able to import a large amount of Point of Sale transactional data, gain a holistic understanding of the activity present, drill down by time to discover irregular patterns, and confirm the fraud or compromise threat easily and intuitively.

As opposed to traditional data mining and analysis, patterns of irregular activity can be surfaced through visual analytics in fewer transactions than would be required to become statistically relevant in standard data mining.

Because visual analytics provides a holistic overview of all the data, not just segments of it, a greater understanding into the differentiating patterns between normal activity and irregular activity can be intuitively identified.

For a complete interactive example of leveraging visual analytics for Point of Sale fraud and compliance please view the attached video:

Leveraging Visual Analysis to Combat Remittance and Online Transaction Fraud

Online financial transactions pose a number of real fraud and compliance risks. The fraud rate for eCommerce-driven transactions for traditional retailers is 5%, but remittance and financial companies face a much higher threat, from both a compliance standpoint and an elevated fraud threat, when dealing with actual currency as opposed to goods and services.

As remittance companies have moved online and to mobile based peer to peer financial transfers, the time required to identify emerging fraud and compliance issues has decreased significantly, making proactive analysis more important than ever. With the bar being set lower every day to expedite transactions, transferring money from sender to receiver in ever shorter periods of time, remittance and financial companies need new ways to proactively identify fraud and compliance threats to mitigate risk.

In this article we are going to examine ways to leverage visual analysis to detect patterns and trends in remittance transaction fraud and compliance issues from internet, eCommerce and mobile based financial transactions. We are going to explore ways to utilize visual analytics for proactive fraud and compliance mitigation as well as improved "know your customer" (KYC) response and analysis from network captured attributes.

Fraud and Compliance Threat Identification

While the current trend in mobile and internet based remittance and financial related transactions lacks in person verification, network driven transactions do contain attributes which can be utilized for proactive fraud and compliance identification. By utilizing the attributes captured during network based transactions within a visualization, we can detect clusters, velocities and relationships existing within the data that are abnormal from the regular production flow within your financial framework.

To begin we are going to import six months of remittance transactions destined for a specific geography. As fraud and compliance trends and regulations are very geo specific, it is important to analyze the data as it pertains to the geography that the transaction is destined to.

There are a number of attributes captured from our mobile and internet based remittance flow that can help us establish unique identities and hierarchies of both the sender and the recipient within our visualization.

Within our visualization I have established a hierarchy for the sender of the transaction based on the account country, state and city and the originating IP address utilized for the transaction. For mobile based transactions we would utilize the latitude and longitude of the mobile device and the IMEI or SIM serial numbers from the transaction along with any relevant linked account information from the subscriber if it were available.

For the recipient, I am going to use a combination of attributes obtained from the transaction that identifies the recipient, but I am also going to utilize some of the attributes captured from the sender's mobile device or computer to help rationalize the relationships between sender and recipient. While this might sound counterintuitive, there is a good reason to utilize this relationship when performing fraud and compliance analysis. The recipient of remittance transactions has the lowest verification threshold, since the information regarding the recipient is always provided by the sender themselves.

It stands to reason that in fraudulent transactions, the device being used to generate the transaction is actually being utilized by the recipient or a group associated with the recipient. Second, as the recipient's information is being supplied by the sender, from a compliance standpoint, it is important to know how many unique devices are sending to a single recipient to detect patterns in compliance related illegal or prohibited activity.

Let's take a compliance example: the funding of online gaming. Within our visualization we would want to look for large numbers of independent devices sending funds to a single or related group of individuals, with large dollar amounts at increased velocities compared with the normal remittance flow. By understanding through visualization what the normal pattern of remittance activity looks like, we can quickly and intuitively discern adverse patterns which are indicative of fraud or compliance threats.

From a high level view of my remittance transaction activity within the SynerScope visualization, I can begin identifying those entities with much higher than normal velocities. From what I call "low hanging fruit", even at the highest level of visualization I can begin identifying targets of investigation based on unusual patterns in their relationships and velocity of transactions over time. This is made significantly easier within SynerScope, as a visualization of relationships and a visualization of the sequence of events are displayed within one user interface and are completely interactive with each other.

Let's start by examining the entities with the highest velocities of interrelationships within our visualization. These are identified within the tool by adjusting the weight given to specific entities that have the most interrelation and velocity, or in social networking terms, centrality and betweenness.

From our high level view we can see large velocities on the sender side emanating from two specific IP addresses from Phoenix Arizona and a corresponding velocity from a specific device utilizing a specific OS located in Chihuahua Mexico that is outside the average velocity from the normal flow of remittance transactions present.

By hovering over the connecting bundle from the recipient I can determine whether these two entities are related to one another, or determine which relationships exist. Additionally, because SynerScope provides an interactive sequence view, I can also rationalize when the transactions are taking place and at what velocity. As it turns out, these two entities are related, engaged in P2P remittance flow between one of the enlarged IP addresses in Phoenix AZ and the suspect recipient in Mexico. The transactions are also occurring at high velocity over very short time spans, which is indicative of fraudulent activity, as represented within the sequence view.

By hovering over the connecting bundle from the IPs within Arizona I can see that the secondary IP is associated with multiple remittance transactions destined for several different locations within Mexico. To gain a better understanding of the relationship between that specific IP and the transactions being generated, I can right click on the highlighted bundle to examine the underlying production data from the transaction.

What we can see from the underlying data is that we have a large volume of remittance transactions being generated from a specific IP within Arizona to multiple OS and device IDs located in and around Chihuahua Mexico, all destined for recipients with the same last name. In some cases multiple transactions are being performed within seconds of each other. The pattern of remittance transactions is highly suspect and an activity that I am going to want to mitigate as quickly as possible to minimize fraud exposure.

Drilling down into time, I can begin exploring for smaller fraud and compliance trends that may be emerging over time. I will select a period of time within SynerScope's sequential event viewer and explore remittance transactions that have occurred within the past day.

From this visualization I can see that there is an emerging velocity in transactions coming from a specific IP address within California that seems to have a velocity greater than the normal flow of transactions. By hovering over the connecting bundle, I can see that the IP within California is connected to a recipient in Michoacan Mexico associated with a specific OS and device ID.

By right clicking on the highlighted bundle and examining the underlying remittance information, I can determine that all of the transactions are destined for a recipient with the same last name and that the transactions are occurring over very short time spans, a red flag for fraudulent activity.

From a compliance standpoint, in my visualization I want to identify those recipients who have a large velocity of transactions coming from multiple unrelated senders in multiple geographies. Within my SynerScope visualization, I can examine and drill down into recipients who have large number of connections to multiple unrelated senders with a large velocity of remittance transactions destined for a single recipient.

In this sample visualization we see a single recipient who is receiving remittance transactions from senders and IPs located in nine different states. By examining the underlying data, I see that the transactions are all for $50 and that the recipient's location is one known to operate underage web cam shows. As an analyst familiar with this type of activity, I know that the rate often charged by these individuals is between $50 and $100. By visualizing and understanding that multiple people are sending to this same recipient with consistent transaction amounts, and having information on the activity which occurs in this area, I can closely examine these transactions for patterns of adverse compliance violations.
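The fraud pattern (one sender IP feeding many devices and recipients sharing a last name, seconds apart) and the compliance pattern (one recipient funded by many unrelated senders across states, always for the same amount) are mirror images: fan-out from a sender and fan-in to a recipient. The following is an added example written for this page, not code from the page or from SynerScope, that computes both over a constructed transaction set. The IP addresses are from documentation ranges, the device IDs, recipient IDs and "SURNAME-x" values are placeholders, and the thresholds (three devices, five senders) are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed remittance records. IPs are documentation-range addresses; names,
# device IDs and recipient IDs are placeholders.


def build_remittances():
    t0 = datetime(2024, 6, 1, 12, 0, 0)
    rows = []
    # Normal traffic: one-off transfers, distinct senders, devices and recipients.
    for i in range(6):
        rows.append({"ts": t0 + timedelta(hours=i), "sender_ip": f"198.51.100.{i + 1}",
                     "sender_state": "TX", "device_id": f"DEV-N{i}", "recipient": f"R-{i}",
                     "recipient_last": f"SURNAME-{i}", "recipient_city": "Monterrey",
                     "amount": 120.0 + 10 * i})
    # Fan-out: one Phoenix IP pushing money to four different devices in Chihuahua,
    # every recipient with the same last name, transfers seconds apart.
    for i in range(4):
        rows.append({"ts": t0 + timedelta(minutes=5, seconds=20 * i),
                     "sender_ip": "203.0.113.7", "sender_state": "AZ",
                     "device_id": f"DEV-X{i}", "recipient": f"R-X{i}",
                     "recipient_last": "SURNAME-A", "recipient_city": "Chihuahua",
                     "amount": 400.0})
    # Fan-in: nine unrelated IPs in nine states each sending exactly 50.00 to one recipient.
    for i, state in enumerate(["CA", "NY", "FL", "WA", "IL", "OH", "GA", "CO", "NV"]):
        rows.append({"ts": t0 + timedelta(days=i), "sender_ip": f"192.0.2.{i + 10}",
                     "sender_state": state, "device_id": f"DEV-F{i}", "recipient": "R-500",
                     "recipient_last": "SURNAME-B", "recipient_city": "Tijuana",
                     "amount": 50.0})
    return rows


def sender_fan_out(rows, min_devices=3):
    """Sender IPs whose transfers reach at least min_devices distinct receiving devices.
    Reports how many recipient surnames are involved and the tightest gap between transfers."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["sender_ip"]].append(r)
    out = []
    for ip, rs in by_ip.items():
        devices = {r["device_id"] for r in rs}
        if len(devices) < min_devices:
            continue
        times = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out.append({"sender_ip": ip, "devices": len(devices),
                    "recipients": len({r["recipient"] for r in rs}),
                    "last_names": len({r["recipient_last"] for r in rs}),
                    "min_gap_seconds": int(min(gaps)) if gaps else None})
    return out


def recipient_fan_in(rows, min_senders=5):
    """Recipients funded by at least min_senders distinct sender IPs. Reports the number
    of sender states and how concentrated the amounts are on one value."""
    by_recipient = defaultdict(list)
    for r in rows:
        by_recipient[r["recipient"]].append(r)
    out = []
    for recipient, rs in by_recipient.items():
        ips = {r["sender_ip"] for r in rs}
        if len(ips) < min_senders:
            continue
        amount, n = Counter(r["amount"] for r in rs).most_common(1)[0]
        out.append({"recipient": recipient, "senders": len(ips),
                    "states": len({r["sender_state"] for r in rs}),
                    "modal_amount": amount, "modal_share": round(n / len(rs), 2)})
    return out


if __name__ == "__main__":
    rows = build_remittances()
    print("fan-out:", sender_fan_out(rows))
    print("fan-in:", recipient_fan_in(rows))
```

The `last_names` and `modal_share` fields carry the context the text relies on (same surname on the fraud side, a fixed $50 on the compliance side); the counts alone would also flag a legitimate remittance agent serving many customers, so the analyst still reviews the underlying rows as the text describes.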


By leveraging the power of visual analytics, remittance and financial transactions from mobile and web based systems can be holistically analyzed for patterns in fraud and compliance issues. Most of the issues that we examined within our visualization may not have surfaced within normal data mining as the volume of the transactions themselves in comparison to the overall transaction volume, may have made them statistically irrelevant.

Through visual analysis within SynerScope, mobile and web based remittance transactions can be examined more intuitively. By knowing the visual pattern represented by normal transaction flow, even small numbers of transactions which may go unnoticed in traditional data mining and fraud modeling efforts, surface easily when represented visually both through relationship and through sequence in time.

To gain a better perspective of leveraging visual analytics for mobile and web based remittance and financial transactions please view the attached video.

**Note: All Data Used In This Example Is Random With No Association To Actual Events**

Using Visual Analysis for Forensic Accounting

Those engaged in forensic accounting know that parsing multiple ledgers with thousands of entities to detect potential issues can be a monumental task. In much the same way we have talked about utilizing visual analytics for a variety of fraud, compliance and threat related tasks, visual analysis holds value to those engaged in forensic accounting.

For my example we are going to import ledger data from a forensic audit into SynerScope for visualization. The hierarchies we establish are payable accounts to receivable accounts as shown in the illustration below.

SynerScope visualizes direction of travel with green being sending entities and red being receiving entities. When you combine green with red, you get black entity bundles which helps us quickly identify accounts which may be entry errors, out of balance or wrong debit or credit entries within the ledger. This assists the forensic accountant or fraud examiner, by identifying potential problematic activity and accounts for further examination. With one of the hardest chores in accounting or fraud examinations being where to start, you can see by leveraging visual analysis that chore is significantly reduced.

There are two simultaneous and interactive visualizations being produced within SynerScope, a Dynamic Relationship Diagram which indicates the flow of debit and credit entries between the payable to receivable accounts and a Sequential Event Viewer or Time Diagram, showing events in order of occurrence. The forensic accountant or fraud examiner can use either of the visualizations to drill down and examine their data.

Within the Sequential Event Viewer, there are four distinct blocks of activity occurring within the ledger transactions. Random events when visualized appear as noise. This noise is important when leveraging visual analysis to allow the analyst to differentiate between normal or random activity and structured activity. As a general rule in all types of visual analysis, random activity is good and represents the normal flow of operations while structured, clustered or interrelated activity is questionable and needs to be carefully examined for threats.

Let's start by drilling into the first noise block within the Sequential Event Viewer. Within the Dynamic Relationship View, most debit and credit transactions overlap, which creates black connecting bundles. From a high-level view of the relationship visualization, what jumps out at us are the red and green connecting bundles, which indicate an imbalance. By hovering over the bundles of interest we get an interactive perspective of when these transactions occur in time. By right clicking on the highlighted bundle, we can surface the underlying data for examination of the event. The most condensed and interesting bundle is activity from company results to foreign debt; the amounts are significant, with most being over $100k.

Moving to the next block of data within the Sequential Event Viewer, the visualization clearly shows money being paid out from the cash accounts to the customer accounts. Curiously, when hovering and right clicking on the bundles, the amounts are standardized and repeating for very low transaction amounts. This could be an attempt on the accountant's part to "bury the needle in the haystack".

Within the same time frame there is a subset of structured activity occurring. By drilling down into this second set of structured transactions we see that they are recurring payments, all for the same amount.

Another interesting observation is a circular visualization object which appears to be correction entries from the ledger. By examining the underlying data they are repeating entries for a very low amount.

The next block of structured data within the Sequential Event Viewer shows almost the reverse of the previous block, with money from the customer accounts returning to the cash account. However, there are some strange occurrences surfacing in our visualization. It would appear that there are direct transactions between the customer accounts without any GLA coming into play. Basically, it would appear as if we have customers paying each other within the ledger. By examining the underlying data, these amounts are typically not very large and should not be appearing within the ledger at all.

In the next block of transactions within the Sequential Event Viewer, we see more of the same types of transactions we saw in the first noise block: overlapping credit and debit transactions which show as black within the bundles in the Dynamic Relationship View. What also jumps out in this visualization are the green and red bundles to accounts, which indicate an imbalance.

There are three blocks of activity occurring in this last set of data within the Sequential Event Viewer, a block of random transactions, followed by a subset of structured transactions followed by another block of seemingly random transactions. By looking at the last sub-block in the visualization we see a repeating pattern of money being paid out from a debit account to an internal cash account for a large amount of money. This could be a strong indicator that the underlying repeating transactions from the two structured blocks within the sequence view were created to hide a large amount of money being siphoned from the company.
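The ledger checks walked through above, as an added Python example that is not SynerScope's or this site's own code: it runs over a small constructed ledger and flags the same patterns (account pairs whose debits and credits do not cancel, large one-way flows, repeating identical amounts, and customer-to-customer entries that bypass the GL accounts). All account names and amounts are made up.

```python
from collections import Counter, defaultdict

# Constructed ledger entries: (sequence, debit_from, credit_to, amount in dollars).
# Account names are hypothetical; CASH/RESULTS/FOREIGN-DEBT stand in for GL accounts.
LEDGER = [
    (1, "CASH", "CUST-A", 1500.00), (2, "CUST-A", "CASH", 1500.00),  # offsetting pair -> black
    (3, "RESULTS", "FOREIGN-DEBT", 120000.00),                       # one-way, large -> red/green
    (4, "CASH", "CUST-B", 9.99), (5, "CASH", "CUST-B", 9.99),
    (6, "CASH", "CUST-B", 9.99),                                     # repeating low amounts
    (7, "CUST-A", "CUST-B", 25.00),                                  # customer to customer, no GLA
]
GL_ACCOUNTS = {"CASH", "RESULTS", "FOREIGN-DEBT"}

def unbalanced_pairs(ledger, tolerance=0.005):
    """Net flow between each pair of accounts. Pairs whose sends and receives cancel
    are the 'black' bundles; whatever remains is the red/green imbalance. Positive
    means net flow from the first-named account of the pair to the second."""
    net = defaultdict(float)
    for _, src, dst, amt in ledger:
        a, b = sorted((src, dst))
        net[(a, b)] += amt if src == a else -amt
    return {pair: round(v, 2) for pair, v in net.items() if abs(v) > tolerance}

def large_one_way(ledger, threshold=100000.0):
    """Unbalanced pairs whose net amount exceeds the threshold (the >$100k bundles)."""
    return {p: v for p, v in unbalanced_pairs(ledger).items() if abs(v) > threshold}

def repeating_amounts(ledger, min_repeats=3):
    """Identical (from, to, amount) entries seen min_repeats or more times:
    the standardised, repeating low-value transactions."""
    counts = Counter((src, dst, amt) for _, src, dst, amt in ledger)
    return {key: n for key, n in counts.items() if n >= min_repeats}

def customer_to_customer(ledger, gl_accounts):
    """Entries that move money directly between two non-GL accounts."""
    return [e for e in ledger if e[1] not in gl_accounts and e[2] not in gl_accounts]
```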

In summary, from this article you can see that visual analytics can be a great resource to those involved in internal auditing, forensic accounting and fraud examinations. While it does not eliminate the steps involved in such audits, it gives the examiner areas on which to focus and a holistic concept of the flow of transactions within the ledger.

For a complete perspective on leveraging SynerScope for forensic accounting and fraud examinations, please view the following video.

Using Visual Analysis for Network Threat Detection

The amount of data accumulated in network threat detection is massive. Even during live captures of network traffic, being able to identify emerging threats and irregular activity is difficult using traditional data mining, filtering and legacy visual analytic programs that were all designed around a time when data logs were significantly smaller and threats less complicated.

I will address the challenge of network threat detection through next generation visual analytics using scenarios commonly tasked to network threat analysts and investigators: malware forensics, network visualization, and IRC or chat log analysis.

Malware Forensics and Network Threats:

Determining the anatomy of network threats and malware requires the network analyst to understand how the threat originated, spread and ultimately impacted the users. Stopping or mitigating network threats additionally requires determining the "signature" of the malware and the network vulnerabilities involved, and establishing appropriate countermeasures to make the threat benign.

Through visual analytics, the first step is gathering all the data available from network packet logs and server logs to get an overview of the issue. In this example we are going to deploy SynerScope to assist us with our visual analysis of a network attack by uploading our network log information (over 150,000 lines of data) to provide a holistic view of the threat.

SynerScope has several interactive representations for the network analyst. First is the relationship view, which shows which geographies and IP addresses are related within the network logs. Second, SynerScope displays the direction of travel between the related entities, with red being the receiving and green the sending network points. Third, SynerScope provides an interactive visualization of the sequence of events to the right, which allows us to simultaneously view relationship, direction and sequence.

Immediately apparent from the holistic or full view is a command and control server which has a large amount of centrality within our visualization. Sending to the command and control server are two groups of IP addresses located in two specific geographies. These two areas, represented by the cluster of green bundles, are only sending information to the command and control server and are not receiving any information back.

Within the sequence view, we can see a group of structured network traffic sending and receiving to the same area at the earliest point within our data. By drilling into that block of structured traffic, we can see within the relationship view how the planning and execution of the attack began.

Moving forward within the sequence visualization, we can see how, once planning and execution are complete, the command and control server begins to reach out to the infected hosts. Through visualization of the data within SynerScope we can follow the progression of the network threat as the command and control server begins compromising networks in different geographical areas.

Network Visualization

To aid network security and threat analysts, leveraging visual analytics to gain a real time understanding of network traffic is essential. Accomplished in the past through data mining and statistical analysis, this process could not occur in close to real time and was a manpower intensive task undertaken daily.

Through SynerScope's visual analytic capabilities, I can feed in information from my network and gain a visual representation of the traffic that is occurring at any point in time to look for potential network threats and irregularities that need to be addressed.

I begin by uploading network activity logs into SynerScope to gain a holistic view of all network protocols, IPs and devices currently utilizing my network, and to look for signatures of concern.

By isolating down on certain protocols or IP addresses through the relationship and sequential views within the program and utilizing the color coding of direction provided by SynerScope I can drill down into specific events that I want to further examine.

Once I have isolated a specific signature of concern, I can execute the data stream view within SynerScope to examine the raw underlying data constructing my visualization to confirm or refute if the signature contains a threat to my network or is benign activity that I do not need to be concerned with.

Chat and IRC Log Visualization

Those tasked with investigation and forensic discovery within IRC or chat logs know that determining the activity, flow of conversation and content can be a monumental task given the volume of information present.

By utilizing visual analytics and the capabilities within SynerScope, I can save countless investigation and forensic hours. Visual representations of velocities and structure quickly show which entities have the greatest betweenness or centrality within the social network of the logs, the direction of communication, and the times at which the conversations occur, all interactively.

By importing the log data I have for my investigation and leveraging SynerScope's visual analytic tools to look for velocities and direction of travel I can quickly identify those individuals engaged in the most activity within the data.

By hovering over the bundles within the relationship view, I can view the time and sequence of the conversations between the active individuals to determine the rate, dates and time the persons of interest are most engaged in communication.

Finally, by drilling down on the individuals I am most interested in for my investigation, I can execute SynerScope's data stream view to visualize the conversation in the order in which it occurred, to determine whether the content of the communication is relevant to my investigation or whether I should move on to other entities within my investigation.
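The two centrality observations above, the command and control server that dominates the network logs with senders that never receive anything back, and the participant with the greatest betweenness in a chat log, as an added Python example that is not SynerScope's or this site's own code. It parses constructed "timestamp source destination" log lines (every address is made up), computes inbound and outbound degree per node, lists the send-only nodes, and computes betweenness centrality with Brandes' algorithm; the same functions apply to a chat log with nicknames in place of addresses.

```python
from collections import defaultdict, deque
# Constructed log lines ("timestamp source destination"); every address is hypothetical.
LOG = """\
2024-01-01T00:00:01 10.0.1.5 203.0.113.9
2024-01-01T00:00:02 10.0.1.6 203.0.113.9
2024-01-01T00:00:03 10.0.2.7 203.0.113.9
2024-01-01T00:00:04 203.0.113.9 192.168.5.20
2024-01-01T00:00:05 192.168.5.20 203.0.113.9
2024-01-01T00:00:06 192.168.5.20 192.168.5.21
"""

def parse_edges(log):
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def degrees(edges):
    """Per node: (inbound, outbound) edge counts; inbound is the red receiving end."""
    in_deg, out_deg = defaultdict(int), defaultdict(int)
    for _, src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    return {n: (in_deg[n], out_deg[n]) for n in set(in_deg) | set(out_deg)}

def send_only(edges):
    """Nodes that only ever send: green bundles with nothing coming back."""
    return sorted(n for n, (i, o) in degrees(edges).items() if i == 0 and o > 0)

def betweenness(edges):
    """Brandes' algorithm (directed, unnormalised): shortest paths through each node."""
    adj = defaultdict(set)
    for _, s, d in edges: adj[s].add(d)
    nodes = set(adj) | {d for ds in adj.values() for d in ds}
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        stack, pred = [], {v: [] for v in nodes}
        sigma, dist = dict.fromkeys(nodes, 0), dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths (sigma) and predecessors
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while stack:  # back-propagate dependencies in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc
```

In the constructed data the node with the highest inbound degree and betweenness is 203.0.113.9 (the C2 role), and the three 10.x hosts are send-only.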

The following video provides a comprehensive look at SynerScope for Network Threat Detection:


Through the examples within my article, you can see how leveraging visual analytics in network investigations can aid in more rapid discovery of threats and irregular activity. It allows analysts and investigators to save countless hours through immediate discovery of relevant activity, and it can increase understanding of network threat issues and the solutions to them, mitigating the threat and minimizing exposure more rapidly.

** Note ** Some image items within this article were blurred or distorted to protect private information

Visual Analysis of Large Datasets

Challenges to Visual Analysis for Large Datasets

While data has been continually growing, the tools with which to visualize and discover what is in that data have not significantly changed over the past ten years. Analysts are challenged with larger and larger amounts of information in which to find problematic trends and patterns, yet the tools they are using have not evolved to meet the demand.

Today’s analysts need the ability to visualize their entire landscape of information, not bits and pieces. The complex nature of fraud, internet crimes, network threats and finance demands a visualization tool that can holistically view and leverage the vast amount of information that is being generated in the technical age.

When an organized criminal ring is targeting your organization, hours could mean millions of dollars, yet those tasked with discovering these trends are outmatched when using today’s visual analysis technology, costing time, valuable resources and your organization's assets.

Today’s online and mobile driven transactions have opened the door to a new generation of fraud. Hiding behind a veil of assumed anonymity and the ability to operate anywhere in the world has led to an increased emergence of organized threats to businesses whose front door to their goods and customer information is no longer protected by brick and mortar.

Twenty years ago, credit card fraud was face to face crime carried out one by one against their victims. A credit card fraud ring used to rely on theft and counterfeiting to carry out their crimes. The complexity and risk involved limited their ability to conduct all but a few transactions per day.

At the same time, businesses were conducting only several hundred transactions a day at their physical locations. Detecting fraud was a task made much simpler by simple record review and investigation. Trends were much easier to spot as the number of fraudulent transactions were few and easily stood out among the legitimate within the documentation.

Twenty years later, fraud is no longer a face to face crime. An organized credit card fraud ring can operate from thousands of miles away. The only risk and overhead involved is a laptop and an internet connection. Businesses are no longer processing hundreds of transactions a day at their stores; now it’s thousands at a location that is open 24 hours a day, 7 days a week.

Thousands of transactions a day means thousands of lines of data, each containing a multitude of attributes now captured in eCommerce. Buried among these gigabytes of attributes hide fraudulent transactions, but finding them has become the modern day equivalent of looking for a needle in a haystack.

While the world of organized financial fraud has become more sophisticated and wide spread, the tools to detect them have lagged behind, still firmly rooted in the days of brick and mortar face to face crime.

Fraud analysts and your business need a way to level the playing field. Businesses demand better ways to identify fraud trends much faster, as in today’s eCommerce hours can mean thousands of dollars in exposure.

SynerScope was created to quickly find the needle in the haystack of your transactions. Realizing that analysts need as wide of a view as possible of the important attributes within your data that identify fraud, SynerScope has been designed to visually show the relationships in your data and the sequence in which they occur over a much larger period of time.

Analysts require as much information as they can get their hands on to tackle today's threats. After all, how can you find the needle if you are only looking at a corner of the haystack?

Visual analytics in the past has relied upon finding relationships between entities through a one to one representation. A transaction is associated with an IP address, that IP address is linked to ten other transactions each represented as an individual entity. While this method was efficient when data and transactions were relatively small, it was inefficient when dealing with large amounts of information.

SynerScope, through the use of forced edge bundling and representing data through specified hierarchies, allows the analyst to visualize concurrent relationships over a significantly larger set of data than previously possible. The larger the amount of data which can be visualized, the longer the period of time which is available to the analyst. This is key to the analyst’s ability to visually detect trends which run contrary to the normal flow of business, leading to much faster proactive identification of threats.

Just as important as the relationships which exist between entities within the fields of data is the time and sequence in which they occur. This has previously been overlooked in legacy visualization software where the analyst was able to visualize relationships or events over time but never both simultaneously.

Today’s fraud analysis requires the ability to detect fraud both as the events relate to one another and in the sequence in which they occurred. SynerScope provides the ability for the analyst to leverage relational and sequential visual analytics within one workspace, increasing the field to a complete 360° representation of the data.

SynerScope has been designed to give the analyst all the resources required to visualize activity and relationships for effective identification within one workspace.

Within SynerScope's primary analytical space the analyst can view, drill down and manipulate their visualization through:


Sequence of Events

Time of Events