I will address the challenge of network threat detection through next generation visual analytics using two different scenarios commonly assigned to network threat analysts and investigators: malware forensics and network visualization, and IRC or chat log analysis.
Malware Forensics and Network Threats:
Determining the anatomy of a network threat or malware infection requires the network analyst to understand how the threat originated, how it spread, and how it ultimately impacted users. Stopping or mitigating network threats additionally requires determining the "signature" of the malware and the network vulnerabilities involved, and establishing appropriate countermeasures to render the threat benign.
Through visual analytics, the first step is gathering all available data from network packet logs and server logs to get an overview of the issue. In this example we deploy SynerScope to assist with our visual analysis of a network attack, uploading our network log information (over 150,000 lines of data) to provide a holistic view of the threat.
SynerScope offers several interactive representations for the network analyst. First is the relationship view, which shows which geographies and IP addresses are related within the network logs. Second, SynerScope displays the direction of traffic between the related entities, with red marking the receiving and green the sending network points. Third, SynerScope provides an interactive visualization of the sequence of events, to the right, which allows us to view relationship, direction and sequence simultaneously.
Moving forward within the sequence visualization, we can see how, once planning and execution are complete, the command and control server begins to reach out to infected. Through
Network Visualization
To aid network security and threat analysts, leveraging visual analytics to gain a real-time understanding of network traffic is essential. In the past this was accomplished through data mining and statistical analysis; that process could not occur in anything close to real time and was a labor-intensive task undertaken daily.
Through Syne
I begin by uploading network activity logs into SynerScope to gain a holistic vie
By isolating certain protocols or IP addresses through the relationship and sequential views within the program, and using the direction color coding SynerScope provides, I can drill down into the specific events I want to examine further.
Once I ha
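The three views described above (relationship, direction, and sequence) and the drill-down by protocol or IP address can be reproduced in plain code. The following is an added example, not SynerScope's code and not from the article: it parses a small constructed flow log (timestamp, source, destination, protocol, destination port, bytes), builds the relationship and direction summaries, filters the sequence for drill-down, and flags hosts that reach out to many distinct peers, which is the pattern the article describes for a command and control server contacting infected hosts. The log format and all addresses are assumptions.

```python
"""Relationship, direction and sequence views over a network flow log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from the article): timestamp src dst proto dport bytes
SAMPLE_LOG = """\
2023-03-01T09:00:01 10.0.0.5 203.0.113.10 tcp 443 1200
2023-03-01T09:00:03 10.0.0.5 203.0.113.10 tcp 443 800
2023-03-01T09:00:07 10.0.0.9 203.0.113.10 tcp 443 600
2023-03-01T09:01:00 203.0.113.10 10.0.0.5 tcp 4444 150
2023-03-01T09:01:02 203.0.113.10 10.0.0.9 tcp 4444 150
2023-03-01T09:01:05 10.0.0.9 10.0.0.12 udp 53 90
2023-03-01T09:01:30 203.0.113.10 10.0.0.12 tcp 4444 150
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into events sorted by time (the sequence view)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def relationship_view(events):
    """Relationship view: how many flows connect each (src, dst) pair."""
    return Counter((e["src"], e["dst"]) for e in events)


def direction_view(events):
    """Direction view: per host, flows it sent (green in the article) and received (red)."""
    sent, received = Counter(), Counter()
    for e in events:
        sent[e["src"]] += 1
        received[e["dst"]] += 1
    hosts = set(sent) | set(received)
    return {h: {"sent": sent[h], "received": received[h]} for h in hosts}


def drill_down(events, proto=None, host=None, dport=None):
    """Narrow the sequence to a protocol, a host (either side) or a destination port."""
    out = []
    for e in events:
        if proto and e["proto"] != proto:
            continue
        if host and host not in (e["src"], e["dst"]):
            continue
        if dport and e["dport"] != dport:
            continue
        out.append(e)
    return out


def fan_out_hosts(events, min_peers=2):
    """Hosts that initiate flows to at least min_peers distinct destinations.

    A single external host reaching out to many internal hosts on the same port is
    the shape the article describes for a command and control server; this only
    surfaces candidates for the analyst to examine in sequence order.
    """
    peers = defaultdict(set)
    for e in events:
        peers[e["src"]].add(e["dst"])
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pair, n in relationship_view(evs).most_common():
        print(f"{pair[0]:>14} -> {pair[1]:<14} {n} flow(s)")
    print(direction_view(evs))
    for e in drill_down(evs, dport=4444):
        print(e["ts"].isoformat(), e["src"], "->", e["dst"], e["proto"], e["dport"])
    print(fan_out_hosts(evs, min_peers=3))
```

Reading the drill-down output in time order is the equivalent of stepping through the sequence visualization: the internal hosts contact the external address first, and that address later initiates connections back to each of them on one port.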
Chat and IRC Log Visualization
Those tasked with investigation and forensic discovery within IRC or chat logs know that determining the activity, flow of conversation and content can be a monumental task given the volume of information present.
By utilizin
By impo
By hovering over the bundles within the relationship view, I can view the time and sequence of the conversations between the active
Finally, by drilling down on the individuals of most interest to my investigation, I can use SynerScope's data stream view to visualize the conversation in the order in which it occurred, to determine whether the content of the communication is relevant to my investigation or whether I should move on to other entities.
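The same workflow on a chat log (who talks to whom, how active each participant is, and then the ordered conversation for the individuals of interest) can be reproduced in code. The following is an added example, not SynerScope's code and not from the article: it parses a small constructed IRC log in the common "[HH:MM] <nick> message" form, infers the addressee from the usual "nick:" address prefix, builds the speaker-to-addressee relationship counts, and extracts the conversation involving selected participants in the order it occurred. The log format, the nicks and the addressing convention are assumptions.

```python
"""Who-talks-to-whom and ordered conversation extraction over an IRC log (added example)."""
import re
from collections import Counter

# Constructed sample IRC log (not from the article), "[HH:MM] <nick> message" per line
SAMPLE_IRC = """\
[21:00] <alice> anyone seen bob?
[21:01] <bob> alice: yes, I'm here
[21:02] <carol> bob: did you get the file?
[21:02] <bob> carol: not yet, send it again
[21:03] <dave> hello all
[21:04] <alice> bob, carol: let's take this to PM
[21:05] <carol> alice: ok
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d)\] <([^>]+)> (.*)$")


def parse_irc(text):
    """Parse log lines into messages; the line index keeps order when timestamps tie."""
    msgs = []
    for i, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            msgs.append({"seq": i, "time": m.group(1), "nick": m.group(2), "text": m.group(3)})
    return msgs


def addressed_nicks(text, known_nicks):
    """Nicks named before the first colon ("bob:" or "bob, carol:"), the usual IRC address form.

    Only nicks that actually spoke in the log are accepted, so a URL scheme or other
    text before a colon is not mistaken for an addressee.
    """
    if ":" not in text:
        return []
    head = text.split(":", 1)[0]
    names = [n.strip() for n in head.split(",")]
    return [n for n in names if n in known_nicks]


def speakers(msgs):
    return {m["nick"] for m in msgs}


def activity(msgs):
    """Messages per participant: a first cut at who is most active."""
    return Counter(m["nick"] for m in msgs)


def relationship_view(msgs):
    """Relationship view: count of messages from each speaker to each addressee."""
    known = speakers(msgs)
    rel = Counter()
    for m in msgs:
        for target in addressed_nicks(m["text"], known):
            rel[(m["nick"], target)] += 1
    return rel


def conversation(msgs, nicks):
    """Data-stream-style view: messages sent by or addressed to any of nicks, in log order."""
    nicks = set(nicks)
    known = speakers(msgs)
    out = []
    for m in sorted(msgs, key=lambda x: x["seq"]):
        targets = addressed_nicks(m["text"], known)
        if m["nick"] in nicks or nicks & set(targets):
            out.append((m["time"], m["nick"], targets, m["text"]))
    return out


if __name__ == "__main__":
    messages = parse_irc(SAMPLE_IRC)
    print(activity(messages).most_common())
    for (src, dst), n in relationship_view(messages).most_common():
        print(f"{src} -> {dst}: {n}")
    for time, nick, targets, text in conversation(messages, {"carol"}):
        print(time, nick, "->", ",".join(targets) or "(channel)", ":", text)
```

Hovering over a bundle in the relationship view corresponds here to looking up one (speaker, addressee) pair in `relationship_view`, and the drill-down on a person corresponds to `conversation`, which returns only the messages that person sent or was addressed in, in the order they occurred.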
The following video provides a comprehensive look at SynerScope for Network Threat Detection:
Conclusion:
Through the examples in this article, you can see how leveraging visual analytics in network investigations can aid in more rapid discovery of threats and irregular activity. It can save analysts and investigators countless hours by allowing immediate discovery of relevant activity, and it can increase understanding of network threat issues and the solutions to them, mitigating the threat more rapidly and minimizing exposure.
** Note ** Some image items within this article were blurred or distorted to protect private information