1. Visual Analytic Representation of Large Datasets for Enhancing Network Security
James Davey
Fraunhofer Institute for Computer Graphics Research IGD
Fraunhoferstraße 5
64283 Darmstadt
Phone +49 6151 155-655 | Fax -139
james.davey@igd.fraunhofer.de
www.igd.fraunhofer.de/igd-a3
www.vis-sense.eu
No. 257495
2. VIS-SENSE Organisation
Topic: Technology and Tools for Trustworthy ICT (2009.1.4)
Grant Agreement: STREP – 257495
Time Frame: 01.10.2010 until 30.09.2013
Budget: 3.32 million euro / 2.35 million euro EU contribution
6 partners from 4 countries:
Fraunhofer IGD (Germany) – Coordinator
CERTH / ITI (Greece)
Institut EURECOM (France)
Institut Telecom (France)
Symantec Ltd. (Ireland)
University of Konstanz (Germany)
3. Root-Cause Analysis
Use Case: Root-Cause Analysis
Overview of the Internet threat landscape
Zooming Out
7. Overview – Zooming Out
Features in an interactive map:
- Position
- Area
- Street hierarchy
- Etc.
Our Features:
- I.P. addresses
- Server names
- Email addresses
- Keyword sets
- Distributions
- Timestamps
- Etc.
8. Overview – Zooming Out
Features in an interactive map:
- Grouping is easy and unambiguous
Our Features:
- Grouping is difficult
- Grouping is ambiguous
- We need some definition of distance or similarity
Similarity Models
9. The TRIAGE(1) approach
Clustering based on Multi-Criteria Decision Analysis (MCDA)
Automatic grouping of elements likely to share the same root causes
Pipeline:
- Events (data fusion)
- Feature selection
- Per feature: Σ
- Multi-criteria aggregation
- Graph-based representation
- Multi-Dimensional Clusters (MDC's)
1) Triage (med.): process of prioritizing patients based on the severity of their condition
10. Definitions: Features, Entities
15. An example of a Rogue AV campaign
750 domains registered over a span of 8 months
Features:
- Domain name
- /24 network of web server
- Registrant email
- Registration date
16.
- domain name patterns
- use of whois privacy protection services
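The TRIAGE pipeline on slide 9 (per-feature similarity, multi-criteria aggregation, graph-based representation, multi-dimensional clusters) applied to the four Rogue AV features of slide 15, as an added example that is not VIS-SENSE or TRIAGE project code. The records, the per-feature similarity functions, the weights and the weighted-average aggregation are all assumptions chosen for illustration; the slides name the stages but do not specify these details.

```python
# Added example (not VIS-SENSE / TRIAGE project code): a TRIAGE-style pipeline
# over constructed rogue-AV-like domain registrations. The similarity
# functions, weights and weighted-average aggregation are assumptions.
from collections import deque
from datetime import date
from difflib import SequenceMatcher
import ipaddress
import re

# Constructed sample events, one per registered domain, carrying the four
# features from the Rogue AV slide. IPs are from documentation ranges.
RECORDS = [
    {"domain": "av-scanner-1.example", "ip": "203.0.113.10",
     "email": "reg-a@privacy-proxy.example", "registered": date(2010, 3, 2)},
    {"domain": "av-scanner-2.example", "ip": "203.0.113.11",
     "email": "reg-a@privacy-proxy.example", "registered": date(2010, 3, 5)},
    {"domain": "av-scanner-3.example", "ip": "203.0.113.200",
     "email": "reg-a@privacy-proxy.example", "registered": date(2010, 3, 20)},
    {"domain": "secure-pc-clean-7.example", "ip": "198.51.100.4",
     "email": "reg-b@privacy-proxy.example", "registered": date(2010, 7, 10)},
    {"domain": "secure-pc-clean-9.example", "ip": "198.51.100.77",
     "email": "reg-b@privacy-proxy.example", "registered": date(2010, 7, 12)},
    {"domain": "example-shop.example", "ip": "192.0.2.5",
     "email": "owner@example-shop.example", "registered": date(2010, 11, 1)},
]

# Assumed feature weights for the aggregation step (they sum to 1).
WEIGHTS = {"domain": 0.3, "ip": 0.25, "email": 0.25, "registered": 0.2}


def sim_domain(a: str, b: str) -> float:
    """Naming-pattern similarity: first label with digits removed, so
    'av-scanner-1' and 'av-scanner-2' count as the same pattern."""
    pa = re.sub(r"\d", "", a.split(".")[0])
    pb = re.sub(r"\d", "", b.split(".")[0])
    return SequenceMatcher(None, pa, pb).ratio()


def sim_network(a: str, b: str) -> float:
    """1.0 when both web servers sit in the same /24, else 0.0."""
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{b}/24", strict=False)
    return 1.0 if net_a == net_b else 0.0


def sim_email(a: str, b: str) -> float:
    """Exact, case-insensitive match on the registrant email."""
    return 1.0 if a.lower() == b.lower() else 0.0


def sim_date(a: date, b: date) -> float:
    """Linear decay: same day gives 1.0, 30 or more days apart gives 0.0."""
    return max(0.0, 1.0 - abs((a - b).days) / 30.0)


FEATURE_SIMS = {"domain": sim_domain, "ip": sim_network,
                "email": sim_email, "registered": sim_date}


def per_feature_similarity(r1: dict, r2: dict) -> dict:
    """Stage 'per feature': one similarity score per selected feature."""
    return {f: sim(r1[f], r2[f]) for f, sim in FEATURE_SIMS.items()}


def aggregate_similarity(r1: dict, r2: dict, weights: dict) -> float:
    """Stage 'multi-criteria aggregation': weighted average of the
    per-feature scores (a simple stand-in for an MCDA aggregation)."""
    sims = per_feature_similarity(r1, r2)
    return sum(weights[f] * sims[f] for f in weights)


def build_graph(records: list, weights: dict, threshold: float) -> dict:
    """Stage 'graph-based representation': events are nodes, and an edge
    joins two events whose aggregated similarity reaches the threshold."""
    adj = {i: set() for i in range(len(records))}
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if aggregate_similarity(records[i], records[j], weights) >= threshold:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def find_clusters(records: list, weights: dict, threshold: float) -> list:
    """Multi-dimensional clusters as connected components of the graph,
    returned as sorted index lists in order of their smallest member."""
    adj = build_graph(records, weights, threshold)
    seen, clusters = set(), []
    for start in range(len(records)):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        clusters.append(sorted(component))
    return clusters


if __name__ == "__main__":
    for cluster in find_clusters(RECORDS, WEIGHTS, 0.6):
        print([RECORDS[i]["domain"] for i in cluster])
```

With the threshold at 0.6 the three "av-scanner" registrations form one cluster (same /24, same registrant, same naming pattern, registered within weeks), the two "secure-pc-clean" registrations form a second, and the unrelated shop domain stays alone. The interesting knobs for an analyst are the weights and the threshold: lowering the weight on the registrant email, for instance, models the case where whois privacy services hide that feature.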