Closing-the-loop: discovery and search in security visualizations

Abstract

The tasks of security engineers include detecting attacks and responding to them. In order to accomplish this, a security engineer must be able to decide what behavior indicates an attack and then search for this behavior. Current security visualization tools provide rich and concise visualizations of network data that allow security engineers to determine the nature of attacks on the network. However, current security visualizations lack the ability for security engineers to search for these behaviors in the network logs. The process of finding interesting patterns in the data is called discovery, and finding instances of these patterns is called searching. Security engineers must do both discovery and search, but current security visualization tools only help in discovery. In this paper, we describe the modifications we have made to our security visualization tool, NVisionIP, that allow security engineers to not only discover patterns in the data, but also to search for those patterns in other data.