www.vis-sense.eu | No. 257495
Visual Analytic Representation of Large Datasets for Enhancing Network Security
James Davey, Fraunhofer Institute for Computer Graphics Research IGD, Fraunhoferstraße 5, 64283 Darmstadt
Phone +49 6151 155-655 | Fax | [email protected]/igd-a3
VIS-SENSE Organisation
6 partners from 4 countries:
- Fraunhofer IGD (Germany) – Coordinator
- CERTH / ITI (Greece)
- Institut EURECOM (France)
- Institut Telecom (France)
- Symantec Ltd. (Ireland)
- University of Konstanz (Germany)
Topic: Technology and Tools for Trustworthy ICT (2009.1.4)
Grant Agreement: STREP – 257495
Time Frame: 01.10.2010 until 30.09.2013
Budget: 3.32 million euro / 2.35 million euro EU contribution
Root-Cause Analysis
Use Case: Root-Cause Analysis
Overview of the Internet threat landscape
Zooming Out
Overview – Zooming Out
Overview – Zooming Out
Features in an interactive map:
- Position,
- Area,
- Street hierarchy,
- Etc.
Our Features:
- IP addresses,
- Server names,
- Email addresses,
- Keyword sets,
- Distributions,
- Timestamps,
- Etc.
Overview – Zooming Out
Features in an interactive map:
- Grouping is easy and unambiguous
Our Features:
- Grouping is difficult
- Grouping is ambiguous
- We need some definition of distance or similarity
Similarity Models
The TRIAGE (1) approach
- Clustering based on Multi-Criteria Decision Analysis (MCDA)
- Automatic grouping of elements likely to share the same root causes
[Diagram: Events → Feature selection → Per-feature graph-based representation → Multi-criteria aggregation (Σ, data fusion) → Multi-Dimensional Clusters (MDCs)]
1) Triage (med.): process of prioritizing patients based on the severity of their condition
Definitions
Entities
Features
Similarity – Models for Similarity
Per Feature Similarity Example – Real Numbers
Grouping with respect to different features
Aggregate Similarity Example
An example of a Rogue AV campaign
Features used:
- Registration date (750 domains registered over a span of 8 months)
- /24 network of the web server
- Domain name
- Registrant email
- domain name patterns
- use of whois privacy protection services
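As an added illustration (not VIS-SENSE or TRIAGE project code), here is a minimal Python version of the pipeline sketched on the TRIAGE slide, applied to constructed rogue AV registration records with the four features listed above (registration date, /24 of the web server, domain name, registrant email): per-feature similarity scores, a weighted-average aggregation (an assumption; the page does not describe TRIAGE's actual MCDA operators), and multi-dimensional clusters as connected components of the similarity graph above a threshold. The event values, weights and threshold are made up.

```python
from datetime import date
from itertools import combinations

# Constructed sample events (made-up values): five domain registrations,
# three of which belong to one campaign (same /24, same registrant, close dates).
EVENTS = [
    {"id": "d1", "domain": "av-scan-pro1.com", "ip": "203.0.113.10", "email": "reg1@example.net", "reg": date(2011, 3, 1)},
    {"id": "d2", "domain": "av-scan-pro2.com", "ip": "203.0.113.22", "email": "reg1@example.net", "reg": date(2011, 3, 5)},
    {"id": "d3", "domain": "av-scan-pro3.net", "ip": "203.0.113.40", "email": "reg1@example.net", "reg": date(2011, 3, 20)},
    {"id": "d4", "domain": "bank-login-secure.com", "ip": "198.51.100.7", "email": "other@example.org", "reg": date(2011, 5, 14)},
    {"id": "d5", "domain": "cheap-pills-now.biz", "ip": "192.0.2.5", "email": "third@example.org", "reg": date(2011, 8, 30)},
]

# Per-feature similarity functions, each returning a value in [0, 1].
def sim_ip24(a, b):  # web servers in the same /24 network
    return float(a["ip"].rsplit(".", 1)[0] == b["ip"].rsplit(".", 1)[0])
def sim_email(a, b):  # identical registrant email
    return float(a["email"] == b["email"])
def sim_regdate(a, b, window=30):  # linear decay over the registration-date gap (days)
    return max(0.0, 1.0 - abs((a["reg"] - b["reg"]).days) / window)
def ngrams(s, n=3):
    return {s[i:i + n] for i in range(len(s) - n + 1)}
def sim_domain(a, b):  # Jaccard overlap of character 3-grams captures naming patterns
    ga, gb = ngrams(a["domain"]), ngrams(b["domain"])
    return len(ga & gb) / len(ga | gb)

FEATURES = {"ip24": sim_ip24, "email": sim_email, "regdate": sim_regdate, "domain": sim_domain}
WEIGHTS = {"ip24": 0.3, "email": 0.3, "regdate": 0.2, "domain": 0.2}  # assumed weights

def similarity(a, b, weights=WEIGHTS):
    """Aggregation step: weighted average of the per-feature scores (assumed operator)."""
    scores = {f: fn(a, b) for f, fn in FEATURES.items()}
    return sum(weights[f] * s for f, s in scores.items()) / sum(weights.values())

def cluster(events, threshold=0.6, weights=WEIGHTS):
    """MDCs as connected components of the graph whose edges have similarity >= threshold."""
    parent = {e["id"]: e["id"] for e in events}  # union-find over event ids
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(events, 2):
        if similarity(a, b, weights) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for e in events:
        groups.setdefault(find(e["id"]), []).append(e["id"])
    return sorted(sorted(g) for g in groups.values())
```

Running `cluster(EVENTS)` groups d1, d2 and d3 into one multi-dimensional cluster and leaves d4 and d5 as singletons; changing the weights or the threshold shows how the aggregation step decides which root-cause groupings emerge.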
Spam Botnets – Inter-relationships
Features: Spam event, Bot name, Subject keywords
Bot names shown: Rustock, Grum, Cutwail, Mega-D, Unclassified
Thanks for Your Attention
James Davey, Fraunhofer IGD, Fraunhoferstraße 5, 64283 Darmstadt
Tel +49 6151 155-655 | Fax | [email protected]/igd-a3