Identifying Challenges in Cybersecurity Data Visualization Dashboards

Shirazi, Patrick, January 2020
Nowadays, a massive amount of cybersecurity data objects, such as security events, logs, and messages, are flowing through different cybersecurity systems. With the enormously fast development of different cloud environments, big data, IoT, and so on, these amounts of data are increasingly revolutionary. One of the challenges for different security actors, such as security admins, cybersecurity analysts, and network technicians, is how to utilize this amount of data in order to reach meaningful insights, so they can be used further for diagnosis, validation, forensic and decision-making purposes. In order to make use of and get meaningful insights from this data, we need to have efficient dashboards that simplify the data and provide a human-understandable presentation of it. Currently, there are plenty of SIEM and visualization dashboard tools that are using a variety of report generator engines to generate charts and diagrams. Although there have been many advances in recent years due to utilizing AI and big data, security professionals are still facing some challenges in using the visualization dashboards. During recent years, many research studies have been performed to discover and address these types of challenges. However, due to the rapid change in the way of working in many companies (e.g. digital transformation, agile way of working, etc.), and besides the utilization of cloud environments that are providing almost everything as a service, it is needed to discover what challenges are still there and whether they are still experiencing the same challenges or new ones have emerged. Following a qualitative method and utilizing the Delphi technique with two rounds of interviews, the results show that although the technical and tool-specific concerns really matter, the most significant challenges are due to the business architecture and the way of working.
Visualising network security attacks with multiple 3D visualisation and false alert classification

Musa, Shahrulniza, January 2008
Increasing numbers of alerts produced by network intrusion detection systems (NIDS) have burdened the job of security analysts, especially in identifying and responding to them. The tasks of exploring and analysing large quantities of communication network security data are also difficult. This thesis studied the application of visualisation in combination with an alerts classifier to make the exploring and understanding of network security alert data faster and easier. The prototype software, NSAViz, has been developed to visualise and to provide an intuitive presentation of the network security alert data using interactive 3D visuals with an integrated false alert classifier. The needs analysis of this prototype was based on the suggested needs of the network security analyst's tasks as seen in the literature. The prototype software incorporates various projections of the alert data in 3D displays. The overview was plotted in a 3D plot named the "time series 3D AlertGraph", which was an extension of 2D histographs into 3D. The 3D AlertGraph effectively summarised the alert data and gave an overview of the network security status. Filtering, drill-down and playback of the alerts at variable speed were incorporated to strengthen the analysis. Real-time visual observation was also included. Identifying true alerts among all alerts represents the main task of the network security analyst. This prototype software was integrated with a false alert classifier using a classification tree based on the C4.5 classification algorithm to classify the alerts into true and false. Users can add new samples and edit the existing classifier training sample. The classifier performance was measured using the k-fold cross-validation technique. The results showed the classifier was able to remove noise in the visualisation, thus making the pattern of the true alerts emerge. It also highlighted the true alerts in the visualisation.
Finally, a user evaluation was conducted to find the usability problems in the tool and to measure its effectiveness. The feedback showed the tools had successfully helped the task of the security analyst and increased the security awareness in their supervised network. From this research, the task of exploring and analysing a large amount of network security data becomes easier and the true attacks can be identified using the prototype visualisation tools. Visualisation techniques and false alert classification are helpful in exploring and analysing network security data.
