InViz: Instant Visualization of Security Attacks

Lucas Layman
Fraunhofer Center for Experimental Soft. Eng.
College Park, MD, USA
llayman@fc-md.umd.edu

Nico Zazworka
Fraunhofer Center for Experimental Soft. Eng.*
Frankfurt am Main, Germany
zazworka@gmail.com

* Nico Zazworka is now with Elsevier Information Systems GmbH.

ABSTRACT

The InViz tool is a functional prototype that provides graphical visualizations of log file events to support real-time attack investigation. Through visualization, both experts and novices in cybersecurity can analyze patterns of application behavior and investigate potential cybersecurity attacks. The goal of this research is to identify and evaluate the cybersecurity information whose visualization reduces the amount of time required to perform cyber forensics.

Categories and Subject Descriptors

K.6.m [Management of Computing and Information Systems]: Miscellaneous—security

General Terms

Security

Keywords

cybersecurity; visualization; log file; real-time analysis

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author. Copyright is held by the owner/author(s).
HotSoS'14 April 08 - 09 2014, Raleigh, NC, USA
ACM 978-1-4503-2907-1/14/04
http://dx.doi.org/10.1145/2600176.2600191

1. CHALLENGES IN ATTACK MONITORING

Network cybersecurity attacks take on many forms, from network breaches to denial-of-service attacks to insider threats exfiltrating sensitive data. A 2010 study by Verizon and the U.S. Secret Service found that 98% of data theft took place on network servers, and that 86% of victims had evidence of the breach in their log files [?]. Despite the presence of such evidence, most victims did not find the evidence of a breach until it was too late (see Figure ??). The lag time between attack, detection and containment can be attributed to shortcomings in automated cyber defense systems and to the challenges facing human users investigating cyberattacks.

The volume of network and log file information requires automated analysis solutions for detecting cybersecurity attacks. These automated systems are useful for processing large amounts of esoteric information, but a human agent (e.g., an IT administrator) must often step in to verify or investigate an attack in detail, usually by examining log files. The tools to support log file investigation are often primitive, frequently no more sophisticated than a text editor or Microsoft Excel [?]. Much current cybersecurity research focuses on automated detection of anomalous events or on defensive practices, often ignoring how to support the humans performing cyber forensics.

2. VISUALIZATION TO SUPPORT ATTACK MONITORING

The objective of this research is to identify, define, and evaluate graphical representations that are useful for investigating attacks in log files. Just as researchers investigate what information to show in an aircraft controller's display, fundamental research is needed to identify the ideal information display for a security expert (or novice) monitoring and investigating a potential security attack. Multi-dimensional information is required for a person (or automated agent) to verify an attack in real time.

To illustrate our cybersecurity visualization concepts, Fraunhofer CESE has created an initial research prototype called InViz – Instant Visualization of cybersecurity attacks (Figure ??, http://www.fc-md.umd.edu/inviz). The InViz cybersecurity visualizations combine concepts from glTail [?] and CodeVizard [?] to distill large amounts of information into a form more palatable to the user.

InViz transforms individual lines from a web server log file (easily adaptable to other formats) into objects that traverse the screen in real time as the log file lines are written. The size, shape, and color of the animated objects correspond to attributes of the log entry: size is the number of bytes sent, shape is the type of file (e.g., media vs. HTML), and color reflects the status code. Log event details are displayed in a table at the bottom. A timeline at the top shows the history of activity seen in the log file. InViz uses a DVD/DVR metaphor for playing the events in real time: users can play, pause, stop, and fast forward. Users can also specify where in the timeline they would like to start and end. InViz resolves IPs to hostnames automatically, and allows users to specify strings that are highlighted (e.g., known attack strings, hex characters). Finally, a user can filter on, highlight, or ignore events from particular requesters. A demonstration video of InViz's capabilities can be seen at http://www.fc-md.umd.edu.
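The following Python is an added illustration of the log-line-to-object mapping described above; it is example code written for this summary, not InViz's own implementation. It parses Apache/NGINX combined-format access log lines into the size/shape/color encoding, matches user-specified highlight strings against the percent-decoded request path (so encoding does not hide them) and flags hex-encoded characters, and drops requesters on an ignore list. The log format, the extension-to-shape split, the status-code palette and the sample lines are assumptions; hostname resolution is omitted so the example runs offline.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Apache/NGINX "combined"-style access log line: requester, timestamp, request, status, bytes (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
MEDIA_EXT = {".png", ".jpg", ".gif", ".mp4", ".css", ".js"}  # assumed media-vs-HTML split
HEX_CHAR = re.compile(r"%[0-9A-Fa-f]{2}")                     # percent-encoded "hex characters"

@dataclass
class Glyph:
    requester: str
    size: int            # bytes sent   -> object size
    shape: str           # file type    -> object shape
    color: str           # status code  -> object color
    highlights: list = field(default_factory=list)  # matched highlight rules

def classify_shape(path: str) -> str:
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]   # file name, query string removed
    ext = base[base.rfind("."):].lower() if "." in base else ""
    return "media" if ext in MEDIA_EXT else "html"

def classify_color(status: int) -> str:
    return {2: "green", 3: "blue", 4: "yellow", 5: "red"}.get(status // 100, "gray")  # assumed palette

def to_glyph(line: str, highlight: tuple = (), ignore: frozenset = frozenset()):
    """Map one log line to its visual attributes; None if unparsable or from an ignored requester."""
    m = LOG_RE.match(line)
    if not m or m["ip"] in ignore:
        return None
    decoded = unquote(m["path"])                      # match against the decoded path
    found = [s for s in highlight if s in decoded]
    if HEX_CHAR.search(m["path"]):                    # raw path carried encoded characters
        found.append("hex-encoded")
    return Glyph(m["ip"], int(m["bytes"]) if m["bytes"] != "-" else 0,
                 classify_shape(m["path"]), classify_color(int(m["status"])), found)

def render_stream(lines, highlight=(), ignore=frozenset()):
    """Replay log lines in order as the sequence of objects that would be animated."""
    return [g for g in (to_glyph(l, highlight, ignore) for l in lines) if g]

SAMPLE = [  # constructed sample access log, not real traffic
    '10.0.0.5 - - [08/Apr/2014:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Apr/2014:10:01:03 -0400] "GET /img/logo.png HTTP/1.1" 200 20480',
    '203.0.113.9 - - [08/Apr/2014:10:01:09 -0400] "GET /a.php?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 312',
    '198.51.100.2 - - [08/Apr/2014:10:01:10 -0400] "GET /admin HTTP/1.1" 500 -',
]
```

Running `render_stream(SAMPLE, highlight=("../", "passwd"))` yields four glyphs; the third is a yellow HTML-shaped object carrying all three highlight marks, which is what an analyst would look for on the timeline.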