VIAssist: Visual Analytics for Cyber Defense
John R. Goodall, Member, IEEE and Mark Sowul

Manuscript received March 26, 2009. This work was supported in part by the U.S. Department of Homeland Security under contract FA8750-08-C-0140 and the U.S. Department of Defense under contract F30602-03-C-0260. J. R. Goodall is with the Secure Decisions division of Applied Visions, Inc. (phone: 518-632-4195; e-mail: johng@securedecisions.avi.com). M. Sowul is with Applied Visions, Inc. (e-mail: marks@avi.com).

143 978-1-4244-4179-2/09/$25.00 ©2009 IEEE

Abstract—Analysis of voluminous computer network data has become a common practice for cyber defense, but few tools provide adequate support for cyber-infrastructure defenders' workflow, visual exploration, IP geo-location, scalability, collaboration, or reporting. The state of the art in visual analysis tools for cyber defense is typically no more than spreadsheets and primitive charting. While familiar to users, this approach ignores the human perceptual ability to identify novel patterns and anomalies when data is presented graphically. This paper reports on a visual analytics system, VIAssist, being developed for cyber-infrastructure protection that helps cyber defenders better understand the massive, multi-dimensional datasets to protect our nation's critical infrastructure.

Index Terms—Visual analytics, visualization, site security monitoring, computer network security.

I. INTRODUCTION

Computer networks are growing larger and more complex as commercial and government entities have increasingly come to depend on the cyber infrastructure. Against this backdrop of increased complexity and reliance on the network infrastructure, the number of cyber attacks against critical cyber-infrastructure has also increased. The stakes have increased as well. The 2007 Russian cyber attack against Estonia hints at the future of cyber warfare: coordinated bots can attack and cripple the cyber-infrastructure of a nation [1].

To combat this threat, we are developing technologies for cyber-infrastructure defenders to facilitate the discovery, analysis and understanding of cyber attacks. This visual analytics platform, VIAssist, shown in Figure 1, enhances situational awareness, facilitates collaboration and reporting, and enables the analysis and understanding of cyber events. A Cognitive Task Analysis of Computer Network Defense (CND) analysts in commercial and military environments informed the system's design.

Based on the results of this research, we know that cyber defenders need to be able to understand the big picture, to answer questions they didn't know they had, to put events into their larger context, to collaborate and work with other cyber defenders, and to report their hypotheses and findings.

New analysis tools must fit within defenders' current workflow and work with the tools and data they currently use. To this end, we have integrated VIAssist with the SiLK network flow analysis tools.¹ We have also provided a mechanism for plugging in additional commands.

Visual tools must bring together and link multiple information visualization views to present data from multiple perspectives. Tools should also take advantage of the multiple displays that are common in today's workspaces. Data should be presented at different levels of detail to support multiple levels of visual analysis, from a high-level dashboard overview to linked visualizations to the low-level textual details of cyber-related data.

VIAssist provides an intuitive, customizable dashboard that gives a big-picture overview of network flow data. Multiple visualizations are linked together to facilitate exploration and discovery. Different kinds of visualizations are provided to enable the analysis of events in network, temporal, and geographic contexts.

Even though network flow data is already somewhat aggregated, sizes can grow to be extremely large, so systems must address issues of scalability. VIAssist does so through automatic Smart Aggregation, which keeps both the size of the data manageable and the presentation of the data visually understandable. Drilling into the data from this aggregated state enables interactively increasing the level of detail.

Collaboration is supported in multiple ways: through shared lists of critical and potentially malicious IP addresses, annotations, workspaces, and expressions. Embedded communication and reporting tools enable users to easily create and reuse reporting templates that allow non-technical users to understand findings through the visualizations.

II. RELATED WORK

NVisionIP is a visualization system aimed at increasing a CND analyst's situational awareness by visualizing flows at multiple levels of detail [2]. At the highest level of aggregation, NVisionIP displays a Class B network (65,534 IP addresses) as a scatter plot, with points representing an IP

¹ http://tools.netsa.cert.org/silk/
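As an added illustration, and not VIAssist's own Smart Aggregation code (the paper does not describe that algorithm), the Python script below shows the multiple-levels-of-detail idea discussed in the Introduction and in the NVisionIP description above: SiLK-style flow records (a constructed sample laid out like rwcut's default columns) are rolled up into address prefixes, a prefix length is chosen automatically so the overview stays at a manageable number of buckets, one bucket is then drilled into at finer granularity, and flows touching a shared list of IP addresses of concern are flagged. The bucket-count heuristic in choose_prefix_len, the record layout and every address and byte count are assumptions of this example.

```python
"""Multi-level aggregation and drill-down over network flow records.

Added example; it is not VIAssist's Smart Aggregation implementation.
The record layout imitates SiLK's rwcut default columns; all values in
SAMPLE_FLOWS are constructed for this illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in an rwcut-like layout: sIP|dIP|sPort|dPort|pro|packets|bytes
SAMPLE_FLOWS = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|
       10.1.2.3|     192.0.2.10|51234|   80|  6|        12|      6400|
       10.1.2.3|     192.0.2.11|51235|  443|  6|         8|      5200|
       10.1.2.4|     192.0.2.10|51236|   80|  6|         3|       900|
       10.1.9.7|   198.51.100.5|51237|   22|  6|        40|     12000|
       10.2.0.1|   198.51.100.5|51238|   22|  6|         2|       200|
       10.2.0.1|   198.51.100.6|51239|   22|  6|         2|       200|
       10.2.0.1|   198.51.100.7|51240|   22|  6|         2|       200|
"""

INT_COLUMNS = ("sPort", "dPort", "pro", "packets", "bytes")


def parse_flows(text):
    """Parse pipe-delimited flow text (header row first) into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = [h.strip() for h in lines[0].strip().strip("|").split("|")]
    flows = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        rec = dict(zip(header, fields))
        for col in INT_COLUMNS:
            rec[col] = int(rec[col])
        flows.append(rec)
    return flows


def aggregate(flows, prefix_len, key="sIP", within=None):
    """Roll flows up into /prefix_len buckets of the `key` address column.

    `within` limits the roll-up to flows whose address lies inside that
    network; calling aggregate again with a longer prefix_len and a `within`
    taken from a coarser bucket is the drill-down step.
    """
    scope = ipaddress.ip_network(within) if within else None
    raw = defaultdict(lambda: {"flows": 0, "bytes": 0, "hosts": set(), "dst_ports": set()})
    for f in flows:
        addr = ipaddress.ip_address(f[key])
        if scope is not None and addr not in scope:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        bucket = raw[str(net)]
        bucket["flows"] += 1
        bucket["bytes"] += f["bytes"]
        bucket["hosts"].add(str(addr))
        bucket["dst_ports"].add(f["dPort"])
    # Freeze the sets into counts / sorted lists so results are plain data.
    return {
        net: {
            "flows": b["flows"],
            "bytes": b["bytes"],
            "hosts": len(b["hosts"]),
            "dst_ports": sorted(b["dst_ports"]),
        }
        for net, b in raw.items()
    }


def choose_prefix_len(flows, max_buckets, key="sIP", levels=(8, 16, 24, 32)):
    """Assumed heuristic: pick the finest prefix length that still yields
    at most max_buckets buckets, so the overview stays readable."""
    best = levels[0]
    for plen in levels:
        if len(aggregate(flows, plen, key)) <= max_buckets:
            best = plen
        else:
            break
    return best


def flag_watchlisted(flows, watchlist):
    """Return flows whose source or destination falls in a shared watchlist
    of addresses or networks (the collaboration feature the paper mentions)."""
    nets = [ipaddress.ip_network(entry) for entry in watchlist]
    hits = []
    for f in flows:
        for col in ("sIP", "dIP"):
            addr = ipaddress.ip_address(f[col])
            if any(addr in n for n in nets):
                hits.append(f)
                break
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    plen = choose_prefix_len(flows, max_buckets=3)
    print(f"overview at /{plen}:")
    for net, stats in sorted(aggregate(flows, plen).items()):
        print(f"  {net:<16} {stats}")
    print("drill-down into 10.1.0.0/16 at /24:")
    for net, stats in sorted(aggregate(flows, 24, within="10.1.0.0/16").items()):
        print(f"  {net:<16} {stats}")
    print("flows touching watchlist entry 198.51.100.5:")
    for f in flag_watchlisted(flows, ["198.51.100.5"]):
        print(f"  {f['sIP']} -> {f['dIP']}:{f['dPort']}")
```

Running the script prints the overview at the automatically chosen prefix length, then the finer view of one bucket, then the watchlist hits; replacing SAMPLE_FLOWS with real rwcut output of the same columns needs no other change.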