Prashanth Rajivan (1201612819)

Review of "VIAssist: Visual Analytics for Cyber Defense"

Paper Authors: John R. Goodall, Mark Sowul
Published at: IEEE International Conference on Technologies for Homeland Security (HST 2009)
Number of Citations: 4

The paper describes VIAssist, a visual analytics tool that helps cyber security analysts analyze data such as network activity logs and system logs in order to detect potential cyber threats. Organizations' growing reliance on the internet to conduct business, together with growing computer networks, has led to an increased number of cyber attacks on critical cyber-infrastructure. Cyber security defense is a complex and tedious task because it involves analyzing massive amounts of multi-dimensional data to detect and understand cyber attacks. VIAssist is a tool developed by the authors that can help security analysts analyze and understand cyber attacks more effectively. The authors used findings from a cognitive task analysis (CTA) they conducted with security analysts to design the tool. From the CTA, the authors found that security analysts need visualizations that provide a big picture of the entire network at any point in time, tools that integrate seamlessly with their existing workflow, visualizations that link multiple information views to present the data from multiple perspectives, and tools that scale with growing amounts of data.

The authors compared VIAssist with similar tools such as NVisionIP, FlowTag and ISIS. NVisionIP is a visualization system developed to improve security analysts' situation awareness. At the high level, NVisionIP presents the IP addresses of systems receiving traffic flows, and it can be zoomed in to lower-level data. VIAssist can be configured to produce a similar view, as shown in Figure 1b. Using NVisionIP, visualization rules can be created that alert on certain data patterns. However, this is not possible with VIAssist.
FlowTag is a visualization tool for tagging flow data; tagging enables collaboration, reduces cognitive load and also helps to maintain context. VIAssist supports annotation on all types of data but only allows tagging of IP address data, as either critical or noteworthy. ISIS is a visualization tool that visualizes network flow data using timelines and event plots. ISIS helps in reconstructing the events that led to an intrusion. It also saves the analyst's investigation thread, which enables the analyst to revisit and change it or start a new thread. VIAssist supports similar functionality. In addition, VIAssist makes it easy to import data, whereas this is a tedious process with the other tools mentioned.

VIAssist follows Shneiderman's visual information seeking mantra: overview first, zoom and filter, details on demand. VIAssist provides a customizable dashboard view of the data showing the top N elements of any field in the data, as shown in Figure 1a. In VIAssist, each visualization view is linked and coordinated with the other views, so that when the analyst zooms in or filters data in any one view, the change is reflected in the other views as well, providing multiple perspectives of the data (Figure 1c). This makes it easy for the analyst to identify dependencies in the data. To make concrete decisions, security analysts need complete details; VIAssist links details to visual elements and presents them on demand. VIAssist provides a geo-location view of the IP addresses receiving traffic (Figure 1d). This view provides the country, city and latitude/longitude information for all IP addresses. Through region shading, the geo-location view colors countries differently according to each country's relative contribution to all the traffic.
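To make the "linked and coordinated views" idea concrete, here is an added illustration that is not VIAssist code and not from the paper: a single workspace holds the active filters, and every view (a top-N dashboard, a per-country traffic share used for region shading, and a details-on-demand lookup) renders from the same filtered subset, so a filter applied in one view is reflected in all others. The flow records, field names and the byte-share rule for shading are constructed assumptions for the example.

```python
"""Coordinated views over network flow records (added example, not VIAssist code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # internal source host
    dst: str       # external destination host
    dport: int     # destination port
    proto: str     # transport protocol
    bytes: int     # bytes transferred
    country: str   # geo-location of dst (constructed for the example)


# Constructed sample flows; addresses are from documentation ranges.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 5200, "US"),
    Flow("10.0.0.5", "203.0.113.11", 443, "tcp", 1800, "US"),
    Flow("10.0.0.7", "198.51.100.2", 22, "tcp", 900, "DE"),
    Flow("10.0.0.7", "198.51.100.2", 22, "tcp", 1200, "DE"),
    Flow("10.0.0.9", "192.0.2.44", 53, "udp", 300, "NL"),
    Flow("10.0.0.9", "192.0.2.44", 53, "udp", 280, "NL"),
    Flow("10.0.0.9", "203.0.113.10", 8080, "tcp", 40000, "US"),
    Flow("10.0.0.12", "192.0.2.45", 445, "tcp", 150, "NL"),
]


class Workspace:
    """Shared selection state: all views draw from the same filtered subset."""

    def __init__(self, flows):
        self.all_flows = list(flows)
        self.filters = {}  # field name -> required value

    def filter(self, field, value):
        """'Zoom and filter' performed in any one view."""
        self.filters[field] = value

    def clear(self):
        self.filters.clear()

    def visible(self):
        """The subset every coordinated view renders from."""
        return [
            f for f in self.all_flows
            if all(getattr(f, k) == v for k, v in self.filters.items())
        ]

    def top_n(self, field, n=3):
        """Dashboard view: top-N values of any field (overview first)."""
        return Counter(getattr(f, field) for f in self.visible()).most_common(n)

    def country_share(self):
        """Geo-location view: each country's share of visible bytes (drives region shading)."""
        vis = self.visible()
        total = sum(f.bytes for f in vis) or 1
        by_country = Counter()
        for f in vis:
            by_country[f.country] += f.bytes
        return {c: round(b / total, 3) for c, b in by_country.items()}

    def details(self, dst):
        """Details on demand for one visual element (a destination host)."""
        return [f for f in self.visible() if f.dst == dst]


if __name__ == "__main__":
    ws = Workspace(FLOWS)
    print("overview, top ports:", ws.top_n("dport", 2))
    print("country share:", ws.country_share())
    ws.filter("proto", "udp")              # filter in one view...
    print("after filter, top dst:", ws.top_n("dst", 1))
    print("after filter, share:", ws.country_share())  # ...reflected in the others
```

The point of the shared `visible()` subset is that no view owns the data; a filter set from the dashboard narrows the geo-location shading and the details lookup at the same time, which is the behaviour Figure 1c is meant to show.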
The geo-location view presents each end-point in the traffic flow as a variable-sized node and plots each connection as a variable-sized link, sized by attributes such as the number of bytes transferred or the number of records transferred.

VIAssist uses a smart aggregation technique to manage massively scaling data sets such as network flow data. Smart aggregation is a data management approach that combines automatic data aggregation with user-defined rules for data aggregation. VIAssist supports collaboration among analysts by allowing them to annotate visual elements and tag important IP addresses; these annotations and tags are shared across the team and across work shifts. VIAssist also supports effective reporting by providing a simple drag-and-drop interface to produce PowerPoint-like reports with screenshots of the workspace and annotations. VIAssist also supports report templates, which enable the analyst to reuse reports.

Figure 1. Above left (a): dashboard view of VIAssist; above right (b): visual representation of traffic flow between IP addresses as scatter plots; bottom left (c): multiple coordinated views of data; bottom right (d): geo-location view of flow data.

Results: The significant result of this work is the tool VIAssist itself. This work shows that considering human factors is essential in building visualizations for cyber security, in order to reduce the cognitive load on security analysts and also to improve their situation awareness (SA). Some of the important features of VIAssist are (1) multiple-perspective, coordinated views of data; (2) a dashboard view providing the big picture; (3) a geo-location view of the data; (4) the ability to integrate well with existing workflows; and (5) scalability of the tool to growing amounts of data.

Visualization in the cyber security domain is one of my interests. Visualization and visual analytics in the cyber security realm are fairly new.
The authors of this paper are among the forerunners in this field, and the tool VIAssist described in this paper is a popular tool. This paper is one of the recent papers produced by these authors about this tool. I therefore chose this paper to learn about the tool and to learn how the findings from a CTA are used in designing the tool. The design of this tool has taken human factors into consideration by using the CTA findings. This is the significance of this paper.