NIST Interactive Visualization and Data Mining for Cyber-Security

John Trenkle - Program Manager Data Exploitation - Michigan Aerospace Corporation
510-524-1447
johntrenkle@michiganaerospace.com
MAC won and successfully completed a NIST Phase 1 Small Business Innovation Research (SBIR) contract for the 2008 Topic: 9.03.3-9.TT Data Management and Visualization Techniques for Improving Cyber Security. The goal of this program was to develop concepts for graphical tools that give analysts in-depth analytical capabilities, scale to the large and growing volume of data entering local networks, and provide new information complementary to existing intrusion detection techniques.

The research directions specified by NIST for this Phase 1 program were as follows:
  • Include new data visualization techniques such as scatter plots and temporal modeling
  • Provide support for
    • Multiple views
    • Data aggregation
    • Drill-down
  • Handle common database formats as well as delimited text inputs and XML
  • Allow incorporation of derivable geo-location information such as country and location
  • Allow analysts to quickly and efficiently drill down to views of interest in order to detect
    • Bad actors
    • Inbound/outbound attacks
    • Denial of service attacks
    • Anomalous service activity
  • Differentiate the new analytical tools from existing approaches

We have successfully demonstrated a viable Data Warehouse architecture for holding TCP/IP header information in a concise fashion that facilitates both run-time and historical analysis. We have also demonstrated various visualizations that highlight potentially undesirable interactions between systems, accentuate anomalous or malicious events, and allow heterogeneous drill-downs to detect and explain bad behavior.


Figure: Layout of MAC’s DINHA System (Detecting Intrusions from Network and Host Anomalies)

Figure: Treemap showing internal to external contact

Figure: Bubble-pie showing contact frequency broken down by port

Figure: Radial layout of conversations between external systems and those behind the firewall, with convex hulls around those in the same domain

Figure: Grid showing network traffic with a huge surge in the center corresponding to DoS attacks

Figure: 3D view of IP-Port-Protocol interactions with projections into each of the corresponding planes

Figure: Zoom on incoming network traffic showing coordinated probe attacks

Figure: Zoom on incoming network traffic showing attacks by 197.218.177.69

Figure: Breakdown of network traffic by country

Figure: Polar scatterplot showing interactions for the full IP addresses

Figure: 128-byte text signatures for a Linux log file and signal from an ensemble of decision trees in outlier detection mode

Copyright © 2000 Michigan Aerospace Corporation. All rights reserved.
Send any questions or comments to webmaster@michiganaerospace.com