Open Access
On Multilateral Security Monitoring and Analysis With an Abstract Tomogram of Network Flows
Author(s) - Young Yoon, Yongjun Choi
Publication year - 2018
Publication title - IEEE Access
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.587
H-Index - 127
ISSN - 2169-3536
DOI - 10.1109/access.2018.2829910
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
In this paper, we present a novel method for visualizing an abstract tomogram of network flows. Through a tomogram, we offer visual cues for quickly sensing aggregate and temporal networking behaviors of the monitored systems. In an integrated view of a tomogram, users can cut across a specific dimension to reason about interesting networking activities without losing the overall picture of the networked system. We extend this tomogram with user interfaces for finding correlation between network flows and their attributes using a co-occurrence analysis algorithm. This paper also presents an interface for conducting sequence mining for interested flows in order to infer causal relationships. Security engineers need to prioritize the aforementioned situation analysis tasks by focusing on endpoints with relatively higher security risks. To help security engineers with this task, we devise a way to assess and visualize the security risks according to a new centrality measure that is computed based on various networking information from a set of network flows. Our paper shows that the novel visualization method and analytics interfaces offer more intuitive means to track down complicated symptoms of advanced and covert security threats.
