Computer Network Visualization
John R. Goodall
Computer networks are dynamic, growing, and continually evolving. As complexity grows, it becomes harder to effectively communicate to human decision-makers the results of methods and metrics for monitoring networks, classifying traffic, and identifying malicious or abnormal events. Network administrators and security analysts require tools that help them understand, reason about, and make decisions about the information their analytic systems produce. To this end, information visualization and visual analytics hold great promise for making the information accessible, usable, and actionable by taking advantage of human perceptual abilities. Information visualization techniques help network administrators and security analysts to quickly recognize patterns and anomalies; visually integrate heterogeneous data sources; and provide context for critical events.

This special issue of IEEE Network on computer network visualization features a selection of six articles that presents a wide variety of topics related to networks, security, and visualization. Topics in this issue range from tools that facilitate detecting intrusions to standardizing data generated from network maps to a case study in tools used to monitor an IPTV system.

The first article, “The Future of Security Visualization: Lessons from Network Visualization” by Harrison and Lu, gives a broad overview of the field, and discusses current shortcomings and how progress in other visualization fields can be transferred to network security visualization.

“AlertWheel: Radial Bipartite Graph Visualization Applied to Intrusion Detection System Alerts” by Dumas, Robert, and McGuffin is a technical contribution with a focus on analyzing alerts generated by intrusion detection systems with special consideration for the workflow of network defense analysts. In particular, edge bundling is used at the core of their AlertWheel system to avoid visual clutter in their radial graph representations.

The following article, “Navigating and Visualizing the Malware Intelligence Space” by Couture, Létourneau, Massicotte, and Normandin, takes a more abstract view on the network security topic by visualizing the malware intelligence space. Through graph visualizations, relationships between different malware samples are made explicit to support the investigation of cyber security incidents. Furthermore, their approach allows revealing trends by tracking changes over time.

“I Can See for Miles: Revisualizing the Internet” by Knight, Falkner, Nguyen, Tune, and Roughan details an open data initiative for collecting historic and current maps of network backbones from providers all over the world. Extracting the semantic information of network nodes from these maps and storing it in a standardized format allows the visualizations of these maps to be improved according to specific interests, such as geographically accurate representations or the evolution of network structures.

“Visual Analytics for BGP Monitoring and Prefix Hijacking Identification” by Biersack et al. covers visualization efforts for monitoring the Internet’s control plane as defined by the Border Gateway Protocol (BGP). After surveying current visualization approaches for BGP monitoring, the authors present an example of a real prefix hijacking incident and demonstrate how visualization can support decision makers to distinguish valid routing changes from malicious activity.

In their article “Contextualized Monitoring and Root Cause Discovery in IPTV Systems Using Data Visualization,” Sedlar, Volk, Sterle, Sernec, and Kos use visualization for monitoring the quality of service and user experience in a Slovenian IPTV network. Real-time information is gathered by distributed agents within IPTV terminal equipment and collected at a central location. Data visualization and enrichment through external sources such as weather reports then enable a deeper understanding of the monitored network for root cause analysis.

These articles offer a small glimpse of current visual applications in computer networks.
There is much still to be done. While data continues to grow exponentially, display system growth has been roughly linear, which challenges us to produce both ever more comprehensive analytics along with ever more succinct analytic summaries. In addition to methods for handling more voluminous data in visualization applications, tools need to process streaming data faster, to enable analysts to make insights about events closer to when those events occur. For security purposes, much of the data now used was originally designed for other purposes, such as billing. There is a need to develop data elements explicitly focused on security issues. Context, such as seen in the impact of weather on IPTV systems, is also becoming increasingly important. We need methods for both identifying and correlating relevant externalities, be they physical or even political. Much of the potential of the human visual system will remain unrealized without further research.

We hope that you will be inspired through the diverse visual approaches to networking presented in the articles of this special issue. This special issue was only feasible through the contributions of the authors, the anonymous reviewers, Editor-in-Chief Xuemin (Sherman) Shen, and the IEEE publication staff.
IEEE Network • November/December 2012
Biographies

JOHN R. GOODALL is the team lead for the Visual Analytics Research team at Oak Ridge National Laboratory. He holds Ph.D. and M.S. degrees in information systems from the University of Maryland, Baltimore and a B.A. in history from Binghamton University. His research experiences and interests include visual analytics, information visualization, human-computer interaction, computer network defense, and computer-supported cooperative work; he is particularly interested in the intersection between these areas.

FLORIAN MANSMANN is a post-doctoral researcher at the University of Konstanz, Germany, where he leads research projects on network security and geoinformatics. He holds a B.Sc. degree from the University of Konstanz, an M.Sc. degree from the Vrije Universiteit Brussels, Belgium, and a Ph.D. degree in computer science (2008) from the University of Konstanz. His research interests include network security, geoinformatics, and real-time analysis with a focus on information visualization, knowledge discovery, and visual analytics methods.

JOHN GERTH is the network security officer for the Electrical Engineering and Computer Science Departments at Stanford University where he has been a member of the technical staff since 1996. Prior to Stanford, he spent two decades as a software developer and an RSM at IBM Yorktown Heights Research, and much earlier was a kindergarten teacher. His research interests are in language design, network traffic analysis, and information visualization.