SlideShare a Scribd company logo

Towards Designing Effective Visualizations for DNS-based Network Threat Analysis

Rosa Romero Gรณmez, PhD, profile picture
Rosa Romero Gรณmez, PhD

The document discusses the challenges of network threat analysis, particularly focusing on the use of the Domain Name System (DNS) by both legitimate applications and cyber attacks. It presents an approach called the Open Source Threat Analysis Console (THACO) that utilizes various data sources and user-centered visualization techniques to aid analysts. The evaluation of THACO revealed positive usability ratings among experienced analysts, though improvements are needed for tracking information over time.

Data & Analytics
Related topics:
Data Visualization Techniques
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Towards Designing Effective Visualizations for DNS-based Network Threat Analysis Rosa Romero-Gรณmez, Yacin Nadji, and Manos Antonakakis {rgomez30,yacin,manos}@gatech.edu
What is Network Threat Analysis? 2
Analyst Alerts Threat Intelligence The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks [Building a Dynamic Reputation System for DNS, Antonakakis et al. 2010] 3
Challenges 4
Threat Intelligence Acquisition โ€œSecurity analysts are still collecting threat intelligence via email, spreadsheets, and cutting/pasting information from web-based sources. Obviously, these manual processes donโ€™t scaleโ€ [Enterprise Strategy Group (ESG) Research Report: Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, June 2015] 5
Analytics โ€œThreat intelligence may offer clues but human beings are left to do the heavy lifting by investigating and analyzing the data on their ownโ€ [ESG Research Report: Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, June 2015] 6
Our Approach: Open Source THreat Analysis COnsole (THACO) Open Datasets Visualization Techniques 7
8 Classless Inter-Domain Routing (CIDR) Notation 192.0.0.0/8 192.1.0.0/16 192.2.0.0/16 192.168.16.0/24 192.3.0.0/16 192.2.3.0/24 192.2.3.1/32 192.2.3.12/32 /8 /16 /24 /32
Access to THACO live demo: https://ipviz.gtisc.gatech.edu/ 9
User-centered Visualization Design Domain Problem / Data Characterization Design Prototype Evaluation 10
Domain Problem & Data Characterization โ€ข Procedure: informal interviews with two domain experts in network threat analysis during two months โ€ข Output: two main high-level categories of tasks and data requirements: Top-down network threat analysis or Threat Hunting Bottom-up network threat analysis or Incident Response 11
Domain Problem & Data Characterization โ€ข Effective threat intelligence involves the combination of multiple data sources: โ€ข Active DNS datasets (https://www.activednsproject.org/) โ€ข Public Domain Blacklists such as abuse.ch โ€ข Malware Traces (https://www.virustotal.com) โ€ข Domain WHOIS records (https://www.threatminer.org/) 12
Design โ€ข Design Goals 1. Multiple views 2. Different levels of detail 3. Scalability Multi-grouping, zoomable treemap 13
Evaluation โ€ข Participants: โ€ข Network threat analysts are hard to find โ€ข Seven in-situ and thirty-one online network threat analysts from both academia and industry โ€ข Years of experience ranging < 1 year to > 10 years โ€ข Procedure: โ€ข In-situ evaluation: tasks scenarios and semi-structured interviews โ€ข Online evaluation: web-based survey (SUS, System Usability Scale) 14
Evaluation โ€ข Main Results: โ€ข Threat analysis experience of participants affects neither task completion rates nor task completion times using THACO โ€ข Experience analysts satisfaction garnered THACO an โ€œAโ€ grade in usability โ€ข Limitations: โ€ข THACO could be improved for tasks involving keeping track of different pieces of information over time 15
Want data? Active DNS datasets: https:// www.activednsproject.org/ 16
Want a demo? THACO live demo: https:// ipviz.gtisc.gatech.edu/ 17
Want code? Source code on GitHub: https:// github.com/Astrolavos/THACO 18
Questions? 19
Towards Designing Effective Visualizations for DNS-based Network Threat Analysis Rosa Romero-Gรณmez, Yacin Nadji, and Manos Antonakakis {rgomez30,yacin,manos}@gatech.edu

More Related Content

PDF
Data Visualization for Big Data: Experience from the Front Line
Rosa Romero Gรณmez, PhD
ย 
PDF
balloon: LOD forecasting - cloudy with a chance of services
Kai Schlegel
ย 
PDF
Diffusion in platform-based markets: big data driven agent-based model
Jari Jussila
ย 
PDF
From Data to Visualization, what happens in between?
Krist Wongsuphasawat
ย 
PDF
Cloud - Security - Big Data
Raffael Marty
ย 
PDF
Big Data Visualization
bigdataviz_bay
ย 
PPTX
An Approach for RDF-based Semantic Access to NoSQL Repositories
Luiz Henrique Zambom Santana
ย 
PPTX
How To Drive Value with Security Data
Raffael Marty
ย 
Data Visualization for Big Data: Experience from the Front Line
Rosa Romero Gรณmez, PhD
ย 
balloon: LOD forecasting - cloudy with a chance of services
Kai Schlegel
ย 
Diffusion in platform-based markets: big data driven agent-based model
Jari Jussila
ย 
From Data to Visualization, what happens in between?
Krist Wongsuphasawat
ย 
Cloud - Security - Big Data
Raffael Marty
ย 
Big Data Visualization
bigdataviz_bay
ย 
An Approach for RDF-based Semantic Access to NoSQL Repositories
Luiz Henrique Zambom Santana
ย 
How To Drive Value with Security Data
Raffael Marty
ย 

What's hot (20)

PDF
A Picture is Worth 1,000 Rows
Neo4j
ย 
PDF
Deep Learning in Security - Examples, Infrastructure, Challenges, and Suggest...
DataWorks Summit
ย 
PDF
Democratizing Data within your organization - Data Discovery
Mark Grover
ย 
PDF
DataTags: Sharing Privacy Sensitive Data by Michael Bar-sinai
datascienceiqss
ย 
PDF
Reproducible Research and the Cloud
Microsoft Azure for Research
ย 
PDF
Doing Research in the Cloud - NIH Workshop Dennis Gannon
Microsoft Azure for Research
ย 
PDF
(Web User Interfaces track) "Getting the Query Right: User Interface Design o...
icwe2015
ย 
PDF
Data Analytics in Real World (May 2016)
geetachauhan
ย 
PDF
vion_a2000_5 facts_d2
Roman Chanclor
ย 
PDF
Gianluigi Vigano, Senior Architect and Fouad Teban, Regional Presales Manager...
Dataconomy Media
ย 
PDF
[Webinar] Introduction to Cypher
Neo4j
ย 
PPT
Collaborative Data Analysis with Taverna Workflows
Andrea Wiggins
ย 
PDF
Accelerating your Research with Microsoft Azure (June 2015)
Microsoft Azure for Research
ย 
PPT
Semantic Text Processing Powered by Wikipedia
Maxim Grinev
ย 
PDF
Big Data Repository for Structural Biology: Challenges and Opportunities by P...
datascienceiqss
ย 
PDF
Tutorial Data Management and workflows
SSSW
ย 
PDF
Secondary data analysis with digital trace data
Andrea Wiggins
ย 
PPTX
Databases, Web Services and Tools For Systems Immunology
Yannick Pouliot
ย 
PPTX
[3DIR] BIM Search Engine: Exploiting Interrelations between Objects when Ass...
pdemian
ย 
PDF
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
ย 
A Picture is Worth 1,000 Rows
Neo4j
ย 
Deep Learning in Security - Examples, Infrastructure, Challenges, and Suggest...
DataWorks Summit
ย 
Democratizing Data within your organization - Data Discovery
Mark Grover
ย 
DataTags: Sharing Privacy Sensitive Data by Michael Bar-sinai
datascienceiqss
ย 
Reproducible Research and the Cloud
Microsoft Azure for Research
ย 
Doing Research in the Cloud - NIH Workshop Dennis Gannon
Microsoft Azure for Research
ย 
(Web User Interfaces track) "Getting the Query Right: User Interface Design o...
icwe2015
ย 
Data Analytics in Real World (May 2016)
geetachauhan
ย 
vion_a2000_5 facts_d2
Roman Chanclor
ย 
Gianluigi Vigano, Senior Architect and Fouad Teban, Regional Presales Manager...
Dataconomy Media
ย 
[Webinar] Introduction to Cypher
Neo4j
ย 
Collaborative Data Analysis with Taverna Workflows
Andrea Wiggins
ย 
Accelerating your Research with Microsoft Azure (June 2015)
Microsoft Azure for Research
ย 
Semantic Text Processing Powered by Wikipedia
Maxim Grinev
ย 
Big Data Repository for Structural Biology: Challenges and Opportunities by P...
datascienceiqss
ย 
Tutorial Data Management and workflows
SSSW
ย 
Secondary data analysis with digital trace data
Andrea Wiggins
ย 
Databases, Web Services and Tools For Systems Immunology
Yannick Pouliot
ย 
[3DIR] BIM Search Engine: Exploiting Interrelations between Objects when Ass...
pdemian
ย 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Elasticsearch
ย 
Ad

Similar to Towards Designing Effective Visualizations for DNS-based Network Threat Analysis (20)

PDF
Telesoft Cyber Threat Hunting Infographic
Sarah Chandley
ย 
PDF
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
Alex Pinto
ย 
PPTX
Incorporating Threat Intelligence into Your Enterprise Communications Systems...
EC-Council
ย 
PPTX
Application of threat intelligence in security operation 2017-06-03
Jun LI
ย 
PDF
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
Speck&Tech
ย 
PDF
Cyber Threat hunting workshop
Arpan Raval
ย 
PPTX
User and entity behavior analytics: building an effective solution
Yolanta Beresna
ย 
PPTX
Application of threat intelligence in security operation
Jeremy Li
ย 
PDF
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
ย 
PDF
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
ย 
PPTX
Targeted Attacks: Have you found yours?
Trend Micro (EMEA) Limited
ย 
PPTX
Targeted Attacks: Have you found yours?
Trend Micro (EMEA) Limited
ย 
PDF
Threat Intelligence in the daily life of a SOC Analyst
priyanshamadhwal2
ย 
PDF
SOC Analyst a Practical Walkthrough.pdf
infosec train
ย 
PDF
IRJET- 3 Juncture based Issuer Driven Pull Out System using Distributed Servers
IRJET Journal
ย 
PPTX
Threat Hunting with Splunk Hands-on
Splunk
ย 
PDF
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
ย 
PPTX
Hunting the Evil of your Infrastructure
A. S. M. Shamim Reza
ย 
PDF
What Happens Before the Kill Chain
OpenDNS
ย 
PDF
Cyber Secuirty Visualization
Doug Cogswell
ย 
Telesoft Cyber Threat Hunting Infographic
Sarah Chandley
ย 
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
Alex Pinto
ย 
Incorporating Threat Intelligence into Your Enterprise Communications Systems...
EC-Council
ย 
Application of threat intelligence in security operation 2017-06-03
Jun LI
ย 
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
Speck&Tech
ย 
Cyber Threat hunting workshop
Arpan Raval
ย 
User and entity behavior analytics: building an effective solution
Yolanta Beresna
ย 
Application of threat intelligence in security operation
Jeremy Li
ย 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
ย 
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
ย 
Targeted Attacks: Have you found yours?
Trend Micro (EMEA) Limited
ย 
Targeted Attacks: Have you found yours?
Trend Micro (EMEA) Limited
ย 
Threat Intelligence in the daily life of a SOC Analyst
priyanshamadhwal2
ย 
SOC Analyst a Practical Walkthrough.pdf
infosec train
ย 
IRJET- 3 Juncture based Issuer Driven Pull Out System using Distributed Servers
IRJET Journal
ย 
Threat Hunting with Splunk Hands-on
Splunk
ย 
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
ย 
Hunting the Evil of your Infrastructure
A. S. M. Shamim Reza
ย 
What Happens Before the Kill Chain
OpenDNS
ย 
Cyber Secuirty Visualization
Doug Cogswell
ย 
Ad

Recently uploaded (20)

PPTX
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
ย 
PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
ย 
PDF
Business Analytics and business intelligence.pdf
khalidisah4750
ย 
PDF
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
Alka392097
ย 
PPT
Reliability_Chapter_ presentation 1221.5784
abobaker13
ย 
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
ย 
PPTX
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
ย 
PPTX
1_Introduction to advance data techniques.pptx
AshutoshDeshmukh33
ย 
PPTX
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
ย 
PPTX
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
ย 
PPTX
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
ย 
PPT
Quality review (1)_presentation of this 21
abobaker13
ย 
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
ย 
PPTX
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx
Mahesh Reddy
ย 
PPTX
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
ย 
PDF
Fluorescence-microscope_Botany_detailed content
dollydoll12
ย 
PPTX
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
ย 
PPTX
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
ย 
PDF
Mega Projects Data Mega Projects Data
saidsalah8181
ย 
PPTX
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
ย 
oil_refinery_comprehensive_20250804084928 (1).pptx
TusharPrajapati65
ย 
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
ย 
Business Analytics and business intelligence.pdf
khalidisah4750
ย 
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
Alka392097
ย 
Reliability_Chapter_ presentation 1221.5784
abobaker13
ย 
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
ย 
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
ย 
1_Introduction to advance data techniques.pptx
AshutoshDeshmukh33
ย 
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
ย 
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
ย 
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
ย 
Quality review (1)_presentation of this 21
abobaker13
ย 
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
ย 
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx
Mahesh Reddy
ย 
DISORDERS OF THE LIVER, GALLBLADDER AND PANCREASE (1).pptx
chepkoitcheruiyot
ย 
Fluorescence-microscope_Botany_detailed content
dollydoll12
ย 
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
ย 
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
ย 
Mega Projects Data Mega Projects Data
saidsalah8181
ย 
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
ย 

Towards Designing Effective Visualizations for DNS-based Network Threat Analysis

  • 1. Towards Designing Effective Visualizations for DNS-based Network Threat Analysis Rosa Romero-Gรณmez, Yacin Nadji, and Manos Antonakakis {rgomez30,yacin,manos}@gatech.edu
  • 2. What is Network Threat Analysis? 2
  • 3. Analyst Alerts Threat Intelligence The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks [Building a Dynamic Reputation System for DNS, Antonakakis et al. 2010] 3
  • 5. Threat Intelligence Acquisition โ€œSecurity analysts are still collecting threat intelligence via email, spreadsheets, and cutting/pasting information from web-based sources. Obviously, these manual processes donโ€™t scaleโ€ [Enterprise Strategy Group (ESG) Research Report: Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, June 2015] 5
  • 6. Analytics โ€œThreat intelligence may offer clues but human beings are left to do the heavy lifting by investigating and analyzing the data on their ownโ€ [ESG Research Report: Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, June 2015] 6
  • 7. Our Approach: Open Source THreat Analysis COnsole (THACO) Open Datasets Visualization Techniques 7
  • 8. 8 Classless Inter-Domain Routing (CIDR) Notation 192.0.0.0/8 192.1.0.0/16 192.2.0.0/16 192.168.16.0/24 192.3.0.0/16 192.2.3.0/24 192.2.3.1/32 192.2.3.12/32 /8 /16 /24 /32
  • 9. Access to THACO live demo: https://ipviz.gtisc.gatech.edu/ 9
  • 10. User-centered Visualization Design Domain Problem / Data Characterization Design Prototype Evaluation 10
  • 11. Domain Problem & Data Characterization โ€ข Procedure: informal interviews with two domain experts in network threat analysis during two months โ€ข Output: two main high-level categories of tasks and data requirements: Top-down network threat analysis or Threat Hunting Bottom-up network threat analysis or Incident Response 11
  • 12. Domain Problem & Data Characterization โ€ข Effective threat intelligence involves the combination of multiple data sources: โ€ข Active DNS datasets (https://www.activednsproject.org/) โ€ข Public Domain Blacklists such as abuse.ch โ€ข Malware Traces (https://www.virustotal.com) โ€ข Domain WHOIS records (https://www.threatminer.org/) 12
  • 13. Design โ€ข Design Goals 1. Multiple views 2. Different levels of detail 3. Scalability Multi-grouping, zoomable treemap 13
  • 14. Evaluation โ€ข Participants: โ€ข Network threat analysts are hard to find โ€ข Seven in-situ and thirty-one online network threat analysts from both academia and industry โ€ข Years of experience ranging < 1 year to > 10 years โ€ข Procedure: โ€ข In-situ evaluation: tasks scenarios and semi-structured interviews โ€ข Online evaluation: web-based survey (SUS, System Usability Scale) 14
  • 15. Evaluation โ€ข Main Results: โ€ข Threat analysis experience of participants affects neither task completion rates nor task completion times using THACO โ€ข Experience analysts satisfaction garnered THACO an โ€œAโ€ grade in usability โ€ข Limitations: โ€ข THACO could be improved for tasks involving keeping track of different pieces of information over time 15
  • 16. Want data? Active DNS datasets: https:// www.activednsproject.org/ 16
  • 17. Want a demo? THACO live demo: https:// ipviz.gtisc.gatech.edu/ 17
  • 18. Want code? Source code on GitHub: https:// github.com/Astrolavos/THACO 18
  • 20. Towards Designing Effective Visualizations for DNS-based Network Threat Analysis Rosa Romero-Gรณmez, Yacin Nadji, and Manos Antonakakis {rgomez30,yacin,manos}@gatech.edu