DOI: 10.5176/2251-2195_CSEIT18.135
Authors: Claude Turner, Dwight Richards, Rolston Jeremiah, Jie Yan and Ruth Agada
Abstract: This work presents the LUCID Network Monitoring and Visualization Application (LNMVA), a comprehensive software application for cyber security visualization. The application consists of five component types: components for monitoring network traffic, components for reporting various network messages, data storage components, a visualization component and an automated animation reporting component. LNMVA can serve as an aid in teaching complex concepts in cybersecurity, or to visually demonstrate active security events on a network to an audience or to participants in the classroom or in cyber defense competitions, at near real-time speed. Its flexibility enables it to visualize different kinds of cybersecurity concepts, protocols and ideas. LNMVA is a subsystem of LUCID, a visualization and broadcasting system that aims to improve understanding and sense-making for participants or an audience. The system is targeted at intermediate or expert users engaged in cyber security exercises. LNMVA’s visualization component is a Node.js app that uses D3 for dynamic generation of graphical units. LNMVA also leverages several other open source components for collecting and organizing network data into the LNMVA-internal data format: the Linux audit subsystem (auditd) reports local userspace access to critical resources, Snort monitors network traffic, Nagios monitors network services, Redis persists raw log messages, MySQL persists processed log messages, and syslog-ng processes network-wide log data. On each host a local syslog-ng client collects log records from each subsystem and dispatches them to a central syslog-ng server. The syslog-ng server is responsible for transforming log messages into a common format and attaching a timestamp and a unique message-id. Formatted data is sent to the visualization component via Redis over a web-socket.
Each log message reaching the visualization component is pre-processed by a scoring algorithm that assigns it a score. The result is either cached or used immediately to update an internal data structure, which in turn triggers an update of LNMVA’s GUI. Messages that trigger GUI updates are persisted in a MySQL database, where they are consumed by the automated animation component.
Keywords: cybersecurity, cyber exercise, education, network
