With the prevalence of multi-user environments and distributed applications, the traditional identity of hosts (e.g., IP addresses and port numbers) has become less precise in describing what is going on in a network. Instead, users, applications and data have received increasing attention from the perspective of enterprise network security and management. Precisely identifying who is doing what on an enterprise network has become an extremely challenging task. This dissertation presents a visualization tool called ENAVis (Enterprise Network Activities Visualization). By collecting context in terms of the actual users and applications associated with network connections, and by applying smarter visual analytics, ENAVis helps a real-world administrator manage and gain insight into the connectivity between hosts, users, applications and data access more efficiently, offering a significant streamlining of the management process.
Challenges posed by the above context-based analysis include increased information dimensions, a lack of clean training data, and the highly dynamic nature of host-user-application (HUA) relationships. Besides the ability to visualize various combinations of HUA, the contribution of this study lies in its exploration and evaluation of the viability and efficacy of a unified approach that combines algorithmic data mining methods with an interactive visual exploration process. The proposed data analysis algorithms can provide the intelligence to start and guide an investigation, while the proposed visual transformations bring experts' domain knowledge to bear on security and management problems that existing machine learning approaches cannot solve on their own.
In particular, a hierarchical similarity and differential visualization framework is developed, which starts with the evolution of inter-graph states, adapts to the dynamics of individual nodes and edges of HUA context graphs, and concludes with the analysis of community evolution. Through novel graph construction and transformation, together with modeling, quantification and visual investigation of the key similarities or differences among the important components of HUA graphs, spatio-temporal anomalies in user and application behavior that are usually unknown or hard to define in advance can now be effectively detected. More importantly, the underlying causes of these abnormal activities can be found and analyzed in a time-efficient manner through intelligent and interactive visualization. Through examples and case studies, we demonstrate how similarity and dynamics can be effectively visualized and understood to provide insight with regard to network security and management.
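As an added illustration (not code from the dissertation or from ENAVis), the following builds HUA context graphs from a handful of constructed connection records for two time windows and reports the inter-graph similarity, the per-node degree changes and the edge-level differences between them. The entity naming scheme, the host-user-app-peer edge layout and the use of Jaccard similarity are assumptions chosen for this example, not necessarily the dissertation's own modeling choices.

```python
"""Constructed HUA context graphs and a differential comparison of two time windows."""
from collections import Counter

# Constructed sample records: (window, host, user, application, peer host).
RECORDS = [
    ("t1", "ws-01", "alice", "ssh", "srv-db"),
    ("t1", "ws-01", "alice", "firefox", "proxy"),
    ("t1", "ws-02", "bob", "firefox", "proxy"),
    ("t1", "srv-db", "postgres", "postgres", "ws-01"),
    ("t2", "ws-01", "alice", "ssh", "srv-db"),
    ("t2", "ws-01", "alice", "firefox", "proxy"),
    ("t2", "ws-02", "bob", "firefox", "proxy"),
    ("t2", "ws-02", "bob", "ssh", "srv-db"),  # new in t2: bob starts using ssh
    ("t2", "srv-db", "postgres", "postgres", "ws-01"),
]


def hua_graph(records, window):
    """Undirected HUA context graph for one window (assumed layout).

    Nodes are typed entities ("host:", "user:", "app:"); each connection
    contributes host-user, user-app and app-peer-host edges.
    """
    edges = set()
    for w, host, user, app, peer in records:
        if w != window:
            continue
        h, u, a, p = f"host:{host}", f"user:{user}", f"app:{app}", f"host:{peer}"
        edges |= {frozenset((h, u)), frozenset((u, a)), frozenset((a, p))}
    nodes = set().union(*edges)
    return nodes, edges


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if a | b else 1.0


def differential(records, w1, w2):
    """Inter-graph similarity plus node- and edge-level changes from w1 to w2."""
    n1, e1 = hua_graph(records, w1)
    n2, e2 = hua_graph(records, w2)
    d1 = Counter(n for e in e1 for n in e)  # degree of each node in w1
    d2 = Counter(n for e in e2 for n in e)  # degree of each node in w2
    return {
        "node_similarity": jaccard(n1, n2),
        "edge_similarity": jaccard(e1, e2),
        "degree_delta": {n: d2[n] - d1[n] for n in n1 | n2 if d2[n] != d1[n]},
        "added": sorted(tuple(sorted(e)) for e in e2 - e1),
        "removed": sorted(tuple(sorted(e)) for e in e1 - e2),
    }
```

On the constructed records the node set is unchanged, edge similarity drops to 10/11, and the only added edge is the new user:bob to app:ssh relationship, which is exactly the kind of node and edge dynamics the framework is meant to surface for investigation.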