Visualizing Netflows For Security At Line Speed: The Sift Tool Suite

The first step in improving Internet security is measurement - security events must be made visible. The irony in making this happen is that there is no lack of security measurement data, in fact, quite the opposite. However, making security manifest faces a major challenge: the large volume and multi-dimensional nature of security data typically obscures valuable security events. NCSA has developed a suite of tools that solves this problem and is making this software available to the Internet community.We present two visualization tools,1 (1) NVisionIP and (2) VisFlowConnect-IP. Both of these tools have been developed based on system administrator requirements, their design peer-reviewed in security research forums, and usability testing is in process. These tools both present large volume complex data transparently to system administrators in simple intuitive visual interfaces that support human cognitive processes. NVisionIP visually represents the state of all IP addresses on large networks on a single screen window (we use a Class B address space as the default) with capabilities to filter and drill-down to subnets and individual machines for details-on-demand. VisFlowConnect-FP visually represents flows between internal network IP hosts and the Internet showing who is connecting with whom with capabilities to filter and drill-down to subnets and individual machines for details-on-demand. NVisionIP and VisFlowConnect-IP can be used individually or in unison for correlating events. This work is distinguished from others in that these are the first Internet security visualization tools to be freely available on the Internet and deployed in large production environments.