“I saw it with my own eyes!”
This sentence usually expresses certainty and conviction. It is a strong sentence. It is stronger than saying, “I heard it with my own ears.” Often, this sentence is interpreted as expressing the speaker’s conviction that she is privy to some truth. And we treat that conviction as authentic. It must have happened if she saw it. We want people to say this about the security data we analyze. We want them to look at a picture of our work product and have that experience. A picture says more than a thousand words. A visual representation of data can communicate a lot of detail in a way that is instantly accessible and meaningful.
More of the human brain is devoted to visual processing than to any other sense. It is the “broadband” access to understanding. This ability of the human mind to rapidly process visual input makes information visualization a useful and often necessary tool, enabling us to turn data into information and knowledge.
Images are very interesting. They are different from the written or the spoken word in many ways. It is not just the bandwidth of information that can be transferred. There is a much more interesting phenomenon called the critical faculty or the skepticism filter.1 When you listen to someone speak, or while you are reading these words, you are constantly asking yourself, “Is he telling the truth? Does this match up with my experience?” If you look at a picture, this skepticism filter does not seem to be there in the first moment. We trust a photograph. Do we? At first glance, we seem to. However, the closer we look, the more detail we start seeing, the more we analyze the picture, and the more skeptical we get. What is happening?
- Barnett, E. A. Analytical Hypnotherapy: Principles and Practice (Glendale, CA: Westwood Publishing Company, 1989).
For the brain to process an image and understand its contents, it has to formulate sentences and words around the image. The image, and more specifically color, is put into sentences.2 The longer we look at an image, the more sentences the brain constructs. And the more sentences, the more reason we give our brain to apply the skepticism filter.
- A. Franklin et al., “From the Cover: Categorical perception of color is lateralized to the right hemisphere in infants, but to the left hemisphere in adults,” PNAS 105, 2008, 3221–3225.
What does this all have to do with visualization, you might wonder? When we visualize data, we have to make sure that the output is going to be as simple and clear as possible. We have to make sure that the viewer needs as few sentences as possible to interpret the graph. This not only decreases the time that someone needs to process and understand a visualization, it also minimizes the surface area for viewers to apply the skepticism filter. We want them to trust that the image correctly represents the data.
This chapter explores visualization, encourages you to visualize security data, and explains some of the fundamental principles that anybody who is trying to communicate information in a visual form should understand.
What Is Visualization?
The proverb says, “A picture is worth a thousand words.” Images are used to efficiently communicate information. An image can capture a sunset in all of its beauty. It would be impossible to capture the same impression in words. I like to say that
A picture is worth a thousand log records.
Instead of handing someone a log file that describes how an attack happened, you can use a picture, a visual representation of the log records. At one glance, the picture communicates the content of this log. Viewers can process the information in a fraction of the time it would take them to read the original log.
Visualization, in the security sense, is therefore the process of generating a picture based on log records. It defines how the log records are mapped into a visual representation.
Why should we be interested in visualization? Because the human visual system is a pattern seeker of enormous power and subtlety. The eye and the visual cortex of the brain form a massively parallel processor that provides the highest-bandwidth channel into human cognitive centers.
—Colin Ware, author of Information Visualization: Perception for Design
Visual representations of data enable us to communicate a large amount of information to our viewers. Too often, information is encoded in text. It is more difficult to immediately grasp the essence of something if it is just described in words. In fact, it is hard for the brain to process text. Pictures or images, on the other hand, can be processed extremely well. They can encode a wealth of information and are therefore well suited to communicate much larger amounts of data to a human. Pictures can use shape, color, size, relative positioning, and so on to encode information, contributing to increased bandwidth between the information and the consumer or viewer.
Many disciplines are facing an ever-growing amount of data that needs to be analyzed, processed, and communicated. We are in the middle of an information explosion era. A big percentage of this information is stored or represented in textual form: databases, documents, websites, emails, and so forth. We need new ways to work with all this data. People who have to look at, browse, or understand the data need ways to display relevant information graphically to assist in understanding the data, analyzing it, and remembering parts of it. Browsing huge amounts of data is crucial for finding information and then exploring details of a result set. Interaction with the visualizations is one of the key elements in this process. It is not just the expedited browsing capabilities that visualization has to offer, but often a visual representation—in contrast to a textual representation—helps us discover relationships well hidden in the wealth of data. Finding these relationships can be crucial.
A simple example of a mainstream visualization application is the Friend Wheel, a Facebook3 application that generates a visualization of all Facebook friends (see Figure 1-1). Each person who is a friend of mine on Facebook is arranged in a circle. Friends of mine who know each other are connected with a line. Instead of me having to explain in written form who my friends are and what the different groups are that they belong to, this visualization summarizes all the relations in a simple and easy-to-understand picture.
- Facebook (http://facebook.com) is a social networking platform.
Figure 1-1 The Friend Wheel visualizes friend relationships on Facebook.
There is a need for data visualization in many disciplines. The Friend Wheel is a simple example of how visualization has gone mainstream. The data explosion and resultant need for visualization affects computer security more than many other areas. Security analysts face an ever-increasing amount of data that needs to be analyzed and mastered. One of the areas responsible for the growth in data is the expanded scope of information that needs to be looked at by security people. It is not just network-based device logs anymore, such as the ones from firewalls and intrusion detection systems. Today, the entire stack needs to be analyzed: starting on the network layer, going all the way up to the applications, which are amazingly good at generating unmanageable amounts of data.
If you have ever analyzed a large log file with tens of thousands of entries, you know how hard it is. A visual approach significantly facilitates the task (as compared to using text-based tools). Visualization offers a number of benefits over textual analysis of data. These benefits are based on people’s ability to process images efficiently. People can scan, recognize, and recall images rapidly. In addition, the human brain is an amazing pattern-recognition tool, and it can detect changes in size, color, shape, movement, and texture very efficiently. The following is a summary of visualization benefits:
Answers a question: Visualization enables you to create an image for each question you may have about a dataset. Instead of wading through textual data and trying to remember all the relationships between individual entries, you can use an image that conveys the data in a concise form.
Poses new questions: One interesting aspect of visual representations is that they cause the viewer to pose new questions. A human has the capability to look at a visual representation of data and see patterns. Often, these patterns are not anticipated at the time the visual is generated. What is this outlier over here? Why do these machines communicate with each other?
Explore and discover: By visualizing data, you have a new way of viewing and investigating data. A visual representation provides new insights into a given dataset. Different graphs and configurations highlight various different properties in the dataset and help identify previously unknown information. If the properties and relationships were known upfront, it would be possible to detect these incidents without visualization. However, they had to be discovered first, and visual tools are best suited to do so. Interactive visualizations enable even richer investigations and help discover hidden properties of a dataset.
Support decisions: Visualization helps to analyze a large amount of data very quickly. Decisions can be based on a large amount of data because visualization has helped to distill it into something meaningful. More data also helps back up decisions. Situational awareness is a prime tool to help in decision support.
Communicate information: Graphical representations of data are more effective as a means of communication than textual log files. A story can be told more efficiently, and the time to understand a picture is a fraction of the time that it takes to understand the textual data. Images are great for telling a story. Try to put a comic into textual form. It just doesn’t do the trick.
Increase efficiency: Instead of wading through thousands of lines of textual log data, it is much more efficient to graph certain properties of the data to see trends and outliers. The time it takes to analyze the log files is drastically cut down. This frees up people’s time and allows them to think about the patterns and relationships found in the data. It also speeds up the detection of and response to new developments. Fewer people are needed to deal with more data.
Inspire: Images inspire. While visually analyzing some of the datasets for this book, I got inspired many times to try out a new visualization, a new approach of viewing the same data. Sometimes these inspirations are dead ends. A lot of times, however, they lead to new findings and help better understand the data at hand.
If data visualization has all of these benefits, we should explore what visualization can do for security.
The field of security visualization is very young. To date, only a limited amount of work has been done in this area. Given the huge amount of data needed to analyze security problems, visualization seems to be the right approach:
The ever-growing amount of data collected in IT environments asks for new methods and tools to deal with them.
Event and log analysis is becoming one of the main tools for security analysts to investigate and comprehend the state of their networks, hosts, applications, and business processes. All these tasks deal with an amazing amount of data that needs to be analyzed.
Regulatory compliance is asking for regular log analysis. Analysts need better and more efficient tools to execute the task.
The crime landscape is shifting. Attacks are moving up the network stack. Network-based attacks are not the prime source of security problems anymore. The attacks today are moving into the application layer: Web 2.0, instant messenger attacks, fraud, information theft, and crime-ware are just some examples of new types of attacks that generate a load of data to be collected and analyzed. Beware! Applications are really chatty and generate a lot of data.
Today, the attacks that you really need to protect yourself from are targeted. You are not going to be a random victim. The attackers know who they are coming for. You need to be prepared, and you have to proactively analyze your log files. Attackers will not set off your alarms.
Because of the vast amount of log data that needs to be analyzed, classic security tools, such as firewalls and intrusion detection systems, have over time added reporting capabilities and dashboards that are making use of charts and graphics. Most of the time, these displays are used to communicate information to the user. They are not interactive tools that support data exploration. In addition, most of these visual displays are fairly basic and, in most cases, an afterthought. Security products are not yet designed with visualization in mind. However, this situation is slowly improving. Companies are starting to realize that visualization is a competitive advantage for them and that user tasks are significantly simplified with visual aids.
The problem with these tools is that they are specialized. They visualize only the information collected or generated by that specific solution. We need to visualize information from multiple tools and for use-cases that are not supported by these tools. Novel methods are needed to conduct log and security data analysis.
Security Visualization’s Dichotomy
Most tools available for security visualization are victims of a phenomenon that I call the dichotomy of security visualization.
Most security visualization tools are written by security people who do not know much about visualization theory and human-computer interaction; the rest are written by visualization people who do not know much about computer security and adjacent technical fields, such as operating systems or networking. Therefore, tools lack one of two important aspects: either the security domain knowledge and accuracy or the visual efficiency.
Complete security visualization expertise requires knowledge of two worlds: the security world and the visualization world. The security world consists of bits and bytes, of exploits and security policies, of risk and compliance mandates. It is absolutely necessary to know these concepts to build a tool that is easy to use and effective for security experts, and also to make it technically accurate. The knowledge of the visualization world encompasses visual perception and human-interface design. These two aspects are necessary to build a usable tool. We have all seen what happens when security experts build visualization tools. Three-dimensional pie charts, shades on bar charts, and illegible legends often result. I am sure you have seen the opposite, too, where a beautiful program was developed, but unfortunately it was completely useless because it was developed for one specific use-case that has nothing to do with the real-world applications and problems that security professionals are facing.
There should not be a gap or a dichotomy between these two disciplines. We have to make sure they grow together. We have to work toward a security visualization community that has expertise in both areas. I do not want to claim that this book bridges the gap between security and visualization completely. However, I do attempt to show both worlds. By choosing a use-case-driven approach for most of the discussions in this book, I hope to keep the discussions on a level that stimulates the thinking about the problems in both fields: security and visualization.
Most readers of this book are going to have a more technical background in computer security than in visualization. Therefore, in an attempt to bridge the gap in the dichotomy of security visualization, I will delve into visualization theory for just a little bit to help most readers better understand why some displays are so easy to read, whereas others are just horrible and do not seem to serve their purpose of quickly communicating information and letting the user interactively explore it.
After reading these sections about visualization theory, you will by no means be a visualization expert. Entire books cover the topic. I want to provide you with a basic overview and some concepts that I hope you will find useful in your future journey through security visualization. I encourage you to read more about these topics and pick up one of these books:
Information Visualization: Perception for Design, by Colin Ware (San Francisco: Morgan Kaufmann Publishers, 2004). This book provides a great overview of visualization theory.
Information Graphics: A Comprehensive Illustrated Reference, by Robert L. Harris (New York & Oxford: Oxford University Press, 1999). A great reference book for terminology and concepts concerned with visualization.
Envisioning Information (Cheshire, CT: Graphics Press, 1990).
Visual Explanations (Cheshire, CT: Graphics Press, 1997).
The Visual Display of Quantitative Information (Cheshire, CT: Graphics Press, 2001).
Beautiful Evidence (Cheshire, CT: Graphics Press, 2006).
These four books by Edward R. Tufte provide great information about visualization that covers everything from visualization history to simple design principles for graphs.
The first and most important topic for visualizing data is visual perception.
The human visual system has its own rules. We can easily see patterns presented in certain ways, but if they are presented incorrectly, they become invisible. If we can understand how perception works, our knowledge can be translated into rules for displaying information. Following perception-based rules, we can present our data in such a way that the important and informative patterns stand out. If we disobey the rules, our data will be incomprehensible or misleading. What is the best way of visualizing data? What choice of color best supports the communication of properties we are interested in? Does shape and placement help improve perception? A fair amount of research has been done in this area. Two of the people who are instrumental in the field of modern visual perception are Edward Tufte4 and Jacques Bertin.5 They are not the ones who historically created the field of visual perception, but they greatly helped introduce a broader public to some of these visual principles.
When we look at an image, some elements are detected immediately by the human visual system. No conscious attention is required to notice them. These elements are decorated with so-called pre-attentive visual properties. Visual properties are all the different ways of encoding data, such as shape, color, orientation, and so forth. Some visual properties require the viewer to serially process an image or a visual representation of data to notice them and interpret them. Pre-attentive properties pop out. They catch a viewer’s attention immediately. A famous example used to illustrate pre-attentive processing is shown in Figure 1-2. The leftmost illustration makes it really hard to find the eights. The rightmost side uses color to make the eights visually different. You can see them immediately.
Figure 1-2 How many eights are in this sequence of numbers? The leftmost illustration requires you to serially scan all the numbers. On the rightmost side, the eights are colored differently, which directly addresses a human’s pre-attentive capabilities.
Visual properties that are pre-attentive can be grouped into four groups6: form, color, position, and motion. Each of these four groups consists of a number of visual attributes. For example, form consists of orientation, size, and shape that can be used to emphasize information. Color uses two attributes: hue and intensity. Figure 1-3 shows a few more examples of pre-attentive visual attributes. It illustrates how pre-attentive attributes can be used to make information display more effective. The important information in an image should use these attributes, such that a viewer sees the important information immediately, instead of having to serially parse the images.
- For a more in-depth discussion of pre-attentive visual properties, see Information Visualization: Perception for Design, by Colin Ware (San Francisco: Morgan Kaufman Publishers, 2004).
Figure 1-3 A list of pre-attentive visual attributes, illustrating how they can help emphasize information in a graphical display
If more than just a single dimension needs to be encoded in a display, multiple pre-attentive attributes can be combined. The issue is, however, that not all attributes mix well with each other. The human brain cannot easily process some combinations. Attributes that work well together are called separable dimensions, and ones that do not work together are called integral dimensions.
If a display uses two integral dimensions to encode two different data dimensions at the same time, a human perceives them holistically. Figure 1-4 shows an example. The example of two integral dimensions is shown on the left side of the image. The ovals use width and height, two integral dimensions, to encode information. It is hard to separate the width and height of the ellipses. It takes almost serial processing to analyze the image and decode it. The right side of Figure 1-4 shows two separable dimensions: color and position. Separable dimensions enable the viewer to quickly separate the different visual elements into multiple classes. You can immediately separate the gray circles from the black ones and the group of circles on the top left from the ones on the bottom right.
Figure 1-4 The leftmost example shows a graph that uses two integral attributes, width and height, to encode information. The graph on the right uses separable attributes, color and position, to do the same.
Perception is just one aspect that we need to be aware of when creating powerful visual displays. Let’s take a look at two principles for creating expressive and effective graphs. After exploring the two principles, we will explore some more graph design principles that we should use to generate graphical representations of data.
Expressive and Effective Graphs
Generating graphs that are easy to understand and comprehend involves the two important principles of expressiveness and effectiveness. Not following these principles will result in graphs that are either confusing or simply wrong.
Two principles that are known as the Mackinlay criterion7 can be used to further improve legibility and efficiency of graphs. The first principle, Mackinlay’s expressiveness criterion, states the following:
- Mackinlay, J., “Automatic Design of Graphical Presentations,” Ph.D. Dissertation, Computer Science Dept., Stanford University, Stanford, California, 1986.
A set of facts is expressible in a visual language if the sentences (i.e., the visualizations) in the language express all the facts in the set of data, and only the facts in the data.
This sounds very theoretical, but let’s look at it. In Figure 1-5, the length of the bars in the graph does not encode facts from the underlying data. It therefore does not follow the expressiveness criterion. Although this example might look too obvious, keep this principle in mind when designing your own graphs. After you have generated the graph, think hard about what it really communicates.
Figure 1-5 This graph illustrates the violation of Mackinlay’s expressiveness principle. The graph does not encode the facts in the dataset. This data merely needed a tabular presentation.
The second Mackinlay criterion reads as follows:
A visualization is more effective than another visualization if the information conveyed by one visualization is more readily perceived than the information in the other visualization.
This ties directly back to the discussions throughout this chapter. By applying all the principles we have discussed so far, we will come up with more effective visualizations, based on Mackinlay’s effectiveness principle.
Graph Design Principles
When creating graphs, you should pay attention to a few simple design guidelines to generate easy to read, efficient, and effective graphs. You should know and understand the following list of graph design principles:
Reduce nondata ink.
Try to apply these principles on your graphs, and notice how they do not just esthetically improve, but also get much simpler to understand.
Reduce Nondata Ink
One of the most powerful lessons that I have learned stems from Edward Tufte. In his book, The Visual Display of Quantitative Information, he talks about the data-ink ratio. The data-ink ratio is defined by the amount of ink that is used to display the data in a graph, divided by the total amount of ink that was used to plot the entire graph. For example, take any bar chart. If the chart uses a bounding box, an excessive number of grid lines, or unnecessary tick marks on the axes, it increases the ink that was used to paint nondata elements in the graph. Three-dimensional bars and background images are some of the worst offenders of this paradigm. Get rid of them. They do not add anything to make a graph more legible and do not help to communicate information more clearly. Reduce nondata ink. It is a simple principle, but it is very powerful. Figure 1-6 shows how a graph can look before and after applying the principles of reducing nondata ink. The right side of the figure shows the same data as on the left side, but in a way that is much more legible.
Figure 1-6 An example illustrating the data-ink ratio and how reducing nondata ink improves the ratio and the legibility of a graph
We briefly touched on the topic of perception in the preceding section. One perceptual principle relates to the number of different attributes used to encode information. If you have to display multiple data dimensions in the same graph, make sure not to exceed five distinct attributes to encode them. For example, if you are using shapes, do not use more than five shapes. If you are using hue (or color), keep the number of distinct colors low. Although the human visual system can identify many different colors, our short-term memory cannot retain more than about eight of them for a simple image.
To reduce search time for viewers of a graph and to help them detect patterns and recognize important pieces of information, a school of psychology called Gestalt theory8 is often consulted. Gestalt principles are a set of visual characteristics. They can be used to highlight data, tie data together, or separate it. The six Gestalt principles are presented in the following list and illustrated in Figure 1-7:
- Contrary to a few visualization books that I have read, Gestalt is not the German word for pattern. Gestalt is hard to translate. It is a word for the silhouette, the form, the body, or the looks of a thing.
Proximity: Objects grouped together in close proximity are perceived as a unit. Based on the location, clusters and outliers can be identified.
Closure: Humans tend to perceive objects that are almost a closed form (such as an interrupted circle) as the full form. If you were to cover this line of text halfway, you would still be able to guess the words. This principle can be used to eliminate bounding boxes around graphs. A lot of charts do not need the bounding box; the human visual system “simulates” it implicitly.
Similarity: Be it color, shape, orientation, or size, we tend to group similar-looking elements together. We can use this principle to encode the same data dimensions across multiple displays. If you are using the color red to encode malicious IP addresses in all of your graphs, there is a connection that the visual system makes automatically.
Continuity: Elements that are aligned are perceived as a unit. Nobody would interpret every little line in a dashed line as its own data element. The individual lines make up a dashed line. We should remember this phenomenon when we draw tables of data. The grid lines are not necessary; just arranging the items is enough.
Enclosure: Enclosing data points with a bounding box, or putting them inside some shape, groups those elements together. We can use this principle to highlight data elements in our graphs.
Connection: Connecting elements groups them together. This is the basis for link graphs. They are a great way to display relationships in data. They make use of the “connection” principle.
Figure 1-7 Illustration of the six Gestalt principles. Each of the six images illustrates one of the Gestalt principles. They show how each of the principles can be used to highlight data, tie data together, and separate it.
A piece of advice for generating graphical displays is to emphasize exceptions. For example, use the color red to highlight important or exceptional areas in your graphs. By following this advice, you will refrain from overusing visual attributes that overload graphs. Stick to the basics, and make sure your graphs communicate what you want them to communicate.
Figure 1-8 This bar chart illustrates the principle of highlighting exceptions. The risk in the sales department is the highest, and this is the only bar that is colored.
A powerful method of showing and highlighting important data in a graph is to compare graphs. Instead of just showing the graph with the data to be analyzed, also show a graph that shows “normal” behavior or shows the same data, but from a different time (see Figure 1-9). The viewer can then compare the two graphs to immediately identify anomalies, exceptions, or simply differences.
Graphs without legends or graphs without axis labels or units are not very useful. The only time when this is acceptable is when you want the viewer to qualitatively understand the data and the exact units of measure or the exact data is not important. Even in those cases, however, a little bit of text is needed to convey what data is visualized and what the viewer is looking at. In some cases, the annotations can come in the form of a figure caption or a text bubble in the graph (see Figure 1-10). Annotate as much as needed, but not more. You do not want the graphs to be overloaded with annotations that distract from the real data.
Figure 1-9 Two bar charts. The left chart shows normal behavior. The right side shows a graph of current data. Comparing the two graphs shows immediately that the current data does not look normal.
Figure 1-10 The left side bar chart does not contain any annotations. It is impossible for a user to know what the data represents. The right side uses axis labels, as well as text to annotate the outlier in the chart.
Whenever possible, make sure that the graphs do not only show that something is wrong or that there seems to be an “exception.” Make sure that the viewers have a way to identify the root cause through the graph. This is not always possible in a single graph. In those cases, it might make sense to show a second graph that can be used to identify the root cause. This principle helps you to utilize graphs to make decisions and act upon findings (see Figure 1-11). A lot of visualizations are great at identifying interesting areas and outliers in graphs, but they do not help you take action. Have you ever asked yourself, “So what?” This is generally the case for graphs where root causes are not shown.
Figure 1-11 This chart illustrates how causality can be shown in a chart. The number of servers failing per month is related to the temperature in the datacenter.
By applying all the previously discussed principles, you will generate not just visually pleasing graphs and data visualizations, but also ones that are simple to read and ones that communicate information effectively.
Information Seeking Mantra
In a paper from 1996,9 Ben Shneiderman introduced the information seeking mantra that defines the best way to gain insight from data. Imagine you have a large amount of data that needs to be displayed. For others to understand the data, they need to understand the overall nature of the data—they need an overview. Based on the overview, the viewer then wants to explore areas of the data (i.e., the graph) that look interesting. The viewer might want to exclude certain data by applying filters. And finally, after some exploration, the viewer arrives at a part of the data that looks interesting. To completely understand this data, viewers need a way to see the original, underlying data. In other words, they need the details that make up the graph. With the original data and the insights into the data gained through the graphical representation, a viewer can then make an informed and contextual statement about the data analyzed.
- “The Eyes Have It: A Task by Data Type Taxonomy for Information Visualization,” by Ben Shneiderman, IEEE Symposium on Visual Languages, 1996.
The information seeking mantra summarizes this process as follows:
Overview first, zoom and filter, then details on-demand.
We revisit the information seeking mantra in a later chapter, where I extend it to support some of the special needs we have in security visualization.
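As an added example (not code from the book), here is the mapping of log records into a picture that this chapter describes: a link graph built on the Gestalt connection principle that colors the exception (denied traffic) red, keeps nondata ink out, and follows the information seeking mantra with overview, zoom-and-filter, and details-on-demand functions. The log format, field names, sample records and drawing layout are all assumptions.

```python
"""Map constructed firewall-style log records into a small SVG link graph.

Added example (not code from the book): the log format, field names and the
drawing layout are assumptions. It follows the chapter's principles:
 - overview first (records collapsed into counted src->dst edges),
 - zoom and filter (restrict to one source), details on demand (raw records),
 - color, a separable pre-attentive attribute, marks the exception (denies),
 - no bounding box, grid lines or 3-D effects, so nondata ink stays minimal.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample records; the key=value layout is an assumption.
SAMPLE_LOG = """\
2008-03-01T10:00:01 action=allow src=10.0.0.5 dst=192.168.1.10 dport=80
2008-03-01T10:00:02 action=allow src=10.0.0.5 dst=192.168.1.10 dport=80
2008-03-01T10:00:03 action=allow src=10.0.0.7 dst=192.168.1.20 dport=443
2008-03-01T10:00:04 action=deny src=10.0.0.9 dst=192.168.1.10 dport=22
2008-03-01T10:00:05 action=deny src=10.0.0.9 dst=192.168.1.20 dport=22
2008-03-01T10:00:06 action=deny src=10.0.0.9 dst=192.168.1.30 dport=22
2008-03-01T10:00:07 action=allow src=10.0.0.7 dst=192.168.1.20 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Record:
    action: str
    src: str
    dst: str
    dport: int


def parse(text):
    """Turn key=value log lines into Record objects; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if {"action", "src", "dst", "dport"}.issubset(fields):
            records.append(Record(fields["action"], fields["src"],
                                  fields["dst"], int(fields["dport"])))
    return records


def overview(records):
    """Overview first: collapse records into counted (src, dst, action) edges."""
    return Counter((r.src, r.dst, r.action) for r in records)


def zoom(records, src):
    """Zoom and filter: keep only the records of one source of interest."""
    return [r for r in records if r.src == src]


def details(records, src, dst):
    """Details on demand: the raw records behind a single edge of the graph."""
    return [r for r in records if r.src == src and r.dst == dst]


def render_svg(edge_counts, width=360, row_height=28):
    """Draw sources in a left column, destinations in a right column, one line
    per edge; line width encodes the count, red marks denied traffic."""
    sources = sorted({s for s, _, _ in edge_counts})
    dests = sorted({d for _, d, _ in edge_counts})
    src_y = {s: row_height * (i + 1) for i, s in enumerate(sources)}
    dst_y = {d: row_height * (i + 1) for i, d in enumerate(dests)}
    height = row_height * (max(len(sources), len(dests)) + 1)
    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" '
             f'height="{height}" font-family="sans-serif" font-size="11">']
    for (s, d, action), n in sorted(edge_counts.items()):
        color = "#c00" if action == "deny" else "#999"  # exception vs. muted normal
        parts.append(f'<line x1="110" y1="{src_y[s]}" x2="{width - 110}" '
                     f'y2="{dst_y[d]}" stroke="{color}" stroke-width="{n}"/>')
    # Labels only, no axes, grid or frame: the Gestalt closure principle lets
    # the eye supply the missing box.
    for s, y in src_y.items():
        parts.append(f'<text x="105" y="{y + 4}" text-anchor="end">{s}</text>')
    for d, y in dst_y.items():
        parts.append(f'<text x="{width - 105}" y="{y + 4}">{d}</text>')
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(render_svg(overview(recs)))          # the overview picture
    for r in details(recs, "10.0.0.9", "192.168.1.10"):
        print(r)                               # details behind the red edge
```

Save the printed SVG to a file and open it in a browser; the three red lines from 10.0.0.9 stand out immediately, while the thicker gray lines show the repeated allowed connections.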
Applying visualization to the field of computer security requires knowledge of two different disciplines: security and visualization. Although most people who are trying to visualize security data have knowledge of the data itself and what it means, they do not necessarily understand visualization. This chapter is meant especially to help those people acquire some knowledge in the field of visualization. It provides a short introduction to some visualization principles and theories. It touched on a lot of principles and should motivate you to learn more about the field. However, the visualization principles will be enough to guide us through the rest of this book. It is a distilled set of principles that are crucial for generating effective security visualizations.
This chapter first discussed generic visualization and then explained why visualization is an important aspect of data analysis, exploration, and reporting. The bulk of this chapter addressed graph design principles. The principles discussed are tailored toward an audience that has to apply visualization to practical computer security use-cases. This chapter ended with a discussion of the information seeking mantra, a principle that every visualization tool should follow.
© Copyright Pearson Education. All rights reserved.