“Visualization and belief in a pattern of reality, Activates the creative power of Realization.” — A. L. Linall, Jr.
As a follow-up to my posting, “Traditional Thinking,” I wanted to examine one nontraditional solution that is still in the early stage of development. From watching detective shows, we all know that when a crime occurs the police always need to first look towards family and friends. If it is not about passion, it is almost always about the money. The same is true in technology: look to where organizations are putting the money. Love them or hate them, the Department of Homeland Security (DHS) has a very difficult task. To help DHS accomplish it, all sides of the political spectrum have been willing to provide DHS with a budget to take on the task of securing our country.
Earlier this month, the White House issued changes to be made to the nation’s homeland security strategy. Jonah Czerwinski, from Homeland Security Watch, provides a link to the revised strategy, The National Strategy for Homeland Security. There is a section, Cyber Security: A Special Consideration, which states:
Many of the Nation’s essential and emergency services, as well as our critical infrastructure, rely on the uninterrupted use of the Internet and the communications systems, data, monitoring, and control systems that comprise our cyber infrastructure. A cyber attack could be debilitating to our highly interdependent CI/KR and ultimately to our economy and national security.
A variety of actors threaten the security of our cyber infrastructure. Terrorists increasingly exploit the Internet to communicate, proselytize, recruit, raise funds, and conduct training and operational planning. Hostile foreign governments have the technical and financial resources to support advanced network exploitation and launch attacks on the informational and physical elements of our cyber infrastructure. Criminal hackers threaten our Nation’s economy and the personal information of our citizens, and they also could pose a threat if wittingly or unwittingly recruited by foreign intelligence or terrorist groups. Our cyber networks also remain vulnerable to natural disasters.
In order to secure our cyber infrastructure against these man-made and natural threats, our Federal, State, and local governments, along with the private sector, are working together to prevent damage to, and the unauthorized use and exploitation of, our cyber systems. We also are enhancing our ability and procedures to respond in the event of an attack or major cyber incident. The National Strategy to Secure Cyberspace and the NIPP’s Cross-Sector Cyber Security plan are guiding our efforts.
Let us follow the money, or at least a small part of the money.
In March 2004, DHS established the National Visualization and Analytics Center (NVAC). The center is led by the Department of Energy’s (DOE) Pacific Northwest National Laboratory (PNNL) in Richland, Washington. NVAC is tasked with providing “scientific guidance and coordination for the research and development of new tools and methods that Homeland Security has identified as required for managing, visually representing, and analyzing enormous amounts of diverse data and information.”
There are five Regional Visualization and Analytics Centers (RVACs) led by Penn State University, Purdue University, Stanford University, the University of North Carolina at Charlotte, and the University of Washington. While Stanford was the first center, there are no links to the work. Stanford is performing “research on network traffic analysis for intrusion detection; cognitive and perceptual principles supporting reasoning with space and time; and methods to support exploratory analysis of graphs in relational databases.” These RVACs collaborate with the NVAC.
In July 2007, DHS announced a partnership between NVAC and the National Science Foundation (NSF) to conduct a joint research program in data and visual analytics. A 5-year plan for collaboration, dependent on available resources, was established.
Currently, the NSF is soliciting proposals from “academia that capitalize on knowledge and expertise in the fields of mathematics, computational science and intelligent systems. The goal is to produce new data representations and transformations that will enable data stakeholders to detect the expected and discover the unexpected in massive data sets. This new program is called Foundations of Data and Visual Analytics, and FODAVA is the focus of the new NSFVAC. FODAVA is concerned only with a subset of the overall problem, namely the creation of the mathematical and computational sciences foundations required to transform data in ways that permit visual-based understanding.”
The proposals are due November 20, 2007. There will be five to seven awards: one five-year FODAVA-Lead award totaling $3,000,000, and four to six two-to-three-year FODAVA-Partner awards totaling $300,000 to $500,000 each. This breaks down to $2,250,000 per year for 5 years. NSF will provide $1,500,000 per year for up to five years. DHS will provide $750,000 per year for up to five years.
Let me continue to quote the NVAC’s November 2007 issue of VAC Views, “NVAC and NSF are establishing two types of research efforts: FODAVA Lead and FODAVA Partnerships. The FODAVA Lead effort will be granted to a research team where all team members belong to a single academic institution that will assume a leadership and coordination role. The FODAVA Lead will also play a key role in the development of FODAVA as a research field. In addition to forming the lead scientific research team, this institution will be responsible for assuring that results are disseminated to the FODAVA community, that effective liaison between FODAVA researchers and NVAC takes place, that testbed data sets are developed and disseminated and that the mathematics and computer science research communities become increasingly aware of the need for FODAVA-related research. FODAVA Partnership efforts will be two-to-three-year fundamental research projects. These academic partners will actively participate with the FODAVA Lead institution in developing FODAVA as a field.”
I find it interesting that both DHS and NSF are looking to security data visualization. It might just be time to read “Security Data Visualization” by Greg Conti. Raffael Marty, author of AfterGlow, wrote the two chapters on IDS signature tuning and firewall log analysis. Raffael is also working on a book which will dive deeper into some visualization topics around security, focusing on use-cases. To quote Raffael’s blog posting, “How do you use visualization for compliance, insider threat, and perimeter threat? What are some of the tools out there, what are the data sources, and what are the different types of graphs you should know and understand when you are visualizing security data?” No other details are available at this time, but I look forward to what promises to be a very interesting book.
Siddhartha Gautama wrote, “These blind men, every one honest in his contentions and certain of having the truth, formed schools and sects and factions…” I am curious whether sects and factions are developing. Ian Grigg in “The Failure of the Academic Contribution to Security Science” explains:
[A]cademics have presented stuff that is sometimes interesting but rarely valuable. They’ve pretty much ignored all the work that was done before hand, and they’ve consequently missed the big picture. Why is this? One reason is above: academic work is only serious if it quotes other academic work. The papers above are reputable because they quote, only and fulsomely, other reputable work. And the work is only rewarded to the extent that it is quoted … again by academic work.
The academics are caught in a trap: work outside academia and be rejected or perhaps worse, ignored. Or, work with academic references, and work with an irrelevant rewarding base. And be ignored, at least by those who are monetarily connected to the field.
By way of thought experiment, consider how many peer-review committees on security conferences include the experts in the field?
Dr Anton Chuvakin states in “Once More on Failure of Academic Research in Security”:
Many people, myself included, have bemoaned the complete failure of academic research in information security. The main reason for this is a complete disconnect of academic security research from real-world threats and vulnerabilities (e.g. I still see people publishing papers inventing signature-based network IDS systems, reinventing MAC/RBAC, neural nets to catch hackers, etc – and if I hear about the Lincoln labs 1998 intrusion detection data set again, I will screeeeeeeeeeeam!)
Greg Conti is a Program Co-Chair, and Raffael Marty is on the Program Committee, of the upcoming VizSEC 2007 Workshop on Visualization for Computer Security, sponsored by the National Security Agency’s (NSA) National Information Assurance Research Laboratory (NIARL). The workshop will be held in conjunction with IEEE Vis 2007 and IEEE InfoVis 2007. John Gerth, manager of the Computer Graphics Laboratory in the Department of Computer Science at Stanford University, is the only person from the RVACs on any of the boards for the workshop. The Stanford RVAC supported John’s paper, “Enhancing Visual Analysis of Network Traffic Using a Knowledge Representation.”
While preparing the “Presentations” post, I came across the visualization presentations below. Again I am left questioning why the researchers from the RVAC sites are not presenting.
- Microsoft Bluehat: Automated Application Security Testing Models with Cool WPF Visualizations
- High Bandwidth Visual Analysis of Security Data Flows
- HITB 2007: Insider Threat Visualization
- Malware Cinema: A Picture is Worth a Thousand Packets
- Network Attack Visualization
- Operational Security Risk Metrics: Definitions, Calculations, and Visualizations
- Tamara Munzner Presentation on InfoVis at UBC CS
- Visual Security Event Analysis
Security data visualization is a new field. This would explain why, while interest exists, work is spread in research pockets throughout industry, government, and academia. Visualization is not the solution for every security problem. Still, in combination with existing tools, it promises to help explore data, discover insights, and provide a way to effectively communicate results. It is a most interesting field offering intriguing possibilities.
You make some excellent points in this post. This year for the vizsec workshop – a trend which will continue at next year’s event to be held in Boston, MA in September – we have tried to include more people on the program committee who could be called ‘practitioners’.
I would like to point out that we have two PNNL members on the program committee for the vizsec workshop, but you may also want to look at the VAST conference, also held in conjunction with IEEE Vis/InfoVis:
http://conferences.computer.org/vast/vast2007/
Last year’s conference was a definite NVAC/RVAC event, and this year’s looks to be the same. I believe that RVAC investigators are encouraged to submit their work to the VAST conference (the excellent paper from Stanford you cite was from last year’s VAST conference), which could be why there are so few papers by RVAC members in the vizsec workshop. There are two papers in this year’s vizsec workshop that are authored or co-authored by members of PNNL:
Bill Pike, Chad Scherrer and Sean Zabriskie.
Putting Security in Context: Visual Correlation of Network Activity with Real-World Information
Jennifer Stoll, David McColgin, Michelle Gregory, Vern Crow and W. Keith Edwards.
Exploiting the User: Adapting Personas for Use in Security Visualization Design