Clarified Visualization Gallery
- Situation Rooms - Intuitive views
- Situation Rooms - Domain Specialist Views
- COTS Monitoring & Security Product
- Internet Crime - Tracking Criminal Movement
- Internet Crime - Tracking Botnet Activity
- Cyberthreat Situational Awareness
- Interfacing with other information systems - Rogue DHCP servers and IPv6 routers
- Producing Different Visualizations to Different Interest Groups
- Connection Graphs with spring layout
- Pass-through view
- Visualization prototypes on botnet activity
Situation Rooms - Intuitive views
We develop and deploy beautiful visualizations that are easy to understand, even for non-technical people such as reporters and different types of decision makers:
CyberDefence Situational Awareness
A screenshot from Swedish mainstream television SVT. Mikael Wedin explains the live events of the game using Clarified's topology view running on a video wall. In the top right corner, the earth view shows the connections from the different participating countries to the game environment.
Situation Rooms - Domain Specialist Views
We also develop innovative and powerful visualizations that are valuable tools in the hands of specialists. Furthermore, we track and deploy third party visualizations to provide optimal solutions for our customers.
COTS Monitoring & Security Product
Our commercial-off-the-shelf deployments typically have 2 major components: 1) Clarified Recorders and 2) Clarified Analyzers. The Clarified Recorder leverages a mirror port for traffic capture. The Clarified Analyzer shows flows and visualizations of the data the Recorders have captured over the time period selected by the user.
Internet Crime - Tracking Criminal Movement
We also do visualizations on custom data formats. Due to our expertise in IP networking and Internet crime, we are able to transform raw data into intuitive visualizations. Our customers can use these visualizations to explain to non-technical people how Internet criminals operate.
This was released at TED Global 2011; see a blog about it.
Internet Crime - Tracking Botnet Activity
This visualization demonstrates the activities of one botnet. Data was provided by F-Secure.
Cyberthreat Situational Awareness
This visualization shows how patching the servers against one DNS-related vulnerability proceeds over time (red = vulnerable servers, green = non-vulnerable servers). Data was provided by DoxPara Research and Dan Kaminsky.
Interfacing with other information systems - Rogue DHCP servers and IPv6 routers
This screenshot demonstrates how we interfaced an existing monitoring/security system with our COTS product. A user of our Clarified Analyzer can view several different visualizations related to the event. Furthermore, the analyst can drill down from the visualizations all the way to the packet level.
Producing Different Visualizations to Different Interest Groups
Below are two visualizations of the same data. The first one is an intuitive visualization explaining how the languages of Wikipedia edits differ across geolocations. The second visualization is a powerful domain specialist view, which shows the same data using a Hilbert Curve layout.
Connection Graphs with spring layout
IP-IP conversations, IP-Ether conversations, Ether-Ether conversations... The following one shows IRC conversations:
Funky 80's style graph layout:
Shows IP-IP conversations.
Shows IP-IP conversations, size proportional to the amount of data.
A custom view for tracking which fuzzed test cases have passed e.g. a SIP firewall.
Visualization prototypes on botnet activity
Created a viz that shows hosts using TCP in blue, and hosts using UDP in red (and hosts using other IP protocols in green).
This is panoulu at approx. 2008-10-08 04:02:00-04:02:15:
This is panoulu at approx. 2008-10-08 04:02:45-04:03:00:
Interesting. A bit more fiddling reveals that almost all that "red" traffic comes from one host, port 8361.
Spectral view on activity
Visualizing botnet by activity spectrum (y-axis is the latitude, x-axis time, color the amount of activity, one step in x-axis is about 120 seconds):
This shows that there is a periodical (turns out, hourly) jump in activity of the botnet. If we adjust the x-axis a bit (one step is about an hour) we can see that the focus of activity shifts with the Sun:
The 4 weird vertical lines are probably just artifacts, because they happen to be just where the log files change. The same picture rotated around a bit (y-axis is time, growing from top to bottom, x-axis is the latitude, USA is the leftmost red spot, Europe in the middle, Asia right):
Changed the color scheme a bit, so color challenged people can also see the spectrum. This is the same spectrum, but now one update is 6 minutes and the picture is a bit denser. You can see both the hourly bursts and how the general action shifts with the Sun:
I just realized that this might happen because all people aren't such supernerds, and they don't keep their computers on 24/7 (they close the computer after work etc.). Or is there some other factor here?
Live Earth with Boxes
Created this supposedly less graphically intensive viz from the botnet data (the fuzzy blobs tend to be intensive), where the world is divided into 500 rectangular areas. The activity for each area is counted per frame. For each reddish rectangle, the intensity of the colour red and the size of the rectangle are proportional to the log(amount of activity):
Note the biggest and baddest box in the Indonesia-Thailand-Malaysia area, which seems to be dominating also in the animated version. There is a LOT of traffic coming from there.
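The box aggregation described above, as an added example that is not Clarified's own code: geolocated events are counted per rectangle per frame and log-scaled for drawing. The 25 x 20 grid split, the 120-second frame length, the `log1p` variant of the log scaling, and all function names and sample events are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

COLS, ROWS = 25, 20      # assumed split of the world: 25 x 20 = 500 rectangles
FRAME_SECONDS = 120      # assumed frame length; the page only says "per frame"

def cell_of(lat, lon):
    """Map a coordinate to (row, col); row 0 is the northernmost band."""
    col = min(int((lon + 180.0) / 360.0 * COLS), COLS - 1)
    row = min(int((90.0 - lat) / 180.0 * ROWS), ROWS - 1)
    return row, col

def bin_events(events):
    """events: iterable of (unix_ts, lat, lon) -> {frame: Counter{cell: count}}."""
    frames = defaultdict(Counter)
    for ts, lat, lon in events:
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue     # drop records whose geolocation lookup failed
        frames[int(ts // FRAME_SECONDS)][cell_of(lat, lon)] += 1
    return frames

def box_scale(counts, global_max):
    """Log-scale counts to 0..1; drives both box size and red intensity.
    log1p is used instead of log so a cell with one event is still drawn."""
    denom = math.log1p(global_max)
    return {cell: math.log1p(n) / denom for cell, n in counts.items()}

def render_frames(events):
    """Scale every frame against the busiest cell seen in any frame,
    so box sizes stay comparable across the whole animation."""
    frames = bin_events(events)
    global_max = max((n for c in frames.values() for n in c.values()), default=0)
    if global_max == 0:
        return {}
    return {f: box_scale(c, global_max) for f, c in sorted(frames.items())}

# Constructed sample events (not from the botnet data set on this page).
SAMPLE = (
    [(i, -6.2, 106.8) for i in range(100)]        # 100 events near Jakarta
    + [(5 * i, 40.7, -74.0) for i in range(10)]   # 10 events near New York
    + [(130, 60.17, 24.94)]                       # 1 event, second frame
    + [(10, 999.0, 0.0)]                          # invalid latitude, dropped
)

if __name__ == "__main__":
    for frame, boxes in render_frames(SAMPLE).items():
        for cell, scale in sorted(boxes.items(), key=lambda kv: -kv[1]):
            print(f"frame {frame} cell {cell} scale {scale:.3f}")
```

Scaling against a global maximum rather than a per-frame maximum is what lets one dominant region stand out consistently from frame to frame.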
The weird center-of-gravity-thingamajig
This viz shows (with the colour red) to which latitudes most of the traffic is concentrated. It shows a center of gravity of sorts for the traffic. The width of the red stripe reflects how well distributed the traffic is geographically (narrower = more concentrated). Here's a sequence of pictures that shows how the "center of action gravity" shifts with the time of the day: