Clarified Visualization Gallery

Situation Rooms - Intuitive views

We develop and deploy beautiful visualizations that are easy to understand, even for non-technical people such as reporters and different types of decision makers:

situation-room-generic.png

CyberDefence Situational Awareness

image.png

A screenshot from Swedish mainstream television SVT. Mikael Wedin explains the live events of the game using Clarified's topology view running on a video wall. In the top right corner, the earth view shows the connections from the participating countries to the game environment.

Situation Rooms - Domain Specialist Views

We also develop innovative and powerful visualizations that are valuable tools in the hands of specialists. Furthermore, we track and deploy third-party visualizations to provide optimal solutions for our customers.

situation-room-specialist.png

COTS Monitoring & Security Product

Our commercial-off-the-shelf deployments typically have two major components: 1) Clarified Recorders and 2) Clarified Analyzers. The Clarified Recorder leverages a mirror port for traffic capture. The Clarified Analyzer shows flows and visualizations of the data the Recorders have captured over the time period selected by the user.

cots.png

http://creativecommons.org/licenses/by/3.0/

Internet Crime - Tracking Criminal Movement

We also do visualizations on custom data formats. Due to our expertise in IP networking and Internet crime, we are able to transform raw data into intuitive visualizations. Our customers can use these visualizations to explain to non-technical people how Internet criminals operate.

movement.png

This was released at TED Global 2011; see a blog about it.

Internet Crime - Tracking Botnet Activity

This visualization demonstrates the activities of one botnet. Data was provided by F-Secure.

f-secure.png

Cyberthreat Situational Awareness

This visualization shows how patching of servers against one DNS-related vulnerability proceeds over time (red = vulnerable servers, green = non-vulnerable servers). Data was provided by DoxPara Research and Dan Kaminsky.

kaminsky.png

Interfacing with other information systems - Rogue DHCP servers and IPv6 routers

This screenshot demonstrates how we interfaced an existing monitoring/security system with our COTS product. A user of our Clarified Analyzer can view several different visualizations related to the event. Furthermore, the analyst can drill down from the visualizations all the way to the packet level.

clarified-interfacing-alerting.png

Producing Different Visualizations to Different Interest Groups

Below are two visualizations of the same data. The first one is an intuitive visualization explaining how the languages of Wikipedia edits differ across geolocations. The second visualization is a powerful domain specialist view, which shows the same data using a Hilbert curve layout.

wikipedia-view.png

wikipedia-hilbert.png

Connection Graphs with spring layout

IP-IP conversations, IP-Ether conversations, Ether-Ether conversations... The following one shows IRC conversations:

ircgraph.png

Funky 80's style graph layout:

80sgraph.png

Plankton

Shows IP-IP conversations.

plankton.png

Treemap

Shows IP-IP conversations, size proportional to the amount of data.

treemap.png

Pass-through view

A custom view for tracking which fuzzed test cases have passed through, e.g., a SIP firewall.

passthrough.png

Visualization prototypes on botnet activity

Created a viz that shows hosts using TCP in blue, and hosts using UDP in red (and hosts using other IP protocols in green).

This is panoulu at approx. 2008-10-08 04:02:00-04:02:15:

panoulu1.png

This is panoulu at approx. 2008-10-08 04:02:45-04:03:00:

panoulu2.png

Interesting. A bit more fiddling reveals that almost all that "red" traffic comes from one host, port 8361.

Spectral view on activity

Visualizing botnet by activity spectrum (y-axis is the latitude, x-axis time, color the amount of activity, one step in x-axis is about 120 seconds):

spectrum1.png

This shows that there is a periodic (turns out, hourly) jump in the activity of the botnet. If we adjust the x-axis a bit (one step is about an hour) we can see that the focus of activity shifts with the Sun:

spectrum2.png

The 4 weird vertical lines are probably just artifacts, because they happen to be just where the log files change. The same picture rotated around a bit (y-axis is time, growing from top to bottom, x-axis is the latitude, USA is the leftmost red spot, Europe in the middle, Asia right):

spectrum3.png

Changed the color scheme a bit, so color challenged people can also see the spectrum. This is the same spectrum, but now one update is 6 minutes and the picture is a bit denser. You can see both the hourly bursts and how the general action shifts with the Sun:

spectrum4.png

I just realized that this might happen because all people aren't such supernerds, and they don't keep their computers on 24/7 (they close the computer after work etc.). Or is there some other factor here?

Live Earth with Boxes

Created from the botnet data a supposedly less graphically intensive viz (the fuzzy blobs tend to be intensive), where the world is divided into 500 rectangular areas. The activity for each area is counted per frame. For each reddish rectangle, the intensity of the colour red and the size of the rectangle are proportional to the log(amount of activity):

boxearth1.png

Note the biggest and baddest box in the Indonesia-Thailand-Malaysia area, which seems to be dominating also in the animated version. There is a LOT of traffic coming from there.

The weird center-of-gravity-thingamajig

This viz shows (with the colour red) at which latitudes most of the traffic is concentrated. It shows a center of gravity of sorts for the traffic. The width of the red stripe reflects how well distributed the traffic is geographically (narrower = more concentrated). Here's a sequence of pictures that shows how the "center of action gravity" shifts with the time of day:

gravity1.png gravity2.png gravity3.png gravity4.png
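
The box view and the center-of-gravity view described above both come down to binning geolocated events per frame. The following Python is an added example, not Clarified's code. The 25 x 20 grid (the page only says 500 areas), the 120-second frame, log1p instead of a plain log, the latitude standard deviation as stripe width, and the sample events are all assumptions made here.

```python
import math
from collections import Counter, defaultdict

COLS, ROWS = 25, 20      # assumed split of the 500 rectangular areas
FRAME_SECONDS = 120      # assumed frame length

def cell_of(lat, lon):
    """Map a coordinate to (row, col); the poles and lon=180 clamp to the edge."""
    col = min(int((lon + 180.0) / 360.0 * COLS), COLS - 1)
    row = min(int((90.0 - lat) / 180.0 * ROWS), ROWS - 1)
    return row, col

def box_frames(events):
    """events: (seconds, lat, lon) tuples -> {frame: {cell: log-scaled intensity}}."""
    counts = defaultdict(Counter)
    for ts, lat, lon in events:
        counts[int(ts // FRAME_SECONDS)][cell_of(lat, lon)] += 1
    # log1p keeps a single event visible; a plain log would map it to 0
    return {f: {c: math.log1p(n) for c, n in cells.items()}
            for f, cells in counts.items()}

def center_of_gravity(events):
    """Per frame: (mean latitude, spread). A smaller spread means a narrower stripe."""
    lats = defaultdict(list)
    for ts, lat, _lon in events:
        lats[int(ts // FRAME_SECONDS)].append(lat)
    result = {}
    for frame, values in lats.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        result[frame] = (mean, math.sqrt(var))
    return result

# Constructed sample: (seconds since start, latitude, longitude) of source hosts
SAMPLE_EVENTS = [
    (0, -6.2, 106.8), (30, -6.2, 106.8), (60, -6.2, 106.8),  # one busy area
    (90, 60.2, 24.9),                                          # a lone host elsewhere
    (130, 40.7, -74.0), (200, 40.7, -74.0),                    # next frame, one area
]

if __name__ == "__main__":
    for frame, cells in sorted(box_frames(SAMPLE_EVENTS).items()):
        print("frame", frame, {c: round(v, 2) for c, v in cells.items()})
    for frame, (mean, spread) in sorted(center_of_gravity(SAMPLE_EVENTS).items()):
        print("frame", frame, "mean lat %.1f, spread %.1f" % (mean, spread))
```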
