Towards Designing Effective Visualizations for DNS-based Network Threat Analysis

Rosa Romero-Gomez, Yacin Nadji, Manos Antonakakis
IEEE Symposium on Visualization for Cyber Security, 2017

As threat detection systems become critical for protecting modern organizations, visualization has emerged as an essential tool for security analysts to understand network threats. However, there is currently little research on designing and evaluating effective network threat analysis visualizations. To address this problem, we take a user-centered approach, starting by designing an open source threat analysis console for DNS-based network threat analysis, grounded in both an understanding of analysts' needs and tasks and security visualization best practices. The proposed open source threat analysis console, called THACO (THreat Analysis COnsole), leverages open DNS datasets, domain WHOIS records, and both public malware and domain blacklists. It also uses a visually scalable visualization technique, a multi-grouping, zoomable treemap, adapted to the needs of DNS-based network threat analysis. We then conduct a user study with 7 in-situ and 31 online IT security practitioners. THACO and its source code will be released to the community in order to further improve the ability of analysts to perform network threat analysis and better secure their networks.