Data visualization is essential to understanding the underlying patterns of our DNS traffic. Over the last few months, we’ve spent tremendous effort developing a 3D engine capable of rendering semantic graphs applied to our DNS problematics. But that’s not all – in order to provide a better analysis of the modern security threats, we also required an intelligent way to build appropriate datasets. Through the combination of 3D knowledge and improved use of the Ripple Effect, we are now able to deliver high resolution videos of our powerful Security Graph.
Before exploring this topic further, let’s take a look at our first video:
Wikileaks
So, what are we looking at here?
This video presents a dataset extracted from our Security Graph with a single starting point: Wikileaks.org. At first glance, you’ll notice that the graph nodes have different colors. In this case, we used a different color to represent each entity type:
- Blue: Domain
- Yellow: IP address
- Green: AS number
The edges between the nodes represent different connection types:
- Domain to IP: A certain domain is mapped to a certain IP
- IP to ASN: A certain IP belongs to a certain ASN
- Domain to Domain: Related domain or Co-occurrences. Every co-occurrence connection comes with a confidence score. The speed of the co-occurrence edge particle is mapped to this confidence score – the higher the score, the faster the speed.
Carding sites
This dataset was extracted from the following list of domains, which are shown in a circle at the center of the graph:
- fullz-mart.biz
- gavi.cc
- hhfun.com
- hidden-crime.biz
- kreditkarten.ru
- lampeduza.net
- lampeduza.so
- octavian.su
- omerta.cc
- validmarket.ru
- validservice.su
- www.cardsmarket.su
- www.devil-group.com
- www.foreverpp.ru
- xcarder.net
These domains were analyzed in our recent blog post, “Examining the Target Attack and Carding Sites Using Security Graph“.
For this video, we basically extracted all the co-occurrences of those domains on 4 levels. The color code here is slightly different from the WikiLeaks video; as we had several new domains to study, we wanted to know which we were already blocking/allowing. So the adjusted color code is as follows:
- Green: Allowed
- Red: Blocked
- Gray: Unknown (Not blocked)
We only have one color for the edges (pink), as we are strictly focusing on the co-occurrence graph (the edge particles still represent the confidence score).
It’s interesting to note that most of this co-occurrence neighborhood orbits in the same themes : Carding, Bitcoin trading and some anarchist content.
Conclusion
Hopefully you enjoyed watching these videos, which introduce a new, interactive way to look at data. Their purpose extends beyond the aesthetic, as well – these visualizations are helping our amazing research team take threat-detection to the next level by allowing them to view connections between domains more easily than ever before. This set of videos represents only our first foray into illustrating the power of the Security Graph, with more on the way. Stay tuned!
Share