This small experimental project was done for the Shadowserver Foundation. They are a volunteer, not-for-profit organization that deals in the capture, analysis and dissemination of data and intelligence relating to nefarious activity on the internet. Shadowserver provided us with one day's worth of data (several gigabytes) so that we could apply some known techniques and experiment with some new ones. The idea of this project was simply to offer some ideas on ways to represent their massive datasets visually. There's a lot of work still to go, but here are a few early ideas. My favourite is a light-hearted time series visualization in the theme of an old favourite arcade game originally released in 1972, "Pong".
Trojan Pong

This piece of work is more than just a bit of fun. It turns out to be a reasonable method to spot wider trends and anomalies in both victim IP ranges and the behaviours of various trojan families. We used the Logstalgia package to create this, which is designed to animate web server logs. We rearranged the malware dataset into a format that the existing Logstalgia platform could process. Why reinvent the wheel? Just find more uses for the ones you have! Keep in mind when you are watching this that it only represents a few minutes of malicious activity from only about 5 malware samples. Imagine what the wider state of the internet is like?
Figure: Relative drone numbers per country per trojan
Figure: Mapping the existence of different trojan families in each country

Drone activity (sinkhole data)

Shadowserver and other security researchers collect data indicating that a computer at a given IP address is infected (such machines are sometimes called drones or bots). This data is collected by taking control of the server that issues "Command and Control" (or C&C) instructions to these drones. The infected PCs periodically attempt to contact these C&C servers, so the IP address of the drone and the time of contact are logged. Where possible, this information is then given to the networks responsible for these IPs so that the drones can be cleaned up. This piece shows the relative prevalence of such trojan families per country. We used a tool called "Circos" to create these graphs. Circos was designed for the study of genetic attributes. Once again, we used an existing wheel for another purpose. Some people find these Circos graphs a challenge to understand; if so, stick with it, as it's worth the effort.
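The two data-wrangling steps described above (reshaping sinkhole check-ins into something Logstalgia will animate, and counting drones per country and trojan family for the Circos chord diagrams) as an added example; this is not the project's own code, the records are constructed, and the pipe-separated field order `timestamp|hostname|path|response_code|response_size` is assumed from Logstalgia's documented custom log format.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of sinkhole check-in records (not Shadowserver's data):
# UTC time, drone IP, country code, trojan family, sinkholed C&C hostname.
# Deliberately out of time order, with one drone checking in twice.
SAMPLE_RECORDS = """\
timestamp,ip,cc,family,cnc
2010-03-14 00:00:07,198.51.100.5,US,zeus,cnc-b.example
2010-03-14 00:00:01,192.0.2.10,AU,conficker,cnc-a.example
2010-03-14 00:00:09,192.0.2.77,AU,zeus,cnc-b.example
2010-03-14 00:01:30,203.0.113.9,DE,conficker,cnc-a.example
2010-03-14 00:00:01,192.0.2.10,AU,conficker,cnc-a.example
2010-03-14 00:02:00,192.0.2.11,AU,conficker,cnc-a.example
"""


def _parse(records_csv):
    """Yield (unix_ts, ip, cc, family) tuples from the CSV text."""
    for row in csv.DictReader(io.StringIO(records_csv)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        unix_ts = int(ts.replace(tzinfo=timezone.utc).timestamp())
        yield unix_ts, row["ip"], row["cc"], row["family"]


def to_logstalgia(records_csv):
    """Rewrite drone check-ins as Logstalgia custom-format lines.

    Assumed format (pipe separated): timestamp|hostname|path|response_code|response_size.
    The drone IP plays the web "client"; family and country become the "path",
    so Logstalgia draws one lane per trojan family; every ball is the same size.
    Logstalgia expects chronological input, so lines are sorted by timestamp."""
    rows = sorted(_parse(records_csv), key=lambda r: r[0])
    return [f"{ts}|{ip}|/{family}/{cc}|200|1" for ts, ip, cc, family in rows]


def drones_per_country_family(records_csv):
    """Count distinct drone IPs per (country, family): the input table for a
    Circos-style per-country diagram. A drone that checks in twice counts once."""
    seen = defaultdict(set)
    for _, ip, cc, family in _parse(records_csv):
        seen[(cc, family)].add(ip)
    return Counter({key: len(ips) for key, ips in seen.items()})


if __name__ == "__main__":
    print("\n".join(to_logstalgia(SAMPLE_RECORDS)))
    print(drones_per_country_family(SAMPLE_RECORDS))
```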
Animated drone locations

Shows the location of drones during the course of a typical 24 hours. Remember once more that this is just for the trojans that have been "sinkholed" by security researchers. The end part of this video shows the cumulative dataset for the whole day.
Figure: DDOS commanding server country - target country (standardized size)
Figure: DDOS commanding server country - target country (segments sized by volume, best estimates)

DDOS activity

Shadowserver monitors the instructions that Command and Control (C&C) servers send out to various botnets. The location of the C&C server, as well as the location of the target servers, is extracted from this data to create these graphs. Attribution is difficult in cyber security, and a point must be made here that the actual cybercriminal may not live in the same country as the C&C server. This piece attempts to help answer the question "Where are the servers that control the botnets, and which countries host their targets?"
Wordcloud of DDOS targets

A thousand words in a picture. The bigger the domain name, the more often an instruction to launch a DDOS attack against it was observed over the 24 hour period.

Animated DDOS targets

Shows the location of the targets of DDOS attacks over a 24 hour period.
Copyright dataviz Australia 2010
contact@dataviz.com.au