Savors
Savors consists of five visualization tools, an auralization component, and supporting software that together provide an integrated environment for monitoring, analyzing, and responding to security event data. Tools are split into client and server components, with the server responsible for locating and processing the requested data and streaming it to the client for display. Data is located using an administrator-defined function that returns the data file path corresponding to any given timestamp. Savors has built-in support for libpcap and CSV data formats, but custom handlers can be easily added. Servers may be invoked by the client either locally or remotely over SSH, which allows the client to be geographically separated from the data. Data is sent in batches and buffered at the client to maintain a consistent display speed. Subsequent batches are transferred asynchronously while the current batch is being displayed.
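The locator function and batched streaming described above, as an added Perl example (Savors is written in Perl, but this is not Savors code); the directory layout, rotation periods and retention start are assumptions:

```perl
#!/usr/bin/perl
# Added example of a Savors-style administrator-defined locator, not code
# from the Savors project.  Assumed layout (not from the page): pcaps rotate
# hourly into /data/pcap/YYYY/MM/DD/HH.pcap, CSV logs rotate daily into
# /data/flows/YYYY-MM-DD.csv; the retention start is a constructed value.
use strict;
use warnings;
use POSIX qw(strftime);

my $RETENTION_START = 1700000000;   # oldest timestamp with data on disk

# Map an epoch timestamp to the hourly pcap holding it; undef when the
# timestamp predates retention (the caller treats undef as "no data").
sub locate_pcap {
    my ($ts) = @_;
    return undef if $ts < $RETENTION_START;
    return strftime("/data/pcap/%Y/%m/%d/%H.pcap", gmtime($ts));
}

# Same contract for the daily CSV feed, so one server serves both
# built-in formats through the same locator interface.
sub locate_csv {
    my ($ts) = @_;
    return undef if $ts < $RETENTION_START;
    return strftime("/data/flows/%Y-%m-%d.csv", gmtime($ts));
}

# Split [$start, $end) into fixed-size batches and resolve the files each
# one needs.  A batch straddling a rotation boundary spans two files, so
# both endpoints are located (valid while a batch is shorter than the
# rotation period).  Returns [batch_start, batch_end, @files] per batch.
sub plan_batches {
    my ($locator, $start, $end, $batch_secs) = @_;
    my @plan;
    for (my $t = $start; $t < $end; $t += $batch_secs) {
        my $bend = $t + $batch_secs < $end ? $t + $batch_secs : $end;
        my %seen;
        my @files = grep { defined $_ && !$seen{$_}++ }
                    map { $locator->($_) } ($t, $bend - 1);
        next unless @files;          # nothing stored for this window
        push @plan, [$t, $bend, @files];
    }
    return @plan;
}

# 23:45Z to 00:15Z across the 2023-11-15 hourly rotation, 10-minute batches.
for my $b (plan_batches(\&locate_pcap, 1700005500, 1700007300, 600)) {
    my ($s, $e, @files) = @$b;
    print "$s-$e: @files\n";
}
```

The middle batch resolves to both the 23.pcap and 00.pcap files, which is the case a single-file locator contract silently mishandles if the server only locates the batch start.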
The client is responsible for providing a visual (or aural) representation of the data along with playback controls and input fields to manipulate its behavior. All Savors visualization tools share the same basic interface. The bottom of each tool consists of buttons to play, pause, rewind, and otherwise control the data stream, as well as input fields to select and display the time period and other parameters. The left side of each tool shows the current mapping between colors and protocols. Protocols may be filtered from the display by clicking on the corresponding color box. The central region of each tool shows a specific visualization. Though not required, Savors was intended to be run on a small hyperwall-like device with a dedicated display and back-end system for each tool. Savors was written in Perl/Tk, which allowed for a very rapid and portable implementation.
To support analysis over large data sets, three of the visualization tools are designed to utilize high-end computing (HEC) resources such as clusters and supercomputers. Additionally, a response capability is integrated into all the visualization tools that allows users to react instantaneously to displayed data by blocking traffic, adding new filters, etc. The details of HEC usage, firewall configuration, and sensor updates, as well as the underlying capabilities for locating data and controlling access to data and resources, are hidden behind the Savors visual interface. This allows users to focus on their specific security tasks without needing to become experts in every aspect of their organization's infrastructure.