Applied Security Visualization and over one million other books are available for Amazon Kindle. Learn more
  • List Price: $59.99
  • Save: $26.73 (45%)
Rented from Amazon Warehouse Deals
To Rent, select Shipping State from options above
Due Date: Dec 20, 2014
FREE return shipping at the end of the semester. Access codes and supplements are not guaranteed with rentals.
  • List Price: $59.99
  • Save: $20.21 (34%)
Only 7 left in stock (more on the way).
Ships from and sold by
Gift-wrap available.
Have one to sell? Sell on Amazon
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Applied Security Visualization Paperback – August 11, 2008

ISBN-13: 978-0321510105 ISBN-10: 0321510100 Edition: 1st

Buy New
Price: $39.78
Price: $33.26
15 New from $29.99 13 Used from $8.14
Amazon Price New from Used from
"Please retry"
"Please retry"
$29.99 $8.14

Frequently Bought Together

Applied Security Visualization + Data-Driven Security: Analysis, Visualization and Dashboards + Network Security Through Data Analysis: Building Situational Awareness
Price for all three: $111.04

Buy the selected items together


Shop the new
New! Introducing the, a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Product Details

  • Paperback: 552 pages
  • Publisher: Addison-Wesley Professional; 1 edition (August 11, 2008)
  • Language: English
  • ISBN-10: 0321510100
  • ISBN-13: 978-0321510105
  • Product Dimensions: 9.1 x 6.7 x 1.2 inches
  • Shipping Weight: 1.9 pounds (View shipping rates and policies)
  • Average Customer Review: 4.5 out of 5 stars  See all reviews (12 customer reviews)
  • Amazon Best Sellers Rank: #486,112 in Books (See Top 100 in Books)

Editorial Reviews

About the Author

Raffael Marty is the founder of PixlCloud (–a data visualization in the cloud company. His interests span anything related to information visualization and computer security, which is his traditional background. He used to hold various positions in the log management space at companies like Splunk, ArcSight, and IBM research, where he also earned his masters in computer science. Raffy has been instrumental in building and defining the security visualization space. The SecViz ( portal, the Data Analysis and Visualization Linux ( (DAVIX), as well as AfterGlow ( are some of the prime resources for information related to security visualization. Raffael has spoken at dozens of computer security conferences around the world about visualization of security data.

Excerpt. © Reprinted by permission. All rights reserved.



This book is about visualizing computer security data. The book shows you, step by step, how to visually analyze electronically generated security data. IT data must be gathered and analyzed for myriad reasons, including GRC (governance, risk, and compliance) and preventing/mitigating insider threats and perimeter threats. Log files, configuration files, and other IT security data must be analyzed and monitored to address a variety of use-cases. In contrast to handling textual data, visualization offers a new, more effective, and simpler approach to analyzing millions of log entries generated on a daily basis. Graphical representations help you immediately identify outliers, detect malicious activity, uncover misconfigurations and anomalies, and spot general trends and relationships among individual data points. Visualization of data—the process of converting security data into a picture—is the single most effective tool to address these tasks. After all...

A picture is worth a thousand log entries.

To handle today's security and threat landscape, we need new analysis methods. Criminal activity is moving up the network stack. Network-based attacks are becoming more sophisticated, and increasingly attacks are executed on the application layer.

Criminal techniques have adapted. Are you prepared to deal with these new developments? Are you aware of what is happening inside of your networks and applications? In addition to monitoring your networks, you must make sure you are taking an in-depth look at your applications. Because of the vast amount of data that requires analysis, novel methods are needed to conduct the analysis. Visualization can help address these complex data analysis problems.

What This Book Covers

Follow me on an exciting journey through security data visualization. We will start with the basics of data sources needed for security visualization. What are they? What information do they contain, and what are the problems associated with them? I then discuss different ways to display data in charts or more complex visualizations, such as parallel coordinates. You will learn which graphical methods to use and when. The book then takes you through the process of generating graphical representations of your data. A step-by-step approach guarantees that no detail is left out. By introducing an information visualization process, visualization of security data becomes a simple recipe, which I apply in the core of this book to analyze three big areas of security visualization: perimeter threat, compliance, and insider threat. These chapters are hands-on and use-case driven. Open source visualization tools and libraries are discussed in the last chapter of the book. You can find all the tools introduced on the accompanying CD. Without dealing with installations, you can immediately start analyzing your own security data.

The book is a hands-on guide to visualization. Where it covers theoretical concepts and processes, it backs them up with examples of how to apply the theory on your own data. In addition to discussing—step by step—how to generate graphical representations of security data, this book also shows you how to analyze and interpret them.

The goal is to get you excited and inspired. You are given the necessary tools and information to go ahead and embed visualization in your own daily job. The book shows example use-cases that should inspire you to go ahead and apply visualization to your own problems. If one of the chapters covers a topic that is not your responsibility or focus area (for example, compliance), try to see beyond the topic specifics and instead explore the visualizations. The concepts may be valid for other use-cases that you want to address.

What This Book Doesn't Cover - This book covers visualization of computer security data. I do not discuss topics such as binary code or malware analysis. I don't get into the topics of steganography (the art or science of hiding information in images) or system call visualizations. This book is about time-based data and system status records. The data visualized is data you use to operationally secure an organization.

This book is not a compendium of security data sources and possible visual representations. It uses existing visualization methods—charts, parallel coordinates, treemaps, and so on—that are supported by many tools and applications. The book is composed of a sample set of data sources and use-cases to illustrate how visualization can be used.


I wrote this book for security practitioners. I am introducing new ways to analyze security data to the people who can implement them. Whether you are analyzing perimeter threat issues, investigating insider crimes, or are in charge of compliance monitoring and reporting, this book is meant for you.

The reader should have a basic understanding of programming to follow the Perl and UNIX scripts in this book. I assume that you are familiar with basic networking concepts and have seen a log file before. You don't have to be an expert in IT security or compliance. It helps to have an understanding of the basic concepts, but it is definitely not a prerequisite for this book. Most of all, I want you to read this book with an open mind. Try to see how visualization can help you in your daily job.

Structure and Content

This book follows a simple organization. It introduces basic visualization and data graphing concepts first. It then integrates those concepts with security data and shows how you can apply them to security problems. In the following list, I briefly describe each chapter:

  • Chapter 1: Visualization

  • Visualization is the core topic of this book. The first chapter introduces some basic visualization concepts and graph design principles that help generate visually effective graphs.

  • Chapter 2: Data Sources

  • Visualization cannot exist without data. This chapter discusses a variety of data sources relevant to computer security. I show what type of data the various devices generate, show how to parse the data, and then discuss some of the problems associated with each of the data sources.

  • Chapter 3: Visually Representing Data

  • Data can be visualized in many different ways. This chapter takes a closer look at various forms of visualizations. It first discusses generic graph properties and how they can help encode information. It then delves into a discussion of specific visualizations, such as charts, box plots, parallel coordinates, links graphs, and treemaps. The chapter ends with a discussion of how to choose the right graph for the data visualization problem at hand.

  • Chapter 4: From Data to Graphs

  • This chapter introduces the information visualization process. It is a step-by-step process that guides you through how to take the data and generate a graphical representation of it. It also discusses how to interpret the resulting visual representation. In addition, the chapter discusses ways to process data with various tools, such as UNIX scripts or Perl.

  • Chapter 5: Visual Security Analysis

  • Visually analyzing security data can be separated into three classes: reporting, historical analysis, and real-time monitoring. Historical analysis I discuss in four sections: time-series visualization, correlation graphs, interactive analysis, and forensic analysis. These are the topics discussed in this chapter.

  • Chapter 6: Perimeter Threat

  • This chapter is a collection of use-cases. It starts out with a discussion of use-cases involving traffic-flow analysis. Everything from detecting worms to isolating denial-of-service attacks and monitoring traffic-based policies is covered. The use-cases are then extended to firewall logs, where a large firewall log is analyzed first. In a second part, firewall logs are used to assess the ruleset to find potential misconfigurations or security holes. Intrusion detection signature tuning and wireless access log analysis are the next two use-cases that deal with network layer data. The remainder of the chapter looks at application layer data. Email server logs are first analyzed to find open relays and identify email-based attacks. A second part then looks at social network analysis using email transaction logs. The chapter closes with a discussion of visualizing vulnerability scan data.

  • Chapter 7: Compliance

    This chapter first introduces compliance in a log analysis context. I discuss the basics of control objectives and policies and show which federal or industry regulations require companies to analyze and collect their logs. I then show how visualization can help analyze audit data for compliance. Going through this process, it becomes necessary to start mapping the log files against business processes to weigh their importance. This leads into a risk management discussion and shows how risk-centric security visualizations can be generated. The chapter finishes up with a discussion of two compliance use-cases: the visualization of separation of duties in an application context and the monitoring of databases.

  • Chapter 8: Insider Threat

  • Instead of looking from the outside in, insider threat focuses on monitoring inside the perimeter. This chapter first introduces the topic and discusses different aspects of it, such as who a typical insider is. The chapter then introduces a detection framework that helps assess and monitor individuals. Through the use of so-called precursors, we can then identify potential malicious insiders and find users behaving suspiciously. Visualization is a key component of the insider detection process.

  • Chapter 9: Data Visualization Tools

  • After a short introduction to different data formats used by visualization tools, this chapter then surveys visualization tools and libraries. The chapter then introduces about 20 tools and open source visualization libraries that you can use in your own programs. All of these tools are also available on the accompanying CD, the Data Visualization and Analysis Linux (DAVIX).


Color is a key property of information visualization. Unfortunately, the cost of printing a book in color is quite high. This is why the images in the book are printed in black and white. However, because color is an important graph property, the book contains an insert of 16 color pages in the middle of the book. This insert is a collection of figures from throughout the book that illustrate how color enhances the readability of the visualizations. The following table lists the figures that are featured in the color insert.

Color Insert Table Figures that appear in the color insert

Figure Number

Page Number

Figure 3-1


Figure 3-17


Figure 3-27


Figure 3-39


Figure 4-10


Figure 4-11


Figure 4-12


Figure 4-15


Figure 6-7


Figure 6-12


Figure 6-13


Figure 6-16


Figure 6-17


Figure 6-18


Figure 6-19


Figure 6-24


Figure 6-26


Figure 6-27


Figure 6-38


Figure 6-41


Figure 6-43


Figure 6-44


Figure 7-6


Figure 8-6


Figure 8-16


Figure 8-17


Figure 8-19


Figure 8-23


Figure 8-24


© Copyright Pearson Education. All rights reserved.

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

4.5 out of 5 stars
5 star
4 star
3 star
2 star
1 star
See all 12 customer reviews
One graphing type, invented by Ben Shneiderman, is the Treemap and several examples of its usage are presented.
Michael Rash
To achieve a complete "visualization experience," I would bundle ASV with Andrew Jaquith's Security Metrics and a book on statistics.
Richard Bejtlich
The chapter includes a really useful table to select the right graph based on the purpose of the analysis and the data available.

Most Helpful Customer Reviews

11 of 11 people found the following review helpful By Adam Shostack on September 23, 2008
Format: Paperback
Our publisher sent me a copy of Raffael Marty's Applied Security Visualization. This book is absolutely worth getting if you're designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They're useful far beyond security. The chapter I didn't like was the one on insiders, which I'll discuss in detail further in the review.

In the intro, the author accurately scopes the book to operational security visualization. The book is deeply applied: there's a tremendous number of graphs and the data which underlies them. Marty also lays out the challenge that most people know about either visualization or security, and sets out to introduce each to the other. In the New School of Information Security, Andrew and I talk about these sorts of dichotomies and the need to overcome them, and so I really liked how Marty called it out explicitly. One of the challenges of the book is that the first few chapters flip between their audiences. As long as readers understand that they're building foundations, it's not bad. For example, security folks can skim chapter 2, visualization people chapter 3.

Chapter 1, Visualization covers the whats and whys of visualization, and then delves into some of the theory underlying how to visualize. The only thing I'd change in chapter 1 is a more explicit mention of Tufte's small multiples idea. Chapter 2, Data Sources, lays out many of the types of data you might visualize. There's quite a bit of "run this command" and "this is what the output looks like," which will be more useful to visualization people than to security people.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
4 of 4 people found the following review helpful By Raul on September 9, 2008
Format: Paperback
When security professionals are dealing with huge amounts of information, and who is not nowadays, correlation and filtering is not the easiest path (and sometimes enough) to discern what is going on. The in-depth analysis of security data and logs is a time consuming exercise, and security visualization (SecViz) extensively helps to focus on the relevant data and reduces the amount of work required to reach to the same conclusions. It is mandatory to add the tools and techniques associated to SecViz to your arsenal, as they are basically taking advantage of the capabilities we have as humans to visualize (and at the same time analyze) data. A clear example is the insider threat and related incidents, where tons of data sources are available.

The best sentence (unfortunately it is not an image ;) that describes SecViz comes from the author:
A picture is worth a thousand log entries.

This is a great book that joins two separate worlds, visualization and information security (infosec). The first chapter is an excellent introduction to the human perception system, its basic principles, and how we analyze, discern, and assimilate information. It is an eye opener for those new to the field. Chapter two is similar from an infosec perspective, and summarizes the main challenges and data sources, such as packet captures, traffic flows, and firewall, IDS/IPS, system, and application logs. The third chapter details different graph properties and chart types, including some open-source and online tools for chart and color selection.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
Format: Paperback
Applied Security Visualization (ASV) is a pioneering book in the emerging field of using visualization techniques to explore and represent data from a security perspective. Many security products - everything from intrusion detection systems, firewalls, SIM's, and AV software - offer methods for visualizing data they collect, but no single product has the ideal visualization interface (whatever that is). A main theme in ASV is to impart the reader with the knowledge and skills necessary to ask new questions about security data (such as a set of IDS event logs or application logs) and show the reader how to visually represent the answers to these questions. If a commercial interface has not been designed to visualize a data set in a particular way, ASV introduces tools and techniques to frequently make this possible. For example, common visualizations of firewall logs involve source and destination IP addresses and port numbers, but suppose that you want to create a link graph that involves source and destination IP addresses graphed against the TTL value in the IP header? The information in ASV makes this a snap.

At many points ASV deals with custom data parsing with invocations of clever one-line perl commands, and being a perl hacker myself, these examples are of particular interest.

The discussion in ASV is firmly grounded computer security, and many important security questions are raised along with motivating examples. For instance, a nice example is given for visualizing all outbound connections made from a laptop and differentiating these connections based on whether they are sent over the Tor network for strong anonymity.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Customer Images

Most Recent Customer Reviews

What Other Items Do Customers Buy After Viewing This Item?