DocumentCode :
2235638
Title :
Visualization in Interrogator using Graphviz
Author :
Fox, Charles ; Wilson, Duane
Author_Institution :
Center for Intrusion Monitoring & Protection, US Army Res. Lab., Adelphi, MD
fYear :
2006
fDate :
21-23 June 2006
Firstpage :
390
Lastpage :
392
Abstract :
The Interrogator infrastructure is comprised of a number of networks, each consisting of multiple thousands of nodes. The data produced by the sensors in this infrastructure is collected and stored in three distinct formats: relational databases, data files containing packet traffic or network flow information, and other report files, usually in extensible markup language (XML) format. In a network infrastructure of this size, it becomes very difficult to keep abreast of the complex relationships that exist within. Additionally, due to the sheer volume of data produced in the previously mentioned formats, a method to aid in extracting the security-relevant content from the data becomes highly essential. We propose the use of network graphs to address these limitations in the current Interrogator architecture. Generation of the graphs required the development of methods to extract, from the data sources available, the needed connectivity and data transfer information. This information was then passed to a graphing utility, Graphviz, which was used to generate the network graphs. Using the capabilities provided in Graphviz, we were able to quickly obtain information about any node in the network, including the connectivity of the node, the data transferred, and any alerts generated that included these nodes. These graphs are used as another analysis source for an analyst to aid in the identification of suspicious network behavior.
Keywords :
data flow analysis; data visualisation; electronic data interchange; relational databases; security of data; software architecture; Graphviz; Interrogator infrastructure; data transfer information; network flow information; network graphs; packet traffic; relational databases; Data mining; Data security; Data visualization; Face detection; Information analysis; Intelligent networks; Military standards; Relational databases; Telecommunication traffic; XML;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Assurance Workshop, 2006 IEEE
Conference_Location :
West Point, NY
Print_ISBN :
1-4244-0130-5
Type :
conf
DOI :
10.1109/IAW.2006.1652126
Filename :
1652126