[attachment=3502]

Introduction

Network Security Visualization is still a relatively new field as most research has been published since 1999. Network security is crucial to maintaining stable networks in order for institutions to continue normal operations. Network attacks are designed to cripple or disable normal functionality of a network, interrupting normal operations. A network administratorâ„¢s primary task is to enable secure and legitimate communications between machines on a network. A large portion of this task involves both reactive and proactive prevention of attacks. Visualization is used to aid a network administrator in their job related tasks by allowing the administrator to detect intrusions and insecurities that they would not detect through other means. Furthermore, visualization can be used to speed up detection of network security events, allowing for quicker responses that can minimize the damage of network attacks. Good network security visualization will provide increased understanding of a network and decrease the time it takes to recognize a security event. If the visualization is used for real-time monitoring, current network security events are highlighted to enable quick response time.
The primary goal of network security visualization is to provide a network administrator with visual information that allows the administrator to perform their job-related tasks, including identifying and preventing unauthorized access to resources, attacks on their network, and misuse of resources from within the network. One of the difficulties of this task is handling large amounts of data and filtering the data in such a way that security events stand out. Another difficulty is enabling the visualization to show data for individual nodes while showing data for the entire network to better detect and understand security events. Most of the current network security visualization techniques focus on one of these areas, either displaying data for only one node on a network, or displaying overall network data without going into detail on the particular nodes. Without an understanding of the nodeâ„¢s traffic in its significance within the overall network traffic, certain types of attacks are difficult to detect.
We present a new approach to network security visualization by extending existing approaches in order add service and temporal information into the node itself. We begin with a node scatter plot, which is similar to other approaches based upon network traffic data sets. Within each node in the scatter plot, we embed more information than previous approaches by using time slicing and service differentiation visualization techniques. By visualizing different service activity over time on a per-node basis, we are able to differentiate between attacks, discover more details about the attack, and identify different types of attacks not available in previous scatter plot node graph visualizations of network data.

Network Security Background

Network security is the field of controlling risks involved with a set of connected computers. Network security is an important field because network attacks cost businesses an estimated $666 million in 2003. A goal of network security is to prevent unauthorized access to resources, such as unauthorized reading of files. Another goal of network security is to prevent attacks that disable services, such as not allowing a set of users to access a companyâ„¢s web server. The network security administrator is responsible for monitoring the computer network. The administrator is concerned with any type of anomaly that could represent an attack or an intrusion. Furthermore, the administrator must recognize signature-based network threats, as most attacks follow some pattern. The network administrator performs three tasks: monitoring,
Analysis and response. In the first phase, monitoring, the administrator attempts to find something problematic about the network, such as an attack or unauthorized access. Once a problem is found, the administrator will analyze the specifics of the problem in order to respond by taking steps to correct the issue and prevent the problem from occurring again.Network security visualization aids the network administrator in the first two generalized tasks, monitoring and analyzing. The more specific tasks that a network security administrator must perform in the monitoring and analysis stages include detecting insecurities, detecting intrusion attempts, defending against network attacks, and detecting resource misuse.
2.1 Network Data Set
Various different data sets are used to analyze a networkâ„¢s security profile. It is important to understand the different network security data sets as each network security visualization tends to pick a particular data set to visualize. Some network data sets are subsets of other network data sets, but provide the data in a more specific format or in more detail.
2.1.1 Network Routing
A common data set related to network security is network routing information which is the links between nodes that transfer data. When communicating across a network, in order to get traffic from one to another, the traffic often must travel between intermediate nodes known as hops before reaching its endpoint. The node path from one endpoint to another is known as a route. Like in a graph, there can be various paths from endpoint to another, so routes are configurable. During network attacks, some of the nodes in a particular route, or a hop, may be disabled. Even an attack that is not directly against a particular network, but against a node that commonly serves as a hop to such a network, can deny access to users of services on that network. By monitoring the status of network routing, administrators can make arrangements to change the network routing information during an attack. Network routing information also gives details on network stability, identifying which paths are currently active. Teoh et al. detected network instability on the network route leading to Google by analyzing network routing data. They were able to detect weaknesses in the route but analyzing each hop on the route.
2.1.2 Network Port Status
Network port status is another data set relevant in network security. Often, unauthorized access is obtained through a service running on a network. Each network service running on a machine opens a port on that machine, so users of the service can connect to it. Examples of network services include web servers, email servers, and SSH servers. However, this also allows potential access from a malicious user. Detecting open services can indicate security risks, especially if a service is open inadvertently. For a network security administrator, it is important to monitor which ports are open on a network, and make sure that each open port is intended to be opened and properly secured. Unintentionally opened ports are almost always a problem. Mcpherson et al. worked on a data set based on access to specific ports of a system. Muelder et al. actively performed network scans, which probe to see which services are available on a network by detecting which ports are open.
2.2 Network Attacks
Network attacks come a variety of forms, some of which are common enough to classify. A network attack consists of anything that attempts to prevent a system from performing its normal function over a network or remotely allows unintentional behavior. Some attacks are designed to be disable network services to prevent normal network function, a form of sabotage. Other attacks are designed to gain unauthorized access or control of a network, a form of espionage. The following is a discussion of the broader categories of network attacks.
2.2.1 Session Hijacking
Session hijacking occurs an attacker pretends to be the victim during the victimâ„¢s normal network communication to a host. After the victim is authenticated by the host, that session can be hijacked by mimicking the next packets that would normally be sent by the victim. This can be very effective when the attacker is able to passively monitor network traffic in order to easily predict the next packetâ„¢s structure. Session hijacking often occurs in the application layer in stateless protocols like HTTP. For example, once you log onto a website, you are given a session which is passed around when you navigate to different pages. There are various methods of passing the session id around including appending it to the URL, making a hidden form value, or storing it in a cookie. Each method passes the session id over the network, however. An attacker can read a victimâ„¢s session id and then use it to access the website just like the victim, after the victim already authenticated the session.
2.2.2 Man in the Middle
Man in the middle attacks occur when an attacker is positioned between a victim and its intended location and the network traffic is routed through the attacker. The attacker gains access to all of the network communication between the victim and its intended location, allowing a wide variety of attacks, including session hijacking. One of the most common techniques for an attacker to become aman in the middle is Address Resolution Protocol (ARP) poisoning. ARP poisoning involves using the ARP protocol to spoof another machine at the network layer. The ARP protocol is responsible for mapping IP address in the transport layer to MAC addresses at the network layer. In ARP, a node is whatever it says it is so an attacker can easily map a victimâ„¢s IP address to its own MAC address. Then, the attacker will route packets to and from the victim to makes its presence transparent. This type of attack is undetectable by monitoring traffic between source and destination because it involves an attack on the route between the source and destination. However, monitoring traffic along routes increases the monitoring complexity by the average number of hops it takes to get from a source to a destination.
2.3 Research Problem
The specific problem we address is visually aiding a network system administrator in identifying high-risk machines and security events on their network from a service oriented perspective. The major goal of this research is to provide a visual means for a network administrator to take steps to prevent attacks, mitigate damage from attacks, and monitor service traffic. The features that a visualization tool must provide to perform this task are to visually identify anomalous behavior in a network and allow the administrator to gain information about the anomalous behavior. The visualization tool must provide service information about each node on the network to detect anomalous behavior at the service level. Finally, the visualization tool should be able to use temporal data to distinguish between heavy usage and attacks. This visualization will aid the administrator in identifying the presence, severity, and type of network security even present in a network by representing network data at the service or application layer.
Often, a network is fairly secure in its boundaries to a larger network, such as the Internet. However, internally, networks are insecure in order to allow workplace productivity; for example, everyone on a network might have unrestricted access to a printer. This implies that a network is only as secure as its weakest point to an external network. Furthermore, the likely points of attack are services running on nodes that connect the internal network to the external network.


Chapter 3
Network Security Visualization Techniques

In addition to being diverse, network security data tends to appear in large data sets. Using a simple packet capture, which logs network messages, sent to and from a computer, one can expect to log around 100 messages over a one-minute time frame from a user browsing the web and using some form of a network chat service. Multiplying those 100 messages by the number of users on a network and the amount of time those users are using the network results in very large data sets, which in turn, creates a need for overviewing, summarizing, highlighting, and filtering the data.
3.1 Node Links using Scatter Plots
Becker performed research on visualizing node links; this research is frequently cited because most visualization contains some type of node page link information. Beckerâ„¢s visualization, shown in Figure 3.1, has a line between two nodes representing some page link between those two nodes that allows the transfer of messages from one node to another. In other words, the vertices in the plot represent machines, and the edges in the plot represent network connections. The lines can be unidirectional with arrows (directed) and can have varying thickness or color to represent the amount of activity over that link. Each node is positioned on a map representing the nodeâ„¢s location to show links across wide areas. The visualization also provides interactive controls allowing resizing of nodes and zooming on map locations. Figure 3.1 shows this example applied to nodes in the United States. The image shows that the majority of the network traffic plotted has either a source or destination in California. The thick lines represent large amounts of traffic, one of which has an endpoint in Seattle. One of the weaknesses of Beckerâ„¢s approach is that the plot becomes crowded quickly. Often, a network administrator is not concerned with information from nodes that are not on the network the administrator manages. Ball introduced a method that reduced the clutter by focusing in on nodes for a specific network and called this a home-centric approach. Ball used Beckerâ„¢s work in displaying lines of varying color and thickness to represent links between nodes but changed the overall perspective, separating internal nodes from external nodes. The idea is to focus on the nodes that are part of an internal network that the system administrator is managing and view their communications with the external nodes. This filters out the communications between external nodes. Figure 2 shows the results of this type of focus and filtering. In this figure, there are no links between any of the external nodes, so the focus is on the traffic from the internal nodes to the external nodes. The amount of traffic is represented by the size of
Figure 3.1: Beckerâ„¢s visualization of node links across a geographic area [2].
The glyph representing the external node. Ball et al.â„¢s home-centric network visualization had a primary goal of changing the perspective of network visualizations by focusing on the network being managed. The research also provided glyph modifications to represent different machines on the network. The glyph was a simple rectangle; the size was modified according to the amount of network activity for a machine. Furthermore, the glyph was shaded according to inactivity time. Teohâ„¢s work took node links to a higher level of detail, by using focus + context techniques to display time data in addition to node page link data. Focus + context are the term used to define a visualization technique that focuses on details of a specific area without losing context of the larger picture. For example, a fish eye lens for a specific portion of a large visualization is a focus +context technique, while simply zooming in a specific area loses the context. The focus + context techniques provide an interactive way to manipulate the data by allowing adjustment of time and multiple views of the network. The user can view node page link data for a time frame of their choice, while previous methods were limited to a static timeframe. This allows a network administrator to detect anomalies over time, using comparisons to normal network activity. In another application of this technique, Goldring experimented with using scatter plots for various visualizations, including network page link traffic. His focus was organizing and converting data to forms which are easily represented by scatter plots and he was successful in performing this task for network traffic data.
Building upon the common node page link scatter plot, Erbacher used glyphs instead of dots as nodes, and glyphs instead of lines for links, in order to add more information to the visualization. By representing the links as different glyphs, Erbacher could distinguish the type of traffic going from one node to another, in order to visually distinguish between the types of transaction occurring over a network link. For example, in Figure 3, one glyph is used to represent the start of the connection, and another shows the authentication for a user. The page link glyphs differ by either using a dotted line, double line, bold line, or a single line. The advantage to this approach is that it adds another level of detail to the visualization, allowing the user to see the types of data transmitted over a link, rather than only the amount of data. While other approaches varied to line width to represent one attribute of the link, Erbacher was able to represent more
Figure 3.2: Ballâ„¢s node page link visualization, which focuses on the network being managed [1].
Attributes by varying the type of line and endpoint glyph and direction. As noted previously, simple glyphs are used in Ballâ„¢s visualization to represent multiple attributes of each node. Ball uses size to represent amount of traffic and opacity to represent inactivity time.
3.2 Parallel Coordinates
Parallel coordinates are used for visualizing multidimensional data. They have the advantage of being able to visualize virtually unlimited dimensions. For each object being visualized, each attribute is plotted as an x-y coordinate. The x coordinate represents the dimension, and the y coordinate represents the relative value of that dimension. Finally, the sequence of x-y coordinates for an object is connected by lines. Since parallel coordinates can be used to visualize any multivariate data set, it is often not specific enough for capturing details about a specialized data set, making it difficult to understand what is being visualized. Conti used this technique to plot external port, internal port, source address, and destination address. In this example, each machine has an address and each address has a number of possible ports, which implies a composition relationship that does not come across in this visualization since all variables are treated equally. Figure 3.4 shows connections from external addresses to internal address using the two vertical lines closest to the center. The outer lines represent the port being used by each node. This shows that several connections occurred to and from the same port, but several external nodes connected to the same internal node. In Contiâ„¢s example, it is difficult to draw any conclusions because the range of the y-axis is huge and specific values are important. For instance, the security difference between someone using port 21, telnet, and port 22, Ssh, is the difference between sending user names and passwords unencrypted versus encrypted. Yin et al. used Net- Flow data, a format that logs network data transferred from end to end by ignoring intermediate communications, to visualize a network.
3.3 Mapping Port Activity of Network Traffic
McPherson used a color mapping technique to identify interesting ports on a network (Figure 3.3). Each port was mapped to a point by mapping the x and y axis to a value based on
The
Figure 3.3: An example of Erbacherâ„¢s glyph representation of network page link data.
More information is displayed in the visualization by using different glyphs to represent different types of network data.
Figure 3.4: Contiâ„¢s example of using parallel coordinates to display connections from internal machines to external machines on different ports.
Port number. The color of the point represents the number of sessions active on that port for the particular time being visualized. Finally, a gradient editor is used to interactively modify the color gradient for port activity in order to detect ports of interest. The gradient controls the amount of port activity required to make the point saturated with a specific color. This technique provides a quick overview to the user that allows the identification of busy ports. A busy port that is not expected to be busy could be the result of a network attack. McPhersonâ„¢s technique was able to detect port scans against a machine effectively, independent of whether or not the port scans occurred in a randomized or linear order. However, a quiet attack on only one service running on one port would be difficult to detect.
Chapter 4
Approach
The method used to solve the problem of identifying high risk network nodes to determine attacks is a glyph-based visualization technique similar to scatter plots of network traffic developed in previous work. Starting from their basic visualization, like the one shown in Figure 3.2, our method adds more information to the glyphs in order to better identify high-risk nodes by the service activity. In order to identify vulnerable nodes and network attacks, more information than general network activity must be used, such as service information. The service activity information can differentiate between normal usage and potential attacks. In Ballâ„¢s network visualization, a user would be unable to see the difference in a set of web service connections to the same host and a set of IRC connections to the same host. From a network security perspective, the difference is that the former is likely a popular web site and the latter is likely a worm communicating back to an attackerâ„¢s control point. By adding the additional service information to the visualization, the user will be able to detect more potential attacks.
In order to detect denial of service attacks and compromised networks, it is important to distinguish traffic based on service type and time. Girardin used a self-organizing map to visualize varying service activity over time. Girardinâ„¢s results present a precise view of service data for a particular machine or set of machines, but the results do not offer a method for distinguishing which node the service activity occurs. Our method combines several techniques to accomplish the goal of determining the presence, severity, and type of a network attack. Like in Ballâ„¢s approach, glyph representations and differentiation between managed and unmanaged nodes are techniques used in this method and like in Girardinâ„¢s technique; we break down difference service activity visually. However, service activity is displayed within each node in order to give more detail about network attacks. Furthermore, temporal data is displayed in a static manner to allow for more analysis on an attack. Finally, adjusting opacity on a per glyph basis is used to compare the network to normal network conditions for detection of anomalies
4.1 Network Node Glyph
This method maps port information to a glyph representing a node on the managed network.Each open port, or service running on a machine, exposes a potential point of entry, authorizedor unauthorized. Each glyph, representing a node on the network, represents the presence andamount of activity for a particular service. Each glyph is a compound representation of servicesand their activities, with each region of the glyph representing the amount of activity on anopen service of a machine. The size of the glyph represents the total amount of activity on thenode, while the regions identify what percentage of that total activity belongs to a particular
Service. The glyph contains a representation color for each different service but reuses colors
For services because there are more services than visually distinguishable colors (approximately
65,000 different services). Following Ballâ„¢s home-centric approach, managed nodes on the network will be rendered differently from unmanaged nodes outside the network. Finally, nodeactivity links exist between managed nodes to other managed nodes, and unmanaged nodes tomanaged nodes. Figure 4.1 shows two examples of the node glyph. Two nodes are visualized using our glyph approach and divided up into regions based the amount and type of service activity occurring at each node. In this example, the node on the bottom is conducting activity on twodifferent services in nearly equal amounts. One of the services is communicating with the othernode in the visualization, represented by the connecting line and the same colored region in thetop node.
4.1.1 Managed and Unmanaged Nodes
Like in Ballâ„¢s visualization, this method will separate managed nodes from unmanaged nodesand visualize them differently. Managed nodes will be visually larger than the majority of unmanaged nodes barring relatively large amounts of activity occurring on an unmanaged node.Furthermore, unmanaged node traffic that does not have one endpoint at a managed node willnot be visualized. Unmanaged node traffic (both endpoints are unmanaged nodes) is rarely useful.
Figure 4.1: A figure demonstrating a basic network node glyph, which is divided up into regions
Based on service activity. This image contains two managed nodes.
In determining a network attack and is extremely vast, since this effectively means all Internet
Traffic! Also, having access to capture all traffic on the Internet poses a different problem. By
Eliminating unmanaged node traffic, the administrator can focus on managed nodes and their
Communications.
4.2 Layout
The layout of the nodes follows a trivial formula and is not a primary focus of this visualization. The (x, y) coordinates of the node on the 2-dimensional plane are calculated based upon the type of activity occurring within that node. For managed nodes, their location starts near the center of the viewing area and randomly moved slightly from the center to create some separation from other managed nodes. For unmanaged nodes, the service with the largest amount of traffic is found and used to position the node along the x-axis and slight randomization is added to prevent excessive overlap. By performing this positioning, unmanaged nodes with similar characteristics

Figure 4.2: A visualization of a small normal network. Notice that each of the web traffic nodes
(Green), representing web sites the managed nodes are visiting is grouped in the same area.One time slice has been performed on this visualization among all nodes. a) Without comparing To a simple model. b) Comparing to a simple model that detects abnormal behavior. Nearly all Nodes are faded because our simple model doesnâ„¢t detect very anomalous behavior. Are grouped together, allowing the user to treat such groups as larger entities if needed. The goal of this basic layout is to cluster similar nodes which can be seen in the resulting images and Figure 4.2. Notice that all of the unmanaged nodes producing web traffic are grouped together. Finally, we allow the user to manually reposition nodes as well.
Chapter 5
Results
These methods were applied to a simulated network consisting of a small set of client users representing college studentâ„¢s dorm computers with some added network servers. Most of the common types of attacks were identifiable by applying these methods and creating a visualization of the network under attack. More specifically, details of the attack can be determined from the visualization down to which computer and which service is under attack. Session hijacking and man in the middle attacks will not be visible using these methods as that different style of attack would require a different visualization approach. This visualization deals with endpoint to endpoint traffic which will not identify changes along the route which occurs in man in the middle attacks. Furthermore, in order to detect session hijacking, unmanaged node to unmanaged traffic must be visualized, which creates large scalability issues and moves away from Ballâ„¢s approach.
5.1 Data Sets
Raw network traffic is used for this research. Network packets are captured at each machine on the network and stored in some pcap (packet capture) format. Each packet consists of TCP/IP header information, containing Meta information such as the source and destination of
The packet. In addition to the source and destination address, the header contains the source and destination port. The source and destination address allows for mapping of activity on a node to node basis. The destination port allows for mapping the availability of services on a node in addition to the amount of activity for a particular service on a node. This application is capable of real time network monitoring and therefore needs the capability to sniff network traffic in real time. JPcap (Java API to the pcap library) is used for real time packet sniffing and creating simulated network packets.
Due to the privacy and security issues in obtaining raw network traffic, simulated data sets are used. The base data of the simulation is derived from samples taken from college students in dorm rooms. The college studentâ„¢s machines represent the managed nodes in these visualizations. Network attacks and servers are added to various different simulations to show features of this visualization. This implementation is independent of how the network data is injected into JPcap, simulated or read from the wire.
(a)
{b)
Figure 5.1: A visualization of network infected by an IRC Trojan.
a) Without comparing to a simple model.
b) Comparing to a simple model that detects abnormal behavior. Notice that the nodes emitting abnormal network behavior are darker.

5.2 Compromised Network
Figure 5.1 is an example of an IRC (Internet Relay Chat) Trojan which has infected severalmachines on the managed network. IRC traffic is mapped to a yellow color and covers ports6667-7000, which are the typical set of ports used for IRC. The small yellow sections indicate a small amount of IRC traffic coming from the managed nodes, in each of the time slices. Thesmall yellow node is the control center the attacker uses to control the IRC trojans. Trojans are difficult to detect from a network administrator view that is not familiar with the network. Certain trojans use fairly uncommon services, for example, Backdoor.IRC.Snyd.A uses IRC as its command protocol.
When comparing the infected network to a simple network model, normal traffic can be faded, highlighting potential risks. A very basic model, which does not consider IRC common traffic, can highlight infected nodes in figure 5.1. Even if IRC was commonly used by several users on the managed network, if the administrator is familiar with seeing such traffic, the added IRC traffic when other nodes are infected will appear anomalous. Finally, if the model is created or adapted to consider IRC traffic from particular IRC users to be normal, and even consider the
Set of IRC servers normally used to be normal, then comparing to the model will still effectively
Highlight the infected nodes.
5.3 Denial of Service Attacks
Figure 5.2 is an example of a network receiving an application level distributed denial of service attack. This example is a web (port 80) distributed denial of service attack. The attackers are represented by the large cluster of green colored nodes all connecting to the same managed node. The larger size of the attacking nodes indicates a larger amount of network traffic. A comparison is difficult to find in this network because nearly all represented nodes experience high traffic volume. However, in the northwest region of the web traffic nodes cluster, there is a smaller traffic node in which only about half of the glyph is visible peeking out on the left side. This likely represents normal usage or a weak attacker in the Denial of Service attack.
Time slicing is performed among the web client (or attacking) nodes to show that traffic occurs in each slice. By using time slicing, it makes it more apparent that this is a denial of service attack and not a case of large legitimate web traffic. Notice that web traffic occurs in every time slice of the attacking node, indicating constant web traffic over an extended period of time. Normal usage would have a colored inner ring, indicating the initial connection, but would likely see the traffic trail off toward the outer rings. The number of time slices colored would
Figure 5.2: A visualization of network undergoing heavy web traffic on its web server. This
Represents a Distributed Denial of Service attack. Notice that in each timeslice, web traffic is
Still occurring from each of the nodes contacting the webserver represented by the large green
Glyph near the center.
Be proportional to the amount of time the client continues to browse the same web server. Of Course, it is extremely unlikely that all clients continue to browse the same web server for even A small amount of time.
Figure 5.3 is an example of a network receiving large amounts of application level networktraffic, but not necessarily a distributed denial of service attack. In this network visualization, many web client connections are made to the web server (represented by the cluster of green nodes), which happens in a Denial of Service attack. However, using time slicing, this visualization shows that most of the nodes do not continuously communicate with the web server.
Most nodes are represented by a green inner circle, representing an initial connection and traffic to the web server, and clear outer rings. This indicates that after the initial connection and traffic occurs, the user no longer browses the managed web server in this visualization. This is more typical of normal web usage than figure 5.3 as the user would likely come to a web server, obtain what they need, and move onto to another web server or stop browsing all together.
Figure 5.1 is an example of a network receiving an application level denial of service attack Against the Ssh service. The large red node indicates the attacker and is large because of the Amount of traffic present. Under normal network conditions, no node will become larger than A managed node. Baseline network traffic is also present in this visualization of normal college Student traffic. Analyzing the managed node under attack, normal traffic patterns are present in The initial time slice (center) with a mix of web, chats, and files sharing traffic. In the most recent Time slice (outer), normal traffic is present but heavily overcome by SSH traffic as indicated by
The strong red color presence. In this particular network, the managed node is a normal network User with the SSH service open to allow remote logins to that machine. However, that service Is under a denial of service attack in this visualization, which is likely inhibiting that userâ„¢s Ability to conduct normal network traffic and certainly inhibiting the use of the SSH remote
Figure 5.3: A visualization of network undergoing heavy web traffic on its web server.
This represents large amounts of web traffic from approximately one hundred different clients in the time span of the visualization. Time slicing is used to show that the majority of these clients Have activity in a single time slice and are not repeatedly creating connections like in a Denial of Service attack. Login service. The SSH DoS attack network visualization is also compared to a normal usage network model and is easily able to identify the managed node under attack.

Chapter 6
Conclusion
This approach aids a network administrator in identifying network attacks and intrusions. By visualizing the network from a service perspective, more specific types of attacks can be detected. The contribution of this research is to provide an application using a combination of existing visualization techniques applied a network traffic data set in order to better detect the type, severity, and presence of a network attack. Furthermore, this research visualizes more information than previous network traffic maps by approaching the data from a service oriented perspective and embedding multivariate information into the glyph representing a node. Based upon the results of our evaluation survey, network administrators feel that gather more information and successfully detect attacks using this visualization technique. In typical network traffic based visualization, it would be difficult to detect quiet attacks on services that do not typically receive traffic. However, this research presents a method to detect such attacks by distinguishing the type of traffic present on network based upon the service that traffic corresponds to. The compound glyphs that represent each node and the corresponding service based node links will provide such a distinction, allowing the user of the visualization to better identify high risk nodes and attacks on a network. Finally, the temporal data present in the compound glyph via time slicing provides information for an administrator to distinguish between high volume cases and distributed denial of service attacks.
There are some limitations to this approach including visual scalability and custom models.The comparison feature of this visualization is only available and effective when used with a good model of an existing network. In our results we use a very basic and simple model, which covers a variety of anomalous behavior, but does not get into enough detail about the normal activity of the network in order to be more useful. Basically, our model assumes all networks are the same, and things such as web and instant messaging chat should be the large majority of traffic. Such a model would not compare well with a cluster of SSH servers. Also, scalability to large networks is a limitation. Our results section included networks with fairly small amounts of managed nodes. We apply some techniques to account for scalability including layout clustering of unmanaged nodes, zooming, panning, and interactive repositioning but this visualization will become crowded for networks containing large amounts of managed nodes. Future improvements to this approach include allowing interactive creation and adaption of the network model. For example, some way for the network administrator to flag events as normal or anomalous, and to adjust the network model accordingly for future events. Also, trying different focus + context techniques to the managed nodes could alleviate scalability concerns.
Chapter 7
Bibliography
[1] Robert Ball, Glenn A. Fink, and Chris North. Home-centric visualization of network traffic
For security administration. In VizSEC/DMSEC â„¢04: Proceedings of the 2004 ACM workshop
On Visualization and data mining for computer security, pages 55“64, New York, NY,
USA, 2004. ACM Press.
[2] Richard A. Becker, Stephen G. Eick, and Allan R. Wilks. Visualizing network data. IEEE
Transactions on Visualization and Computer Graphics, 1(1):16“28, 1995.
[3] Patrick Charles. Jpcap: Network packet captures facility for java.
http://sourceforgeprojects/jpcap.
[4] Gregory Conti and Kulsoom Abdullah. Passive visual fingerprinting of network attack tools.
In VizSEC/DMSEC â„¢04: Proceedings of the 2004 ACM workshop on Visualization and Data
Mining for Computer Security, pages 45“54, New York, NY, USA, 2004. ACM Press.
[5] Digg. http://digg.com.
[6] Paul Dourish and David Redmiles. An approach to usable security based on event monitoring
And visualization. In NSPW â„¢02: Proceedings of the 2002 workshop on New security
paradigms, pages 75“81, New York, NY, USA, 2002. ACM Press.
[7] D. Ellis, J. Aiken, K. Attwood, and S. Tenaglia. A behavioral approach to worm detection.
Workshop on Rapid Malcode, 2003, 2003.
[8] Robert F. Erbacher. Glyph-based generic network visualization. In Proceedings of the SPIE
™2002 Conference on Visualization and Data Analysis, pages 228“237, January 2002.