
Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations

Published: 07 November 2009 Publication History

Abstract

Network security depends heavily on automated Intrusion Detection Systems (IDS) to sense malicious activity. Unfortunately, IDS often deliver both too much raw information and an incomplete local picture, impeding accurate assessment of emerging threats. We propose a system to support analysis of IDS logs that visually pivots large sets of NetFlows. In particular, two visual representations of the flow data are compared: a TreeMap visualization of local network hosts, which are linked through hierarchical edge bundles with the external hosts, and a graph representation using a force-directed layout to visualize the structure of the host communication patterns. Three case studies demonstrate the capabilities of our tool to 1) analyze service usage in a managed network, 2) detect a distributed attack, and 3) investigate hosts in our network that communicate with suspect external IPs.
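As an added illustration (not code from the paper or its tool): pivoting constructed NetFlow-style records into the data behind the two views the abstract describes, a prefix-nested hierarchy of local hosts weighted by bytes for the TreeMap, with each local host's external peers as the edges that would be bundled, plus the fan-in count behind the distributed-attack case study. The /16 and /24 nesting, the 10.0.0.0/8 local range and the flow records are assumptions of this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (src, dst, dst_port, bytes); not from the paper.
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 443, 8000),
    ("10.1.1.10", "198.51.100.7", 443, 5000),
    ("10.1.2.20", "203.0.113.5", 25, 1200),
    ("198.51.100.7", "10.1.1.10", 80, 300),
    ("203.0.113.9", "10.1.3.30", 22, 200),
    ("203.0.113.10", "10.1.3.30", 22, 200),
    ("203.0.113.11", "10.1.3.30", 22, 200),
    ("203.0.113.12", "10.1.3.30", 22, 200),
]
LOCAL = ip_network("10.0.0.0/8")  # assumed managed address space


def is_local(ip):
    return ip_address(ip) in LOCAL


def build_host_tree(flows):
    """Nest local hosts as /16 -> /24 -> host (the TreeMap hierarchy assumed
    here), weight every node by bytes exchanged with the outside, and record
    each local host's external peers (the edges that bundling would draw)."""
    tree, edges = {}, defaultdict(set)
    for src, dst, _port, nbytes in flows:
        for host, peer in ((src, dst), (dst, src)):
            if not is_local(host) or is_local(peer):
                continue  # only local<->external traffic is pivoted
            level = tree
            for prefix in (16, 24):
                key = str(ip_network(f"{host}/{prefix}", strict=False))
                node = level.setdefault(key, {"bytes": 0, "children": {}})
                node["bytes"] += nbytes
                level = node["children"]
            leaf = level.setdefault(host, {"bytes": 0, "children": {}})
            leaf["bytes"] += nbytes
            edges[host].add(peer)
    return tree, edges


def fan_in(flows, min_sources=3):
    """Case study 2: distinct external sources per local (host, port).
    Many sources converging on one service is the distributed-attack pattern."""
    sources = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_local(dst) and not is_local(src):
            sources[(dst, port)].add(src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}
```

The returned tree is what a TreeMap layout consumes (nested nodes with sizes), and the edge sets are what a hierarchical edge bundle draws between a leaf and its external peers.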



Published In

CHiMiT '09: Proceedings of the Symposium on Computer Human Interaction for the Management of Information Technology
November 2009
70 pages
ISBN:9781605585727
DOI:10.1145/1641587
Publisher

Association for Computing Machinery

New York, NY, United States


Conference

CHiMiT '09
Acceptance Rates

Overall Acceptance Rate 15 of 43 submissions, 35%

Cited By

  • (2022) Carbonic: A Framework for Creating and Visualizing Complex Compound Graphs. Applied Sciences, 12(15):7541. doi:10.3390/app12157541. Published 27 Jul 2022.
  • (2022) VITALflow: Visual Interactive Traffic Analysis with NetFlow. NOMS 2022, IEEE/IFIP Network Operations and Management Symposium, pages 1-6. doi:10.1109/NOMS54207.2022.9789776. Published 25 Apr 2022.
  • (2021) Design of Interactive Visualizations for Next-Generation Ultra-Large Communication Networks. IEEE Access, pages 1-1. doi:10.1109/ACCESS.2021.3057803. Published 2021.
  • (2020) Hyperion: A Visual Analytics Tool for an Intrusion Detection and Prevention System. IEEE Access, 8:133865-133881. doi:10.1109/ACCESS.2020.3010789. Published 2020.
  • (2020) Evaluating visualization approaches to detect abnormal activities in network traffic data. International Journal of Information Security. doi:10.1007/s10207-020-00504-9. Published 22 May 2020.
  • (2018) Ecological Interface Design for Computer Network Defense. Human Factors: The Journal of the Human Factors and Ergonomics Society, 60(5):610-625. doi:10.1177/0018720818769233. Published 9 May 2018.
  • (2017) Applications of Visualization Technology for Network Security. 2017 IEEE Trustcom/BigDataSE/ICESS, pages 1038-1042. doi:10.1109/Trustcom/BigDataSE/ICESS.2017.349. Published Aug 2017.
  • (2017) BotViz: A memory forensic-based botnet detection and visualization approach. 2017 International Carnahan Conference on Security Technology (ICCST), pages 1-8. doi:10.1109/CCST.2017.8167804. Published Oct 2017.
  • (2017) Lessons Learned: Visualizing Cyber Situation Awareness in a Network Security Domain. Theory and Models for Cyber Situation Awareness, pages 47-65. doi:10.1007/978-3-319-61152-5_3. Published 7 Jul 2017.
  • (2016) A Survey on Information Visualization for Network and Service Management. IEEE Communications Surveys & Tutorials, 18(1):285-323. doi:10.1109/COMST.2015.2450538. Published Sep 2017.