Cyber Security Through Visualization


Kwan-Liu Ma
Department of Computer Science, University of California at Davis

Copyright (c) 2006, Australian Computer Society, Inc. This paper appeared at the Asia Pacific Symposium on Information Visualization (APVIS 2006), Tokyo, Japan. Conferences in Research and Practice in Information Technology, Vol. 60. K. Misue, K. Sugiyama and J. Tanaka, Eds. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

Networked computers are subject to attack, misuse, and abuse. Organizations and individuals are making every effort to build and maintain trustworthy computing systems. The main strategy is to closely monitor and inspect network activities by collecting and analyzing data about the network traffic and the trails of system usage. The analysis usually requires large amounts of finely detailed, high-dimensional data to enable analysts to uncover hidden threats and make calculated predictions in a timely fashion. Traditional signature-based and statistical methods are limited in their capability to cope with such large, evolving data and with the dynamic nature of the Internet. Visualization has proven effective in aiding the understanding of large, high-dimensional data in many demanding applications, such as large-scale scientific simulations and biomedicine. There is thus a growing interest in the development of visualization methods as alternative or complementary solutions to the pressing cyber security problems (Brodley, Chan, Lippmann & Yurcik 2004, Ma, North & Yurcik 2005).

The challenge is to develop new visual representations, layout methods, user interfaces, and interaction techniques that can effectively facilitate visual interrogation and communication of the vast amounts of cyber security information. Visual data analysis is inherently an iterative process, where each iteration provides more insight into the data being shown. A typical example of this process occurs with any type of overview plus detail visualization. Patterns in the overview tend to direct what the user chooses to view in more detail, and the detailed view can provide insight on regions of the overview. This drill-down process, starting at a high semantic level and progressing to more detailed views, creates a feedback loop, as shown in Figure 1, which lends itself well to visualizing the relationships between large numbers of objects, such as port and network scans. In most cases, different visual representations are needed for constructing these different views. In particular, each specific region of interest may be defined in a space of arbitrary dimensions. The challenge is thus to seek the best space, and the best visual representation in that space, for each type of analysis task. I show with three different tasks how visualization can assist in the analysis of computer network activities for detecting anomalies using the drill-down process.

Figure 1: The process of visual data analysis is inherently iterative, so as to see both summary and details in context.

Analysis of Internet Routing Data

The Internet can be considered as a set of subnetworks, each of which represents an organization's network. The problem of packet routing can be simplified to routing data between these larger entities, referred to as Autonomous Systems, according to the Border Gateway Protocol (BGP). For data packets to arrive at the correct destination, these Autonomous Systems exchange network reachability information in the form of BGP path announcements. Studying and understanding the dynamics of BGP routing changes is thus crucial to ensuring robust network performance.
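The drill-down that the rest of this section describes moves from aggregate counts over a long period, to a focused window of updates, to individual color-coded announcements with their statistical measures. The following is an added example, not code from the paper or its authors, that performs those three steps in plain Python on a constructed update stream for one prefix: bucketed counts stand in for the aggregate browser, a color index per unique AS path for the text visualization, and per-update repeat and flip-back flags for the accompanying statistics. The prefix, AS numbers, timestamps, 300-second bucket size and the instability threshold are all assumptions of the example.

```python
from collections import Counter

# Constructed BGP update stream for a single prefix (an RFC 5737 documentation
# prefix and private AS numbers). Sample data, not routing data from the paper.
PREFIX = "203.0.113.0/24"
UPDATES = [
    (0,    "A", (65001, 65002, 65010)),
    (30,   "A", (65001, 65003, 65010)),
    (60,   "A", (65001, 65002, 65010)),   # flips back to the first path
    (90,   "A", (65001, 65003, 65010)),   # and forth again: oscillation
    (120,  "A", (65001, 65003, 65010)),   # duplicate of the previous announcement
    (150,  "W", ()),                      # withdrawal
    (3600, "A", (65001, 65002, 65010)),   # re-announced an hour later, then quiet
]


def aggregate_counts(updates, bucket_seconds=300):
    """Overview level: number of updates in each time bucket, first bucket to last."""
    counts = Counter(t // bucket_seconds for t, _, _ in updates)
    return [counts.get(b, 0) for b in range(max(counts) + 1)]


def unstable_buckets(updates, bucket_seconds=300, threshold=3):
    """Buckets whose update count reaches the threshold: candidate periods to focus on."""
    return [b for b, n in enumerate(aggregate_counts(updates, bucket_seconds)) if n >= threshold]


def colour_code(updates):
    """Detail level: give every unique AS path its own colour index, in order of
    first appearance, so repeated paths repeat the colour. Index 0 marks withdrawals."""
    palette = {(): 0}
    coded = []
    for t, kind, path in updates:
        key = () if kind == "W" else path
        palette.setdefault(key, len(palette))
        coded.append((t, palette[key]))
    return coded, palette


def path_statistics(updates):
    """Per-update measures to read beside the coloured text: whether an announcement
    merely repeats the previous one, whether it flips back to a path seen earlier
    (the signature of an oscillation), and how the AS path length changed."""
    seen = set()
    prev_key = None      # previous update of any kind, withdrawal included
    prev_path = None     # previous announced path
    stats = []
    for t, kind, path in updates:
        key = () if kind == "W" else path
        stats.append({
            "time": t,
            "withdrawal": kind == "W",
            "repeat": kind == "A" and key == prev_key,
            "flip_back": kind == "A" and key != prev_key and key in seen,
            "length_delta": len(path) - len(prev_path) if kind == "A" and prev_path else 0,
        })
        seen.add(key)
        prev_key = key
        if kind == "A":
            prev_path = path
    return stats


def summarize(updates):
    """Counts an analyst would want for the focused period."""
    stats = path_statistics(updates)
    _, palette = colour_code(updates)
    return {"updates": len(updates),
            "unique_paths": len(palette) - 1,
            "repeats": sum(s["repeat"] for s in stats),
            "flip_backs": sum(s["flip_back"] for s in stats),
            "withdrawals": sum(s["withdrawal"] for s in stats)}


if __name__ == "__main__":
    print(PREFIX, "updates per 5-minute bucket:", aggregate_counts(UPDATES))
    print("buckets to focus on:", unstable_buckets(UPDATES))
    coded, _ = colour_code(UPDATES)
    for (t, colour), s in zip(coded, path_statistics(UPDATES)):
        print(f"t={t:5d}s colour={colour} repeat={s['repeat']} flip_back={s['flip_back']}")
    print(summarize(UPDATES))
```

Run as a script it prints the bucket counts (only the first bucket crosses the threshold), the colour index of each update, and the summary; on the constructed stream two unique paths account for all seven updates, with three flip-backs and one duplicate, which is exactly the repeating colour pattern an analyst would spot in the text view.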
A drill-down process of analysis (Teoh, Jankun-Kelly, Ma & Wu 2004) can start by looking at the aggregate information about routing changes over a complete period of time, followed by examining routing update messages over a selected period of time and their corresponding statistical values; next, particular instances of instability can be visualized in detail. Figure 2 shows a two-level aggregate data browser which displays the distribution of the BGP announcements over a 1-year period (bottom) and allows the analyst to select a focused period of several minutes. Figure 3 shows the color-coded text visualization of individual BGP path announcements as well as statistical measures of the routing updates during the focused period. This joint visualization allows for verification of the visual and statistical information for anomaly detection (Teoh, Zhang, Tseng, Ma & Wu 2004). After instability events are identified, it is possible to see the distribution of different events, their severity, duration, and frequency all in one single visualization (Teoh, Ma & Wu 2003), as shown in Figure 4.

Figure 2: A two-level aggregate data browser can cover a wide range of granularity. Bottom: At the overview level, the analyst first looks at the aggregate information of the entire time period (typically one year) and specifies a period to focus on. Top: At the next level, the focus can be further narrowed down to a period of several minutes.

Figure 3: Left: Text visualization of a sequence of Autonomous System (AS) path announcements. Each unique AS path is shown in a different color, which effectively forms visual patterns of the updates such as oscillations, repeats, or slow convergences. Right: Statistical measures corresponding to each announcement can be used to help verify any detected anomaly.

Port Data Visualization

Scanning a network is a very common first step in a network intrusion attempt. Crackers frequently scan entire ranges of ports, looking for open ports that can be exploited to gain access to a system. Worms and viruses often target specific ports in an attempt to locate systems that are vulnerable to the mechanisms they use to spread. These attacks are all recorded in security logs, but these logs are time-consuming for administrators to analyze by hand. One way to understand the collected security logs is to produce images of network traffic by choosing axes that correspond to important features of the data, creating a grid based on these axes, and then assigning each cell of the grid a visual property such as color to represent the network activity there. The drill-down process of analyzing port data begins with an overview that presents a time-ordered view of the entire data set.
The goal here is to choose a particular range of time to zoom into. In the following steps, detailed views are created to eventually reach an atomic unit of network security interest, which may represent a port scan, an intrusive attack, the activities of spyware, the flocking of employees to Web news sites after a major news event, or any other discrete feature that can be identified in the data. Figure 5 shows, from left to right, a 3-tier process for studying TCP port data (Muelder, Ma & Bartoletti 2005a), in which the leftmost image displays highly condensed port data over a period of time such as a week or a month. Each row of the visualization represents one unit (generally an hour) of time. Each pixel corresponds to a range of ports and is colored according to the level of activity on those ports during the time unit. Figure 6 shows that different levels of enhancement can bring out port scans; furthermore, using different data metrics can reveal different patterns in the data, leading to new discoveries (Muelder et al. 2005a). The grid visualization, shown in the middle of Figure 5, depicts the activity during a given time unit. It consists of a dot on the grid for each of the 65,536 ports. The user can select a port to see detailed information about that port and its surrounding ports, as shown in the upper right image in Figure 5. The bottom right picture shows a single port over the entire time range, for each of the metrics of interest including, from top to bottom, session count, destination count, source count, the ratio of source and destination counts, and country count. Such a visualization is useful for finding relationships between metrics, as well as for showing periodic structures in the data such as the change in web traffic throughout the day. Figure 7 presents some distinct patterns of activity.

Figure 4: Visualization of instability events for a particular IP prefix. Each event is represented by a circle and a base. The area of the circle is proportional to the number of announcements, and each color segment indicates a specific type of instability. The triangular base shows the duration of the event. The position of each circle is chosen to avoid occlusion. Nevertheless, tall events suggest that there are many events at that time.

Figure 5: A drill-down process for finding network scans, applied to a 24-hour dataset at 10-minute resolution. Starting at the timeline on the left, a spike is found on a high port that crosses several hours. One of these hours is then selected for viewing in the grid-based visualization shown in the middle. In it, there is exactly one port with unusually large values in the range of ports that corresponds to the spike. The range around this port is zoomed into, which reveals in the bottom-right image that an abnormally large number of destinations is being connected to by a small number of sources, meaning that this is likely a network scan.

Figure 6: Visualization of the entire time range with enhancement to bring out port scans corresponding to a particular spike, using the activity-level histogram and gradient editor shown at the bottom.

Figure 7: Plots of metrics versus time for individual ports. In each example, the session count (the first metric) is highlighted. The other four metrics shown are destination address count, source address count, unique source and destination pair count, and country count. The usage of Port 80 (upper left) is very periodic, while Port (upper right) has a fairly constant level of activity, with a few spikes. Port (lower left) is more erratic, though, interestingly, its usage drops noticeably as time goes on. Port (lower right) has one of the most suspicious usage graphs; it is only used a few times, but it is used fairly heavily during those times.

Scan Characterization

In order to obfuscate an attack, an attacker frequently alters identifying features like source IP addresses. Thus, in order to identify an attacker, some more immutable aspect of the attack must be considered, such as packet arrival timing, which depends on several factors that are difficult to alter, such as hardware or operating system limitations or router delays. However, due to the chaotic nature of packet arrival times, one must analyze a large quantity of packets. Network scans provide a good source of such timing information. It is thus beneficial to take network scan timing information and use visualization techniques to characterize the scans.

An underlying premise of this approach to the network scan characterization problem is that humans are creatures of habit (and autonomous software applications even more so). Having created an environment of attack tools with which they have become familiar, they tend to reuse those tools and support systems in future activities. The particular settings employed would likely remain consistent as well, both out of familiarity and out of a desire to properly compare recent results with earlier findings. Additionally, other software processes that may be running concurrently in support of analysis or ancillary activities compete with and impact the performance of their network activities in reliably consistent ways, imposing uniquely identifiable characteristics on the sequence and packet arrival times of high-packet-count interactions.

Individual scans can be shown with a grid-based visualization, where the axes are the third and fourth octets of the destination IP addresses, and the color is based on a metric derived from timing information. Metrics range from simple ones, such as the arrival time of the first probe or the number of probes for each address, to complex ones, such as the deviation from a linear expected arrival time for each destination. Patterns that are nearly identical in one metric can be distinct in others. Figure 8 shows such scan visualizations. The relationships between network scans may be understood by statistically comparing pairs of scans, and it is also possible to get a quantitative measure of how well they match. However, because the scans are too chaotic to compare directly, frequency analysis, such as Fourier transforms or wavelet transforms, can be used to convert the scan patterns into scalograms, which can then be systematically compared (Muelder, Ma & Bartoletti 2005b). Although network scan patterns can exhibit a periodic or quasi-periodic structure, they often contain gaps, aperiodic aberrations, and regions where the relative phase of the periodic structures has shifted, which are things that Fourier analysis has been found not to handle well. Wavelets, on the other hand, are relatively resistant to phase shifts and noise. Figure 9 shows that dissimilar patterns result in different scalograms.

Figure 8: Visualization of individual scans showing patterns that can easily be compared by eye. These images show the arrival time of the first connection attempt to each address, with blue being early in the scan, red being late in the scan, and black being an address that had no connection attempt.

At this point, the scans can be visualized individually, but when dealing with large numbers of scans this is unfeasible. So, once the scans are isolated, in order to compare them automatically, fingerprints are generated to be fed into an overview visualization. This overview of the relationships between the scans and the detailed view of individual pairs of scans for comparison purposes compose an overview plus detail feedback loop. As described before, the overview allows the analyst to drill down into certain areas by showing them in the detailed view. The overview can be provided by a graph visualization of the relationships between scans. Each node is a scan, and each edge is their relationship. The edge weights are derived from the wavelet analysis of the scans, and they range from 0, which means the scans are completely different, to 1, which means they are identical. The graph can be displayed with a force-directed layout algorithm, and edges below a particular threshold may be dropped for clarity. The resulting image then shows clusters of scans that are similar, as shown in Figure 10. The user can start with such an overview graph and then drill down to the detailed characteristics of the scans in the same cluster. In this way, a large number of scans can be rapidly compared and subsequently identified. Furthermore, it is very helpful to allow the analyst to bias the overview in a manner reflecting the cognitive insight gained from looking at the detail view (Muelder et al. 2005b).
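The scan grid, the timing metrics, the wavelet fingerprint and the thresholded similarity graph described above, carried through in one added example. This is illustrative code, not the authors' implementation: it assumes a constructed 16 x 16 address block instead of full third/fourth-octet axes, flattens the first-arrival grid and applies a 1-D Haar transform in place of the paper's scalograms, and uses the L1 distance between per-level energy distributions to obtain the 0..1 edge weight. The three constructed scans (two with the same visiting order but a phase-shifting pause in one, a third with a strided order), the 0.7 edge threshold and the connected-component clustering are likewise assumptions of the example.

```python
import math

GRID = 16   # constructed scan covers third octet 0..15 x fourth octet 0..15


def make_scan(order, times):
    """Constructed probe records (time, third_octet, fourth_octet) from a visiting order."""
    return [(t, addr // GRID, addr % GRID) for addr, t in zip(order, times)]


# Three constructed scans, not data from the paper. A and B sweep addresses in the same
# order, but B pauses halfway, shifting the phase of its second half; C uses a strided order.
N = GRID * GRID
SCANS = {
    "A": make_scan(range(N), range(N)),
    "B": make_scan(range(N), [t if t < N // 2 else t + 64 for t in range(N)]),
    "C": make_scan([(37 * t) % N for t in range(N)], range(N)),
}


def first_arrival_grid(probes):
    """Simple metric: arrival time of the first probe to each address, scaled to [0, 1].
    None marks an address that was never probed (drawn black in the paper's images)."""
    grid = [[None] * GRID for _ in range(GRID)]
    for t, third, fourth in probes:
        if grid[third][fourth] is None or t < grid[third][fourth]:
            grid[third][fourth] = t
    t_max = max(t for row in grid for t in row if t is not None) or 1
    return [[None if t is None else t / t_max for t in row] for row in grid]


def linear_deviation_grid(probes):
    """Complex metric: how far each address's first probe departs from a linear sweep
    running from the scan's first to its last probe time (None where never probed)."""
    first = {}
    for t, third, fourth in probes:
        if (third, fourth) not in first or t < first[(third, fourth)]:
            first[(third, fourth)] = t
    t0, t1 = min(first.values()), max(first.values())
    grid = []
    for r in range(GRID):
        row = []
        for c in range(GRID):
            expected = t0 + (t1 - t0) * (r * GRID + c) / (N - 1)
            row.append(None if (r, c) not in first else first[(r, c)] - expected)
        grid.append(row)
    return grid


def haar_energies(signal):
    """1-D Haar decomposition; returns detail energy per level, finest first. Energy per
    level keeps the scale structure while largely ignoring where a feature sits, which is
    the phase tolerance the text credits wavelets with."""
    approx = list(signal)
    energies = []
    while len(approx) > 1:
        if len(approx) % 2:
            approx.append(approx[-1])
        pairs = list(zip(approx[0::2], approx[1::2]))
        energies.append(sum(((a - b) / math.sqrt(2)) ** 2 for a, b in pairs))
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return energies


def fingerprint(probes):
    """Scalogram-style fingerprint: normalised Haar detail energies of the flattened grid."""
    flat = [0.0 if v is None else v for row in first_arrival_grid(probes) for v in row]
    energies = haar_energies(flat)
    total = sum(energies)
    return [e / total for e in energies] if total else energies


def similarity(fp_a, fp_b):
    """Edge weight in [0, 1]: 1 for identical energy distributions, 0 for disjoint ones."""
    return 1.0 - 0.5 * sum(abs(a - b) for a, b in zip(fp_a, fp_b))


def cluster_scans(scans, threshold=0.7):
    """Overview graph: keep edges with weight >= threshold, return connected components."""
    fps = {name: fingerprint(p) for name, p in scans.items()}
    names = sorted(fps)
    adjacency = {n: {m for m in names if m != n and similarity(fps[n], fps[m]) >= threshold}
                 for n in names}
    clusters, seen = [], set()
    for n in names:
        if n in seen:
            continue
        component, stack = set(), [n]
        while stack:
            cur = stack.pop()
            if cur not in component:
                component.add(cur)
                stack.extend(adjacency[cur] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters


if __name__ == "__main__":
    fps = {k: fingerprint(v) for k, v in SCANS.items()}
    for a in fps:
        for b in fps:
            if a < b:
                print(f"similarity({a}, {b}) = {similarity(fps[a], fps[b]):.3f}")
    print("clusters at threshold 0.7:", cluster_scans(SCANS))
```

Scan A's first-arrival grid is a smooth ramp, so its energy sits in the coarsest levels; B's pause adds a step at the midpoint but keeps that distribution, so the two remain close to each other; C's strided order pushes energy into the finest levels and lands in its own cluster. The deviation metric makes the same point from the other side: it is identically zero for A and non-zero for B, which is why the text notes that two scans alike under one metric can separate under another.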
This enhances the feedback loop by allowing information gained by viewing the details of network scans to be reflected back in the overview.

Figure 9: Wavelet scalograms reduce large, complex patterns to smaller, simpler vectors that can be compared. This example was made using a metric based on the number of visits per unique address, with a black-to-red gradient, where black is no probes and red is the maximum for that scan. Top: Similar scans have similar wavelet scalograms. Bottom: Dissimilar scans have very different scalograms.

Figure 10: Graph visualization of network scans. Clusters contain scans that share a general pattern. A representative example from each selected cluster is shown.

Concluding Remarks

Visualization leverages humans' extraordinary ability to detect patterns in images; nevertheless, by itself visualization does not answer all the questions the analyst has. Visualization is best for guiding a complex data analysis process, since visualization is particularly good at showing an overview of the data, which can direct the analyst's attention to the aspects of the data that require further investigation, as demonstrated by the three examples I have given. The ability to show details in context with visualization is also very powerful. To fight against the increasingly creative and malicious attacks on network security, I believe a promising approach is to add intelligent reasoning with learning capabilities into visualization-directed analysis.

Cyber security is a much broader topic than ensuring the normal operation of a computer network. The task of analyzing network security data represents only a small subset of the greater security problem that we are faced with today. For example, data collected for intelligence information analysis are more heterogeneous, including text, measurements from sensors, imagery, video and audio from diverse sources. What visual representations should we use to study such heterogeneous data in a unified manner? What would be the meaningful linkages among the disparate data to facilitate cross-exploration? For the field of information visualization, this new class of problems presents many challenges and open research questions. We have only addressed a very small fraction of these challenges. Please join me in this research endeavor.

References

Brodley, C., Chan, P., Lippmann, R. & Yurcik, B., eds (2004), Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), ACM.

Ma, K.-L., North, S. & Yurcik, B., eds (2005), Proceedings of the IEEE Workshop on Visualization for Computer Security 2005 (VizSEC 2005), IEEE Computer Society.

Muelder, C., Ma, K.-L. & Bartoletti, T. (2005a), Interactive visualization for network and port scan detection, in Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005).

Muelder, C., Ma, K.-L. & Bartoletti, T. (2005b), A visualization methodology for characterization of network scans, in Proceedings of the Workshop on Visualization for Computer Security (VizSEC 2005), pp.

Teoh, S. T., Jankun-Kelly, T. J., Ma, K.-L. & Wu, S. F. (2004), Visual data analysis for detecting flaws and intruders in computer network systems, IEEE Computer Graphics and Applications (special issue on Visual Analytics) 24(5).

Teoh, S. T., Ma, K.-L. & Wu, S. F. (2003), Visual exploration process for the analysis of Internet routing data, in Proceedings of the IEEE Visualization 2003 Conference, pp.

Teoh, S. T., Zhang, K., Tseng, S.-M., Ma, K.-L. & Wu, S. F. (2004), Combining visual and automated data mining for near-real-time anomaly detection and analysis in BGP, in Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), pp.


More information

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08 Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1 Network Security Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 2 Collaboration with Frank Akujobi

More information

First Line of Defense

First Line of Defense First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Gain comprehensive visibility into DDoS attacks and cyber-threats with easily accessible

More information

Behavioral Segmentation

Behavioral Segmentation Behavioral Segmentation TM Contents 1. The Importance of Segmentation in Contemporary Marketing... 2 2. Traditional Methods of Segmentation and their Limitations... 2 2.1 Lack of Homogeneity... 3 2.2 Determining

More information

Efficiently Managing Firewall Conflicting Policies

Efficiently Managing Firewall Conflicting Policies Efficiently Managing Firewall Conflicting Policies 1 K.Raghavendra swamy, 2 B.Prashant 1 Final M Tech Student, 2 Associate professor, Dept of Computer Science and Engineering 12, Eluru College of Engineeering

More information

Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats

Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats by Florian Mansmann, Daniel A. Keim, Stephen C. North, Brian Rexroad, and Daniel

More information

Flexible Web Visualization for Alert-Based Network Security Analytics

Flexible Web Visualization for Alert-Based Network Security Analytics Flexible Web Visualization for Alert-Based Network Security Analytics Lihua Hao 1, Christopher G. Healey 1, Steve E. Hutchinson 2 1 North Carolina State University, 2 U.S. Army Research Laboratory lhao2@ncsu.edu

More information

3. Dataset size reduction. 4. BGP-4 patterns. Detection of inter-domain routing problems using BGP-4 protocol patterns P.A.

3. Dataset size reduction. 4. BGP-4 patterns. Detection of inter-domain routing problems using BGP-4 protocol patterns P.A. Newsletter Inter-domain QoS, Issue 8, March 2004 Online monthly journal of INTERMON consortia Dynamic information concerning research, standardisation and practical issues of inter-domain QoS --------------------------------------------------------------------

More information

VAST: Visualizing Autonomous System Topology

VAST: Visualizing Autonomous System Topology VAST: Visualizing Autonomous System Topology Jon Oberheide Networking Research and Development Merit Network Inc. Ann Arbor, MI 48105 jonojono@umich.edu Manish Karir Networking Research and Development

More information

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection for Mobile Ad Hoc Networks Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems

More information

Detecting Network Anomalies. Anant Shah

Detecting Network Anomalies. Anant Shah Detecting Network Anomalies using Traffic Modeling Anant Shah Anomaly Detection Anomalies are deviations from established behavior In most cases anomalies are indications of problems The science of extracting

More information

Data Visualisation and Statistical Analysis Within the Decision Making Process

Data Visualisation and Statistical Analysis Within the Decision Making Process Data Visualisation and Statistical Analysis Within the Decision Making Process Jamie Mahoney Centre for Educational Research and Development, University of Lincoln, Lincoln, UK. Keywords: Abstract: Data

More information

Introducing FortiDDoS. Mar, 2013

Introducing FortiDDoS. Mar, 2013 Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

A Catechistic Method for Traffic Pattern Discovery in MANET

A Catechistic Method for Traffic Pattern Discovery in MANET A Catechistic Method for Traffic Pattern Discovery in MANET R. Saranya 1, R. Santhosh 2 1 PG Scholar, Computer Science and Engineering, Karpagam University, Coimbatore. 2 Assistant Professor, Computer

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Insider Threat Detection Using Graph-Based Approaches

Insider Threat Detection Using Graph-Based Approaches Cybersecurity Applications & Technology Conference For Homeland Security Insider Threat Detection Using Graph-Based Approaches William Eberle Tennessee Technological University weberle@tntech.edu Lawrence

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

BARE PCB INSPECTION BY MEAN OF ECT TECHNIQUE WITH SPIN-VALVE GMR SENSOR

BARE PCB INSPECTION BY MEAN OF ECT TECHNIQUE WITH SPIN-VALVE GMR SENSOR BARE PCB INSPECTION BY MEAN OF ECT TECHNIQUE WITH SPIN-VALVE GMR SENSOR K. Chomsuwan 1, S. Yamada 1, M. Iwahara 1, H. Wakiwaka 2, T. Taniguchi 3, and S. Shoji 4 1 Kanazawa University, Kanazawa, Japan;

More information

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity NIP IDS Product Overview The Network Intelligent Police (NIP) Intrusion Detection System (IDS) is a new generation of session-based intelligent network IDS developed by Huaweisymantec. Deployed in key

More information

How to Detect and Prevent Cyber Attacks

How to Detect and Prevent Cyber Attacks Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security Stephen G. Batsell 1, Nageswara S. Rao 2, Mallikarjun Shankar 1 1 Computational Sciences and Engineering Division

More information

SIP Service Providers and The Spam Problem

SIP Service Providers and The Spam Problem SIP Service Providers and The Spam Problem Y. Rebahi, D. Sisalem Fraunhofer Institut Fokus Kaiserin-Augusta-Allee 1 10589 Berlin, Germany {rebahi, sisalem}@fokus.fraunhofer.de Abstract The Session Initiation

More information

Threat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence

Threat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence Threat intelligence visibility the way forward Mike Adler, Senior Product Manager Assure Threat Intelligence The modern challenge Today, organisations worldwide need to protect themselves against a growing

More information

How To Understand and Configure Your Network for IntraVUE

How To Understand and Configure Your Network for IntraVUE How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

The Quality of Internet Service: AT&T s Global IP Network Performance Measurements

The Quality of Internet Service: AT&T s Global IP Network Performance Measurements The Quality of Internet Service: AT&T s Global IP Network Performance Measurements In today's economy, corporations need to make the most of opportunities made possible by the Internet, while managing

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to

More information

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to: Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations

More information

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/ An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

Analysis of Internet Topologies

Analysis of Internet Topologies Analysis of Internet Topologies Ljiljana Trajković ljilja@cs.sfu.ca Communication Networks Laboratory http://www.ensc.sfu.ca/cnl School of Engineering Science Simon Fraser University, Vancouver, British

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

An Adaptable Innovative Visualization For Multiple Levels of Users

An Adaptable Innovative Visualization For Multiple Levels of Users World Applied Sciences Journal 15 (5): 722-727, 2011 ISSN 1818-4952 IDOSI Publications, 2011 An Adaptable Innovative Visualization For Multiple Levels of Users Doris Hooi-Ten Wong and Sureswaran Ramadass

More information

Application Security Backgrounder

Application Security Backgrounder Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis

Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis VizSec 2013 October 14, 2013 Atlanta GA, USA Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis Florian Stoffel, Fabian Fischer, Daniel A. Keim Data Analysis and

More information

A solution for comprehensive network security

A solution for comprehensive network security Applied mathematics in Engineering, Management and Technology 2 (6) 2014:22-26 www.amiemt-journal.com A solution for comprehensive network security Seyed Mehdi Mousavi Payam Noor University (PNU), IRAN

More information

STEALTHWATCH MANAGEMENT CONSOLE

STEALTHWATCH MANAGEMENT CONSOLE STEALTHWATCH MANAGEMENT CONSOLE The System by Lancope is a leading solution for network visibility and security intelligence across physical and virtual environments. With the System, network operations

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Attack graph analysis using parallel algorithm

Attack graph analysis using parallel algorithm Attack graph analysis using parallel algorithm Dr. Jamali Mohammad (m.jamali@yahoo.com) Ashraf Vahid, MA student of computer software, Shabestar Azad University (vahid.ashraf@yahoo.com) Ashraf Vida, MA

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information

Impact of BGP Dynamics on Router CPU Utilization

Impact of BGP Dynamics on Router CPU Utilization Impact of BGP Dynamics on Router CPU Utilization Sharad Agarwal 1, Chen-Nee Chuah 2, Supratik Bhattacharyya 3, and Christophe Diot 4 1 University of California, Berkeley, USA, sagarwal@cs.berkeley.edu

More information

Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares

Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares EXCERPT Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares IN THIS EXCERPT Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015

More information

Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes

Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Basil AsSadhan, Hyong Kim, José M. F. Moura, Xiaohui Wang Carnegie Mellon University Electrical and Computer Engineering Department

More information

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY SEPTEMBER 2004 1 Overview Challenge To troubleshoot capacity and quality problems and to understand

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

How To Create An Analysis Tool For A Micro Grid

How To Create An Analysis Tool For A Micro Grid International Workshop on Visual Analytics (2012) K. Matkovic and G. Santucci (Editors) AMPLIO VQA A Web Based Visual Query Analysis System for Micro Grid Energy Mix Planning A. Stoffel 1 and L. Zhang

More information

Network Level Multihoming and BGP Challenges

Network Level Multihoming and BGP Challenges Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology jili@cc.hut.fi Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.

More information

A Review on Zero Day Attack Safety Using Different Scenarios

A Review on Zero Day Attack Safety Using Different Scenarios Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

More information

The Role of Size Normalization on the Recognition Rate of Handwritten Numerals

The Role of Size Normalization on the Recognition Rate of Handwritten Numerals The Role of Size Normalization on the Recognition Rate of Handwritten Numerals Chun Lei He, Ping Zhang, Jianxiong Dong, Ching Y. Suen, Tien D. Bui Centre for Pattern Recognition and Machine Intelligence,

More information

A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques Georgia State University ScholarWorks @ Georgia State University Computer Science Theses Department of Computer Science 1-12-2006 A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

More information

Step-by-Step Guide to Bi-Parental Linkage Mapping WHITE PAPER

Step-by-Step Guide to Bi-Parental Linkage Mapping WHITE PAPER Step-by-Step Guide to Bi-Parental Linkage Mapping WHITE PAPER JMP Genomics Step-by-Step Guide to Bi-Parental Linkage Mapping Introduction JMP Genomics offers several tools for the creation of linkage maps

More information