Cyber Security Through Visualization
Kwan-Liu Ma
Department of Computer Science, University of California at Davis

Networked computers are subject to attack, misuse, and abuse. Organizations and individuals are making every effort to build and maintain trustworthy computing systems. The main strategy is to closely monitor and inspect network activities by collecting and analyzing data about the network traffic and the trails of system usage. The analysis usually requires large amounts of finely detailed, high-dimensional data to enable analysts to uncover hidden threats and make calculated predictions in a timely fashion. Traditional signature-based and statistical methods are limited in their capability to cope with large, evolving data and the dynamic nature of the Internet. Visualization has proved effective in aiding the understanding of the large, high-dimensional data commonly found in many demanding applications such as large-scale scientific simulations and biomedicine. There is thus a growing interest in the development of visualization methods as alternative or complementary solutions to pressing cyber security problems (Brodley, Chan, Lippmann & Yurcik 2004, Ma, North & Yurcik 2005). The challenge is to develop new visual representations, layout methods, user interfaces, and interaction techniques that can effectively facilitate visual interrogation and communication of the vast amounts of cyber security information.

Visual data analysis is inherently an iterative process, where each iteration provides more insight into the data being shown. A typical example of this process occurs with any type of overview plus detail visualization. Patterns in the overview tend to direct what the user chooses to view in more detail, and the detailed view can provide insight on regions of the overview.
This drill-down process, starting at a high semantic level and progressing to more detailed views, creates a feedback loop, as shown in Figure 1, which lends itself well to visualizing the relationships between a large number of objects, such as port and network scans. In most cases, different visual representations are needed for constructing these different views. In particular, each specific region of interest may be defined in a space of arbitrary dimensions. The challenge is thus to seek the best space, and the best visual representation in that space, for each type of analysis task. I show with three different tasks how visualization can assist in the analysis of computer network activities for detecting anomalies using the drill-down process.

Copyright © 2006, Australian Computer Society, Inc. This paper appeared at the Asia Pacific Symposium on Information Visualization (APVIS 2006), Tokyo, Japan. Conferences in Research and Practice in Information Technology, Vol. 60. K. Misue, K. Sugiyama and J. Tanaka, Eds. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

Figure 1: The process of visual data analysis is inherently iterative, to see both summary and details in context.

Analysis of Internet Routing Data

The Internet can be considered as a set of subnetworks, each of which represents an organization's network. The problem of packet routing can then be simplified to routing data between these larger entities, referred to as Autonomous Systems, according to the Border Gateway Protocol (BGP). For data packets to arrive at the correct destination, these Autonomous Systems exchange network reachability information in the form of BGP path announcements. Studying and understanding the dynamics of BGP routing changes is thus crucial to ensuring robust network performance.
A drill-down process of analysis (Teoh, Jankun-Kelly, Ma & Wu 2004) can start by looking at the aggregate information about routing changes over a complete period of time, followed by examining routing update messages over a selected period of time and their corresponding statistical values; next, particular instances of instability can be visualized in detail. Figure 2 shows a two-level aggregate data browser which displays the distribution of the BGP announcements over a 1-year period (bottom) and allows the analyst to select a focused period of several minutes. Figure 3 shows the color-coded text visualization of individual BGP path announcements as well as statistical measures of the routing updates during the focused period. This joint visualization allows for verification of the visual and statistical information for anomaly detection (Teoh, Zhang, Tseng, Ma & Wu 2004). After instability events are identified, it is possible to see the distribution of different events, their severity, duration, and frequency all in one single visualization (Teoh, Ma & Wu 2003), as shown in Figure 4.

Figure 2: A two-level aggregate data browser can cover a wide range of granularity. Bottom: At the overview level, the analyst first looks at the aggregate information of the entire time period (typically one year) and specifies a period to focus on. Top: At the next level, the focus can be further narrowed down to a period of several minutes.

Figure 3: Left: Text visualization of a sequence of Autonomous System (AS) path announcements. Each unique AS path is shown in a different color, which effectively forms visual patterns of the updates such as oscillations, repeats, or slow convergences. Right: Statistical measures corresponding to each announcement can be used to help verify any detected anomaly.

Port Data Visualization

Scanning a network is a very common first step in a network intrusion attempt. Crackers frequently scan entire ranges of ports, looking for open ports that can be exploited to gain access to a system. Worms and viruses often target specific ports in an attempt to locate systems that are vulnerable to the mechanisms they use to spread. These attacks are all recorded in security logs, but these logs are time-consuming for administrators to analyze by hand. One way to understand the collected security logs is to produce images of network traffic by choosing axes that correspond to important features of the data, creating a grid based on these axes, and then assigning each cell of the grid a visual property such as color to represent the network activity there. The drill-down process of analyzing port data begins with an overview that presents a time-ordered view of the entire data set.
Figure 4: Visualization of instability events for a particular IP prefix. Each event is represented by a circle and a base. The area of the circle is proportional to the number of announcements, and each color segment indicates a specific type of instability. The triangular base shows the duration of the event. The position of each circle is chosen to avoid occlusion. Nevertheless, tall events suggest that there are many events at that time.

The goal here is to choose a particular range of time to zoom into. In the following steps, detailed views are created to eventually reach an atomic unit of network security interest, which may represent a port scan, an intrusive attack, the activities of spyware, the flocking of employees to Web news sites after a major news event, or any other discrete feature that can be identified in the data. Figure 5 shows, from left to right, a 3-tier process for studying TCP port data (Muelder, Ma & Bartoletti 2005a), in which the leftmost image displays highly condensed port data over a period of time such as a week or a month. Each row of the visualization represents one unit (generally an hour) of time. Each pixel corresponds to a range of ports and is colored according to the level of activity on those ports during the time unit. Figure 6 shows that different levels of enhancement can bring out port scans; furthermore, using different data metrics can reveal different patterns in the data, leading to new discoveries (Muelder et al. 2005a). The grid visualization, shown in the middle of Figure 5, depicts the activity during a given time unit. It consists of a dot on the grid for each of the 65,536 ports. The user can select a port to see detailed information about that port and its surrounding ports, as shown in the upper right image in Figure 5.
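The three-tier drill-down just described, as an added example that is not the paper's or the cited tools' code: an hourly timeline of session counts per port range, a per-hour grid of all ports, and a per-port detail that reports session, destination and source counts, with the few-sources-many-destinations verdict applied to the port behind each spike. The session records are constructed, and the 256-port pixel width, the spike thresholds and the scan rule's numbers are assumptions chosen for that sample.

```python
"""Drill-down over TCP port data: timeline overview -> per-hour port grid -> port detail.

Added example, not code from the paper or the tools it cites. All records are
constructed; PORT_RANGE, SPIKE_FACTOR, MIN_SPIKE and the scan rule are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Session:
    hour: int        # time unit: one row of the overview
    dst_port: int
    src: str         # source address
    dst: str         # destination address


PORT_RANGE = 256     # ports per overview pixel (65536 / 256 = 256 pixels per row)
SPIKE_FACTOR = 8.0   # spike: activity above this multiple of the column's median ...
MIN_SPIKE = 20       # ... and at least this many sessions


def overview(sessions):
    """Tier 1: rows are hours, columns are port ranges, value is the session count."""
    grid = defaultdict(int)
    for s in sessions:
        grid[(s.hour, s.dst_port // PORT_RANGE)] += 1
    return grid


def find_spikes(grid, hours):
    """Return {column: [hours]} for cells far above their column's typical activity."""
    spikes = defaultdict(list)
    for col in sorted({c for _, c in grid}):
        column = [grid.get((h, col), 0) for h in hours]
        baseline = max(median(column), 1)
        for h, count in zip(hours, column):
            if count >= MIN_SPIKE and count >= SPIKE_FACTOR * baseline:
                spikes[col].append(h)
    return dict(spikes)


def port_grid(sessions, hour):
    """Tier 2: one dot per port for a single hour (only active ports are stored)."""
    grid = defaultdict(int)
    for s in sessions:
        if s.hour == hour:
            grid[s.dst_port] += 1
    return grid


def hottest_port(grid, col):
    """Within the port range behind one overview pixel, pick the busiest port."""
    lo, hi = col * PORT_RANGE, (col + 1) * PORT_RANGE
    candidates = {p: n for p, n in grid.items() if lo <= p < hi}
    return max(candidates, key=candidates.get) if candidates else None


def port_metrics(sessions, port, hours):
    """Tier 3: per-hour session, destination and source counts for one port."""
    rows = {}
    for h in hours:
        subset = [s for s in sessions if s.dst_port == port and s.hour == h]
        dsts, srcs = {s.dst for s in subset}, {s.src for s in subset}
        rows[h] = {"sessions": len(subset), "destinations": len(dsts), "sources": len(srcs),
                   "src_dst_ratio": len(srcs) / len(dsts) if dsts else 0.0}
    return rows


def likely_scan(row, min_destinations=20, max_sources=3):
    """Assumed scan rule: many destinations reached by very few sources."""
    return row["destinations"] >= min_destinations and 0 < row["sources"] <= max_sources


def drill_down(sessions):
    """Run the three tiers end to end; report the port behind each spike and its verdict."""
    hours = sorted({s.hour for s in sessions})
    findings = []
    for col, spike_hours in find_spikes(overview(sessions), hours).items():
        port = hottest_port(port_grid(sessions, spike_hours[0]), col)
        metrics = port_metrics(sessions, port, hours)
        first = metrics[spike_hours[0]]
        findings.append({"port": port, "spike_hours": spike_hours,
                         "scan_hours": [h for h in spike_hours if likely_scan(metrics[h])],
                         "sources": first["sources"], "destinations": first["destinations"]})
    return findings


def build_sample():
    """Constructed 24-hour data set: steady web traffic plus a one-source sweep on a high port."""
    sessions = []
    for hour in range(24):
        for i in range(10):  # ten clients reaching five web servers every hour
            sessions.append(Session(hour, 80, f"10.0.1.{i}", f"192.0.2.{i % 5}"))
        sessions.append(Session(hour, 5000 + hour, "10.0.2.1", "192.0.2.9"))  # background noise
    for hour in (5, 6, 7):   # one source probing 60 hosts on port 4444 for three hours
        for d in range(60):
            sessions.append(Session(hour, 4444, "198.51.100.7", f"192.0.2.{d}"))
    return sessions


if __name__ == "__main__":
    for finding in drill_down(build_sample()):
        print(finding)
```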
The bottom right picture shows a single port over the entire time range, for each of the metrics of interest including, from top to bottom, session count, destination count, source count, the ratio of sources to destinations, and country count. Such a visualization is useful for finding relationships between metrics, as well as showing periodic structures in the data such as the change in web traffic throughout the day. Figure 7 presents some distinct patterns of activity.

Figure 5: A drill-down process for finding network scans, applied to a 24-hour-long dataset at 10-minute resolution. Starting at the timeline on the left, a spike is found on a high port that crosses several hours. One of these hours is then selected for viewing in the grid-based visualization shown in the middle. In it, there is exactly one port with unusually large values in the range of ports that corresponds to the spike. The range around this port is zoomed into, which reveals in the bottom-right image that an abnormally large number of destinations are being connected to by a small number of sources, which means that this is likely a network scan.

Figure 6: Visualization of the entire time range with enhancement to bring out port scans corresponding to a particular spike, using the activity-level histogram and gradient editor shown on the bottom.

Scan Characterization

In order to obfuscate an attack, an attacker frequently alters identifying features like source IP addresses. Thus, in order to identify an attacker, some more immutable aspect of the attack must be considered, such as packet arrival timing, which is dependent on several factors that are difficult to alter, such as hardware or operating system limitations or router delays. However, due to the chaotic nature of packet arrival times, one must analyze a large quantity of packets. Network scans provide a good source of such timing information. It is thus beneficial to take network scan timing information and use visualization techniques to characterize the scans.

An underlying premise of this approach to the network scan characterization problem is that humans are creatures of habit (and autonomous software applications even more so). Having created an environment of attack tools with which they have become familiar, they tend to reuse those tools and support systems in future activities. The particular settings employed would likely remain consistent as well, both out of familiarity and out of a desire to properly compare recent results with earlier findings. Additionally, other software processes that may be running concurrently in support of analysis or ancillary activities compete with and impact the performance of their network activities in reliably consistent ways, imposing uniquely identifiable characteristics on the sequence and packet arrival times of high-packet-count interactions.

Individual scans can be shown with a grid-based visualization, where the axes are the third and fourth octets of the destination IP addresses, and the color is based on a metric derived from timing information.
Metrics range from simple ones, such as the arrival time of the first probe or the number of probes for each address, to complex ones, such as the deviation from a linear expected arrival time for each destination. Patterns that are nearly identical in one metric can be distinct in others. Figure 8 shows such scan visualizations. The relationships between network scans may be understood by statistically comparing pairs of scans, and it is also possible to get a quantitative measure of how well they match. However, because the scans are too chaotic to compare directly, frequency analysis, such as Fourier transforms or wavelet transforms, can be used to convert the scan patterns into scalograms, which can then be systematically compared (Muelder, Ma & Bartoletti 2005b). Although network scan patterns can exhibit a periodic or quasi-periodic structure, they often contain gaps, aperiodic aberrations and regions where the relative phase of the periodic structures has shifted, which are things that Fourier analysis has been found not to handle well. Wavelets, on the other hand, are relatively resistant to phase shifts and noise. Figure 9 shows that dissimilar patterns result in different scalograms.

At this point, the scans can be directly visualized individually, but when dealing with large numbers of scans, this is unfeasible. So, once the scans are isolated, in order to compare them automatically, fingerprints are generated to be fed into an overview visualization. This overview of the relationships between the scans and the detailed view of individual pairs of scans for comparison purposes compose an overview plus detail feedback loop. As described before, the overview allows the analyst to drill down into certain areas by showing them in the detailed view. The overview can be provided by a graph visualization of the relationship between scans. Each node is a scan, and each edge is their relationship. The edge weights are derived from the wavelet analysis of the scans, and they range from 0, which means the scans are completely different, to 1, which means they are identical. The graph can be displayed with a force-directed layout algorithm, and edges below a particular threshold may be dropped for clarity. The resulting image then shows clusters of scans that are similar, as shown in Figure 10. The user can start with such an overview graph and then drill down to detailed characteristics of the scans in the same cluster. In this way, a graph of a large number of scans can be rapidly compared and the scans subsequently identified. Furthermore, it is very helpful to allow the analyst to bias the overview in a manner reflecting the cognitive insight gained from looking at the detail view (Muelder et al. 2005b).

Figure 7: Plots of metrics versus time for individual ports. In each example, the session count (the first metric) is highlighted. The other four metrics shown are destination address count, source address count, unique source and destination pair count, and country count. The usage of Port 80 (upper left) is very periodic, while Port (upper right) has a fairly constant level of activity, with a few spikes. Port (lower left) is more erratic, though, interestingly, its usage drops noticeably as time goes on. Port (lower right) has one of the most suspicious usage graphs; it is only used a few times, but it is used fairly heavily during those times.

Figure 8: Visualization of individual scans showing patterns that can easily be compared by eye. These images show the arrival time of the first connection attempt to each address, with blue being early in the scan, red being late in the scan, and black being an address that had no connection attempt.
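The scan characterization pipeline above, as an added example that is not the paper's or the cited tools' code: the grid over the third and fourth destination octets, the deviation-from-linear-arrival metric, a wavelet fingerprint per scan, pairwise edge weights in [0, 1], and the clusters that remain after dropping edges below a threshold. The fingerprint is an assumed simplification of the paper's scalograms (per-scale detail energies of an undecimated Haar transform, which stay the same when a periodic pattern is shifted); the four scans, their batch/pause settings and the 0.8 threshold are constructed.

```python
"""Scan characterization: octet grid -> wavelet fingerprint -> similarity graph -> clusters.

Added example, not the paper's or the cited tools' code. The fingerprint is an
assumed simplification: per-scale detail energies of an undecimated Haar transform,
which do not change when a periodic pattern is shifted. Scans are constructed.
"""
from math import sqrt

GRID = 256 * 256   # one cell per (third octet, fourth octet) of the destination
LEVELS = 8         # Haar scales of 1, 2, 4, ..., 128 addresses


def cell(ip):
    """Grid cell of a dotted-quad destination: row = third octet, column = fourth."""
    o = ip.split(".")
    return int(o[2]) * 256 + int(o[3])


def deviation_grid(probes):
    """Paper's metric: deviation of each first arrival from a linear expected arrival.

    probes: (time_ms, dst_ip) pairs in capture order; unprobed cells stay 0 ("black").
    """
    first = {}
    for t, ip in probes:
        first.setdefault(cell(ip), t)            # first probe per address
    lo, hi = min(first), max(first)
    slope = (first[hi] - first[lo]) / (hi - lo) if hi > lo else 0.0
    dev = {c: t - first[lo] - slope * (c - lo) for c, t in first.items()}
    scale = max(abs(v) for v in dev.values()) or 1.0
    grid = [0.0] * GRID
    for c, v in dev.items():
        grid[c] = v / scale                      # normalised to [-1, 1]
    return grid


def fingerprint(grid):
    """Per-scale detail energies of an undecimated (shift-invariant) Haar transform."""
    smooth, energies = grid, []
    for level in range(LEVELS):
        tau = 1 << level
        shifted = smooth[tau:] + smooth[:tau]   # circular shift by tau cells
        energies.append(sum(((a - b) / 2) ** 2 for a, b in zip(smooth, shifted)))
        smooth = [(a + b) / 2 for a, b in zip(smooth, shifted)]
    return energies


def similarity(fp_a, fp_b):
    """Edge weight in [0, 1]: cosine between two non-negative energy vectors."""
    dot = sum(a * b for a, b in zip(fp_a, fp_b))
    norm = sqrt(sum(a * a for a in fp_a)) * sqrt(sum(b * b for b in fp_b))
    return dot / norm if norm else 0.0


def clusters(fps, threshold):
    """Overview graph: keep edges at or above threshold, return its connected components."""
    names = sorted(fps)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if similarity(fps[a], fps[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


def make_scan(batch, pause_ms, offset, hosts=4096):
    """Constructed sweep of 10.1.0.0/20: `batch` probes 1 ms apart, then a pause."""
    return [(k + ((k + offset) // batch) * pause_ms, f"10.1.{k // 256}.{k % 256}")
            for k in range(hosts)]


SCANS = {
    "A": make_scan(64, 20, 0),    # one tool setting
    "B": make_scan(64, 20, 37),   # same setting, started mid-batch (phase shift)
    "C": make_scan(16, 5, 0),     # a different setting
    "D": make_scan(16, 5, 9),
}


def analyse(scans=SCANS, threshold=0.8):
    """Fingerprint every scan and cluster the overview graph."""
    fps = {name: fingerprint(deviation_grid(p)) for name, p in scans.items()}
    return fps, clusters(fps, threshold)


if __name__ == "__main__":
    fps, groups = analyse()
    print("A~B", round(similarity(fps["A"], fps["B"]), 3),
          "A~C", round(similarity(fps["A"], fps["C"]), 3), groups)
```

The A/B pair differs only in where the scanner's pause schedule starts, so their fingerprints stay close, while the C/D pair uses a different batch size and lands in its own cluster.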
This enhances the feedback loop by allowing information gained by viewing the details of network scans to be reflected back in the overview.

Figure 9: Wavelet scalograms reduce large, complex patterns to smaller, simpler vectors that can be compared. This example was made using a metric based on the number of visits per unique address, with a black-to-red gradient, where black is no probes and red is the maximum for that scan. Top: Similar scans have similar wavelet scalograms. Bottom: Dissimilar scans have very different scalograms.

Figure 10: Graph visualization of network scans. Clusters contain scans with a general pattern. A representative example from each selected cluster is shown.

Concluding Remarks

Visualization leverages humans' extraordinary ability to detect patterns in images; nevertheless, by itself visualization does not answer all the questions the analyst has. Visualization is best for guiding a complex data analysis process, since visualization is particularly good for showing an overview of the data, which can direct the analyst's attention to the aspects of the data that require further investigation, as demonstrated by the three examples I have given. The ability to show details in context with visualization is also very powerful. To fight against the increasingly creative and malicious attacks on network security, I believe a promising approach is to add intelligent reasoning with learning capabilities into the visualization-directed analysis.

Cyber security is a much broader topic than ensuring the normal operation of a computer network. The task of analyzing network security data represents only a small subset of the greater security problem that we are faced with today. For example, data collected for intelligence information analysis are more heterogeneous, including text, measurements from sensors, imagery, video and audio from diverse sources. What visual representations should we use to study such heterogeneous data in a unified manner? What would be the meaningful linkages among the disparate data to facilitate cross-exploration? For the field of information visualization, this new class of problems presents many challenges and open research questions. We have only addressed a very small fraction of these challenges. Please join me in this research endeavor.

References

Brodley, C., Chan, P., Lippmann, R. & Yurcik, B., eds (2004), Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), ACM.

Ma, K.-L., North, S. & Yurcik, B., eds (2005), Proceedings of the IEEE Workshop on Visualization for Computer Security 2005 (VizSEC 2005), IEEE Computer Society.

Muelder, C., Ma, K.-L. & Bartoletti, T. (2005a), Interactive visualization for network and port scan detection, in Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005).

Muelder, C., Ma, K.-L. & Bartoletti, T. (2005b), A visualization methodology for characterization of network scans, in Proceedings of the Workshop on Visualization for Computer Security (VizSEC 2005), pp.

Teoh, S. T., Jankun-Kelly, T. J., Ma, K.-L. & Wu, S. F. (2004), Visual data analysis for detecting flaws and intruders in computer network systems, IEEE Computer Graphics and Applications (special issue on Visual Analytics) 24(5).

Teoh, S. T., Ma, K.-L. & Wu, S. F. (2003), Visual exploration process for the analysis of internet routing data, in Proceedings of the IEEE Visualization 2003 Conference, pp.

Teoh, S. T., Zhang, K., Tseng, S.-M., Ma, K.-L. & Wu, S. F. (2004), Combining visual and automated data mining for near-real-time anomaly detection and analysis in BGP, in Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), pp.
More informationDetecting Network Anomalies. Anant Shah
Detecting Network Anomalies using Traffic Modeling Anant Shah Anomaly Detection Anomalies are deviations from established behavior In most cases anomalies are indications of problems The science of extracting
More informationData Visualisation and Statistical Analysis Within the Decision Making Process
Data Visualisation and Statistical Analysis Within the Decision Making Process Jamie Mahoney Centre for Educational Research and Development, University of Lincoln, Lincoln, UK. Keywords: Abstract: Data
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationIntro to Firewalls. Summary
Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationA Catechistic Method for Traffic Pattern Discovery in MANET
A Catechistic Method for Traffic Pattern Discovery in MANET R. Saranya 1, R. Santhosh 2 1 PG Scholar, Computer Science and Engineering, Karpagam University, Coimbatore. 2 Assistant Professor, Computer
More informationTake the Red Pill: Becoming One with Your Computing Environment using Security Intelligence
Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing
More informationInsider Threat Detection Using Graph-Based Approaches
Cybersecurity Applications & Technology Conference For Homeland Security Insider Threat Detection Using Graph-Based Approaches William Eberle Tennessee Technological University weberle@tntech.edu Lawrence
More informationPAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ
PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ
More informationBARE PCB INSPECTION BY MEAN OF ECT TECHNIQUE WITH SPIN-VALVE GMR SENSOR
BARE PCB INSPECTION BY MEAN OF ECT TECHNIQUE WITH SPIN-VALVE GMR SENSOR K. Chomsuwan 1, S. Yamada 1, M. Iwahara 1, H. Wakiwaka 2, T. Taniguchi 3, and S. Shoji 4 1 Kanazawa University, Kanazawa, Japan;
More informationProduct Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity
NIP IDS Product Overview The Network Intelligent Police (NIP) Intrusion Detection System (IDS) is a new generation of session-based intelligent network IDS developed by Huaweisymantec. Deployed in key
More informationHow to Detect and Prevent Cyber Attacks
Distributed Intrusion Detection and Attack Containment for Organizational Cyber Security Stephen G. Batsell 1, Nageswara S. Rao 2, Mallikarjun Shankar 1 1 Computational Sciences and Engineering Division
More informationSIP Service Providers and The Spam Problem
SIP Service Providers and The Spam Problem Y. Rebahi, D. Sisalem Fraunhofer Institut Fokus Kaiserin-Augusta-Allee 1 10589 Berlin, Germany {rebahi, sisalem}@fokus.fraunhofer.de Abstract The Session Initiation
More informationThreat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence
Threat intelligence visibility the way forward Mike Adler, Senior Product Manager Assure Threat Intelligence The modern challenge Today, organisations worldwide need to protect themselves against a growing
More informationHow To Understand and Configure Your Network for IntraVUE
How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationThe Quality of Internet Service: AT&T s Global IP Network Performance Measurements
The Quality of Internet Service: AT&T s Global IP Network Performance Measurements In today's economy, corporations need to make the most of opportunities made possible by the Internet, while managing
More informationIBM Security QRadar Risk Manager
IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to
More informationInter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:
Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations
More informationAn Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/
An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at
More informationDeploying Firewalls Throughout Your Organization
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
More informationBanking Security using Honeypot
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information
More informationAnalysis of Internet Topologies
Analysis of Internet Topologies Ljiljana Trajković ljilja@cs.sfu.ca Communication Networks Laboratory http://www.ensc.sfu.ca/cnl School of Engineering Science Simon Fraser University, Vancouver, British
More informationDDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR
Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,
More informationAn Adaptable Innovative Visualization For Multiple Levels of Users
World Applied Sciences Journal 15 (5): 722-727, 2011 ISSN 1818-4952 IDOSI Publications, 2011 An Adaptable Innovative Visualization For Multiple Levels of Users Doris Hooi-Ten Wong and Sureswaran Ramadass
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationIBM Security. 2013 IBM Corporation. 2013 IBM Corporation
IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure
More informationFinding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis
VizSec 2013 October 14, 2013 Atlanta GA, USA Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis Florian Stoffel, Fabian Fischer, Daniel A. Keim Data Analysis and
More informationA solution for comprehensive network security
Applied mathematics in Engineering, Management and Technology 2 (6) 2014:22-26 www.amiemt-journal.com A solution for comprehensive network security Seyed Mehdi Mousavi Payam Noor University (PNU), IRAN
More informationSTEALTHWATCH MANAGEMENT CONSOLE
STEALTHWATCH MANAGEMENT CONSOLE The System by Lancope is a leading solution for network visibility and security intelligence across physical and virtual environments. With the System, network operations
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationAttack graph analysis using parallel algorithm
Attack graph analysis using parallel algorithm Dr. Jamali Mohammad (m.jamali@yahoo.com) Ashraf Vahid, MA student of computer software, Shabestar Azad University (vahid.ashraf@yahoo.com) Ashraf Vida, MA
More informationNSC 93-2213-E-110-045
NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends
More informationImpact of BGP Dynamics on Router CPU Utilization
Impact of BGP Dynamics on Router CPU Utilization Sharad Agarwal 1, Chen-Nee Chuah 2, Supratik Bhattacharyya 3, and Christophe Diot 4 1 University of California, Berkeley, USA, sagarwal@cs.berkeley.edu
More informationWorldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares
EXCERPT Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares IN THIS EXCERPT Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015
More informationNetwork TrafficBehaviorAnalysisby Decomposition into Control and Data Planes
Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Basil AsSadhan, Hyong Kim, José M. F. Moura, Xiaohui Wang Carnegie Mellon University Electrical and Computer Engineering Department
More informationCISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY
CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY SEPTEMBER 2004 1 Overview Challenge To troubleshoot capacity and quality problems and to understand
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationHow To Create An Analysis Tool For A Micro Grid
International Workshop on Visual Analytics (2012) K. Matkovic and G. Santucci (Editors) AMPLIO VQA A Web Based Visual Query Analysis System for Micro Grid Energy Mix Planning A. Stoffel 1 and L. Zhang
More informationNetwork Level Multihoming and BGP Challenges
Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology jili@cc.hut.fi Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.
More informationA Review on Zero Day Attack Safety Using Different Scenarios
Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios
More informationCHAPTER 1 INTRODUCTION
21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless
More informationThe Role of Size Normalization on the Recognition Rate of Handwritten Numerals
The Role of Size Normalization on the Recognition Rate of Handwritten Numerals Chun Lei He, Ping Zhang, Jianxiong Dong, Ching Y. Suen, Tien D. Bui Centre for Pattern Recognition and Machine Intelligence,
More informationA Survey, Taxonomy, and Analysis of Network Security Visualization Techniques
Georgia State University ScholarWorks @ Georgia State University Computer Science Theses Department of Computer Science 1-12-2006 A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques
More informationStep-by-Step Guide to Bi-Parental Linkage Mapping WHITE PAPER
Step-by-Step Guide to Bi-Parental Linkage Mapping WHITE PAPER JMP Genomics Step-by-Step Guide to Bi-Parental Linkage Mapping Introduction JMP Genomics offers several tools for the creation of linkage maps
More information