Visualization for Network Traffic Monitoring & Security

Size: px

Start display at page:

Download "Visualization for Network Traffic Monitoring & Security"

Lorin Townsend
8 years ago
Views:

1 Visualization for Network Traffic Monitoring & Security Erwan ISIT/KYUSHU, Supélec 2006

2 Plan Visualization Visualization Host based Network based Between networks Other prototypes Pre-processing PGVis PGVis3D

3 Introduction Network security Computer networks: targets of a large scale of attacks. Network traffic analysis and network traffic monitoring: a way to detect and maybe prevent these attacks. But, the data to process is really huge! A solution? To take advantage of human visual processing and pattern recognition.

Network traffic analysis and network traffic monitoring: a way to detect and

4 Visualization techniques Several classifications By the data type and the task to perform with the data [Shneiderman, 1996]. By the data type and the steps to perform in order to create the visualization [Chi, 2000]. A mantra! "Overview first, zoom and filter, then details-on-demand".

By the data type and the steps to perform in order to create the

5 Network traffic analysis Host based Network based Between networks Other prototypes Pre-processing Modus operandi Capture the raw traffic of the network through various kind of probes. Usually, automatic processing (optional), then text-based display of the data. For the visualization, quite the same: direct visualization or pre-processing. Classification of the visualization systems By the level from which they consider the network.

Usually, automatic processing (optional), then text-based display of the data.

6 EtherApe Visualization Host based Network based Between networks Other prototypes Pre-processing

7 Host based Network based Between networks Other prototypes Pre-processing VISUAL [Ball et al., 2004]

8 Host based Network based Between networks Other prototypes Pre-processing NVisionIP [Lakkaraju et al., 2004]

9 Between networks Visualization Host based Network based Between networks Other prototypes Pre-processing Few prototypes... Visualization system based on BGP routing protocol analysis [Teoh et al., 2004].

10 Host based Network based Between networks Other prototypes Pre-processing PortVis [McPherson et al., 2004] Features Disclose as little information as possible on network topology. Data aggregation by TCP ports.

, 2004] Features Disclose as little information as

11 Host based Network based Between networks Other prototypes Pre-processing "Spinning cube of potential doom" [Lau, 2004]

12 PGVis PGVis3D PGVis Interactive grid system Two groups of two grids that represent several parts of the network. One group stands for the monitored network. The other group stands for the "outside" network. Grids are colored according to network activity. The network traffic is displayed by colored lines joining the different grids parts.

The other group stands for the "outside" network.

13 Common traffic Visualization PGVis PGVis3D

14 Portscan Visualization PGVis PGVis3D

15 PGVis PGVis3D BitTorrent traffic (two different BitTorrent files)

16 PGVis PGVis3D PGVis3D Some usability and scalability issues with PGVis... Try to combine 2D and 3D representations of the network to solve those issues extension of PGVis. 3D representation: textured cubes standing for selected network zones. 2D representation: interactive grids similar to the ones used in PGVis.

17 PGVis3D (common traffic) PGVis PGVis3D

18 Future work? Finalize the current prototypes. IPv6 mapping.

19 Questions-answers Visualization Any questions?

20 Appendix Bibliography Bibliography I Ball, R., Fink, G. A., and North, C. (2004). Home-centric visualization of network traffic for security administration. In VizSEC/DMSEC 04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pages 55 64, New York, NY, USA. ACM Press. Chi, E. H. (2000). A taxonomy of visualization techniques using the data state reference model. In INFOVIS 00: Proceedings of the IEEE Symposium on Information Vizualization 2000, page 69, Washington, DC, USA. IEEE Computer Society. Lakkaraju, K., Yurcik, W., and Lee, A. J. (2004). Nvisionip: netflow visualizations of system state for security situational awareness. In VizSEC/DMSEC 04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pages 65 72, New York, NY, USA. ACM Press. Lau, S. (2004). The spinning cube of potential doom. Commun. ACM, 47(6): McPherson, J., Ma, K.-L., Krystosk, P., Bartoletti, T., and Christensen, M. (2004). Portvis: a tool for port-based detection of security events. In VizSEC/DMSEC 04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pages 73 81, New York, NY, USA. ACM Press.

A taxonomy of visualization techniques using the data state reference model. In INFOVIS 00: Proceedings of the IEEE Symposium on Information Vizualization 2000, page 69, Washington, DC, USA.

21 Appendix Bibliography Bibliography II Shneiderman, B. (1996). The eyes have it: A task by data type taxonomy for information visualizations. In VL, pages Teoh, S. T., Ma, K.-L., Wu, S. F., and Jankun-Kelly, T. J. (2004). Detecting flaws and intruders with visual data analysis. IEEE Comput. Graph. Appl., 24(5):27 35.

An Adaptable Innovative Visualization For Multiple Levels of Users

World Applied Sciences Journal 15 (5): 722-727, 2011 ISSN 1818-4952 IDOSI Publications, 2011 An Adaptable Innovative Visualization For Multiple Levels of Users Doris Hooi-Ten Wong and Sureswaran Ramadass