Monitoring Network Traffic with Radial Traffic Analyzer




Monitoring Network Traffic with Radial Traffic Analyzer
Daniel A. Keim, Florian Mansmann, Jörn Schneidewind, Tobias Schreck
IEEE Symposium on Visual Analytics Science and Technology, 2006
Presented by Stefan Heinz, Seminar Visual Analytics, Summer Term 2008

Motivation
- The Internet has become the information medium of first resort.
- Each host on the network faces different threats in this environment: malicious code, denial-of-service attacks, attempts to hijack a machine.

Motivation
- How can we identify such threats?
- What kind of data is transferred between my computer and other computers on the network? (local network, localhost, internet)

Motivation: Network Monitoring
- Surveillance of important performance metrics.
- Goal: supervise functionality, detect and prevent potential problems, develop effective countermeasures for anomalies and sabotage.

Data Set
- Communication data is complex: large amounts of data, real-time data, interrelationships between communication connections, and relationships that may vary over time.

Data Set: Technical Background, TCP/IP Reference Model
- 1 Application Layer, 2 Presentation Layer, 3 Session Layer, 4 Transport Layer, 5 Network Layer, 6 Data Link Layer, 7 Physical Layer
- The Application Layer allows mapping to applications; the Transport Layer (TCP, UDP) and the Network Layer (IP) form the packet level.
- Addresses per layer: ports (e.g. 80, http), IP address (e.g. 192.168.23.42), MAC address.

Data Set: Attributes
- Time
- Source IP address & port
- Destination IP address & port
- Payload

Related Work
- Stephen Lau: The Spinning Cube of Potential Doom. Communications of the ACM, 2004.
- Anita Komlodi et al.: A User-Centric Look at Glyph-Based Security Visualization. IEEE Workshop on Visualization for Computer Security, 2005.
- Stefano Foresti et al.: Visual Correlation of Network Alerts. IEEE Computer Graphics and Applications, 2006.

Related Work: How does this approach differ from these works?
- Brings together the complementing pieces of information.
- Easier reading and interpretation.
- Easier-to-understand metaphors.

Radial Traffic Analyzer: Layout
- Attributes are mapped to different rings.
- The user selects the important attributes to be displayed in the inner rings.
- From inside to outside, the attributes are used successively for grouping and sorting.

Radial Traffic Analyzer: Why a radial layout?
- Better supports the task of finding suspicious patterns.
- The user is not misguided into placing more importance on an item because of its position on the left or right.

Coloring Concept
- Special colors; brightness distinguishes secure/unsecured.
- Uses distinct colors for IP addresses and ports.

Radial Traffic Analyzer: Interactivity
- Positioning, and thus importance within the sorting order, can be changed using drag & drop operations.
- Tooltips display the full label for small segments and additional information (host name, possible application programs).

Radial Traffic Analyzer: Interactivity
- Detailed information for a segment is accessible via a popup menu.
- Different measures: transferred bytes, number of connections, number of sessions.
- A mouse click filters/discards all traffic with the chosen attribute.
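The Layout and Interactivity slides describe the grouping-and-sorting behind the rings and the click-to-discard filter. The following is an added example (not code from the slides or the RTA authors) that computes the angular segments per ring from constructed flow records; the attribute order, the measures (bytes, connections) and the flow tuple layout are assumptions for illustration.

```python
# Added example (not from the slides): the group-and-sort step behind the
# Radial Traffic Analyzer rings and the click-to-discard filter, run on
# constructed flow records.
from collections import defaultdict

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("192.168.23.42", 51000, "10.0.0.5", 80, 4000),
    ("192.168.23.42", 51001, "10.0.0.5", 80, 2000),
    ("192.168.23.42", 51002, "10.0.0.9", 443, 1000),
    ("192.168.23.77", 40000, "10.0.0.5", 80, 2000),
    ("192.168.23.77", 40001, "10.0.0.9", 22, 1000),
]
FIELDS = {"src_ip": 0, "src_port": 1, "dst_ip": 2, "dst_port": 3}
# Segment measures offered in the popup menu: transferred bytes or connections.
MEASURES = {"bytes": lambda f: f[4], "connections": lambda f: 1}

def layout(flows, ring_order, measure, start=0.0, sweep=360.0, path=(), out=None):
    """One list per ring (innermost first) of (path, start_deg, sweep_deg).

    ring_order is the user-chosen attribute priority. Each ring is laid out
    inside its parent segment's angular span, so outer rings are grouped and
    sorted successively by the inner ones, as the RTA layout slide describes.
    """
    depth = len(path)
    if out is None:
        out = [[] for _ in ring_order]
    if depth == len(ring_order) or not flows:
        return out
    groups = defaultdict(list)
    for f in flows:
        groups[f[FIELDS[ring_order[depth]]]].append(f)
    size = lambda fs: sum(measure(f) for f in fs)
    total = size(flows)
    pos = start
    # Largest segment first so the dominant talker stands out; ties by value.
    for value, fs in sorted(groups.items(), key=lambda kv: (-size(kv[1]), str(kv[0]))):
        share = size(fs) / total * sweep
        out[depth].append((path + (value,), pos, share))
        layout(fs, ring_order, measure, pos, share, path + (value,), out)
        pos += share
    return out

def drop(flows, attr, value):
    """Mouse-click filter: discard all traffic carrying the chosen attribute value."""
    return [f for f in flows if f[FIELDS[attr]] != value]

if __name__ == "__main__":
    for ring in layout(FLOWS, ("src_ip", "dst_ip", "dst_port"), MEASURES["bytes"]):
        print([(" > ".join(map(str, p)), round(s, 1), round(w, 1)) for p, s, w in ring])
```

Reordering `ring_order` reproduces the drag & drop re-prioritisation: the same flows are regrouped with a different attribute in the inner ring.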

Radial Traffic Analyzer: Flexibility (figure-only slide)

Combining RTA with Geospatial Displays
- Idea for HistoMap: retrieve country names for IP addresses using Maxmind's GeoIP database.
- Use a squarified treemap layout; the size of the rectangles corresponds to traffic volume.

Combining RTA with Geospatial Displays (figure-only slide)

Interactive Exploration of Data Traffic with Hierarchical Network Maps
Florian Mansmann, Svetlana Vinnik. IEEE Transactions on Visualization and Computer Graphics, 2006.

Hierarchical Network Maps
- Display the distribution of source and target data traffic of network nodes.
- Visualization of port activity.
- Also a space-filling technique (treemap).

Hierarchical Network Maps (figure-only slide)

Hierarchical Network Maps: Layout
- Squarified treemap.
- To get an almost static map layout, the total size of the network and its components is used (user orientation).
- Nodes on continent and country level preserve their relative geographical position.
- Nodes on the other levels are sorted by IP addresses.

Hierarchical Network Maps (two figure-only slides)

Hierarchical Network Maps: Filters
- Type of load (packets sent, received or total)
- Time frame
- Port or port cluster
- Protocol

Hierarchical Network Maps: Large amounts of data
- It turned out to be infeasible to process the entire network data.
- Aggregation entries were used (#sessions, #packets transferred, bytes transferred).
- Usage of data warehouse techniques (OLAP cubes).
- Split the log into a Short Term Log, Middle Term Log and Long Term Log.

Hierarchical Network Maps: Descending to the Pixel Level (figure-only slide)

Hierarchical Network Maps: Interaction
- The user can choose which region of the network should be investigated further (drill-down/roll-up).
- Additional information via popup menu (interactive time, host, and port activity diagrams).

Hierarchical Network Maps (figure-only slide)

Hierarchical Network Maps: Pros and Cons
- Pros: integration of geographical information with a clever layout; nice data overview.
- Cons: needs a lot of display space depending on the granularity level; integration of details.

Combining RTA with Geospatial Displays (figure-only slide)

Radial Traffic Analyzer: Animation over time (sequence of four figure-only slides)

Radial Traffic Analyzer: Classification (figure-only slide)

Radial Traffic Analyzer: Pros
- Easy metaphor (e.g. fast perception of the traffic composition).
- Good color scheme.
- Combination of machine techniques and human capabilities.

Radial Traffic Analyzer: Cons
- Display space / use of tooltips (especially when displaying both visualizations at once).
- No explanation of the data preprocessing and performance.

Summary