Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations

Authors:
Florian Mansmann;Fabian Fischer;Daniel A. Keim;Stephen C. North
Affiliations:
University of Konstanz, Konstanz, Germany;University of Konstanz, Konstanz, Germany;University of Konstanz, Konstanz, Germany;AT&T Research, Florham Park, NJ
Venue:
Proceedings of the Symposium on Computer Human Interaction for the Management of Information Technology
Year:
2009

Citing 16
Cited 8

Tree visualization with tree-maps: 2-d space-filling approach

ACM Transactions on Graphics (TOG)
Daytona and the fourth-generation language Cymbal

SIGMOD '99 Proceedings of the 1999 ACM SIGMOD international conference on Management of data
Gigascope: a stream database for network applications

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Home-centric visualization of network traffic for security administration

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
prefuse: a toolkit for interactive information visualization

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Closing-the-Loop in NVisionIP: Integrating Discovery and Search in Security Visualizations

VIZSEC '05 Proceedings of the IEEE Workshops on Visualization for Computer Security
Visualizing Cyber Attacks using IP Matrix

VIZSEC '05 Proceedings of the IEEE Workshops on Visualization for Computer Security
Preserving the Big Picture: Visual Network Traffic Analysis with TN

VIZSEC '05 Proceedings of the IEEE Workshops on Visualization for Computer Security
Visual Correlation of Network Alerts

IEEE Computer Graphics and Applications
A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Hierarchical Edge Bundles: Visualization of Adjacency Relations in Hierarchical Data

IEEE Transactions on Visualization and Computer Graphics
Survey of network-based defense mechanisms countering the DoS and DDoS problems

ACM Computing Surveys (CSUR)
Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats

IEEE Transactions on Visualization and Computer Graphics
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Highly predictive blacklisting

SS'08 Proceedings of the 17th conference on Security symposium
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium

Proposing a multi-touch interface for intrusion detection environments

Proceedings of the Seventh International Symposium on Visualization for Cyber Security
PeekKernelFlows: peeking into IP flows

Proceedings of the Seventh International Symposium on Visualization for Cyber Security
Alerts visualization and clustering in network-based intrusion detection

Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Multistage attack detection system for network administrators using data mining

Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Digging into ip flow records with a visual kernel method

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
QuizMap: open social student modeling and adaptive navigation support with TreeMaps

EC-TEL'11 Proceedings of the 6th European conference on Technology enhanced learning: towards ubiquitous learning
Process mining and security: visualization in database intrusion detection

PAISI'12 Proceedings of the 2012 Pacific Asia conference on Intelligence and Security Informatics
SPTrack: visual analysis of information flows within SELinux policies and attack logs

AMT'12 Proceedings of the 8th international conference on Active Media Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network security depends heavily on automated Intrusion Detection Systems (IDS) to sense malicious activity. Unfortunately, IDS often deliver both too much raw information, and an incomplete local picture, impeding accurate assessment of emerging threats. We propose a system to support analysis of IDS logs, that visually pivots large sets of Net-Flows. In particular, two visual representations of the flow data are compared: a TreeMap visualization of local network hosts, which are linked through hierarchical edge bundles with the external hosts, and a graph representation using a force-directed layout to visualize the structure of the host communication patterns. Three case studies demonstrate the capabilities of our tool to 1) analyze service usage in a managed network, 2) detect a distributed attack, and 3) investigate hosts in our network that communicate with suspect external IPs.