Visual Analytics for Network Flow Analysis
CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Network packet traces, despite containing a lot of noise, hold invaluable information, especially for investigating security incidents. However, given the gigabytes of flow data crossing a typical medium-sized enterprise network every day, spotting malicious activity and analyzing trends in network behavior becomes a tedious task. Computational mechanisms for analyzing such data usually take substantial time to detect interesting patterns and often mislead the analyst into false positives or false negatives. The appropriate representation of network traffic data to the human analyst has therefore become a recent concern. Much of the focus, however, has been on visualizing TCP traffic alone, adapting visualization techniques to the fields relevant to that protocol's traffic, rather than on the multivariate nature of network security data in general and on the fact that forensic analysis, to be fast and effective, has to take different parameters into consideration for each protocol. In this paper, we bring together two powerful tools: SiLK (System for Internet-Level Knowledge), for command-line network trace analysis, and ComVis, a generic information visualization tool. We integrate the strengths of both by providing a simple GUI that streamlines interaction between them, for the purpose of visualizing network traces, characterizing interesting patterns, and fingerprinting related activity. We applied the visualizations to anonymized packet traces from Lawrence Berkeley National Laboratory, captured during selected hours across three months. We used a sliding-window approach to visually examine traces for two transport-layer protocols, ICMP and UDP. The main contribution of this research is a protocol-specific visualization framework for ICMP and UDP traffic data.
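As an added illustration of the sliding-window, protocol-specific summarisation the abstract describes (this is example code written for this page, not code from the paper, from SiLK or from ComVis), the script below walks a set of flow records with overlapping time windows and builds a different per-window view for ICMP (distinct destinations per source, keyed by type and code) than for UDP (flows, bytes and distinct sources per destination port). The flow records are constructed, the field names (stime, sip, dip, sport, dport, ...) are an assumed generic vocabulary rather than SiLK's schema, and the encoding of the ICMP type and code as dport = type*256 + code is an assumption stated in the comments.

```python
"""Sliding-window, protocol-specific summarisation of flow records.

Constructed example: the records in SAMPLE_FLOWS are made up and are not
taken from the LBNL traces or from SiLK output. Field names are an assumed
generic flow vocabulary, not SiLK's own schema.
"""
from collections import defaultdict
from dataclasses import dataclass

ICMP, UDP = 1, 17  # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    stime: int    # flow start, seconds since epoch (constructed values)
    proto: int    # IP protocol number
    sip: str
    dip: str
    sport: int
    dport: int    # for ICMP, assumed to carry type*256 + code
    packets: int
    bytes: int


def icmp_type_code(flow):
    """Split an ICMP type/code out of the dport field (assumed encoding)."""
    return flow.dport // 256, flow.dport % 256


def summarize_window(flows):
    """Protocol-specific view of the flows falling into one window.

    ICMP: per (type, code), how many distinct destinations each source touched.
    UDP : per destination port, number of flows, total bytes, distinct sources.
    """
    icmp = defaultdict(lambda: defaultdict(set))  # (type, code) -> sip -> {dip}
    udp = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for f in flows:
        if f.proto == ICMP:
            icmp[icmp_type_code(f)][f.sip].add(f.dip)
        elif f.proto == UDP:
            rec = udp[f.dport]
            rec["flows"] += 1
            rec["bytes"] += f.bytes
            rec["sources"].add(f.sip)
    return {
        "icmp": {tc: {sip: len(dips) for sip, dips in by_src.items()}
                 for tc, by_src in icmp.items()},
        "udp": {port: {"flows": r["flows"], "bytes": r["bytes"],
                       "sources": len(r["sources"])}
                for port, r in udp.items()},
    }


def sliding_windows(flows, width, step):
    """Return [(window_start, summary), ...] for windows [start, start+width)
    advanced by `step` seconds, so consecutive windows overlap when step < width."""
    if not flows:
        return []
    flows = sorted(flows, key=lambda f: f.stime)
    first, last = flows[0].stime, flows[-1].stime
    out, start = [], first
    while start <= last:
        in_win = [f for f in flows if start <= f.stime < start + width]
        out.append((start, summarize_window(in_win)))
        start += step
    return out


def echo_sweeps(summary, min_targets):
    """Sources whose ICMP echo requests (type 8, code 0) reached >= min_targets hosts."""
    return {sip: n for sip, n in summary["icmp"].get((8, 0), {}).items()
            if n >= min_targets}


# Constructed sample: one host pings twelve neighbours in twelve seconds,
# one reply comes back, plus a few UDP flows (DNS on 53, SNMP on 161).
SAMPLE_FLOWS = (
    [Flow(100 + i, ICMP, "10.0.0.5", f"10.0.1.{i + 1}", 0, 8 * 256, 1, 84)
     for i in range(12)]
    + [Flow(101, ICMP, "10.0.1.1", "10.0.0.5", 0, 0, 1, 84)]
    + [Flow(t, UDP, "10.0.0.7", "10.0.2.53", 40000, 53, 1, 80)
       for t in (105, 130, 160)]
    + [Flow(140, UDP, "10.0.0.9", "10.0.2.1", 40001, 161, 2, 200)]
)

if __name__ == "__main__":
    for start, summary in sliding_windows(SAMPLE_FLOWS, width=60, step=30):
        print(start, "sweeps:", echo_sweeps(summary, 10), "udp:", summary["udp"])
```

With a 60-second window stepped by 30 seconds, the first window exposes the echo sweep (one source, twelve destinations under type 8 / code 0) that a TCP-oriented view keyed on ports would never show, while the UDP view keeps port-level counts; the overlap between windows is what lets a pattern straddling a window boundary still appear whole in the next one.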