TVi: a visual querying system for network monitoring and anomaly detection

Authors:
Alberto Boschetti;Luca Salgarelli;Chris Muelder;Kwan-Liu Ma
Affiliations:
University of Brescia NTW group Brescia, Italy;University of Brescia NTW group Brescia, Italy;University of California Davis VIDI Lab Davis, CA;University of California Davis VIDI Lab Davis, CA
Venue:
Proceedings of the 8th International Symposium on Visualization for Cyber Security
Year:
2011

Citing 22
Cited 1

The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Reordering the Reorderable Matrix as an Algorithmic Problem

Diagrams '00 Proceedings of the First International Conference on Theory and Application of Diagrams
The Spinning Cube of Potential Doom

Communications of the ACM - Wireless sensor networks
NVisionIP: netflow visualizations of system state for security situational awareness

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
PortVis: a tool for port-based detection of security events

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Countering Security Information Overload through Alert and Packet Visualization

IEEE Computer Graphics and Applications
Fast principal component analysis using fixed-point algorithm

Pattern Recognition Letters
Sensitivity of PCA for traffic anomaly detection

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
An overview of anomaly detection techniques: Existing solutions and latest technological trends

Computer Networks: The International Journal of Computer and Telecommunications Networking
Network monitoring using traffic dispersion graphs (tdgs)

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Applied Security Visualization

Applied Security Visualization
An empirical evaluation of entropy-based traffic anomaly detection

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
On the Visualization of Social and other Scale-Free Networks

IEEE Transactions on Visualization and Computer Graphics
FloVis: Flow Visualization System

CATCH '09 Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Unveiling core network-wide communication patterns through application traffic activity graph decomposition

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Efficient computation of PCA with SVD in SQL

Proceedings of the 2nd Workshop on Data Mining using Matrices and Tensors
Network anomaly detection and classification via opportunistic sampling

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
An experimental comparison of fast algorithms for drawing general large graphs

GD'05 Proceedings of the 13th international conference on Graph Drawing
Representing unevenly-spaced time series data for visualization and interactive exploration

INTERACT'05 Proceedings of the 2005 IFIP TC13 international conference on Human-Computer Interaction
Histogram-based traffic anomaly detection

IEEE Transactions on Network and Service Management

Visualizing big network traffic data using frequent pattern mining and hypergraphs

Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Monitoring, anomaly detection and forensics are essential tasks that must be carried out routinely for every computer network. The sheer volume of data generated by conventional anomaly detection tools such as Snort often makes it difficult to explain the nature of an attack and track down its source. In this paper we present TVi, a tool that combines multiple visual representations of network traces carefully designed and tightly coupled to support different levels of visual-based querying and reasoning required for making sense of complex traffic data. TVi allows analysts to visualize data starting at a high level, providing information related to the entire network, and easily move all the way down to a very low level, providing detailed information about selected hosts, anomalies and attack paths. We designed TVi with scalability and extensibility in mind: its DBMS foundations make it scalable with virtually no limitations, and other state-of-the-art IDS, like Snort or Bro, can be easily integrated in our tool. We demonstrate with two case studies, a synthetic dataset (DARPA 1999) and a real one (University of Brescia, UniBS, 2009), how TVi can enhance a network administrator's ability to reveal hidden patterns in network traces and link their key information so as to easily reveal details that by merely observing Snort's output would go unnoticed. We make TVi's source code available to the community under an Open Source license.