This paper presents PCAV (Parallel Coordinates Attack Visualizer), a real-time visualization system for detecting large-scale Internet attacks, including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on a parallel-coordinates plane using four values per flow: the source IP address, the destination IP address, the destination port and the average packet length. Each flow is drawn as a connected line across these four axes, and, surprisingly, during an attack a group of lines forms a particular shape. Thus, a simple but novel way of displaying traffic reveals ongoing attacks. Because numerous types of attacks each form a specific graph pattern, we have developed nine signatures and a detection mechanism for them using an efficient hashing algorithm. Using the graphical signatures, PCAV can quickly detect new attacks and enables network administrators to recognize and respond to them instantly. Another strength of PCAV is that it handles flows instead of packets. Per-flow visualization greatly reduces processing time and also provides compatibility with legacy routers that export flow information, such as NetFlow on Cisco routers. We have demonstrated the effectiveness of PCAV using real attack traffic.
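To make the idea of a group of flows forming a shape on the four axes concrete, the following added example (not PCAV's code, and not its nine signatures, which the abstract does not list) summarises each group of flows by how many distinct values it has per axis. The flow tuple layout, the `SPREAD` threshold, the three shape labels and the sample flows are all assumptions made for illustration.

```python
from collections import defaultdict

AXES = ("src", "dst", "dport", "avg_len")   # the four axes named in the abstract
SPREAD = 20   # assumed: distinct values before an axis counts as "many"

FAN_OUT = "fan-out: one source, many destinations, one port (scan/worm-like)"
FAN_IN = "fan-in: many sources, one destination, one port (DDoS-like)"
PORT_SWEEP = "port sweep: one source, one destination, many ports"
# Illustrative shapes only; these are not PCAV's nine signatures.
SHAPES = {
    ("one", "many", "one", "one"): FAN_OUT,
    ("many", "one", "one", "one"): FAN_IN,
    ("one", "one", "many", "one"): PORT_SWEEP,
}

def axis_shape(flows):
    """Summarise a group of flows as one/few/many distinct values per axis,
    i.e. whether its lines meet at a point or spread out on that axis."""
    shape = []
    for i in range(len(AXES)):
        distinct = len({flow[i] for flow in flows})
        shape.append("one" if distinct == 1 else "many" if distinct >= SPREAD else "few")
    return tuple(shape)

def find_shapes(flows):
    """Group flows by source, then by destination, and label matching groups."""
    findings = set()
    for pivot in (0, 1):
        groups = defaultdict(list)
        for flow in flows:
            groups[flow[pivot]].append(flow)
        for key, group in groups.items():
            label = SHAPES.get(axis_shape(group))
            if label:
                findings.add((AXES[pivot], key, label))
    return findings

# Constructed sample flows: (src, dst, dport, avg_len)
SAMPLE_FLOWS = (
    [("198.51.100.7", f"203.0.113.{i}", 445, 48) for i in range(1, 41)]
    + [(f"192.0.2.{i}", "203.0.113.200", 80, 40) for i in range(1, 61)]
    + [("10.0.0.2", "10.0.0.9", 443, 512), ("10.0.0.2", "10.0.0.9", 443, 1400),
       ("10.0.0.3", "10.0.0.9", 22, 96)]
)

if __name__ == "__main__":
    for axis, value, label in sorted(find_shapes(SAMPLE_FLOWS)):
        print(f"{axis}={value}: {label}")
```

Grouping by a single axis value and counting distinct values on the others is a per-flow operation over hashable keys, which is why this kind of check stays cheap on exported flow records.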