Visualized information is a technique that can encode large amounts of complex, interrelated data while remaining easy for a human user to quantify, manipulate, and process. Our aim is to develop a novel graphical technique for network traffic visualization that readily highlights anomalies arising within the network. In our work we are exclusively concerned with the information that can be extracted at the network layer (e.g., from the TCP/IP datagram). We chose the DARPA 1999 dataset because all of its intrusions are labeled, so we can easily observe the visualization's behavior while the network is under attack. Although applied here to a dataset, the visualization technique can also work on-line in a live network because it uses only data that can be extracted in real time. Experiments show our visualization technique to be a good medium for identifying possible network anomalies such as DoS attacks (e.g., Smurf and Mailbomb) as well as probing attacks (e.g., Portsweep and IPsweep).
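The abstract's key design choice is that everything feeding the picture comes from packet headers, so it could run on live traffic. The script below is an added illustration of that idea and is not the paper's technique: it aggregates header-only fields (source, destination, protocol, destination port) per source within a time window, renders the per-source fan-out as a text bar chart, and marks sources whose fan-out across hosts or ports is unusually wide, the pattern a probing attack such as IPsweep or Portsweep leaves in the headers. The traffic, the 10-second window, and the fan-out thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    """Fields obtainable from a packet header alone (no payload needed)."""
    ts: float   # capture time in seconds
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port; 0 for ICMP


def sample_headers():
    """Constructed traffic, not real capture data: one ordinary web client,
    one source touching many hosts, one source touching many ports."""
    pkts = [Header(1.0 + i, "10.0.0.5", "10.0.0.1", "tcp", 80) for i in range(3)]
    pkts += [Header(4.0 + i * 0.1, "10.0.0.9", f"10.0.0.{10 + i}", "icmp", 0)
             for i in range(20)]
    pkts += [Header(5.0 + i * 0.1, "10.0.0.7", "10.0.0.2", "tcp", 1 + i)
             for i in range(20)]
    return pkts


def window_features(headers, window=10.0):
    """Per (time window, source) aggregates: packet count, distinct
    destination hosts and distinct destination ports. Window size is an
    assumption of this example."""
    buckets = defaultdict(lambda: {"packets": 0, "hosts": set(), "ports": set()})
    for h in headers:
        b = buckets[(int(h.ts // window), h.src)]
        b["packets"] += 1
        b["hosts"].add(h.dst)
        if h.proto != "icmp":
            b["ports"].add(h.dport)
    return {k: {"packets": v["packets"], "hosts": len(v["hosts"]), "ports": len(v["ports"])}
            for k, v in buckets.items()}


def flag_sweeps(features, host_threshold=8, port_threshold=8):
    """Return the (window, source) keys whose fan-out reaches the thresholds,
    labelled by the dimension that stood out. Thresholds are illustrative,
    not values taken from the paper."""
    flagged = {}
    for key, f in features.items():
        labels = []
        if f["hosts"] >= host_threshold:
            labels.append("host-sweep")
        if f["ports"] >= port_threshold:
            labels.append("port-sweep")
        if labels:
            flagged[key] = labels
    return flagged


def render_bars(features, width=20):
    """Text bar chart: one line per (window, source) with bars for the
    number of distinct hosts and ports contacted."""
    lines = []
    for (win, src), f in sorted(features.items()):
        hosts = "#" * min(f["hosts"], width)
        ports = "#" * min(f["ports"], width)
        lines.append(f"w{win} {src:<10} pkts={f['packets']:>3} "
                     f"hosts|{hosts:<{width}}| ports|{ports:<{width}}|")
    return lines


if __name__ == "__main__":
    feats = window_features(sample_headers())
    print("\n".join(render_bars(feats)))
    for key, labels in flag_sweeps(feats).items():
        print("flag", key, labels)
```

On the constructed input the ordinary client shows one short bar in each column, while the two probing sources each produce a full-width bar in exactly one column; that asymmetry is what a header-only view can expose without inspecting payloads.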