Accommodating IPv6 Addresses in Security Visualization Tools

Visualization is used by security analysts to help detect patterns and trends in large volumes of network traffic data. With IPv6 slowly being deployed around the world, network intruders are beginning to adapt their tools and techniques to work over IPv6 (versus IPv4). Many tools for visualizing network activity, while useful for detecting large-scale attacks and network behavior anomalies, still only support IPv4. In this article, we explore the current state of IPv6 support in some popular security visualization tools and identify the roadblocks preventing those tools from supporting the new protocol. We propose a filtering technique that helps reduce the occlusion of IPv6 sources on graphs and enables IPv4 visualization tools to display both IPv4 and IPv6 sources on a single graph. We also suggest using treemaps for visually representing the vast space of remote addresses in IPv6.
