P3D: A parallel 3D coordinate visualization for advanced network scans

As network attacks increase in complexity, network administrators will continue to struggle with analyzing security data immediately and efficiently. To alleviate these challenges, researchers are looking into various visualization techniques (e.g., two-dimensional (2D) and three-dimensional (3D)) to detect, identify, and analyze malicious attacks. This paper discusses the benefits of using stereoscopic 3D parallel visualization techniques for network scanning, in particular when addressing occlusion-based visualization attacks intended to confuse network administrators. To our knowledge, no 2D or 3D tool exists that analyzes these attacks. Hence, we propose P3D, a novel 3D parallel coordinate visualization tool for advanced network scans and attacks. P3D uses flow data, filtering techniques, and state-of-the-art 3D technologies to help network administrators detect distributed and coordinated network scans. Compared to other 2D and 3D network security visualization tools, P3D prevents occlusion-based visualization attacks (e.g., Windshield Wiper and Port Source Confusion attacks). We validate our tool with use cases from emulated distributed scanning attacks. Our evaluation shows that P3D allows users to extract new information about scans and minimize information overload by adding an extra dimension and awareness region in the visualization.
