Visual exploration of malicious network objects using semantic zoom, interactive encoding and dynamic queries

This paper explores the application of visualization techniques to aid in the analysis of malicious and non-malicious binary objects. These objects may include any logically distinct chunks of binary data such as image files, word processing documents and network packets. To facilitate this analysis, we present a novel visualization technique for comparing and navigating among 600-1000+ such objects at one time. While the visualization technique alone has powerful application for both directed and undirected exploration of many classes of binary objects, we chose to study network packets. To increase effectiveness, we strengthened the visualization technique with novel, domain-specific semantic zooming, interactive encoding and dynamic querying capabilities. We present results and lessons learned from implementing these techniques and from studying both malicious and non-malicious network packets. Our results indicate that the information visualization system we present is an efficient and effective way to compare large numbers of network packets, visually examine their payloads and navigate to areas of interest within large network datasets.
