A Novel Visualization Approach for Efficient Network-wide Traffic Monitoring

Network traffic visualization is an effective means of monitoring anomalous activity and detecting large-scale network attacks. This work proposes a novel and flexible technique for representing the traffic activity captured in network flows and the patterns it contains. The technique uses a set of different space-filling curves (SFCs) to map the collected statistics to images that emphasize traffic patterns. Because the approach exploits the locality-preserving clustering property of SFCs, anomalies such as large-scale DDoS attacks and scanning activity become easier to identify than with traditional techniques. Widely dispersed communication patterns are also easier to understand with the proposed traffic-to-image mappings. The new representation preserves traffic properties, so anomaly detection remains accurate and robust even when the resulting images are aggressively compressed. In addition, the technique makes it easy to obtain the relation between multiple packet fields in order to analyze correlated attacks.
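The traffic-to-image mapping the abstract describes, as an added example that is not the paper's own code: per-host flow counts are placed on a 256x256 image with a Hilbert curve (one of the SFCs in the SFC family) and, for comparison, with a plain row-major layout. The monitored prefix 10.7.0.0/16, the sweep of 10.7.3.0/24 and the 16x downsampling step are constructed assumptions chosen to show how the curve's clustering property keeps a scan compact and survives compression.

```python
# Hilbert-curve traffic-to-image mapping (added example, not the paper's code).
# Constructed input: flow destination addresses in the hypothetical prefix 10.7.0.0/16.
import ipaddress
from collections import Counter

def hilbert_d2xy(order, d):
    """Map curve index d (0 <= d < 4**order) to (x, y) on a 2**order square."""
    n, x, y, s, t = 1 << order, 0, 0, 1, d
    while s < n:
        rx = 1 & (t >> 1)
        ry = 1 & (t ^ rx)
        if ry == 0:  # reflect/rotate the sub-square so the curve stays continuous
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x, y, t, s = x + s * rx, y + s * ry, t >> 2, s << 1
    return x, y

def rowmajor_d2xy(order, d):
    """Baseline layout: consecutive hosts fill image rows left to right."""
    return d % (1 << order), d // (1 << order)

def flows_to_image(dst_ips, prefix, mapper, order=8):
    """Count flows per destination host and place each host pixel with `mapper`."""
    net = ipaddress.ip_network(prefix)
    pixels = Counter()
    for ip in dst_ips:
        addr = ipaddress.ip_address(ip)
        if addr in net:
            pixels[mapper(order, int(addr) - int(net.network_address))] += 1
    return pixels

def bounding_box(pixels):
    """Width and height of the smallest rectangle covering all active pixels."""
    xs, ys = [x for x, _ in pixels], [y for _, y in pixels]
    return max(xs) - min(xs) + 1, max(ys) - min(ys) + 1

def downsample(pixels, factor):
    """Aggressive compression: sum counts over factor x factor blocks."""
    out = Counter()
    for (x, y), c in pixels.items():
        out[(x // factor, y // factor)] += c
    return out

# Constructed host sweep: one flow to every address in 10.7.3.0/24.
SWEEP = [f"10.7.3.{h}" for h in range(256)]
if __name__ == "__main__":
    for name, mapper in (("hilbert", hilbert_d2xy), ("row-major", rowmajor_d2xy)):
        img = flows_to_image(SWEEP, "10.7.0.0/16", mapper)
        print(name, "box", bounding_box(img), "hottest 16x16 cell", max(downsample(img, 16).values()))
```

With the Hilbert layout the 256 swept hosts occupy one 16x16 block that collapses into a single dense cell after 16x downsampling, whereas the row-major layout spreads the same sweep across a full 256-pixel row and dilutes it over 16 cells.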
