NVisionIP: netflow visualizations of system state for security situational awareness

The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.
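The class-B view the abstract describes can be reduced to a per-host aggregation over NetFlow records: each internal address maps to a cell indexed by its third and fourth octets, and each cell accumulates counters an analyst would inspect. The following Python is an added illustration, not NVisionIP's code; the monitored /16, the column/row layout, the record fields and the sample flows are all assumed and constructed here.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, packets). Not real traffic.
FLOWS = [
    ("10.20.3.7", "10.20.8.1", 22, 40),
    ("10.20.3.7", "10.20.8.2", 22, 38),
    ("10.20.3.7", "10.20.8.3", 22, 41),
    ("10.20.3.7", "10.20.8.4", 22, 39),
    ("10.20.5.9", "192.0.2.10", 443, 120),
    ("198.51.100.4", "10.20.5.9", 443, 95),
    ("10.20.5.9", "10.20.5.10", 80, 12),
]

# Assumed class-B (/16) under observation; 256 subnets x 256 hosts = one grid cell per address.
MONITORED = ipaddress.ip_network("10.20.0.0/16")


def grid_position(ip):
    """Map an address inside the monitored /16 to (subnet, host): third octet = column, fourth = row.
    Returns None for addresses outside the monitored block (they are peers, not cells)."""
    addr = ipaddress.ip_address(ip)
    if addr not in MONITORED:
        return None
    packed = addr.packed
    return (packed[2], packed[3])


def build_grid(flows):
    """Aggregate per-cell counters: flows out/in, distinct peers, distinct destination ports contacted."""
    cells = defaultdict(lambda: {"flows_out": 0, "flows_in": 0, "peers": set(), "dst_ports": set()})
    for src, dst, dport, _packets in flows:
        s, d = grid_position(src), grid_position(dst)
        if s is not None:  # internal source: count outbound activity
            cells[s]["flows_out"] += 1
            cells[s]["peers"].add(dst)
            cells[s]["dst_ports"].add(dport)
        if d is not None:  # internal destination: count inbound activity
            cells[d]["flows_in"] += 1
            cells[d]["peers"].add(src)
    return cells


def flag_fanout(cells, min_peers=4):
    """Cells whose host talks to at least min_peers distinct addresses; these are the cells an
    analyst would drill into first when scanning the grid for unusual hosts."""
    return sorted(c for c, v in cells.items()
                  if v["flows_out"] >= min_peers and len(v["peers"]) >= min_peers)
```

With the constructed flows, host 10.20.3.7 lands in cell (3, 7) and is the only one flagged, because it opened one flow to each of four distinct peers on the same port.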
