Visual Analytics for Root DNS Data

Analyzing vast amounts of network data to monitor and safeguard a core pillar of the internet, the root DNS, is an enormous challenge. An intuitive way of understanding the distribution of the queries received by the root DNS, and how those queries change over time, is sought. Traditional query analysis is performed packet by packet; it lacks global, temporal, and visual coherence and obscures latent trends and clusters. Our approach combines the pattern recognition and computational power of deep learning with 2D and 3D rendering techniques for quick and easy interpretation of, and interaction with, vast amounts of root DNS network traffic. In work with real-world DNS experts, our visualization reveals several surprising latent clusters of queries, potentially malicious and benign, discovers previously unknown characteristics of a real-world root DNS DDoS attack, and uncovers unforeseen changes in the distribution of queries received over time. These discoveries will provide DNS analysts with a deeper understanding of the nature of the DNS traffic under their charge, which will help them safeguard the root DNS against future attack.
