Processing Data to Construct Practical Visualizations for Network Security

Network vulnerabilities are increasingly rampant despite advances in Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). Even as funding and work by government, industry, and academia to counter these vulnerabilities increases, over 1,000 variants of worms and viruses have been discovered during the past six months [1], and the level of network traffic increases as capacity increases [2]. Network monitoring systems are already choked performing packet analyses for large networks, and traffic increases worsen the problem [3]. Information visualization methods deal with large datasets and provide far more insight and understanding to a human analyst than viewing text alone [4]. When techniques of information visualization have been applied to the network security domain, studies have shown a significant decrease in the time required to determine many types of network threats. The use of visualization with network data to aid in security is growing, but more work is still required. This article describes methods developed to scale a large amount of network data into meaningful visualizations for intrusion detection. These techniques were incorporated into the design and implementation of a tool to facilitate log analysis for IDSs. Capturing network traffic, the tool's design, the data-scaling method used before plotting, and definitions and illustrations of several threat models will be discussed.

Capturing and Parsing Network Data

Tcpdump, a standard packet-capturing tool, collects network data, and the parameters used for visualization are then parsed from the network packet headers. The advantage of parsing network packets rather than traffic-flow information is that packets can be processed in real time as they arrive, whereas flow statistics cannot be analyzed until the flow has ended. In our system, packet headers are parsed for information, but not the payload of the packet. This design choice was made because processing each packet payload would greatly increase the processing burden on the monitoring system. During the design of our system, we considered requirements for both forensic analysis and real-time traffic monitoring. Forensic analysis is used on static network captures after an incident has occurred. This is often performed by browsing through the capture logs with tools such as Ethereal [5] and is considered a tedious process. Currently, we have used forensic Honeynet traffic captures from the Georgia Institute of Technology network [6] and the Honeynet Scan of the Month [7], because they provide a good benchmark to test the effectiveness of the tool.
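A header-only parser of the kind this section describes, as an added example that is not the paper's tool: it reads a libpcap file (the format tcpdump -w writes), pulls the plotting parameters from the Ethernet, IPv4 and TCP headers, and derives the payload length from header fields without ever decoding the payload. The three-packet capture is constructed in memory, and the record field names are assumptions.

```python
import socket
import struct

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed sample data, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload

def pcap_file(frames):
    """Wrap (timestamp, frame) pairs in a libpcap file as tcpdump -w writes it (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_headers(pcap):
    """Return the per-packet fields used for plotting, read from headers only.
    The payload is located via header lengths but its bytes are never decoded."""
    records, off = [], 24  # skip the 24-byte libpcap global header
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # non-IPv4 frames carry none of the plotted parameters
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        rec = {"ts": ts, "src": socket.inet_ntoa(frame[26:30]),
               "dst": socket.inet_ntoa(frame[30:34]), "proto": frame[23],
               "sport": None, "dport": None, "flags": None, "payload_len": None}
        if rec["proto"] == PROTO_TCP and len(frame) >= 14 + ihl + 20:
            l4 = 14 + ihl
            rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
            rec["flags"] = frame[l4 + 13]
            data_off = (frame[l4 + 12] >> 4) * 4
            rec["payload_len"] = total_len - ihl - data_off  # from headers, payload untouched
        records.append(rec)
    return records

# Constructed three-packet capture: start of an SSH handshake, then an HTTP request with payload.
SAMPLE_PCAP = pcap_file([
    (1000, tcp_frame("10.0.0.5", "192.168.1.10", 40000, 22, 0x02)),   # SYN
    (1001, tcp_frame("192.168.1.10", "10.0.0.5", 22, 40000, 0x12)),   # SYN/ACK
    (1002, tcp_frame("10.0.0.5", "192.168.1.10", 40001, 80, 0x18, b"GET / HTTP/1.0\r\n")),
])
```

Each record is one row of the kind a scaling step can aggregate before plotting; the `payload_len` field costs only header arithmetic, which is the point of the header-only design.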

[1] Atul Prakash et al. Designing a Publish-Subscribe Substrate for Privacy/Security in Pervasive Environments. 2006 ACS/IEEE International Conference on Pervasive Services, 2006.

[2] William Yurcik et al. NVisionIP: netflow visualizations of system state for security situational awareness. VizSEC/DMSEC '04, 2004.

[3] Ganesh S. Oak. Information Visualization Introduction. 2022.

[4] Henry L. Owen et al. The use of Honeynets to detect exploited systems across large enterprise networks. IEEE Systems, Man and Cybernetics Society Information Assurance Workshop, 2003.

[5] Norbert Blei et al. Door to Door. 1985.

[6] Daniel A. Keim et al. Hierarchical Pixel Bar Charts. IEEE Trans. Vis. Comput. Graph., 2002.

[7] Hideki Koike et al. SnortView: visualization system of snort logs. VizSEC/DMSEC '04, 2004.

[8] Rita Yerkes et al. We Are All in This Together. 1985.

[9] Anind K. Dey et al. Managing Personal Information Disclosure in Ubiquitous Computing Environments. 2003.

[10] L. Levi. On Joint Stock Companies. 1870.

[11] Simon S. Y. Shim et al. Issues in high-speed Internet security. Computer, 2004.

[12] Joan Feigenbaum et al. The KeyNote Trust-Management System Version 2. RFC, 1999.

[13] Yifan Li et al. VisFlowConnect: netflow visualizations of link relationships for security situational awareness. VizSEC/DMSEC '04, 2004.

[14] Joan Feigenbaum et al. Compliance Checking in the PolicyMaker Trust Management System. Financial Cryptography, 1998.

[15] James A. Landay et al. An architecture for privacy-sensitive ubiquitous computing. MobiSys '04, 2004.

[16] Dan S. Wallach et al. Analysis of an electronic voting system. IEEE Symposium on Security and Privacy, 2004.

[17] Kevin Borders et al. CPOL: high-performance policy evaluation. CCS '05, 2005.