Real-time visualization of network behaviors for situational awareness

Plentiful, complex, and dynamic data make understanding the state of an enterprise network difficult. Although visualization can help analysts understand baseline behaviors in network traffic and identify off-normal events, visual analysis systems often do not scale well to operational data volumes (in the hundreds of millions to billions of transactions per day), nor to the analysis of emergent trends in real-time data. We present a system that combines multiple, complementary visualization techniques with in-stream analytics, behavioral modeling of network actors, and a high-throughput processing platform called MeDICi. This system provides situational understanding of real-time network activity to help analysts take proactive response steps. We have developed these techniques using requirements gathered from the government users for whom the tools are being developed. By linking multiple visualization tools to a streaming analytic pipeline, and designing each tool to support a particular kind of analysis (from high-level awareness to detailed investigation), analysts can understand the behavior of a network across multiple levels of abstraction.
