Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations
Florian Mansmann (1), Fabian Fischer (1), Daniel A. Keim (1), Stephen C. North (2)
(1) University of Konstanz, Germany
(2) AT&T Research, Florham Park, NJ, U.S.A.
Symposium on Computer-Human Interaction for Management of Information Technology (CHIMIT), Baltimore, MD, 2009
Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 2
Introduction
Photo by Guillaume Paumier / Wikimedia Commons, CC-by-sa-3.0
Do you still know what’s going on in your network?
How to combine all the data?
• Intrusion Detection, e.g. generated IDS events, firewall logs
• Network Traffic, e.g. NetFlow connections, bandwidth data, …
Visual Analytics with NFlowVis
[Architecture diagram; labels: Internet, Gateway, Private Network, PostgreSQL, Intrusion Detection (Generated Events), Network Traffic (NetFlow)]
Daily Traffic Overview
Daily Traffic Overview (Flows per Minute Widget)
Intrusion Detection View
Intrusion Detection View – Select IDS Data Source
Intrusion Detection View – Suspicious Hosts
Home-Centric Network Visualization
Graph Visualization
Host Details View
NetFlow Records
Service Monitoring with NFlowVis
• Example: Conficker Worm (11/2008)
• Exploits MS08-067 vulnerability
• RPC over Port 445/TCP
• Are there any compromised hosts in my network?
Intrusion Detection View – Suspicious Hosts
Home-Centric Network Visualization
Analyzing SSH Attacks with NFlowVis
• How was our network affected by these attacks?
http://stats.denyhosts.net/stats.html
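The two service-monitoring questions above (internal hosts fanning out on 445/TCP as Conficker does, and which internal SSH servers were hit from outside) come down to per-host distinct-peer counts over NetFlow records. The following is an added example in Python, not code from the NFlowVis project; the flow records, the 10.0.0.0/8 home prefix and the thresholds are constructed assumptions.

```python
# Added example (not NFlowVis code): fan-out / fan-in counts per service
# port over NetFlow-style records, the aggregation behind the "compromised
# hosts?" (445/TCP) and "affected by SSH attacks?" (22/TCP) questions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto, packets).
# 10.0.0.0/8 stands in for the private network; everything else is "Internet".
FLOWS = [
    ("10.1.1.5", "10.1.1.20", 445, "tcp", 12),
    ("10.1.1.5", "10.1.1.21", 445, "tcp", 3),
    ("10.1.1.5", "10.1.1.22", 445, "tcp", 3),
    ("10.1.1.5", "203.0.113.9", 445, "tcp", 3),
    ("10.1.1.5", "198.51.100.4", 445, "tcp", 3),
    ("10.1.1.7", "10.1.1.20", 445, "tcp", 40),  # ordinary file-share use
    ("192.0.2.10", "10.1.2.8", 22, "tcp", 9),
    ("192.0.2.11", "10.1.2.8", 22, "tcp", 9),
    ("192.0.2.12", "10.1.2.8", 22, "tcp", 9),
    ("192.0.2.12", "10.1.2.8", 22, "tcp", 9),   # repeat flow, same peer
    ("10.1.2.8", "192.0.2.10", 22, "tcp", 2),   # outbound, not an attack
]
HOME = ip_network("10.0.0.0/8")  # assumed private address range


def fan_out(flows, port, proto="tcp", home=HOME):
    """Distinct destinations each internal host contacted on port/proto.
    A scanning worm (Conficker probing 445/TCP) yields a large set here;
    a client talking to its one file server yields 1."""
    peers = defaultdict(set)
    for src, dst, dport, p, _ in flows:
        if dport == port and p == proto and ip_address(src) in home:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items()}


def fan_in(flows, port, proto="tcp", home=HOME):
    """Distinct external sources per internal service on port/proto:
    the home-centric view of which servers outside hosts are hammering."""
    sources = defaultdict(set)
    for src, dst, dport, p, _ in flows:
        if (dport == port and p == proto
                and ip_address(dst) in home and ip_address(src) not in home):
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def suspicious(counts, threshold):
    """Hosts whose distinct-peer count reaches threshold, busiest first."""
    hits = [(h, n) for h, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))
```

Thresholds need tuning per network: a domain controller or backup server legitimately talks to hundreds of peers on 445/TCP, so the result is a list of hosts to look at in the detail views, not a verdict.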
Remote Hosts with SSH connections (5th October 2009)
Home-Centric Network Visualization
Home-Centric Network Visualization (Drill-Down)
Graph Visualization
Home-Centric Network Visualization (SSH Attacks on 5th October 2009)
Graph Visualization (SSH Attacks on 5th October 2009)
Conclusions
• Intrusion Detection and Network Monitoring combined
• Automated Analysis combined with Interactive Exploration
• NFlowVis is a Visual Analytics System for Network Data
Thank you very much for your attention!
Questions?
For further information about this work please contact
Fabian Fischer
Tel. +49 7531 88-2780
http://nflowvis.dbvis.de/
References I
Ball, R., Fink, G., and North, C. (2004). Home-centric visualization of network traffic for security administration. Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pages 55–64.
Holten, D. (2006). Hierarchical Edge Bundles: Visualization of Adjacency Relations in Hierarchical Data. IEEE Trans. Vis. Comput. Graph., 12(5):741–748.
References II
Ellson, J., Gansner, E., Koutsofios, L., North, S., and Woodhull, G. (2002). Graphviz - Open Source Graph Drawing Tools. Lecture Notes in Computer Science, pages 483–484.
Shneiderman, B. (1992). Tree visualization with tree-maps: 2-d space-filling approach. ACM Trans. Graph., 11(1):92–99.
Hierarchical Edge Bundling