A Novel Visualization Approach for Efficient Network Scans Detection

Zhang, Jiawan; Li, Liang; Lu, Lidan; Zhou, Ning

doi:10.1109/sectech.2008.47

Cited by 8 publications

(5 citation statements)

References 7 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, brushing may become tedious when trying to select the behavior of one coordinate out of multiple coordinates. Scanveiwer [16] combines scatterplots, parallel coordinates, histograms and color maps into a single tool. However, occlusions due to large volumes of datasets result in cluttered visualizations and may cause data to be overlooked.…”

Section: A 2d Visualizations For Network Scanningmentioning

confidence: 99%

P3D: A parallel 3D coordinate visualization for advanced network scans

Nunnally

Chi

Abdullah

et al. 2013

2013 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

As network attacks increase in complexity, network administrators will continue to struggle with analyzing security data immediately and efficiently. To alleviate these challenges, researchers are looking into various visualization techniques (e.g., two-dimensional (2D) and three-dimensional (3D)) to detect, identify, and analyze malicious attacks. This paper discusses the benefits of using a stereoscopic 3D parallel visualization techniques for network scanning, in particular, when addressing occlusion-based visualization attacks intended to confuse network administrators. To our knowledge, no 2D or 3D tool exists that analyzes these attacks. Hence, we propose a novel 3D Parallel coordinate visualization tool for advanced network scans and attacks called P3D. P3D uses flow data, filtering techniques, and state-of-the art 3D technologies to help network administrators detect distributed and coordinated network scans. Compared to other 2D and 3D network security visualization tools, P3D prevents occlusion-based visualization attacks (e.g., Windshield Wiper and Port Source Confusion attacks). We validate our tool with use-cases from emulated distributed scanning attacks. Our evaluation shows P3D allows users to extract new information about scans and minimize information overload by adding an extra dimension and awareness region in the visualization.

show abstract

Section: A 2d Visualizations For Network Scanningmentioning

confidence: 99%

P3D: A parallel 3D coordinate visualization for advanced network scans

Nunnally

Chi

Abdullah

et al. 2013

2013 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

show abstract

“…Visualization systems and tools have been substantially designed and implemented to detect port scanning and other network intrusions in the past decade [1,3,7,8,11,13]. One popular approach is to visualize network connections to identify port-scan patterns.…”

Section: Related Work and Motivationsmentioning

confidence: 99%

“…Conti and Abdullah visualized the packet information such as IP and port with parallel coordinate plots to identify port scanning [3]. Similarly, Jiawan et al used traffic activities among hosts and mapped the collected datagram to graphs that emphasize port-scan patterns [8]. However, the port-scan traffic in these two approaches may be obscured by high-volume normal traffic, and therefore the corresponding patterns cannot be effectively shown on the screen and then detected by the human eye.…”

Section: Related Work and Motivationsmentioning

confidence: 99%

Detecting subtle port scans through characteristics based on interactive visualization

Wang

Yang

Chen

2014

Proceedings of the 3rd Annual Conference on Research in Information Technology

View full text Add to dashboard Cite

Port-scan detection is essentially vital to enterprise networks, since many intrusions start with scanning. A port scan can be obvious or subtle in terms of the volume of network traffic. In this paper, we propose a creative approach by combining the characteristic-based method and visual analytics to detect those hard-to-find subtle scans as well as obvious scans in an enterprise environment. The goal of designing this system is to provide useful information and implications about port-scan attackers and benign hosts to a network security team in a simple and efficient manner. The major components of the system consist of three different semantic level visualizations. Through several use cases, we illustrate how the system can detect both obvious and subtle port-scanning activities. The analysis approach proposed in this study proves to be effective by identifying all the port-scan attackers in the data sets.

show abstract

“…The hypothesis is that incorporating additional approaches to assist the visualization will provide more narrowly focused visual displays. Compared to earlier work that used visualization techniques for network scan detection [1,6,7], the proposed work is novel in the sense that graph-theoretical algorithms are used for preprocessing, and processed graph models instead of packet flows/connections are used in visual displays. In [6,1], a line is rendered to show a connection between a remote IP address and a local IP address and in [6] an additional histogram is used to show the number of datagrams of different type.…”

Section: Introductionmentioning

confidence: 99%

“…Compared to earlier work that used visualization techniques for network scan detection [1,6,7], the proposed work is novel in the sense that graph-theoretical algorithms are used for preprocessing, and processed graph models instead of packet flows/connections are used in visual displays. In [6,1], a line is rendered to show a connection between a remote IP address and a local IP address and in [6] an additional histogram is used to show the number of datagrams of different type. In [7], a 256x256 grid is used to plot the scans, where the x and y coordinates are the third and fourth bytes of the destination IP addresses scanned ("c" and "d" in the address a.b.c.d), and the color represents metrics based on statistical information regarding the arrival time at that IP address.…”

Section: Introductionmentioning

confidence: 99%

Visualizing graph features for fast port scan detection

Cheng

Erbacher

2013

Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop

View full text Add to dashboard Cite

Detection of sophisticated network scans, such as low and slow scans, requires correlation of large amounts of network data over long periods of time. The volume of data obfuscating such scans can be overwhelming and makes computation challenging. Such scans pose network security risks since identifying running services, the goal of executing such scans, is the first step in launching an attack on the scanned host. To detect sophisticated scans we propose the integration of graph feature extraction techniques with visualization to simultaneously optimize computational complexity and human analyst time. The integrated approach uses graph modeling and preprocessing to make visual displays easy to comprehend, and uses human intervention to avoid solving NP-hard computational problems while still providing real-time visualization.

show abstract

A Novel Visualization Approach for Efficient Network Scans Detection

Cited by 8 publications

References 7 publications

P3D: A parallel 3D coordinate visualization for advanced network scans

P3D: A parallel 3D coordinate visualization for advanced network scans

Detecting subtle port scans through characteristics based on interactive visualization

Visualizing graph features for fast port scan detection

Contact Info

Product

Resources

About