Upload File

visual support for analyzing network traffic and intrusion ...visual support for analyzing network...

  • Home
  • Documents
  • Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian
32
Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian Mansmann 1 Fabian Fischer 1 Daniel A. Keim 1 Stephen C. North 2 1 University of Konstanz, Germany 2 AT&T Research, Florham Park, NJ, U.S.A. Symposium on Computer-Human Interaction for Management of Information Technology, Baltimore, MD, 2009

Upload: others

Post on 23-Jun-2020

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic and

Intrusion Detection Events using TreeMap and

Graph Representations

Florian Mansmann1 Fabian Fischer1 Daniel A. Keim1 Stephen C. North2

1 University of Konstanz, Germany

2 AT&T Research, Florham Park, NJ, U.S.A.

Symposium on Computer-Human Interaction

for Management of Information Technology, Baltimore, MD, 2009

Page 2: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 2

Introduction

Photo by Guillaume Paumier / Wikimedia Commons, CC-by-sa-3.0

Page 3: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 3

Introduction

Photo by Guillaume Paumier / Wikimedia Commons, CC-by-sa-3.0

Do you still know,

what’s going on

in your network?

Page 4: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 4

How to combine all the data?

Intrusion Detection e.g. Generated IDS Events,

Firewall Logs

Network Traffic e.g. NetFlow connections,

Bandwidth data,…

Page 5: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 5

Visual Analytics with NFlowVis

Internet

Gateway

Private

Network

PostgreSQL

Intrusion Detection (Generated Events)

Network Traffic (NetFlow)

Page 6: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Daily Traffic Overview

Page 7: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Daily Traffic Overview (Flows per Minute Widget)

Page 8: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Intrusion Detection View

Page 9: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Intrusion Detection View – Select IDS Data Source

Page 10: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Intrusion Detection View – Suspicious Hosts

Page 11: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Intrusion Detection View – Suspicious Hosts

Page 12: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization

Page 13: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Graph Visualization

Page 14: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Host Details View

Page 15: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

NetFlow Records

Page 16: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 16

Service Monitoring with NFlowVis

• Example: Conficker Worm (11/2008)

• Exploits MS08-067 vulnerability

• RPC over Port 445/TCP

• Are there any compromised

hosts in my network?

Page 17: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Intrusion Detection View – Suspicious Hosts

Page 18: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization

Page 19: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 20

Analyzing SSH Attacks with NFlowVis

• How was our network affected by these attacks?

http://stats.denyhosts.net/stats.html

Page 20: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Remote Hosts with SSH connections (5th October 2009)

Page 21: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization

Page 22: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization (Drill-Down)

Page 23: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization (Drill-Down)

Page 24: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Graph Visualization

Page 25: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Home-Centric Network Visualization (SSH Attacks on 5th October 2009)

Page 26: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Graph Visualization (SSH Attacks on 5th October 2009)

Page 27: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 28

Conclusions

• Intrusion Detection and Network

Monitoring combined

• Automated Analysis combined with

Interactive Exploration

• NFlowVis is a Visual Analytics System

for Network Data

Page 28: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 29

Thank you very much

for your attention!

Questions?

For further information about this work please contact

Fabian Fischer

Tel. +49 7531 88-2780

[email protected]

http://nflowvis.dbvis.de/

Page 29: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 30

References I

Ball, R., Fink, G., and North, C. (2004).

Home-centric visualization of network traffic for security

administration.

Proceedings of the 2004 ACM workshop on Visualization and data

mining for computer security, pages 55–64.

Holten, D. (2006).

Hierarchical Edge Bundles: Visualization of Adjacency

Relations in Hierarchical Data.

IEEE Trans. Vis. Comput. Graph., 12(5):741–748.

Page 30: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 31

References II

Ellson, J., Gansner, E., Koutsofios, L., North, S., and

Woodhull, G. (2002).

Graphviz-Open Source Graph Drawing Tools.

Lecture Notes in Computer Science, pages 483–484.

Shneiderman, B. (1992).

Tree visualization with tree-maps: 2-d space-filling approach.

ACM Trans. Graph., 11(1):92–99.

Page 31: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 32

Hierarchical Edge Bundling

Page 32: Visual Support for Analyzing Network Traffic and Intrusion ...Visual Support for Analyzing Network Traffic and Intrusion Detection Events using TreeMap and Graph Representations Florian

Visual Support for Analyzing Network Traffic | Fabian Fischer | CHIMIT 2009 page 33

Hierarchical Edge Bundling


Handling and Analyzing Marine Traffic Datapublications.lib.chalmers.se › records › fulltext › 237234 › 237234.pdf · Handling and Analyzing Marine Traffic Data Master of

Pentest Accountability By Analyzing Network Traffic ... · Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko

Network Analysis of the Traffic Lines of the Tourists ...€¦ · analyzing the traffic lines of the tourists visiting Kamikawa Central district. There is no data for analyzing traffic

Intrusion Detection Based on Traffic Analysis in Wireless Sensor Networks

Measuring and Analyzing Road Traffic Noise - CityHush · 2012-12-17 · Measuring and Analyzing Road Traffic Noise Stockholm, December 11, 2012 ... • 3 VGA ethernet cameras: -60°

ROUGH SETS FOR ANALYZING ROAD TRAFFIC …. Nithya, S. Sharmila Jeyarani, A. Pradeep Kumar 377 ROUGH SETS FOR ANALYZING ROAD TRAFFIC ACCIDENTS P. Nithya1, S. Sharmila Jeyarani2, A

A Dynamic Model of Traffic on the Web for Analyzing Network

Techniques and Tools for Analyzing Intrusion Alertsmalam/papers/IntrusionDetection/Ning - Techniques...Techniques and Tools for Analyzing Intrusion Alerts † 275 classified as anomaly

Toward Cost-Sensitive Modeling for Intrusion …ids.cs.columbia.edu/sites/default/files/jcs_lee.pdfstream of events being monitored by an IDS and analyzing the activities using intrusion

NSM and Intrusion Detection - Hurricane Labs · Network Security Monitoring (or NSM for short) is the practice of collecting and/or analyzing network traffic for the express use of

Capturing & Analyzing Network Traffic: tcpdump/tshark …netseclab.mu.edu.tr/lectures/ceng/ceng4541/Slides/04_CapturingAnd... · Capturing & Analyzing Network Traffic: tcpdump/tshark

3 UTILIZING INTRUSION PREVENTION SYSTEM TO … · UTILIZING INTRUSION PREVENTION SYSTEM TO FETCH ... First, it captures real traffic ... packets with the representative packets if

Residential Traffic Calming Program › UserFiles › Servers › Server... · speeds on selected residential streets. Clearly, traffic intrusion is a problem which impacts diverse

Analyzing urban traffic demand distribution and the correlation … · 2018. 11. 21. · ORIGINAL PAPER Open Access Analyzing urban traffic demand distribution and the correlation

Analyzing Your Network Traffic Using a One Armed Sniffer

Using Wireshark For Analyzing CIFS Traffic - SNIA

Traffic Crash Reconstruction & Prevention Analyzing and Tracking HBD

Analyzing Traffic Layout Using Dynamic Social Network Analysis · Analyzing Traffic Layout Using Dynamic Social Network Analysis by Dr. Islam El-adaway Richard A. Rula Endowed Professor

Road Traffic Noise Intrusion Assessment€¦ · Road Traffic Noise Intrusion Assessment Page 11 of 20 Ref: 6446-1.1R 17-Apr-18 5.0 ROAD TRAFFIC NOISE LEVELS 5.1 Measured Road Traffic

Interpreting Network Traffic: A Network Intrusion Detector ... · PDF fileInterpreting Network Traffic: A Network Intrusion ... or malicious character ... Since few people in the network

Controlling Traffic Using Intrusion and File Policies...Controlling Traffic Using Intrusion and File Policies ... can use an intrusion policy—called the default intrus ion policy—to

Anomaly-based Intrusion Detection from Traffic Datamining on

Network Intrusion Detection System. Network Intrusion Detection Basics Network intrusion detection systems are designed to sniff network traffic and

Network Intrusion Detection: Evasion, Traffic Normalization, and End

Techniques and Tools for Analyzing Intrusion Alertsreeves.csc.ncsu.edu/papers-and-other-stuff/2004-05-tissec... · Techniques and Tools for Analyzing Intrusion Alerts PENG NING, YUN

Monitoring and Analyzing Traffic - Cisco › ... › monitr_analysis.pdf · Cisco Prime Network Analysis Module User Guide 2 Monitoring and Analyzing Traffic Cisco Prime Network Analysis

Analyzing and Simulating Network Game Traffic

IOS Application Security Part 11 – Analyzing Network Traffic Over HTTP-HTTPS

Detecting Hackers (Analyzing Network Traffic) by Poisson Model Measure

Analyzing & Converting Organic Search Traffic

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Monitoring and Analyzing Traffic - Cisco › ... › monitr_analysis.pdf · 3-5 Cisco Prime Network Analysis Module User Guide OL-31779-01 Chapter 3 Monitoring and Analyzing Traffic

Analyzing your Tendenci traffic

Analyzing Website Traffic Dan Belhassen greatBIGnews.com Modern Earth Inc

Network Intrusion Detection: Evasion, Traffic Normalization, and End