ABSTRACT
The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.
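The core of that graphical representation is a mapping from every possible host in a class-B network to one cell of a 256x256 grid, with per-host traffic counters deciding how brightly each cell is lit. The following is an added example written for this page, not NVisionIP's own code and not the flow-tools or Argus record formats a real deployment would read. It assumes a monitored network of 10.0.0.0/16, a layout with the third octet as the grid row and the fourth octet as the column, and constructed CSV-style flow records of the form src,dst,dst_port,bytes. It also shows one of the scenarios such a view makes visible: a local host sweeping an entire /24 on a single port, which paints a horizontal streak across one row of the grid.

```python
"""Class-B "galaxy" grid from NetFlow-like records (added example).

Assumptions (not from the paper): the monitored network is 10.0.0.0/16,
laid out as a 256x256 grid with the third octet as the row and the fourth
octet as the column, and records are constructed 'src,dst,dst_port,bytes'
lines rather than a real flow-tools/Argus export.
"""
import ipaddress
from collections import defaultdict

MONITORED = ipaddress.ip_network("10.0.0.0/16")  # assumed monitored class-B

# Constructed sample data: a little web traffic, one probe from an external
# address, and one local host sweeping 10.0.2.0/24 on a single port (1434).
SAMPLE_FLOWS = "\n".join(
    ["10.0.1.15,10.0.2.7,80,1200",
     "10.0.1.15,10.0.2.7,443,800",
     "10.0.2.7,10.0.1.15,443,5200",
     "192.168.9.9,10.0.3.44,22,320"]
    + [f"10.0.5.200,10.0.2.{h},1434,404" for h in range(1, 61)]
)


def parse_flows(text):
    """Parse 'src,dst,dst_port,bytes' lines into tuples; skip blanks and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def grid_position(ip, network=MONITORED):
    """Map a monitored host to its (row, col) cell: (third octet, fourth octet)."""
    ip = ipaddress.ip_address(ip)
    if ip not in network:
        raise ValueError(f"{ip} is outside {network}")
    return ip.packed[2], ip.packed[3]


def host_activity(flows, network=MONITORED):
    """Per monitored host: flow and byte counts, distinct peers, and the
    distinct destination ports it initiated traffic to.

    External addresses only ever appear as peers; they never get a cell.
    """
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0,
                                 "peers": set(), "dst_ports": set()})
    for src, dst, port, nbytes in flows:
        if src in network:
            s = stats[src]
            s["flows"] += 1
            s["bytes"] += nbytes
            s["peers"].add(dst)
            s["dst_ports"].add(port)
        if dst in network:
            s = stats[dst]
            s["flows"] += 1
            s["bytes"] += nbytes
            s["peers"].add(src)
    return stats


def host_summary(stats, ip):
    """Plain-value view of one host's counters, keyed by dotted-quad string."""
    s = stats[ipaddress.ip_address(ip)]
    return {"flows": s["flows"], "bytes": s["bytes"],
            "peers": len(s["peers"]), "dst_ports": sorted(s["dst_ports"])}


def render_grid(stats, metric="flows"):
    """256x256 matrix of the chosen metric; 0 means a dark cell (no traffic)."""
    grid = [[0] * 256 for _ in range(256)]
    for ip, s in stats.items():
        r, c = grid_position(ip)
        value = s[metric]
        grid[r][c] = len(value) if isinstance(value, set) else value
    return grid


def active_subnets(grid):
    """Rows (/24 subnets) with at least one lit cell, and how many hosts are lit."""
    return {row: sum(1 for v in cells if v)
            for row, cells in enumerate(grid) if any(cells)}


def flag_sweepers(stats, min_peers=32):
    """Hosts that contacted many distinct peers but only one destination port:
    the horizontal streak a single-port sweep draws across one grid row."""
    return sorted(str(ip) for ip, s in stats.items()
                  if len(s["peers"]) >= min_peers and len(s["dst_ports"]) == 1)


if __name__ == "__main__":
    st = host_activity(parse_flows(SAMPLE_FLOWS))
    print("active /24 rows:", active_subnets(render_grid(st, "peers")))
    print("single-port sweepers:", flag_sweepers(st))
```

Switching the metric passed to render_grid (flows, bytes, distinct peers, distinct destination ports) is the equivalent of choosing which measure colours the cells; the sweep shows up as 60 lit cells in row 2 regardless of metric, while the external probe at 192.168.9.9 is visible only through the single cell it lit at 10.0.3.44.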
Index Terms
- NVisionIP: netflow visualizations of system state for security situational awareness