SVision: Visual Identification of Scanning and Denial of Service Attacks

We propose a novel graphical technique (SVision) for intrusion detection, which pictures the network as a community of hosts independently roaming in a 3D space defined by the set of services that they use. The aim of SVision is to graphically cluster the hosts into normal and abnormal ones, highlighting only those considered a threat to the network. Our experimental results on the DARPA 1999 and 2000 intrusion detection evaluation datasets show that the proposed technique is a good candidate for the detection of various threats to the network, such as vertical and horizontal scanning, Denial of Service (DoS), and Distributed DoS (DDoS) attacks.
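The abstract gives the idea but not the coordinate mapping or the clustering rule. The following is an added example, not SVision's own code: it places each source host in a three-axis service space (web, mail, other; an assumed axis choice, since the paper's abstract does not state its axes) according to the share of its flows on each service, and then flags the three threat classes named above with simple count thresholds (a source contacting many hosts on one port is a horizontal scan, a source contacting many ports on one host is a vertical scan, a destination receiving a large packet volume is a DoS target, and a DDoS target if that volume comes from many sources). The flow records, the port-to-service table and the thresholds are all constructed for the example.

```python
"""Added example (not SVision's own code): position hosts in a 3-axis
service space built from flow records, then flag horizontal/vertical
scanners and (D)DoS targets with threshold rules.
All flow records below are constructed for the example."""
from collections import defaultdict

# Assumed service axes; the paper's abstract does not name its axes.
AXES = ("web", "mail", "other")
WEB_PORTS = {80, 443}
MAIL_PORTS = {25, 110, 143}


def service_of(port):
    """Map a destination port onto one of the assumed service axes."""
    if port in WEB_PORTS:
        return "web"
    if port in MAIL_PORTS:
        return "mail"
    return "other"


def make_sample_flows():
    """Constructed flows as (src, dst, dst_port, packets) tuples."""
    flows = [
        ("10.0.0.5", "10.0.1.10", 80, 20),   # ordinary web client
        ("10.0.0.5", "10.0.1.11", 443, 15),
        ("10.0.0.6", "10.0.1.20", 25, 10),   # mixed mail/web client
        ("10.0.0.6", "10.0.1.10", 80, 5),
    ]
    # Horizontal scan: one source probes port 22 on 12 hosts.
    flows += [("10.0.0.99", f"10.0.1.{i}", 22, 1) for i in range(1, 13)]
    # Vertical scan: one source probes 20 ports on one host.
    flows += [("10.0.0.77", "10.0.1.10", p, 1) for p in range(1, 21)]
    # DDoS: 30 sources flood the web server with 500 packets each.
    flows += [(f"10.0.2.{i}", "10.0.1.10", 80, 500) for i in range(1, 31)]
    return flows


def host_positions(flows):
    """Coordinates = share of a source host's flows on each service axis.

    A pure web client sits at (1, 0, 0); a host whose traffic is entirely
    on unclassified ports (as a port scanner's is here) sits at (0, 0, 1).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for src, _dst, port, _packets in flows:
        counts[src][service_of(port)] += 1
    positions = {}
    for host, by_axis in counts.items():
        total = sum(by_axis.values())
        positions[host] = tuple(round(by_axis[a] / total, 3) for a in AXES)
    return positions


def detect(flows, scan_width=8, dos_packets=5000, ddos_sources=20):
    """Threshold rules standing in for the visual clustering (assumed values)."""
    horiz_dsts = defaultdict(set)   # (src, port) -> set of dst hosts
    vert_ports = defaultdict(set)   # (src, dst)  -> set of dst ports
    dst_packets = defaultdict(int)  # dst -> total packets received
    dst_sources = defaultdict(set)  # dst -> set of sources
    for src, dst, port, packets in flows:
        horiz_dsts[(src, port)].add(dst)
        vert_ports[(src, dst)].add(port)
        dst_packets[dst] += packets
        dst_sources[dst].add(src)

    alerts = {"horizontal_scan": set(), "vertical_scan": set(),
              "dos": set(), "ddos": set()}
    for (src, _port), dsts in horiz_dsts.items():
        if len(dsts) >= scan_width:
            alerts["horizontal_scan"].add(src)
    for (src, _dst), ports in vert_ports.items():
        if len(ports) >= scan_width:
            alerts["vertical_scan"].add(src)
    for dst, packets in dst_packets.items():
        if packets >= dos_packets:
            kind = "ddos" if len(dst_sources[dst]) >= ddos_sources else "dos"
            alerts[kind].add(dst)
    return alerts


if __name__ == "__main__":
    sample = make_sample_flows()
    for host, pos in sorted(host_positions(sample).items()):
        print(host, pos)
    print(detect(sample))
```

In this toy version the scanners end up far from the ordinary clients in service space and the flooded server stands out by volume; on real traffic the axes, thresholds and the time window over which flows are aggregated all need tuning, and a scan spread over the monitored services (rather than over unclassified ports) would not separate on position alone.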
