Journal of Networks, Vol 6, No 4 (2011), 577-586, Apr 2011
doi:10.4304/jnw.6.4.577-586

A Visualization Tool for Exploring Multi-scale Network Traffic Anomalies

Romain Fontugne, Toshio Hirotsu, Kensuke Fukuda

Abstract


Since anomaly detection in Internet traffic is a crucial and still unmet challenge, many anomaly detectors for backbone traffic have recently been proposed. However, evaluating anomaly detectors is a complicated task because of the lack of ground truth data. Our goal is to provide good support for rapidly understanding traffic behaviors and to assist researchers in evaluating the effectiveness of anomaly detectors. This article presents an interactive tool that takes advantage of several graphical representations, each highlighting different aspects of network traffic and anomalies. The proposed tool allows network traffic to be explored at any temporal and/or spatial (address and port) scale. In addition, an accurate description of any sub-traffic is available in the form of textual packet information, enabling a complete understanding of the monitored traffic. We demonstrate the effectiveness of the proposed tool by analyzing darknet traffic, backbone traffic, and anomalies reported by an anomaly detector. We illustrate a manual validation of the anomalous traffic reported by anomaly detectors, and inspect a recent and sophisticated threat: the Conficker worm. We also describe several typical patterns that correspond to different kinds of anomalies.




Journal of Networks (JNW, ISSN 1796-2056)