Svision: Visual Identification of Scanning and Denial of Service Attacks

Iosif-Viorel Onut; Bin Zhu; Ali A. Ghorbani

Commenced in January 2007

Frequency: Monthly

Edition: International

Paper Count: 32794

Svision: Visual Identification of Scanning and Denial of Service Attacks

Authors: Iosif-Viorel Onut, Bin Zhu, Ali A. Ghorbani

Abstract:

We propose a novel graphical technique (SVision) for intrusion detection, which pictures the network as a community of hosts independently roaming in a 3D space defined by the set of services that they use. The aim of SVision is to graphically cluster the hosts into normal and abnormal ones, highlighting only the ones that are considered as a threat to the network. Our experimental results using DARPA 1999 and 2000 intrusion detection and evaluation datasets show the proposed technique as a good candidate for the detection of various threats of the network such as vertical and horizontal scanning, Denial of Service (DoS), and Distributed DoS (DDoS) attacks.

Keywords: Anomaly Visualization, Network Security, Intrusion Detection.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1334421

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1656

References:

[1] R. F. Erbacher, Visual traffic monitoring and evaluation, Conference on Internet Performance and Control of Network Systems II (Denver, CO, USA), August 2001, pp. 153-160.
[2] Deborah Estrin, Mark Handley, John Heidemann, Steven McCanne,Ya Xu, and Haobo Yu, Network visualization with the vint network animator nam, Tech. Report 99-703, University of Southern California, Los Angeles, March 1999.
[3] Mike Fisk, Steven Smith, Paul Weber, Satyam Kothapally, and Thomas Caudell, Immersive network monitoring, The Passive and Active Measurement Workshop (PAM2003) (SDSC at UC San Diego 9500 Gilman Drive La Jolla, CA 92093-0505 U.S.A.), April 2003.
[4] National Laboratory for Applied Network Research (NLANR)-s Measurement & Operations Analysis Team (MOAT), CICHLID data visualization software, http://moat.nlanr.net/Software/Cichlid/, 09 May 2005,last access.
[5] Frost and Sullivan, World intrusion detection and prevention systems markets, Tech. report, Frost and Sullivan, 7550 West Interstate 10, Suite 400 San Antonio, Texas 78229-5616. USA, 25 June 2004.
[6] Lincoln Laboratory, Intrusion detection evaluation data set DARPA 1999, http://www.ll.mit.edu/IST/ideval/data/1999/1999 data index.html, 1999.
[7] Lincoln Laboratory, Intrusion detection evaluation data set DARPA 2000, http://www.ll.mit.edu/IST/ideval/data/2000/2000 data index.html, 2000.
[8] Tobias Oetiker and Dave Rand, Multi router traffic grapher (mrtg), http://ee-staff.ethz.ch/oetiker/webtools/mrtg/, May 9, 2005 last access.
[9] D. Plonka, Flowscan: A network traffic flow reporting and visualization tool, USENIX Fourteenth System Administration Conference LISA XIV (New Orleans, LA), December 2000.
[10] Q1Labs, QRadar, http://www.q1labs.com/, May 9,2005, last access.
[11] Mark Spencer, Cheops network user interface, http://www.marko.net/ cheops/, May 9, 2005 last access.