TY - JOUR
T1 - IDGraphs
T2 - Intrusion detection and analysis using stream compositing
AU - Ren, Pin
AU - Gao, Yan
AU - Li, Zhichun
AU - Chen, Yan
AU - Watson, Benjamin
N1 - Funding Information:
This research was supported by National Science Foundation grant 0093172. We thank Peter Dinda for his suggestions and John Kristoff for his practitioner’s viewpoint.
PY - 2006/3
Y1 - 2006/3
N2 - Traffic anomalies and attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for operators of large networks. For a statistical intrusion detection system (IDS), it is crucial to detect at the flow level. However, existing IDS systems offer only limited support for interactively examining detected intrusions and anomalies, analyzing worm propagation patterns, and discovering correlated attacks. These problems are becoming even more acute as the traffic on today's high-speed routers continues to grow. IDGraphs is an interactive visualization system for intrusion detection that addresses these challenges. The central visualization in the system is a flow-level trace plotted with time on the horizontal axis and the total number of unsuccessful connections (indicating suspicious traffic) on the vertical axis. The article summarizes a stack of tens or hundreds of thousands of these traces using the histographs technique, which composites the traces and maps data density at each pixel to brightness. Users can zoom into or interactively query the summary view, performing analysis by highlighting subsets of the traces. For example, brushing a linked correlation matrix view highlights traces with similar patterns, revealing distributed attacks that are difficult to detect using standard statistical analysis. The article discusses the application of IDGraphs to a real network router data set with millions of flow-level records representing total traffic in the terabyte range. The system successfully detects and analyzes a variety of attacks and anomalies, including port scanning, worm outbreaks, stealthy TCP SYN flooding, and some distributed attacks.
AB - Traffic anomalies and attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for operators of large networks. For a statistical intrusion detection system (IDS), it is crucial to detect at the flow level. However, existing IDS systems offer only limited support for interactively examining detected intrusions and anomalies, analyzing worm propagation patterns, and discovering correlated attacks. These problems are becoming even more acute as the traffic on today's high-speed routers continues to grow. IDGraphs is an interactive visualization system for intrusion detection that addresses these challenges. The central visualization in the system is a flow-level trace plotted with time on the horizontal axis and the total number of unsuccessful connections (indicating suspicious traffic) on the vertical axis. The article summarizes a stack of tens or hundreds of thousands of these traces using the histographs technique, which composites the traces and maps data density at each pixel to brightness. Users can zoom into or interactively query the summary view, performing analysis by highlighting subsets of the traces. For example, brushing a linked correlation matrix view highlights traces with similar patterns, revealing distributed attacks that are difficult to detect using standard statistical analysis. The article discusses the application of IDGraphs to a real network router data set with millions of flow-level records representing total traffic in the terabyte range. The system successfully detects and analyzes a variety of attacks and anomalies, including port scanning, worm outbreaks, stealthy TCP SYN flooding, and some distributed attacks.
UR - http://www.scopus.com/inward/record.url?scp=33645238804&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33645238804&partnerID=8YFLogxK
U2 - 10.1109/MCG.2006.36
DO - 10.1109/MCG.2006.36
M3 - Article
C2 - 16548458
AN - SCOPUS:33645238804
VL - 26
SP - 28
EP - 39
JO - IEEE Computer Graphics and Applications
JF - IEEE Computer Graphics and Applications
SN - 0272-1716
IS - 2
ER -