Detecting Flaws and Intruders with Visual Data Analysis
September/October 2004 (vol. 24 no. 5)
pp. 27-35
Soon Tee Teoh, University of California, Davis
Kwan-Liu Ma, University of California, Davis
Soon Felix Wu, University of California, Davis
T.J. Jankun-Kelly, Mississippi State University
To ensure the normal operation of a large computer network system, the common practice is to constantly collect system logs and analyze the network activities for detecting anomalies. Most of the analysis methods in use today are highly automated due to the enormous size of the collected data. Conventional automated methods are largely based on statistical modeling, and some employ machine learning. This article presents interactive visualization as an alternative and effective data exploration method for understanding the complex behaviors of computer network systems. It describes three log-file analysis applications, and demonstrates how the use of the authors' visualization-centered tools can lead to the discovery of flaws and intruders in the network systems.

Index Terms:
information visualization, intrusion detection, visual data mining, network visualization, Internet routing stability
Citation:
Soon Tee Teoh, Kwan-Liu Ma, Soon Felix Wu, T.J. Jankun-Kelly, "Detecting Flaws and Intruders with Visual Data Analysis," IEEE Computer Graphics and Applications, vol. 24, no. 5, pp. 27-35, Sept.-Oct. 2004, doi:10.1109/MCG.2004.26