This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
IDGraphs: Intrusion Detection and Analysis Using Stream Compositing
March/April 2006 (vol. 26 no. 2)
pp. 28-39
ASCII Text
x 
 
Pin Ren, Yan Gao, Zhichun Li, Yan Chen, Benjamin Watson, "IDGraphs: Intrusion Detection and Analysis Using Stream Compositing," IEEE Computer Graphics and Applications, vol. 26, no. 2, pp. 28-39, March/April, 2006.
 
 
BibTex
x
 
@article{ 10.1109/MCG.2006.36,
author = {Pin Ren and Yan Gao and Zhichun Li and Yan Chen and Benjamin Watson},
title = {IDGraphs: Intrusion Detection and Analysis Using Stream Compositing},
journal ={IEEE Computer Graphics and Applications},
volume = {26},
number = {2},
issn = {0272-1716},
year = {2006},
pages = {28-39},
doi = {http://doi.ieeecomputersociety.org/10.1109/MCG.2006.36},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
 
 
RefWorks Procite/RefMan/Endnote
x 
 
TY - MGZN
JO - IEEE Computer Graphics and Applications
TI - IDGraphs: Intrusion Detection and Analysis Using Stream Compositing
IS - 2
SN - 0272-1716
SP28
EP39
EPD - 28-39
A1 - Pin Ren,
A1 - Yan Gao,
A1 - Zhichun Li,
A1 - Yan Chen,
A1 - Benjamin Watson,
PY - 2006
KW - Intrusion Detection
KW - Security Visualization
KW - Interactive System
KW - Brushing and Linking
KW - Correlation Matrix
KW - Dynamic Query
VL - 26
JA - IEEE Computer Graphics and Applications
ER -
 
Pin Ren, Northwestern University
Yan Gao, Northwestern University
Zhichun Li, Northwestern University
Yan Chen, Northwestern University
Benjamin Watson, North Carolina State University
Traffic anomalies and attacks are commonplace in today's networks and identifying them rapidly and accurately is critical for operators of large networks. For a statistical intrusion detection system (IDS), it's crucial to detect at the flow-level. However, existing IDS systems offer only limited support for interactively examining detected intrusions and anomalies, analyzing worm propagation patterns, and discovering correlated attacks. These problems are becoming even more acute as the traffic on today's high-speed routers continues to grow. IDGraphs is an interactive visualization system for intrusion detection that addresses these challenges. The central visualization in the system is a flow-level trace plotted with time on the horizontal axis and the total number of unsuccessful connections (indicating suspicious traffic) on the vertical axis. The article summarizes a stack of tens or hundreds of thousands of these traces using the histographs technique, which composites the traces and maps data density at each pixel to brightness. Users can zoom into or interactively query the summary view, performing analysis by highlighting subsets of the traces. For example, brushing a linked correlation matrix view highlights traces with similar patterns, revealing distributed attacks that are difficult to detect using standard statistical analysis. The article discusses the application of IDGraphs to a real network router data set with millions of flow-level records representing total traffic in the terabyte range. The system successfully detects and analyzes a variety of attacks and anomalies, including port scanning, worm outbreaks, stealthy TCP SYN flooding, and some distributed attacks.

1. D. Moore, G. Voelker, and S. Savage, "Inferring Internet Denial of Service Activity," Proc. USENIX Security Symp., Usenix Assoc., 2001, PP. 9-22.
2. V. Paxson, "Bro: A System for Detecting Network Intruders in Real Time," Computer Networks, vol. 31, no. 23-24, 1999, pp. 2435-2463.
3. P. Ren and B. Watson, Histographs: Interactive Visualization of Complex Data with Graphs, tech. report NWU-CS-05-12, Dept. Computer Sciences, Northwestern Univ., 2005; http:/www.cs.northwestern.edu/ publications/techreports/2005_TR/ NWU-CS-05-12.pdf.
4. H.N. Wang, D.L. Zhang, and K.G. Shin, "Change Point Monitoring for Detection of DoS Attacks," IEEE Trans. Dependable and Secure Computing, vol. 1, no. 4, 2004, pp. 193-208.
5. S. Staniford, J.A. Hoagland, and J.M. McAlerney, "Practical Automated Detection of Stealthy Portscans," J. Computer Security, vol. 10, no. 1-2, 2002, pp. 105-136.
6. D.F. Jerding and J.T. Stasko, "The Information Mural: A Technique for Displaying and Navigating Large Information Spaces," IEEE Trans. Visualization and Computer Graphics, vol. 4, no. 3, 1998, pp. 257-271.
7. B. Shneiderman, "The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations," Proc. IEEE Symp. Visual Languages, IEEE CS Press, 1996, p. 336.
8. M. Friendly, "Corrgrams: Exploratory Displays for Correlation Matrices," American Statistician, vol. 56, no. 4, 2002, pp. 316-324.
9. Y. Gao, Z. Li, and Y. Chen, "A DoS Resilient Flow-Level Intrusion Detection Approach for High-Speed Networks," to be published in Proc. 26th Int'l Conf. Distributed Computing, 2006.
10. J. McPherson et al., "PortVis: A Tool for Port-Based Detection of Security Events," Proc. ACM Workshop Visualization and Data Mining for Computer Security, (VizSEC/DMSEC), ACM Press, 2004, pp. 73-81.
11. X. Yin et al., "VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness," Proc. ACM Workshop Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 26-34.
12. K. Lakkaraju, W. Yurcik, and A.J. Lee, "NVisionIP: NetFlow Visualizations of System State for Security Situational Awareness," Proc. ACM Workshop Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 65-72.
13. K. Abdullah et al., "IDS RainStorm: Visualizing IDS Alarms," Proc. IEEE VizSEC, IEEE CS Press, 2005, pp. 1-10.
1. V. Paxson, "Bro: A System for Detecting Network Intruders in Real Time," Computer Networks, vol. 31, no. 23-24, 1999, pp. 2435-2463.
2. M. Roesch, Snort: The Lightweight Network Intrusion Detection System 2001; http://www.snort.org/docslisapaper.txt.
3. D. Moore, G. Voelker, and S. Savage, "Inferring Internet Denial of Service Activity," Proc. USENIX Security Symp., Usenix Assoc., 2001, pp. 9-22.
4. Y. Gao, Z. Li, and Y. Chen, "A DoS Resilient Flow-Level Intrusion Detection Approach for High-Speed Networks," to be published in Proc. 26th Int'l Conf. Distributed Computing, 2006.
5. C. Abad et al., "Log Correlation for Intrusion Detection: A Proof of Concept," Proc. Ann. Computer Security Applications Conf. (ACSAC), IEEE CS Press, 2003, pp. 255-264.
6. K. Lakkaraju, W. Yurcik, and A.J. Lee, "NVisionIP: Netflow Visualizations of System State for Security Situational Awareness," Proc. ACM Workshop Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 65-72.
7. S. Lau, "The Spinning Cube of Potential Doom," Comm. ACM, vol. 47, no. 6, 2004, pp. 25-26.
8. J. McPherson et al., "PortVis: A Tool for Port-Based Detection of Security Events," Proc. ACM Workshop Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 73-81.
9. X. Yin et al., "VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness," Proc. ACM Workshop Visualization and Data Mining for Computer Security (VizSEC/DMSEC), ACM Press, 2004, pp. 26-34.
10. K. Abdullah et al., "IDS RainStorm: Visualizing IDS Alarms," Proc. IEEE VizSEC Visualization for Computer Security, IEEE CS Press, 2005, pp. 1-10.

Index Terms:
Intrusion Detection, Security Visualization, Interactive System, Brushing and Linking, Correlation Matrix, Dynamic Query
Citation:
Pin Ren, Yan Gao, Zhichun Li, Yan Chen, Benjamin Watson, "IDGraphs: Intrusion Detection and Analysis Using Stream Compositing," IEEE Computer Graphics and Applications, vol. 26, no. 2, pp. 28-39, March-April 2006, doi:10.1109/MCG.2006.36
Usage of this product signifies your acceptance of the Terms of Use.