Feature selection and visualization techniques for network anomaly detector

Intrusion detection systems have been widely used as burglar alarms in the computer security field. There are two major types of detection techniques: misuse detection and anomaly detection. Although misuse detection can detect known attacks with lower false positive rate, anomaly detection is capable of detecting any new or varied attempted intrusion as long as the attempted intrusions disturb the normal states of the systems. The network anomaly detector is employed to monitor a segment of network for any suspicious activities based on the sniffered network traffic. The fast speed of network and wide use of encryption techniques make it almost unpractical to read payload information for the network anomaly detector. This work tries to answer the question: What are the best features for network anomaly detector? The main experiment data sets are from 1999 DARPA Lincoln Library off-line intrusion evaluation project since it is still the most comprehensive public benchmark data up to today. Firstly, 43 features of different levels and protocols are defined. Using the first three weeks as training data and last two weeks as testing data, the performance of the features are testified by using 5 different classifiers. Secondly, the feasibility of feature selection is investigated by employing some filter and wrapper techniques such as Correlation Feature Selection, etc. Thirdly, the effect of changing overlap and time window for the network anomaly detector is investigated. At last, GGobi and Mineset are utilized to visualize intrusion detections to save time and effort for system administrators. The results show the capability of our features is not limited to probing attacks and denial of service attacks. They can also detect remote to local attacks and backdoors. The feature selection techniques successfully reduce the dimensionality of the features from 43 to 10 without performance degrading. The three dimensional visualization pictures provide a straightforward view of normal network traffic and malicious attacks. The time plot of key features can be used to aid system administrators to quickly locate the possible intrusions

A dynamic three-dimensional network visualization program for integration into cyberciege and other network visualization scenarios

Detailed information and intellectual understanding of a network's topology and vulnerabilities is invaluable to better securing computer networks. Network protocol analyzers and intrusion detection systems can provide this additional information. In particular, game-based trainers, such as CyberCIEGE, have been shown to improve the level of training and understanding of network security professionals. This thesis' objective is to enhance these applications by developing NTAV3D, or, Network Topology and Attack Visualizer (Three Dimensional). NTAV3D is a tool that displays network topology, vulnerabilities, and attacks in an interactive, three dimensional environment. This augments the design and gameplay of CyberCIEGE by increasing gameplayer interaction and data display. Additionally, NTAV3D can be expanded to provide this capability to network analysis and intrusion detection tools. Furthermore, NTAV3D expands on ideas and results from related work of the best ways to visualize network topology, vulnerabilities, and attacks. NTAV3D was created using open-source software technologies including Xj3D, X3D, Java, and XML. It is also one of the first applications to be built with only the Xj3D toolkit. Therefore, the development process allowed evaluation of these technologies, resulting in recommendations for future improvements.http://archive.org/details/adynamicthreedim109453384US Navy (USN) authors.Approved for public release; distribution is unlimited

A Survey on Information Visualization for Network and Service Management

Network and service management encompasses a set of activities, methods, procedures, and tools whose ultimate goal is to guarantee the proper functioning of a networked system. Computational tools are essential to help network administrators in their daily tasks, and information visualization techniques are of great value in such context. In essence, information visualization techniques associated to visual analytics aim at facilitating the tasks of network administrators in the process of monitoring and maintaining the network health. This paper surveys the use of information visualization techniques as a tool to support the network and service management process. Through a Systematic Literature Review (SLR), we provide a historical overview and discuss the current state of the art in the field. We present a classification of 285 articles and papers from 1985 to 2013, according to an information visualization taxonomy as well as a network and service management taxonomy. Finally, we point out future research directions and opportunities regarding the use of information visualization in network and service management