9,205 research outputs found
An Iterative and Toolchain-Based Approach to Automate Scanning and Mapping Computer Networks
As today's organizational computer networks are ever evolving and becoming
more and more complex, finding potential vulnerabilities and conducting
security audits has become a crucial element in securing these networks. The
first step in auditing a network is reconnaissance by mapping it to get a
comprehensive overview over its structure. The growing complexity, however,
makes this task increasingly effortful, even more as mapping (instead of plain
scanning), presently, still involves a lot of manual work. Therefore, the
concept proposed in this paper automates the scanning and mapping of unknown
and non-cooperative computer networks in order to find security weaknesses or
verify access controls. It further helps to conduct audits by allowing
comparing documented with actual networks and finding unauthorized network
devices, as well as evaluating access control methods by conducting delta
scans. It uses a novel approach of augmenting data from iteratively chained
existing scanning tools with context, using genuine analytics modules to allow
assessing a network's topology instead of just generating a list of scanned
devices. It further contains a visualization model that provides a clear, lucid
topology map and a special graph for comparative analysis. The goal is to
provide maximum insight with a minimum of a priori knowledge.Comment: 7 pages, 6 figure
Sonification of Network Traffic Flow for Monitoring and Situational Awareness
Maintaining situational awareness of what is happening within a network is
challenging, not least because the behaviour happens within computers and
communications networks, but also because data traffic speeds and volumes are
beyond human ability to process. Visualisation is widely used to present
information about the dynamics of network traffic dynamics. Although it
provides operators with an overall view and specific information about
particular traffic or attacks on the network, it often fails to represent the
events in an understandable way. Visualisations require visual attention and so
are not well suited to continuous monitoring scenarios in which network
administrators must carry out other tasks. Situational awareness is critical
and essential for decision-making in the domain of computer network monitoring
where it is vital to be able to identify and recognize network environment
behaviours.Here we present SoNSTAR (Sonification of Networks for SiTuational
AwaReness), a real-time sonification system to be used in the monitoring of
computer networks to support the situational awareness of network
administrators. SoNSTAR provides an auditory representation of all the TCP/IP
protocol traffic within a network based on the different traffic flows between
between network hosts. SoNSTAR raises situational awareness levels for computer
network defence by allowing operators to achieve better understanding and
performance while imposing less workload compared to visual techniques. SoNSTAR
identifies the features of network traffic flows by inspecting the status flags
of TCP/IP packet headers and mapping traffic events to recorded sounds to
generate a soundscape representing the real-time status of the network traffic
environment. Listening to the soundscape allows the administrator to recognise
anomalous behaviour quickly and without having to continuously watch a computer
screen.Comment: 17 pages, 7 figures plus supplemental material in Github repositor
A Novel Visualization Method for Detecting DDoS Network Attacks
With the rapid growth of networks in size and complexity, netwok administrators today are facing more and more challenges for protecting their networked computers and other devices from all kinds of attacks. Unlike the traditional methods of analyzing textual log data, a visual interactive system called DDoSViewer is proposed in this paper for detecting DDoS kind of network attacks. DDoSViewer is specifically designed for detecting DDoS attacks through the analysis of visual patterns. We will discuss the data sources, visual structures and interactive functions that are used in the proposed visualization system. We will also discuss the advantages and disadvantages of the existing visual solutions for DDoS detection. The extraction and analysis of network data, the calculation and display of graphic elements¿ attributes and the pre-characteristics of DDoS attacks are all included in the new visualization technique. The experiments showed that the new system can detect DDoS attacks effectivel
A characteristic-based visual analytics approach to detect subtle attacks from NetFlow records
Security is essentially important for any enterprise networks. Denial of service, port scanning, and data exfiltration are among of the most common network intrusions. It\u27s urgent for network administrators to detect such attacks effectively and efficiently from network traffic. Though there are many intrusion detection systems (IDSs) and approaches, Visual Analytics (VA) provides a human-friendly approach to detect network intrusions with situational awareness functionality. Overview visualization is the first and most important step in a VA approach. However, many VA systems cannot effectively identify subtle attacks from massive traffic data because of the incapability of overview visualizations. In this work, we developed two overviews and tried to identify subtle attacks directly from these two overviews. Moreover, zoomed-in visualizations were also provided for further investigation. The primary data source was NetFlow and we evaluated the VA system with datasets from Mini Challenge 3 of VAST challenge 2013. Evaluation results indicated that the VA system can detect all the labeled intrusions (denial of service, port scanning and data exfiltration) with very few false alerts
Neural visualization of network traffic data for intrusion detection
This study introduces and describes a novel intrusion detection system (IDS) called MOVCIDS (mobile visualization connectionist IDS). This system applies neural projection architectures to detect anomalous situations taking place in a computer network. By its advanced visualization facilities, the proposed IDS allows providing an overview of the network traffic as well as identifying anomalous situations tackled by computer networks, responding to the challenges presented by volume, dynamics and diversity of the traffic, including novel (0-day) attacks. MOVCIDS provides a novel point of view in the field of IDSs by enabling the most interesting projections (based on the fourth order statistics; the kurtosis index) of a massive traffic dataset to be extracted. These projections are then depicted through a functional and mobile visualization interface, providing visual information of the internal structure of the traffic data. The interface makes MOVCIDS accessible from any mobile device to give more accessibility to network administrators, enabling continuous visualization, monitoring and supervision of computer networks. Additionally, a novel testing technique has been developed to evaluate MOVCIDS and other IDSs employing numerical datasets. To show the performance and validate the proposed IDS, it has been tested in different real domains containing several attacks and anomalous situations. In addition, the importance of the temporal dimension on intrusion detection, and the ability of this IDS to process it, are emphasized in this workJunta de Castilla and Leon project BU006A08, Business intelligence for production within the framework of the Instituto Tecnologico de Cas-tilla y Leon (ITCL) and the Agencia de Desarrollo Empresarial (ADE), and the Spanish Ministry of Education and Innovation project CIT-020000-2008-2. The authors would also like to thank the vehicle interior manufacturer, Grupo Antolin Ingenieria S. A., within the framework of the project MAGNO2008-1028-CENIT Project funded by the Spanish Government
Designing an interactive visualization for intrusion detection systems with video game theory and technology
With an ever increasing number of attacks on networks that have an even more increasing amount of information being communicated across them, the old means of examining network data for intruders and malicious acts through text no longer works. Even with the help of filters and data aggregation there is too much for a person to read through and get a clear understanding of what is happen across a network, causing security officers to many times miss intrusions. With an overwhelming amount of false alerts from incorrectly setup Intrusion Detection Systems and not enough time to sift through them all, a new means of displaying and interacting with the network data presented by intrusion detection system is needed. That is why there has been an increase in research about how to create visualizations for networks that will allow someone to better understand what is happening across a network. Using previous research as well as a study of the theory and architecture used by the video game industry on interactive environments, it is possible to create an intuitive interactive visual environment of network data that will help network administrators more effectively understand their networks and where potential threats may lurk. Therefore, this proposed design attempts to help solve the problem of network communication comprehension
Feature selection and visualization techniques for network anomaly detector
Intrusion detection systems have been widely used as burglar alarms in the computer security field. There are two major types of detection techniques: misuse detection and anomaly detection. Although misuse detection can detect known attacks with lower false positive rate, anomaly detection is capable of detecting any new or varied attempted intrusion as long as the attempted intrusions disturb the normal states of the systems. The network anomaly detector is employed to monitor a segment of network for any suspicious activities based on the sniffered network traffic. The fast speed of network and wide use of encryption techniques make it almost unpractical to read payload information for the network anomaly detector. This work tries to answer the question: What are the best features for network anomaly detector? The main experiment data sets are from 1999 DARPA Lincoln Library off-line intrusion evaluation project since it is still the most comprehensive public benchmark data up to today. Firstly, 43 features of different levels and protocols are defined. Using the first three weeks as training data and last two weeks as testing data, the performance of the features are testified by using 5 different classifiers. Secondly, the feasibility of feature selection is investigated by employing some filter and wrapper techniques such as Correlation Feature Selection, etc. Thirdly, the effect of changing overlap and time window for the network anomaly detector is investigated. At last, GGobi and Mineset are utilized to visualize intrusion detections to save time and effort for system administrators. The results show the capability of our features is not limited to probing attacks and denial of service attacks. They can also detect remote to local attacks and backdoors. The feature selection techniques successfully reduce the dimensionality of the features from 43 to 10 without performance degrading. The three dimensional visualization pictures provide a straightforward view of normal network traffic and malicious attacks. The time plot of key features can be used to aid system administrators to quickly locate the possible intrusions
- …