Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats
by Florian Mansmann, Daniel A. Keim, Stephen C. North,
Brian Rexroad, and Daniel Sheleheda
Presented by Sorin Stancu-Mara, March 20, 2009
Why?
• Visualize internet activity
• Visualize large portions of the internet
• Aggregate data according to
– Continent
– Country
– AS (autonomous system)
– IP prefix
• Identify emerging threats and network anomalies
Data
• Collected via different methods
– Border gateway router logs
– Flow traces
– Router logs
– GeoIP
• Everything is stored in a commercial OLAP database
Data
• 2 dimensions:
– Address space:
• 7 continents
• 190 countries
• 23054 autonomous systems
• 197427 prefixes
– Time:
• Milliseconds
• Seconds
• Minutes
• Hours
• Days
• Months
• Years
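The aggregation the slides describe (each flow mapped into the prefix / AS / country / continent hierarchy by longest-prefix match, then counted per time bucket) as an added Python example; this is not the authors' code and not part of the original slides. The prefix table, AS numbers and flow lines are constructed for the example, and an in-memory Counter stands in for the OLAP store. Addresses that fall outside the table go into an "unknown" bucket, the role the slides give to the "seventh continent" for space without a country reference.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed prefix table (assumed values, not the paper's data set):
# prefix -> (continent, country, autonomous system number)
PREFIX_TABLE = {
    "10.0.0.0/8":    ("EU", "DE", 64512),
    "10.1.0.0/16":   ("EU", "DE", 64513),   # more specific prefix, different AS
    "172.16.0.0/12": ("NA", "US", 64514),
    "192.0.2.0/24":  ("OC", "AU", 64515),
}

# Sort once, most specific first, so a linear scan is a longest-prefix match.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), meta) for p, meta in PREFIX_TABLE.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

LEVELS = ("continent", "country", "as", "prefix")   # top to bottom of the hierarchy


def classify(ip):
    """Longest-prefix match of one address into the continent/country/AS/prefix path.

    Returns None when the address is outside the table; the caller decides
    how to bucket such traffic.
    """
    addr = ipaddress.ip_address(ip)
    for net, (continent, country, asn) in _NETWORKS:
        if addr in net:
            return {"continent": continent, "country": country,
                    "as": asn, "prefix": str(net)}
    return None


def parse_flow(line):
    """Parse one constructed flow line: '<unix_ts> <src_ip> <dst_ip> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "bytes": int(nbytes)}


def aggregate(lines, level, time_bucket="hour"):
    """Count connections and bytes per node at `level`, per time bucket, keyed on
    the destination of each flow.

    Returns two Counters keyed by (bucket, path...) where path is the hierarchy
    from continent down to and including `level`.
    """
    depth = LEVELS.index(level) + 1
    fmt = {"hour": "%Y-%m-%dT%H", "day": "%Y-%m-%d"}[time_bucket]
    conns, byts = Counter(), Counter()
    for line in lines:
        flow = parse_flow(line)
        node = classify(flow["dst"])
        if node is None:
            # unassigned space / no country reference: the slides' "seventh continent"
            node = {lvl: "unknown" for lvl in LEVELS}
        bucket = datetime.fromtimestamp(flow["ts"], tz=timezone.utc).strftime(fmt)
        key = (bucket,) + tuple(node[lvl] for lvl in LEVELS[:depth])
        conns[key] += 1
        byts[key] += flow["bytes"]
    return conns, byts


# Constructed flow records; timestamps fall on 2005-11-29 UTC (00:00 and 01:00 hours).
FLOWS = """\
1133222400 203.0.113.5 10.1.2.3 1200
1133222460 203.0.113.5 10.2.2.3 800
1133222520 203.0.113.9 172.16.5.5 64
1133226000 203.0.113.9 192.0.2.8 3000
1133226060 203.0.113.9 198.51.100.1 400
""".splitlines()

if __name__ == "__main__":
    conns, byts = aggregate(FLOWS, "country")
    for key in sorted(conns):
        print(key, "connections:", conns[key], "bytes:", byts[key])
```

Rolling up to a coarser level is just a shorter key, so the same pass serves the continent, country, AS and prefix views; a real system would keep the finest (prefix, millisecond) grain in the store and let the OLAP engine do the roll-ups.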
Display
• Use hierarchical trees
• Each node = a rectangle
• All children are drawn inside the parent
• Parent size ~ number of nodes it contains
• Each leaf color = the analyzed fact
Features
• Complete space utilization
• Rather easy to generate
• Stable under strong changes
• Easy to understand
• Hard to comprehend
HistoMap - limitations
• Must remove less significant nodes
• Doesn't aggregate properly under zooming
• Displays only node measurements, not interactions
HistoMap results
Geographic HistoMap layout of the upper two levels of the IP hierarchy. Size represents the number of IP addresses assigned to each country. A seventh continent is placed below Australia to visualize ASes without country reference, anonymous proxies, and satellite providers.
HistoMap results
HistoMap 1D layout of all autonomous systems in Germany. The measure (number of incoming connections) of each item is expressed through color.
Order Preserving Layout
• Use the StripTree layout
– Start with a row
• Add nodes to the row while its aspect ratio keeps decreasing (improving)
• Otherwise create a new row and continue
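The nested-rectangle display (each node a rectangle, children inside the parent, leaf colour carrying the measure) together with the order-preserving strip layout just described, as an added Python example; this is not the authors' HistoMap implementation. The sample hierarchy, its sizes and measures, and the white-to-red colour ramp are constructed here for illustration. Zero-weight nodes are dropped before layout, which is the simplest form of the "remove less significant nodes" step the slides mention.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Rect = Tuple[float, float, float, float]   # x, y, width, height


@dataclass
class Node:
    """One level of the address hierarchy (continent, country, AS, prefix)."""
    name: str
    size: float = 0.0                 # leaf size, e.g. number of IP addresses
    measure: float = 0.0              # leaf fact shown as colour, e.g. incoming connections
    children: List["Node"] = field(default_factory=list)
    rect: Optional[Rect] = None       # assigned by layout()

    def weight(self) -> float:
        """A rectangle's area is proportional to the leaf sizes it contains."""
        return self.size if not self.children else sum(c.weight() for c in self.children)


def _avg_aspect(areas: List[float], strip_width: float) -> float:
    """Average aspect ratio (>= 1, where 1 is a square) of items sharing one strip."""
    strip_height = sum(areas) / strip_width
    ratios = []
    for a in areas:
        item_width = a / strip_height
        ratios.append(max(item_width / strip_height, strip_height / item_width))
    return sum(ratios) / len(ratios)


def strip_layout(items: List[Tuple[Node, float]], x, y, w, h) -> List[Tuple[Node, Rect]]:
    """Order-preserving strip layout: open a row, keep adding items while the
    average aspect ratio does not get worse, then close the row and continue."""
    if not items:
        return []
    total = sum(wt for _, wt in items)
    scale = (w * h) / total                     # area per unit of weight
    areas = [wt * scale for _, wt in items]
    placed, cur_y, i = [], y, 0
    while i < len(items):
        best, j = _avg_aspect(areas[i:i + 1], w), i + 1
        while j < len(items):
            cand = _avg_aspect(areas[i:j + 1], w)
            if cand > best:                     # next item would worsen the row
                break
            best, j = cand, j + 1
        strip_h = sum(areas[i:j]) / w           # row height from the row's total area
        cur_x = x
        for k in range(i, j):
            item_w = areas[k] / strip_h
            placed.append((items[k][0], (cur_x, cur_y, item_w, strip_h)))
            cur_x += item_w
        cur_y += strip_h
        i = j
    return placed


def layout(node: Node, x: float, y: float, w: float, h: float) -> None:
    """Recursively nest children inside their parent's rectangle; zero-weight
    nodes are dropped (they would get no area anyway)."""
    node.rect = (x, y, w, h)
    kids = [(c, c.weight()) for c in node.children if c.weight() > 0]
    for child, (cx, cy, cw, ch) in strip_layout(kids, x, y, w, h):
        layout(child, cx, cy, cw, ch)


def leaves(node: Node) -> List[Node]:
    return [node] if not node.children else [l for c in node.children for l in leaves(c)]


def colour(value: float, vmin: float, vmax: float) -> str:
    """Linear white-to-red ramp for the leaf measure, as a CSS hex colour (assumed scale)."""
    t = 0.0 if vmax == vmin else min(1.0, max(0.0, (value - vmin) / (vmax - vmin)))
    g = int(round(255 * (1 - t)))
    return f"#ff{g:02x}{g:02x}"


def to_svg(root: Node, w: float, h: float) -> str:
    """Lay the tree out in a w x h canvas and draw the leaves as coloured rectangles."""
    layout(root, 0, 0, w, h)
    lv = [l for l in leaves(root) if l.rect is not None]
    vmin, vmax = min(l.measure for l in lv), max(l.measure for l in lv)
    parts = []
    for l in lv:
        x, y, rw, rh = l.rect
        parts.append(f'<rect x="{x:.2f}" y="{y:.2f}" width="{rw:.2f}" height="{rh:.2f}" '
                     f'fill="{colour(l.measure, vmin, vmax)}" stroke="black">'
                     f'<title>{l.name}</title></rect>')
    return f'<svg xmlns="http://www.w3.org/2000/svg" width="{w}" height="{h}">{"".join(parts)}</svg>'


# Constructed sample hierarchy (assumed values, not the paper's data).
SAMPLE = Node("Internet", children=[
    Node("EU", children=[Node("DE", size=3, measure=120), Node("FR", size=1, measure=10)]),
    Node("NA", children=[Node("US", size=4, measure=60)]),
    Node("AQ", children=[Node("no-country", size=0, measure=0)]),   # dropped: zero weight
])

if __name__ == "__main__":
    print(to_svg(SAMPLE, 400, 200))
```

Because items are consumed in their input order and each row is filled left to right before the next row starts below it, the position of a country or AS stays the same from one snapshot to the next as long as its ancestors' relative sizes do; that is the stability the slides credit to the layout, and the reason a change in colour, not position, is what the eye should pick up between frames.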
HistoMap – The Internet
Anonymized outgoing traffic connections from our university gateway on November 29th, 2005, showing all 197427 IP prefixes.
HistoMap – Botnet Spread
(slides 12 to 14: a sequence of HistoMap figures with no text)
Conclusions
• Easy to render
• Easy to understand
• Stable under changes
• Can highlight hierarchical structure and leaf measurements
• Doesn't show node interactions
• Requires an OLAP data provider