A visualization methodology for characterization of network scans

Chris Muelder, Kwan-Liu Ma, Tony Bartoletti

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

37 Citations (Scopus)

Abstract

Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do is refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.

Original language: English (US)
Title of host publication: IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings
Pages: 29-38
Number of pages: 10
DOIs: https://doi.org/10.1109/VIZSEC.2005.1532063
State: Published - Dec 1 2005
Event: IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05 - Minneapolis, MN, United States
Duration: Oct 26 2005 → Oct 26 2005

Other

Other: IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05
Country: United States
City: Minneapolis, MN
Period: 10/26/05 → 10/26/05

Fingerprint

Visualization
Statistics
Network routing
Monitoring

Keywords

  • Adversary characterization
  • Clustering
  • Cyber forensics
  • Graph visualization
  • Information visualization
  • Network scans
  • Scalograms
  • Security visualization
  • Wavelets

ASJC Scopus subject areas

  • Engineering (all)

Cite this

Muelder, C., Ma, K-L., & Bartoletti, T. (2005). A visualization methodology for characterization of network scans. In IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings (pp. 29-38). [1532063] https://doi.org/10.1109/VIZSEC.2005.1532063

@inproceedings{10afa9b6a224440ebf1af187b6ff70b8,
title = "A visualization methodology for characterization of network scans",
abstract = "Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do is refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.",
keywords = "Adversary characterization, Clustering, Cyber forensics, Graph visualization, Information visualization, Network scans, Scalograms, Security visualization, Wavelets",
author = "Chris Muelder and Kwan-Liu Ma and Tony Bartoletti",
year = "2005",
month = "12",
day = "1",
doi = "10.1109/VIZSEC.2005.1532063",
language = "English (US)",
isbn = "0780394771",
pages = "29--38",
booktitle = "IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings",

}

TY - GEN

T1 - A visualization methodology for characterization of network scans

AU - Muelder, Chris

AU - Ma, Kwan-Liu

AU - Bartoletti, Tony

PY - 2005/12/1

Y1 - 2005/12/1

AB - Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do is refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.

KW - Adversary characterization

KW - Clustering

KW - Cyber forensics

KW - Graph visualization

KW - Information visualization

KW - Network scans

KW - Scalograms

KW - Security visualization

KW - Wavelets

UR - http://www.scopus.com/inward/record.url?scp=33749513452&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33749513452&partnerID=8YFLogxK

U2 - 10.1109/VIZSEC.2005.1532063

DO - 10.1109/VIZSEC.2005.1532063

M3 - Conference contribution

SN - 0780394771

SN - 9780780394773

SP - 29

EP - 38

BT - IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings

ER -