Abstract
Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.
| Original language | English (US) |
|---|---|
| Title of host publication | IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings |
| Pages | 29-38 |
| Number of pages | 10 |
| DOIs | |
| State | Published - Dec 1 2005 |
| Event | IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05 - Minneapolis, MN, United States Duration: Oct 26 2005 → Oct 26 2005 |
Other
| Other | IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05 |
|---|---|
| Country | United States |
| City | Minneapolis, MN |
| Period | 10/26/05 → 10/26/05 |
Fingerprint
Keywords
- Adversary characterization
- Clustering
- Cyber forensics
- Graph visualization
- Information visualization
- Network scans
- Scalograms
- Security visualization
- Wavelets
ASJC Scopus subject areas
- Engineering(all)
Cite this
A visualization methodology for characterization of network scans. / Muelder, Chris; Ma, Kwan-Liu; Bartoletti, Tony.
IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings. 2005. p. 29-38 1532063.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - A visualization methodology for characterization of network scans
AU - Muelder, Chris
AU - Ma, Kwan-Liu
AU - Bartoletti, Tony
PY - 2005/12/1
Y1 - 2005/12/1
N2 - Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.
AB - Many methods have been developed for monitoring network traffic, both using visualization and statistics. Most of these methods focus on the detection of suspicious or malicious activities. But what they often fail to do refine and exercise measures that contribute to the characterization of such activities and their sources, once they are detected. In particular, many tools exist that detect network scans or visualize them at a high level, but not very many tools exist that are capable of categorizing and analyzing network scans. This paper presents a means of facilitating the process of characterization by using visualization and statistics techniques to analyze the patterns found in the timing of network scans through a method of continuous improvement in measures that serve to separate the components of interest in the characterization so the user can control separately for the effects of attack tool employed, performance characteristics of the attack platform, and the effects of network routing in the arrival patterns of hostile probes. The end result is a system that allows large numbers of network scans to be rapidly compared and subsequently identified.
KW - Adversary characterization
KW - Clustering
KW - Cyber forensics
KW - Graph visualization
KW - Information visualization
KW - Network scans
KW - Scalograms
KW - Security visualization
KW - Wavelets
UR - http://www.scopus.com/inward/record.url?scp=33749513452&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33749513452&partnerID=8YFLogxK
U2 - 10.1109/VIZSEC.2005.1532063
DO - 10.1109/VIZSEC.2005.1532063
M3 - Conference contribution
SN - 0780394771
SN - 9780780394773
SN - 0780394771
SN - 9780780394773
SP - 29
EP - 38
BT - IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings
ER -