TVi

A visual querying system for network monitoring and anomaly detection

Alberto Boschetti, Luca Salgarelli, Chris Muelder, Kwan-Liu Ma

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

Monitoring, anomaly detection and forensics are essential tasks that must be carried out routinely for every computer network. The sheer volume of data generated by conventional anomaly detection tools such as Snort often makes it difficult to explain the nature of an attack and track down its source. In this paper we present TVi, a tool that combines multiple visual representations of network traces carefully designed and tightly coupled to support different levels of visual-based querying and reasoning required for making sense of complex traffic data. TVi allows analysts to visualize data starting at a high level, providing information related to the entire network, and easily move all the way down to a very low level, providing detailed information about selected hosts, anomalies and attack paths. We designed TVi with scalability and extensibility in mind: its DBMS foundations make it scalable with virtually no limitations, and other state-of-the-art IDS, like Snort or Bro, can be easily integrated in our tool. We demonstrate with two case studies, a synthetic dataset (DARPA 1999) and a real one (University of Brescia, UniBS, 2009), how TVi can enhance a network administrator's ability to reveal hidden patterns in network traces and link their key information so as to easily reveal details that by merely observing Snort's output would go unnoticed. We make TVi's source code available to the community under an Open Source license.
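The abstract describes TVi's architecture only at a high level: alerts and traces live in a DBMS, analysts start from a network-wide view and drill down to a single host and then to an attack path, and Snort output is one of the inputs. The block below is an added example, not TVi's own code or schema, showing what such a DBMS-backed, three-level query layer looks like in practice: it parses Snort "fast"-format alert lines into SQLite and exposes one query per level of detail. The table layout, function names, the fabricated signature IDs 900001-900003, and the sample hosts (RFC 5737 documentation addresses for the external ones) are all assumptions made for this illustration.

```python
"""Added example (not TVi's code): a DBMS-backed, multi-level query layer over
Snort "fast" alerts, in the spirit of the network -> host -> attack-path
drill-down described in the abstract.  Schema, function names and sample
data are this example's own assumptions."""
import re
import sqlite3

# Constructed sample input in Snort's single-line "fast" alert format.
# Signature IDs 900001-900003, messages and hosts are made up for this example;
# the first line is a non-alert console message, included to show it is skipped.
SAMPLE_ALERTS = """\
Commencing packet processing (pid=4242)
07/20-10:15:02.000001  [**] [1:900001:1] TEST SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44123 -> 192.168.1.10:22
07/20-10:15:03.000002  [**] [1:900001:1] TEST SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44124 -> 192.168.1.11:22
07/20-10:15:04.000003  [**] [1:900001:1] TEST SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44125 -> 192.168.1.12:22
07/20-10:17:30.000004  [**] [1:900002:1] TEST POLICY inbound to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44200 -> 192.168.1.12:3306
07/20-10:20:11.000005  [**] [1:900003:1] TEST MALWARE outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.12:50123 -> 203.0.113.7:443
07/20-11:02:45.000006  [**] [1:900001:1] TEST SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:3333 -> 192.168.1.20:22
"""

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport".  Ports are optional (ICMP alerts have none).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def _port(value):
    return int(value) if value else None


def load_alerts(lines, year=2011):
    """Parse fast-format lines into an in-memory SQLite table (the 'DBMS foundation').
    The fast format carries no year, so the caller supplies it (assumed 2011 here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE alert (
        ts TEXT, sid INTEGER, msg TEXT, cls TEXT, prio INTEGER, proto TEXT,
        src TEXT, sport INTEGER, dst TEXT, dport INTEGER)""")
    conn.execute("CREATE INDEX alert_src ON alert(src)")
    conn.execute("CREATE INDEX alert_dst ON alert(dst)")
    rows = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # console noise or another output format: skip, do not abort the load
        d = m.groupdict()
        mmdd, hms = d["ts"].split("-")
        ts = f"{year}-{mmdd.replace('/', '-')} {hms}"  # ISO-like so text ordering is time ordering
        rows.append((ts, int(d["sid"]), d["msg"], d["cls"], int(d["prio"]), d["proto"],
                     d["src"], _port(d["sport"]), d["dst"], _port(d["dport"])))
    conn.executemany("INSERT INTO alert VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def network_overview(conn):
    """Level 1, whole network: alert volume per hour and classification."""
    return conn.execute("""
        SELECT substr(ts, 1, 13) AS hour, cls, COUNT(*) AS n, COUNT(DISTINCT src) AS sources
        FROM alert GROUP BY hour, cls ORDER BY hour, n DESC, cls""").fetchall()


def noisiest_sources(conn, limit=5):
    """Level 1 -> 2 pivot: sources that touched the most distinct destinations."""
    return conn.execute("""
        SELECT src, COUNT(DISTINCT dst) AS targets, COUNT(*) AS alerts
        FROM alert GROUP BY src ORDER BY targets DESC, alerts DESC, src LIMIT ?""",
        (limit,)).fetchall()


def host_detail(conn, ip):
    """Level 2, one host: every alert in which it is source or destination, in time order."""
    return conn.execute("""
        SELECT ts, sid, msg, src, sport, dst, dport FROM alert
        WHERE src = ? OR dst = ? ORDER BY ts""", (ip, ip)).fetchall()


def attack_path(conn, start, max_depth=3):
    """Level 3, attack path: hosts the start host alerted against, then alerts those
    hosts raised *afterwards* (a pivot), up to max_depth hops.  Returns (src, dst, depth)."""
    return conn.execute("""
        WITH RECURSIVE path(src, dst, ts, depth) AS (
            SELECT src, dst, MIN(ts), 1 FROM alert WHERE src = ? GROUP BY dst
            UNION ALL
            SELECT a.src, a.dst, a.ts, p.depth + 1
            FROM alert a JOIN path p ON a.src = p.dst AND a.ts > p.ts
            WHERE p.depth < ?
        )
        SELECT DISTINCT src, dst, depth FROM path ORDER BY depth, src, dst""",
        (start, max_depth)).fetchall()


def build_demo_db():
    return load_alerts(SAMPLE_ALERTS.splitlines())


if __name__ == "__main__":
    db = build_demo_db()
    for level, rows in (("overview", network_overview(db)),
                        ("sources", noisiest_sources(db)),
                        ("host 192.168.1.12", host_detail(db, "192.168.1.12")),
                        ("path from 10.0.0.5", attack_path(db, "10.0.0.5"))):
        print(level)
        for r in rows:
            print("  ", r)
```

The point of the third query is the one the abstract makes about Snort output on its own: the six sample alerts are individually unremarkable, but the recursive query links the scan from 10.0.0.5 to the database probe on 192.168.1.12 and then to that host's outbound beacon, which is the kind of chain that only becomes visible once alerts are queried relationally rather than read line by line.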

Original language: English (US)
Title of host publication: Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec'11
DOIs: https://doi.org/10.1145/2016904.2016905
State: Published - Sep 6 2011
Event: 8th International Symposium on Visualization for Cyber Security, VizSec'11 - Pittsburgh, PA, United States
Duration: Jul 20 2011 → Jul 20 2011

Other

Other: 8th International Symposium on Visualization for Cyber Security, VizSec'11
Country: United States
City: Pittsburgh, PA
Period: 7/20/11 → 7/20/11

Fingerprint

Monitoring
Computer networks
Scalability

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Boschetti, A., Salgarelli, L., Muelder, C., & Ma, K-L. (2011). TVi: A visual querying system for network monitoring and anomaly detection. In Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec'11 https://doi.org/10.1145/2016904.2016905

@inproceedings{aa96e196a65f48dcaa6ed148dc44844e,
title = "TVi: A visual querying system for network monitoring and anomaly detection",
author = "Alberto Boschetti and Luca Salgarelli and Chris Muelder and Kwan-Liu Ma",
year = "2011",
month = "9",
day = "6",
doi = "10.1145/2016904.2016905",
language = "English (US)",
isbn = "9781450306799",
booktitle = "Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec'11",

}

TY - GEN

T1 - TVi

T2 - A visual querying system for network monitoring and anomaly detection

AU - Boschetti, Alberto

AU - Salgarelli, Luca

AU - Muelder, Chris

AU - Ma, Kwan-Liu

PY - 2011/9/6

Y1 - 2011/9/6

UR - http://www.scopus.com/inward/record.url?scp=80052302116&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80052302116&partnerID=8YFLogxK

U2 - 10.1145/2016904.2016905

DO - 10.1145/2016904.2016905

M3 - Conference contribution

SN - 9781450306799

BT - Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec'11

ER -