Title: Visualizing network data for intrusion detection
Authors: K. Abdullah, C. Lee, G. Conti, J. Copeland
Venue: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop
Publication date: 2005-06-15
DOI: 10.1109/IAW.2005.1495940 (https://doi.org/10.1109/IAW.2005.1495940)
Citation count: 73 (Semanticscholar)

Abstract:
As the trend of successful network attacks continues to rise, better forms of intrusion detection and prevention are needed. This paper addresses network traffic visualization techniques that aid an administrator in recognizing attacks in real time. Our approach improves upon current techniques that lack effectiveness due to an overemphasis on flow, nodes, or assumed familiarity with the attack tool, causing either late reaction or missed detection. A port-based overview of network activity produces an improved representation for detecting and responding to malicious activity. We have found that presenting an overview using stacked histograms of aggregate port activity, combined with the ability to drill down for finer details, allows small, yet important details to be noticed and investigated without being obscured by large, usual traffic. Due to the amount of traffic as well as the range of possible port numbers and IP addresses, scaling techniques are necessary to help provide this overview. We provide graphs with examples of forensic findings. Finally, we describe our future plans for using live traffic in addition to our forensic visualization techniques.