Fast detection and visualization of network attacks on parallel coordinates

Hyunsang Choi, Heejo Lee, Hyogon Kim

Research output: Contribution to journalArticlepeer-review

73 Citations (Scopus)

Abstract

This article presents what we call the parallel coordinate attack visualization (PCAV) for detecting unknown large-scale Internet attacks including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on the plane of parallel coordinates using the flow information such as the source IP address, destination IP address, destination port and the average packet length in a flow. The parameters are used to draw each flow as a connected line on the plane, where a group of polygonal lines form a particular shape in case of attack. From the observation that each attack type of significance forms a unique pattern, we develop nine signatures and their detection mechanism based on an efficient hashing algorithm. Using the graphical signatures, PCAV can quickly detect new attacks and enable network administrators to intuitively recognize and respond to the attacks. Compared with existing visualization works, PCAV can handle hyper-dimensions, i.e., can visualize more than 3 parameters if necessary, which significantly reduces false positives. As a consequence, Internet worms are more precisely detectable by machine and more easily recognizable by human. Another strength of PCAV is handling flows instead of packets. Per-flow visualization greatly reduces the processing time and further provides compatibility with legacy routers which export flow information, e.g., as NetFlow does in Cisco routers. We demonstrate the effectiveness of PCAV using real-life Internet traffic traces. The PCAV program is publicly available.

Original languageEnglish
Pages (from-to)276-288
Number of pages13
JournalComputers and Security
Volume28
Issue number5
DOIs
Publication statusPublished - 2009 Jul

Bibliographical note

Funding Information:
This research was supported by the Ministry of Knowledge Economy, Korea, under the ITRC program (IITA-2008-C1090-0801-0016), IT R&D program of MKE/IITA [2008-S-026-01], the Basic Research Program of the Korea Science & Engineering Foundation, and the Defense Acquisition Program Administration and Agency for Defense Development under the contract UD060048AD.

Keywords

  • DDoS attacks
  • Internet attack visualization
  • Internet worms
  • Parallel coordinate attack visualization (PCAV)
  • Parallel coordinates

ASJC Scopus subject areas

  • General Computer Science
  • Law

Fingerprint

Dive into the research topics of 'Fast detection and visualization of network attacks on parallel coordinates'. Together they form a unique fingerprint.

Cite this