Abstract
This article presents what we call the parallel coordinate attack visualization (PCAV) for detecting unknown large-scale Internet attacks including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on the plane of parallel coordinates using the flow information such as the source IP address, destination IP address, destination port and the average packet length in a flow. The parameters are used to draw each flow as a connected line on the plane, where a group of polygonal lines form a particular shape in case of attack. From the observation that each attack type of significance forms a unique pattern, we develop nine signatures and their detection mechanism based on an efficient hashing algorithm. Using the graphical signatures, PCAV can quickly detect new attacks and enable network administrators to intuitively recognize and respond to the attacks. Compared with existing visualization works, PCAV can handle hyper-dimensions, i.e., can visualize more than 3 parameters if necessary, which significantly reduces false positives. As a consequence, Internet worms are more precisely detectable by machine and more easily recognizable by human. Another strength of PCAV is handling flows instead of packets. Per-flow visualization greatly reduces the processing time and further provides compatibility with legacy routers which export flow information, e.g., as NetFlow does in Cisco routers. We demonstrate the effectiveness of PCAV using real-life Internet traffic traces. The PCAV program is publicly available.
Original language | English |
---|---|
Pages (from-to) | 276-288 |
Number of pages | 13 |
Journal | Computers and Security |
Volume | 28 |
Issue number | 5 |
DOIs | |
Publication status | Published - 2009 Jul |
Bibliographical note
Funding Information:This research was supported by the Ministry of Knowledge Economy, Korea, under the ITRC program (IITA-2008-C1090-0801-0016), IT R&D program of MKE/IITA [2008-S-026-01], the Basic Research Program of the Korea Science & Engineering Foundation, and the Defense Acquisition Program Administration and Agency for Defense Development under the contract UD060048AD.
Keywords
- DDoS attacks
- Internet attack visualization
- Internet worms
- Parallel coordinate attack visualization (PCAV)
- Parallel coordinates
ASJC Scopus subject areas
- General Computer Science
- Law