Abstract
This paper presents PCAV (Parallel Coordinates Attack Visualizer), a real-time visualization system for detecting large-scale Internet attacks, including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on a parallel-coordinates plane using four attributes of each flow: the source IP address, the destination IP address, the destination port and the average packet length. These four values draw each flow as a connected line on the plane, and a group of such lines forms a distinctive shape during an attack. Thus, a simple but novel way of displaying traffic reveals ongoing attacks. Because numerous types of attacks form specific graph patterns, we have developed nine graphical signatures and a detection mechanism for them based on an efficient hashing algorithm. Using these signatures, PCAV can quickly detect new attacks and enables network administrators to instantly recognize and respond to them. Another strength of PCAV comes from handling flows instead of packets. Per-flow visualization greatly reduces the processing time and also provides compatibility with legacy routers that export flow information, such as NetFlow on Cisco routers. We have demonstrated the effectiveness of PCAV using real attack traffic.
This work was supported in part by the ITRC program of the Korea Ministry of Information & Communications.
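As an added illustration (not code from the paper or its authors), the following Python maps constructed flow records onto PCAV's four parallel-coordinates axes and then groups flows under a hash key, the way a per-shape signature check can be made cheap. The fan-out heuristic, the axis normalisation and the sample flows are assumptions of this example, not one of the paper's nine signatures.

```python
# Added example, not PCAV's own code: flows -> parallel-coordinates polylines,
# plus one hash-bucketed shape check in the spirit of the paper's signatures.
import ipaddress
from collections import defaultdict

AXES = ("src_ip", "dst_ip", "dst_port", "avg_len")   # the four PCAV axes, left to right


def axis_position(axis, value):
    """Normalise one flow attribute to [0, 1] on its vertical axis (assumed scaling)."""
    if axis in ("src_ip", "dst_ip"):
        return int(ipaddress.ip_address(value)) / 0xFFFFFFFF   # IPv4 address space
    if axis == "dst_port":
        return value / 65535
    return min(value, 1500) / 1500          # assume Ethernet MTU as the largest packet


def flow_polyline(flow):
    """One flow -> list of (axis index, height); consecutive points are joined by segments."""
    return [(i, axis_position(a, flow[a])) for i, a in enumerate(AXES)]


def detect_fan_out(flows, min_targets=8):
    """Bucket flows by (src_ip, dst_port, coarse avg_len) and count distinct destinations.

    Many destinations under one key is a single point on the src axis fanning out to a
    band on the dst axis and converging again on the port axis: the shape a horizontal
    scan draws. Hashing on the key keeps this O(1) per flow. Constructed heuristic only.
    """
    buckets = defaultdict(set)
    for f in flows:
        key = (f["src_ip"], f["dst_port"], f["avg_len"] // 64)   # 64-byte length bins
        buckets[key].add(f["dst_ip"])
    return {k: len(v) for k, v in buckets.items() if len(v) >= min_targets}


# Constructed sample: one host probing port 445 across a /24, plus a few normal HTTPS flows
SAMPLE = [{"src_ip": "10.0.0.5", "dst_ip": f"192.168.1.{i}", "dst_port": 445, "avg_len": 60}
          for i in range(1, 21)]
SAMPLE += [{"src_ip": f"10.0.1.{i}", "dst_ip": "203.0.113.10", "dst_port": 443, "avg_len": 900}
           for i in range(1, 6)]

if __name__ == "__main__":
    for flow in SAMPLE[:2]:
        print(flow_polyline(flow))        # the line each flow would draw on the plane
    print(detect_fan_out(SAMPLE))         # {('10.0.0.5', 445, 0): 20}
```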
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Choi, H., Lee, H. (2005). PCAV: Internet Attack Visualization on Parallel Coordinates. In: Qing, S., Mao, W., López, J., Wang, G. (eds) Information and Communications Security. ICICS 2005. Lecture Notes in Computer Science, vol 3783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11602897_38
DOI: https://doi.org/10.1007/11602897_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30934-5
Online ISBN: 978-3-540-32099-9
eBook Packages: Computer Science (R0)