Li Zheng,Gang Yu,Yuntian Zheng

DOI: https://doi.org/10.1007/s11265-023-01836-0

2023-02-01

Journal of Signal Processing Systems

Abstract:Data visualization is an important approach for data analysis, which can reveal the patterns and characteristics of complex datasets through visual processing, and provide aid for data analysts. In recent years, with the expansion of Internet users and the rich diversity of various Internet applications, the importance of network security is increasing. In the field of network security data analysis, it is a developing direction to use data visualization methods and visual analysis tools to assist manual analysis. In this paper, a visualization system for network security data is designed and implemented, which is mainly based on network flow records and security policies. The node centrality measurement and high-dimensional data visualization methods are comprehensively applied, and an interactive visualization approach is proposed. The IP topology is presented in three different view modes: static analysis, temporal analysis and exploration analysis. In addition, the high-dimensional projection map takes flow, security policy and IP address as analysis objects and selects several dimensional features as indicators. After visual presentation, the distribution of the stream set and IP set contained in the record after projection in the selected dimension space can be obtained, so that the analyst can find the points with significant abnormal eigenvalue distribution, and deduce the possible situation based on this. After testing, the system can accept the new original data record file, and quickly generate the corresponding visualization content, which can be used for the visualization analysis of network security optimization tool software, and has been used in the actual system.

computer science, information systems,engineering, electrical & electronic

Shuying Chang,Xuesong Qiu,Zhipeng Gao,Ke Liu,Feng Qi

DOI: https://doi.org/10.1109/CNSM.2010.5691206

2010-01-01

Abstract:With the development of high-speed networks, the challenge of effectively analyzing the massive data source for anomaly detection and diagnosis is yet to be resolved. This paper proposes a new flow-based anomaly detection method based on summary data structures and combinations of traffic features. Using IPFIX flow records as input, parallel sketches are established for chosen traffic features respectively. For each sketch, we use Holt-Winters forecasting technique to achieve their forecast sketches and deviation matrixes. When the deviation exceeds a certain threshold, sub-alarms will be generated. According to the characteristics of various attacks and combinations of traffic features, sub-alarms can be merged into final alarms. While sketches of flows are being constructed, destination addresses are recorded in linked lists which are used to locate victims by a series of set operations. This method can not only detect the existence of anomalies in near real time, but can roughly indicate the anomaly types and locate abnormal addresses.

Sheng Zhang,Ronghua Shi,Jue Zhao

DOI: https://doi.org/10.3837/tiis.2016.06.019

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Owing to their low scalability, weak support on big data, insufficient data collaborative analysis and inadequate situational awareness, the traditional methods fail to meet the needs of the security data analysis. This paper proposes visualization methods to fuse the multi-source security data and grasp the network situation. Firstly, data sources are classified at their collection positions, with the objects of security data taken from three different layers. Secondly, the Heatmap is adopted to show host status; the Treemap is used to visualize Netflow logs; and the radial Node-link diagram is employed to express IPS logs. Finally, the Labeled Treemap is invented to make a fusion at data-level and the Time-series features are extracted to fuse data at feature-level. The comparative analyses with the prize-winning works prove this method enjoying substantial advantages for network analysts to facilitate data feature fusion, better understand network security situation with a unified, convenient and accurate mode.

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Duanming Shen,Dexin Qiao,Qing Li,Na Zhang,Wenbo Zhang,Haiyan Xin,Haisheng Gu

2021-01-01

Abstract:With the rapid development of Internet technology, it has been widely used in various fields and has become an indispensable part of the public’s production and life. However, the subsequent network security problems have emerged one after another, which are influenced by many factors from the outside world, resulting in abnormal flow and easily affecting users’ network usage status. In this conte...

Liu Bin,Lin Chuang,Qiao Jian,He Jianping,Peter Ungsunan

DOI: https://doi.org/10.1016/j.comnet.2007.12.004

IF: 5.493

2008-01-01

Computer Networks

Abstract:In this paper, a flow analysis and monitoring system based on NetFlow is introduced. The system is built on a Browser–Server framework, aimed at enterprise networks. Data collection and display are separated into two modules, which makes the system clearly demarcated and easy to deploy. The data collection module receives and analyzes NetFlow-exported packets and inserts per flow record information into the Oracle database. The display module acts as a J2EE web server, fetches real-time or history traffic information from the database and shows it to web users. In addition to the above-mentioned functions, the most important part of the system is an IDS. A real-time anomalous traffic monitoring module with a stable matching pattern algorithm and two traffic statistic based intrusion detection algorithms – one algorithm is based on variance similarity while the other is based on Euclidean distance – are embedded in the system to detect worm and other malicious attacks. With the aim of identifying anomalous network traffic simply and effectively, a proved “join” strategy is also designed along with the two traffic statistic based intrusion detection algorithms. The whole IDS module is able to run with low computational complexity and high detection accuracy. Finally, we conduct experiments to verify the performance of our system.

Fangfang Zhou,Ronghua Shi,Ying Zhao,Yezi Huang,Xing Liang

DOI: https://doi.org/10.1007/978-3-319-03584-0_30

2013-01-01

Abstract:Situational awareness is defined as the ability to effectively determine an overall computer network status based on relationships between security events in multiple dimensions. Unfortunately, as the lack of tools to synthetically analyze the security logs generated by kinds of network security products, such as NetFlow, Firewall and Host Security, it is difficult to monitor and perceive network security situational awareness. Information visualization allows users to discover and analyze large amounts of information through visual exploration and interaction efficiently. Even with the aid of visualization, identifying the attack patterns from big multi-source data and recognizing the abnormal from visual clutter are still challenges. In this paper, a novel visualization system, NetSecRadar, is proposed for network security situational awareness based on multi-source logs, which can monitor the network and perceive the overall view of the security situation by using radial graph. NetSecRadar utilizes a hierarchical force-directed graph layout for arrangement of thousands of hosts to better use the available screen space, and provides the method to quantify the dangerous levels of the security events, and finds the correlations of security events generated by multi-source logs and perceives the patterns of abnormal in situational awareness, and synthesizes interactions, filtering and drill-down to understand the detail information. To demonstrate the system’s capabilities, we utilize the VAST Challenge 2013 as case study.

Qiuzheng Ren,Xiaofeng Qiu,Pengcheng Chen,XiaoDong Liang

DOI: https://doi.org/10.1109/iccps.2015.7454146

2015-01-01

Abstract:With the rapid development of SDN, its security problem is increasingly outstanding. Because of the openness and intelligence of SDN, the flow can be dispatched and controlled globally by the network controller. However there is not a mechanism that provides a clear visibility of the distribution, path and traffic of the whole network flows for the security equipment. Now many security detection methods need to know the distribution and behaviors of the global flows. So the paper proposes a new mechanism named global flow table and corresponding algorithms to realize the global flows' collection, the whole network flow path computation and global flows storing. This method can provide both the global details of the whole network topology and the key information of per flow mentioned above conveniently and directly for the security equipment. And we also design a structure to store the details of all flows. Then we analyze the time performance of the algorithm theoretically. The experimental result verifies the theoretical analysis and concludes that the algorithm has a good time performance. The primary affecting factors of the algorithm are the number of the flow tables and the ratio of the links to the switches.

Luming Yang,Shaojing Fu,Xuyun Zhang,Shize Guo,Yongjun Wang,Chi Yang

DOI: https://doi.org/10.1007/s11280-022-01057-8

2022-01-01

World Wide Web

Abstract:As the 5G rolls out around the world, many edge applications will be deployed by app vendors and accessed by massive end-users. Efficient detection of malicious network behavior is paid more and more attention. The current traffic detection work is still stuck on the analysis of high-dimensional data. It will restrict the improvement of threat monitoring and network governance when facing massive network flows. Characterization of network flows within simple domains is required to simplify the process of network analysis. Traffic characterization is a key task that allows service providers to detect and intercept anomalous traffic, such that high QoS (Quality of Service) and service availability are maintained and spread of malicious content is prevented. Unfortunately, there is still a lack of research on the concrete characterization of network data. Analogous to spectrum, in this paper, we proposed the concept of FlowSpectrum for the first time in order to represent the network flow, concretely. In the FlowSpectrum, network flow is represented as a spectral line rather than the raw data or a feature vector of the network flow. All flows are able to be mapped as spectral lines, and traffic identification is achieved by analyzing the positions of spectral lines. FlowSpectrum can significantly reduce the complexity of network traffic behavior analysis while enhancing the interpretability of detection and facilitating cyberspace behavior management. We designed a neural network structure based on semi-supervised AutoEncoder for decomposition and dimensionality reduction of network flows in FlowSpectrum. The characterization capability of FlowSpectrum is proved by thorough experiments. Moreover, we realized the correspondence between network behaviors and intervals of spectral lines, preliminarily. Generally speaking, FlowSpectrum can provide new ideas for the field of network traffic analysis.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Ronghua Shi,Mengjie Yang,Ying Zhao,Fangfang Zhou,Wei Huang,Sheng Zhang

DOI: https://doi.org/10.1109/jsyst.2014.2358997

IF: 4.802

2015-01-01

IEEE Systems Journal

Abstract:Network forensics requires analysts to efficiently reason about various attack phenomena from massive data. Visualization techniques can convert abstract data into visual sensitive graphics; thus, forensic officers can extract useful information quickly. In this paper, we present a matrix-based visualization system for visualized forensic analysis on unintelligible traffic datasets. The system consists of three collaborative views, including the Timeline view integrating active features and individual dispersions based on information entropies for the perception of the overall time series, the Matrix view balancing the expression of network structure and distributions of IPs and ports for efficient events tracing, and the Historical view comparing statuses in successive time slots for dynamic trends tracking. The system provides a multilevel analysis architecture and multifaceted perspectives for comprehensive cognition in traffic forensics. In case studies, we describe the forensic process of this system, including identifying port scan, distributed denial of service, and botnet attacks, on the datasets in VAST Challenge 2013.

Zongyi Zhao,Xingang Shi,Zhiliang Wang,Qing Li,Han Zhang,Xia Yin

DOI: https://doi.org/10.1109/tpds.2021.3099442

IF: 5.3

2022-05-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Traditional tools like NetFlow face great challenges as both the speed and the complexity of the network traffic increase. To keep the pace up, we propose HashFlow for more efficient and accurate collection of flow records. HashFlow keeps large flows in its main flow table and uses an ancillary table to summarize the other flows when the main table is full. With our flow collision resolution and flow record promotion schemes, a flow in the ancillary table is promoted back to the main flow table with a guaranteed probability when it becomes large enough. These operations can be performed highly efficiently, so HashFlow can keep up with ultra-high traffic speed. We implement HashFlow in a Tofino switch, and using traces from different operational networks, we compare its performance against some state-of-the-art flow measurement algorithms. Our experiments show that, for various types of traffic analysis applications, HashFlow consistently demonstrates clearly better performance than its competitors. For example, the performance of HashFlow in flow size estimation, flow size distribution estimation and heavy hitter detection is up to 21, 60 and 35 percent better than those of the best competitors respectively, and these merits of HashFlow come with almost no degradation of throughput.

computer science, theory & methods,engineering, electrical & electronic

Xin Fan,Wenjie Luo,Xiaoju Dong,Rui Su

DOI: https://doi.org/10.1007/978-981-13-2203-7_45

2018-01-01

Abstract:Analyzing network data is one of the important means to safeguard network security. However, how to detect anomalies and trace back the origin of attacks in the enlarging scale of network data is still a challenge now. This paper designs and implements a network visualization system, which meets three main requirements: the situation awareness of the whole network, the rapid detection of anomalies, and the track of attack source. To combine multiple visualization technologies reasonably, the system provides information from three levels. It also uses unsupervised learning methods to detect anomalies in different ways. Therefore, the system enhances the ability of identifying abnormal behaviors from network data. Its efficiency is tested by the usage of data in the ChinaVis 2016.

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.48550/arXiv.2301.13686

2023-01-31

Abstract:In this paper, we propose HyperVision, a realtime unsupervised machine learning (ML) based malicious traffic detection system. Particularly, HyperVision is able to detect unknown patterns of encrypted malicious traffic by utilizing a compact inmemory graph built upon the traffic patterns. The graph captures flow interaction patterns represented by the graph structural features, instead of the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the connectivity, sparsity, and statistical features of the graph, which allows HyperVision to detect various encrypted attack traffic without requiring any labeled datasets of known attacks. Moreover, we establish an information theory model to demonstrate that the information preserved by the graph approaches the ideal theoretical bound. We show the performance of HyperVision by real-world experiments with 92 datasets including 48 attacks with encrypted malicious traffic. The experimental results illustrate that HyperVision achieves at least 0.92 AUC and 0.86 F1, which significantly outperform the state-of-the-art methods. In particular, more than 50% attacks in our experiments can evade all these methods. Moreover, HyperVision achieves at least 80.6 Gb/s detection throughput with the average detection latency of 0.83s.

Cryptography and Security

Yan Ruo-Yu,Zheng Qing-Hua

DOI: https://doi.org/10.1109/isda.2008.167

2008-01-01

Abstract:The idea of using entropy measurement to detect anomalies or analyze traffic characteristics has been floating around the research community for some time. But all these entropy-based approaches are single-scale based "complexity" methods and fail to account for the multiple time scales inherent in time series. In order to fulfill this goal we have introduced Renyi entropy based method: multi-scale entropy (MSE). In this paper, a kind of port-to-port traffic in router is presented, which we call IF-flow. IF-flows can amplify the ratio of attack traffic to normal traffic. We apply MSE to the analysis of IF-flow time series in time scales, and find some interesting results. One of results supports a general view that flow count metric has a more powerful ability to detect many types of anomalies than byte and packet count metric. We also use MSE to detect anomaly existed in IF-flow time series. The experimental results indicate MSE can detect anomaly accurately.

Liang Zhang,Tianhe Chi,Xin Zhang

DOI: https://doi.org/10.1109/IGARSS.2009.5417336

2009-01-01

Abstract:To analyze large amounts of numerical data, one of the most useful approaches is to use scientific visualization to transform them into graphical images. Flow visualization as one of the challenging topics has played important roles in oceanic data analysis. There are many techniques have been presented in the past decade, but most of them can't get high performance to visualize large-scale flow data in real time. To deduce the computational complexity brought by large flow dataset, feature-based expression will be a helpful way. However, how to get the result images quickly without costing much time for feature extraction and analysis is a very important problem to deal.Based on the common characteristic of flow and the unchangeable scale feather of spiral line, we present a new distributing strategy which needn't locate feature points very accurately and didn't rely on the type of feature fields. The visualization procedure not only can straight forward automatically but also can be changed with user's interactive command. The flow data obtained from the South Sea of China was verified and simulated. The result shows that this method using spiral strategy not templates to setting the seeds to emphasize the interesting fields is much faster and flexible, especially in large-scale flow data visualization

Said Jawad Saidi,Aniss Maghsoudlou,Damien Foucard,Georgios Smaragdakis,Ingmar Poese,Anja Feldmann

DOI: https://doi.org/10.1109/TNSM.2020.3034278

2020-10-27

Abstract:Many network operations, ranging from attack investigation and mitigation to traffic management, require answering network-wide flow queries in seconds. Although flow records are collected at each router, using available traffic capture utilities, querying the resulting datasets from hundreds of routers across sites and over time, remains a significant challenge due to the sheer traffic volume and distributed nature of flow records. In this paper, we investigate how to improve the response time for a priori unknown network-wide queries. We present Flowyager, a system that is built on top of existing traffic capture utilities. Flowyager generates and analyzes tree data structures, that we call Flowtrees, which are succinct summaries of the raw flow data available by capture utilities. Flowtrees are self-adjusted data structures that drastically reduce space and transfer requirements, by 75% to 95%, compared to raw flow records. Flowyager manages the storage and transfers of Flowtrees, supports Flowtree operators, and provides a structured query language for answering flow queries across sites and time periods. By deploying a Flowyager prototype at both a large Internet Exchange Point and a Tier-1 Internet Service Provider, we showcase its capabilities for networks with hundreds of router interfaces. Our results show that the query response time can be reduced by an order of magnitude when compared with alternative data analytics platforms. Thus, Flowyager enables interactive network-wide queries and offers unprecedented drill-down capabilities to, e.g., identify DDoS culprits, pinpoint the involved sites, and determine the length of the attack.

Networking and Internet Architecture

Sepehr Sabour,Sanjeev Rao,Majid Ghaderi

DOI: https://doi.org/10.1109/isc253183.2021.9562915

2021-09-07

Abstract:Nowadays, many cities are equipped with surveillance systems and traffic control centers to monitor vehicular traffic for road safety and efficiency. The monitoring process is mostly done manually which is inefficient and expensive. In recent years, several data-driven solutions have been proposed in the literature to automatically analyze traffic flow data using machine learning techniques. However, existing solutions require large and comprehensive datasets for training which are not readily available, thus limiting their application. In this paper, we develop a traffic anomaly detection system, referred to as DeepFlow, based on Siamese neural networks, which are suitable in scenarios where only small datasets are available for training. Our model can detect abnormal traffic flows by analyzing the trajectory data collected from the vehicles in a fleet. To evaluate DeepFlow, we use realistic vehicular traffic simulations in SUMO. Our results show that DeepFlow detects abnormal traffic patterns with an F1 score of 78%, while outperforming other existing approaches including: Dynamic Time Warping (DTW), Global Alignment Kernels (GAK), and iForest.

Lei Shi,Qi Liao,Xiaohua Sun,Yarui Chen,Chuang Lin

DOI: https://doi.org/10.1109/bigdata.2013.6691629

2013-01-01

Abstract:The visualization of complex network traffic involving a large number of communication devices is a common yet challenging task. Traditional layout methods create the network graph with overwhelming visual clutter, which hinders the network understanding and traffic analysis tasks. The existing graph simplification algorithms (e.g. community-based clustering) can effectively reduce the visual complexity, but lead to less meaningful traffic representations. In this paper, we introduce a new method to the traffic monitoring and anomaly analysis of large networks, namely Structural Equivalence Grouping (SEG). Based on the intrinsic nature of the computer network traffic, SEG condenses the graph by more than 20 times while preserving the critical connectivity information. Computationally, SEG has a linear time complexity and supports undirected, directed and weighted traffic graphs up to a million nodes. We have built a Network Security and Anomaly Visualization (NSAV) tool based on SEG and conducted case studies in several real-world scenarios to show the effectiveness of our technique.

Michael Collins,Jyotirmoy V. Deshmukh,Dristi Dinesh,Mukund Raghothaman,Srivatsan Ravi,Yuan Xia

2024-03-03

Abstract:Network security analysts gather data from diverse sources, from high-level summaries of network flow and traffic volumes to low-level details such as service logs from servers and the contents of individual packets. They validate and check this data against traffic patterns and historical indicators of compromise. Based on the results of this analysis, a decision is made to either automatically manage the traffic or report it to an analyst for further investigation. Unfortunately, due rapidly increasing traffic volumes, there are far more events to check than operational teams can handle for effective forensic analysis. However, just as packets are grouped into flows that share a commonality, we argue that a high-level construct for grouping network flows into a set a flows that share a hypothesis is needed to significantly improve the quality of operational network response by increasing Events Per Analysts Hour (EPAH).

Networking and Internet Architecture