Journal in Computer Virology

, Volume 6, Issue 1, pp 1–29 | Cite as

Applied parallel coordinates for logs and network traffic attack analysis

Original Paper

Abstract

By looking on how computer security issues are handled today, dealing with numerous and unknown events is not easy. Events need to be normalized, abnormal behaviors must be described and known attacks are usually signatures. Parallel coordinates plot offers a new way to deal with such a vast amount of events and event types: instead of working with an alert system, an image is generated so that issues can be visualized. By simply looking at this image, one can see line patterns with particular color, thickness, frequency, or convergence behavior that gives evidence of subtle data correlation. This paper first starts with the mathematical theory needed to understand the power of such a system and later introduces the Picviz software which implements part of it. Picviz dissects acquired data into a graph description language to make a parallel coordinate picture of it. Its architecture and features are covered with examples of how it can be used to discover security related issues.

Keywords

Visualization Parallel coordinates Data-mining Logs Computer security 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Conti, G., Abdullah, K.: Passive visual fingerprinting of network attack tools. In: VizSEC/DMSEC ’04: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 45–54. ACM, New York, NY, USA (2004)Google Scholar
  2. 2.
    Gansner E.R., Koutsofios E., North S.C., Phong Vo K.: A technique for drawing directed graphs. IEEE Trans. Softw. Eng. 19, 214–230 (1993)CrossRefGoogle Scholar
  3. 3.
    Grinstein, G., Mihalisin, T., Hinterberger, H., Inselberg, A.: Visualizing multidimensional (multivariate) data and relations. In: VIS ’94: Proceedings of the Conference on Visualization ’94, pp. 404–409. IEEE Computer Society Press, Los Alamitos, CA, USA (1994)Google Scholar
  4. 4.
    Hamming R.: Error detecting and error correcting codes. Bell Syst. Tech. J. 29, 147–160 (1950)MathSciNetGoogle Scholar
  5. 5.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: LEET’08: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–9. USENIX Association, Berkeley, CA, USA (2008)Google Scholar
  6. 6.
    Inselberg, A., Avidan, T.: The automated multidimensional detective. In: INFOVIS ’99: Proceedings of the 1999 IEEE Symposium on Information Visualization, p. 112. IEEE Computer Society, Washington, DC, USA (1999)Google Scholar
  7. 7.
    Inselberg, A., Avidan, T.: Classification and visualization for high-dimensional data. In: KDD ’00: Proceedings of the Sixth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 370–374. ACM, New York, NY, USA (2000)Google Scholar
  8. 8.
    Inselberg, A., Dimsdale, B.: Parallel coordinates for visualizing multi-dimensional geometry. In: CG International ’87 on Computer Graphics 1987, pp. 25–44. Springer, New York, NY, USA (1987)Google Scholar
  9. 9.
    Inselberg A., Dimsdale B.: Multidimensional lines ii: proximity and applications. SIAM J. Appl. Math. 54(2), 578–596 (1994)MATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. Tech. Rep. 8 (1966)Google Scholar
  11. 11.
    Stubblefield A., Ioannidis J., Rubin A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (wep). ACM Trans. Inf. Syst. Secur. 7(2), 319–332 (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag France 2009

Authors and Affiliations

  1. 1.Honeynet Project French ChapterParisFrance
  2. 2.Lycée la Martinière Monplaisir, Laboratoire de MathématiquesLyon Cedex 08France

Personalised recommendations