Interactive Visualization for Network and Port Scan Detection

  • Chris Muelder
  • Kwan-Liu Ma
  • Tony Bartoletti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3858)


Network intrusion attempts often begin with either a network scan, where a connection is attempted to every possible destination in a network, or a port scan, where a connection is attempted to each port on a given destination. Being able to detect such scans can help identify a more dangerous threat to a network. Several techniques exist to automatically detect scans, but these are mostly dependent on some threshold that an attacker could possibly avoid crossing. This paper presents a means to use visualization to detect scans interactively.


Keywords: network security, information visualization, intrusion detection, user interfaces, port scans, network scans





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chris Muelder (1)
  • Kwan-Liu Ma (1)
  • Tony Bartoletti (2)
  1. University of California, Davis
  2. Lawrence Livermore National Laboratory
