Backhoe, a Packet Trace and Log Browser

  • Sergey Bratus
  • Axel Hansen
  • Fabio Pellacini
  • Anna Shubina
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5210)

Abstract

We present Backhoe, a tool for browsing packet trace or other event logs that makes it easy to spot “statistical novelties” in the traffic, i.e. changes in the character of frequency distributions of feature values and in mutual relationships between pairs of features. Our visualization uses feature entropy and mutual information displays as either the top-level summary of the dataset or alongside the data. Our tool makes it easy to switch between absolute and conditional metrics, and observe their variations at a glance. We successfully used Backhoe for analysis of proprietary protocols.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Aslam, J., Bratus, S., Pavlu, V.: Semi-supervised data organization for interactive anomaly analysis. In: ICMLA 2006: Proceedings of the 5th International Conference on Machine Learning and Applications, pp. 55–62 (2006)Google Scholar
  2. 2.
    Chow, C., Liu, C.: Approximating discrete probability distributions with dependence trees. In: IEEE Trans. Information Theory, vol. 14, pp. 462–467 (1968)Google Scholar
  3. 3.
    Conti, G.: Security Data Visualization: Graphical Techniques for Network Analysis. No Starch Press (2007)Google Scholar
  4. 4.
    Gu, Y., McCallum, A., Towsley, D.: Detecting anomalies in network traffic using maximum entropy estimation. In: IMC 2005: Proceedings of the 5th ACM SIGCOMM conference on Internet measurement, pp. 1–6 (2005)Google Scholar
  5. 5.
    Heer, J., Card, S.K., Landay, J.A.: Prefuse: a toolkit for interactive information visualization. In: CHI 2005: Proceedings of the SIGCHI conference on Human factors in computing systems, pp. 421–430 (2005)Google Scholar
  6. 6.
    Keim, D.A.: Designing pixel-oriented visualization techniques: Theory and applications. IEEE Transactions on Visualization and Computer Graphics 6(1), 59–78 (2000)CrossRefGoogle Scholar
  7. 7.
    Lakhina, A., Crovella, M., Diot, C.: Characterization of network-wide anomalies in traffic flows. In: IMC 2004: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, pp. 201–206 (2004)Google Scholar
  8. 8.
    Lee, W., Xiang, D.: Information-theoretic measures for anomaly detection. In: Proc. of the 2001 IEEE Symposium on Security and Privacy, pp. 130–143 (2001)Google Scholar
  9. 9.
    Wattenberg, M.: Baby names, visualization, and social data analysis. In: INFOVIS 2005: Proceedings of the Proceedings of the 2005 IEEE Symposium on Information Visualization, p. 1 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sergey Bratus
    • 1
  • Axel Hansen
    • 1
  • Fabio Pellacini
    • 1
  • Anna Shubina
    • 1
  1. 1.Dartmouth CollegeUSA

Personalised recommendations