
dc.contributor.author: El-Shehaly, Mai Hassan
dc.date.accessioned: 2014-03-14T20:43:41Z
dc.date.available: 2014-03-14T20:43:41Z
dc.date.issued: 2009-08-03
dc.identifier.other: etd-08172009-081704
dc.identifier.uri: http://hdl.handle.net/10919/34606
dc.description.abstract: Network packet traces, despite containing a lot of noise, hold priceless information, especially for investigating security incidents or troubleshooting performance problems. However, given the gigabytes of flow data crossing a typical medium-sized enterprise network every day, spotting malicious activity and analyzing trends in network behavior becomes a tedious task. Further, computational mechanisms for analyzing such data usually take substantial time to reach interesting patterns and often mislead the analyst into false positives (benign traffic identified as malicious) or false negatives (malicious activity that goes undetected). Therefore, the appropriate representation of network traffic data to the human user has recently become an issue of concern. Much of the focus, however, has been on visualizing TCP traffic alone, adapting visualization techniques to the data fields relevant to that protocol, rather than on the multivariate nature of network security data in general and the fact that forensic analysis, in order to be fast and effective, has to take different parameters into consideration for each protocol. In this thesis, we bring together two powerful tools from different areas of application: SiLK (System for Internet-Level Knowledge), for command-based network trace analysis, and ComVis, a generic information visualization tool. We integrate the power of both tools by providing a simple GUI that mediates interaction between them, for the purpose of visualizing network traces, characterizing interesting patterns, and fingerprinting related activity. To obtain realistic results, we applied the visualizations to anonymized packet traces from Lawrence Berkeley National Laboratory, captured during selected hours across three months. We used a sliding-window approach to visually examine traces for two transport-layer protocols: ICMP and UDP.
The main contribution of this research is a protocol-specific visualization framework for ICMP and UDP data. We explored the relevant header fields and the visualizations that worked best for each of the two protocols separately. The resulting views led us to a number of guidelines that can be vital in creating "smart books" describing best practices for using visualization and interaction techniques to maintain network security, and to visual fingerprints that were found to be unique to individual types of scanning activity. Our visualizations use a multiple-views approach that combines two-dimensional scatter plots, histograms, parallel coordinates, and dynamic queries.
dc.publisher: Virginia Tech
dc.relation.haspart: Literature-2.pdf
dc.rights: I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to Virginia Tech or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.
dc.subject: Scan Detection
dc.subject: Network Security Visualization
dc.subject: Network Traffic Visualization
dc.subject: Network Traffic Analysis
dc.subject: Visualization tools
dc.subject: Traffic Analysis Tools
dc.subject: Information Visualization
dc.title: A Visualization Framework for SiLK Data Exploration and Scan Detection
dc.type: Thesis
dc.contributor.department: Computer Science
thesis.degree.name: Master of Science
thesis.degree.level: masters
thesis.degree.grantor: Virginia Polytechnic Institute and State University
dc.contributor.committeechair: Gracanin, Denis
dc.contributor.committeemember: Ehrich, Roger W.
dc.identifier.sourceurl: http://scholar.lib.vt.edu/theses/available/etd-08172009-081704/
dc.contributor.committeecochair: Abdel-Hamid, Ayman
dc.date.sdate: 2009-08-17
dc.date.rdate: 2009-09-21
dc.date.adate: 2009-09-21