Date of Award

Spring 2015

Degree Type

Thesis

Degree Name

Master of Science (MS)

Department

Computer and Information Technology

First Advisor

Baijian Yang

Committee Chair

Baijian Yang

Committee Member 1

Yingjie Chen

Committee Member 2

Raymond Hansen

Abstract

Security is essential for any enterprise network. Denial of service, port scanning, and data exfiltration are among the most common network intrusions, and network administrators urgently need to detect such attacks effectively and efficiently from network traffic. Although many intrusion detection systems (IDSs) and approaches exist, Visual Analytics (VA) provides a human-friendly way to detect network intrusions while also supporting situational awareness. The overview visualization is the first and most important step in a VA approach. However, many VA systems cannot effectively identify subtle attacks in massive traffic data because of the limitations of their overview visualizations. In this work, we developed two overviews and tried to identify subtle attacks directly from them. Zoomed-in visualizations were also provided for further investigation. The primary data source was NetFlow, and we evaluated the VA system with datasets from Mini Challenge 3 of the VAST Challenge 2013. Evaluation results indicated that the VA system can detect all the labeled intrusions (denial of service, port scanning, and data exfiltration) with very few false alerts.
