VisFlowConnect-IP: A Link-Based Visualization of NetFlows
TRANSCRIPT
![Page 1: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/1.jpg)
William Yurcik<[email protected]>
National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign
FIRST’06 Baltimore Maryland USA
VisFlowConnect-IP: A Link-Based Visualization of NetFlows for Security Monitoring
![Page 2: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/2.jpg)
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering
• Summary
Slide 2/58
![Page 3: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/3.jpg)
• Motivation (current section)
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering
• Summary
Slide 3/58
![Page 4: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/4.jpg)
![Page 5: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/5.jpg)
![Page 6: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/6.jpg)
More Lessons Learned from Castles
• Even medieval castles have monitoring systems for their innermost keeps
• Internet security should be designed like a castle, with multiple layers of defenses that an attacker has to get through without being detected
  – Reduces the space of actions that an attacker can take and remain undetected
  – Components of a security monitoring framework can monitor each other
• Have clear observation points
  – Internet analogy: data sources and processing
Slide 6/58
![Page 7: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/7.jpg)
Fort McHenry
![Page 8: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/8.jpg)
OODA Loop
Slide 8/58
![Page 9: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/9.jpg)
OODA Loop for Internet Security
Data Sources (empirical, simulation, analytical)
Storage (distributed, fast, convenient)
Processing (computation, data analysis, discovery)
Human Collaboration (virtual presence, transparent)
Inferences for Action
Slide 9/58
![Page 10: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/10.jpg)
Visualization in OODA Loop
Data Sources (empirical, simulation, analytical)
Storage (distributed, fast, convenient)
Processing (computation, data analysis, discovery)
Visualization (display systems)
Human Collaboration (virtual presence, transparent)
Inferences for Action
Slide 10/58
![Page 11: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/11.jpg)
What is Visualization?
[Figure: a column of raw numbers (the data) is passed through a model to a visual representation and rendered as an image: Data → Model → Visual Representation → Image]
Slide 11/58
![Page 12: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/12.jpg)
Visualization Can Help
Empirical Data:
• Visual vs Numerical (Visual Wins!)*
• Visual vs Auditory (Visual Wins)*
• Visual vs Tactile (Visual Wins)*
• Visual Spatial vs Visual Color (Visual Spatial Wins!)*
* [Chris Wickens, National Academy of Sciences Workshop on Visualizing Uncertainty, March 3, 2005]
Slide 12/58
![Page 13: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/13.jpg)
Visualization Can Help (continued)
How?
1) See Previously Obscured Things
2) See New Things Faster ("I never saw that before")
3) Share Insights ("Do you see what I mean?")
Slide 13/58
![Page 14: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/14.jpg)
• Motivation
• Network Visualization for Security (current section)
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering
• Summary
Slide 14/58
![Page 15: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/15.jpg)
Current Net Vis Security Ops Tools
Slide 15/58
![Page 16: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/16.jpg)
Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/
screenshot: http://www.solaris4you.dk/sniffersSS.html
Slide 16/58
![Page 17: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/17.jpg)
Lumeta's Peacock Diagrams
Slide 17/58
![Page 18: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/18.jpg)
CAIDA's Walrus
Slide 18/58
![Page 19: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/19.jpg)
Research: Network Viz for Security
• Host-based approaches
  – Represent each host by a point
  – Fix each host at a certain position according to its IP
  – Visualize statistics of each host
• Link-based approaches
  – Represent each host by a point
  – Fix each host at a certain position according to its IP
  – Visualize traffic between hosts by linkages
Figure captions: (NVisionIP, NCSA) (Teoh et al., 2004) (Elisha, Teoh et al.)
Slide 19/58
![Page 20: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/20.jpg)
AT&T's Graphviz
Slide 20/58
![Page 21: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/21.jpg)
Graphviz again
Slide 21/58
![Page 22: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/22.jpg)
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP (current section)
• Use Examples
• Future Work: Link-Based Clustering
• Summary
Slide 22/58
![Page 23: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/23.jpg)
Our Design Goals
• Traffic dynamics over time
• Filtering
• Scalability
• Expose hidden structures & patterns for further investigation
Slide 23/58
![Page 24: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/24.jpg)
System Architecture
[Figure: NetFlow logs are read by an agent and reduced to traffic statistics per host (Host 1, Host 2, …, Host k); the host traffic statistics feed the visualization]
Slide 24/58
![Page 25: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/25.jpg)
Reading NetFlow Logs
• An agent reads the records (from a log file or a stream)
  – sends a record to VisFlowConnect-IP when requested
• Reorder NetFlow records with a record buffer
  – records are not strictly sorted by timestamp
  – a bounded record buffer re-sorts them before they are visualized
Slide 25/58
![Page 26: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/26.jpg)
VisFlowConnect-IP
Slide 26/58
![Page 27: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/27.jpg)
VisFlowConnect-IP Main View
[Figure: three parallel axes: an outside domains axis, the inside hosts axis, and a second outside domains axis, with flows drawn as links between them]
Slide 27/58
![Page 28: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/28.jpg)
VisFlowConnect-IP Internal View
[Figure: internal network sources on one axis, internal network receivers on the other]
Slide 28/58
![Page 29: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/29.jpg)
VisFlowConnect-IP Domain View
[Figure labels: NVisionIP, VisFlowConnect-IP]
see activity within an external network domain
Slide 29/58
![Page 30: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/30.jpg)
Creating Dynamic Animation
• Visualizing traffic statistics over time
  – update the visualization after each time unit
• How to arrange domains/hosts?
  – 100s of domains/hosts, added and removed over time
  – positioning should be fairly stable
• Solution: sort by IP
  – domains/hosts only move up or down as neighbours appear and disappear
Slide 30/58
![Page 31: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/31.jpg)
Time Window
• The user is usually interested in the most recent traffic (e.g., in the last minute or last hour)
• VisFlowConnect-IP only visualizes traffic in a user-adjustable time window
  – Update traffic statistics when
    • a record comes into the time window
    • a record goes out of the time window
Slide 31/58
![Page 32: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/32.jpg)
Time Dynamics
[Figure: time axis with the time window and the current timestamp marked; analog clock]
Slide 32/58
![Page 33: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/33.jpg)
Filtering/Highlighting Capability
• Approach
  – Filter out "good" traffic
    • User specifies a list of filters:
      +: (SrcIP=141.142.0.0−141.142.255.255), (SrcPort=1−1000)
      // keep all records from domain 141.142.x.x, from port 1 – 1000
      −: (SrcPort=80)
      −: (DstPort=80)
      // discard records of http traffic
  – Highlight "traffic of interest"
    • traffic colored by port
Slide 33/58
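The pipeline sketched on slides 25 through 33 (agent, record buffer, time window, +/− filter list, per-port highlighting) worked through in Python as an added example. This is not VisFlowConnect-IP's own code: the flat record layout, the use of 141.142.0.0/16 as the "inside" network, a /16 as the granularity of an outside "domain", the "lower port number is the service port" rule, and the precedence between + and − rules are all assumptions made here, and the records are constructed.

```python
"""Sliding-window link statistics over NetFlow-style records, with the slide's
+/- filter syntax and per-port highlighting. Added example, not VisFlowConnect-IP's code."""
import heapq
import ipaddress
import re
from collections import defaultdict, deque

# Assumption: NCSA's 141.142.0.0/16 (the range in the slide's filter) is the "inside" network.
INSIDE = ipaddress.ip_network("141.142.0.0/16")

# Constructed sample records, deliberately not in timestamp order:
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, bytes)
SAMPLE_RECORDS = [
    (100, "141.142.10.5", "64.233.1.7", 40000, 80, 1500),      # inside -> outside, http
    (103, "64.233.1.7", "141.142.10.5", 80, 40000, 9000),      # http reply
    (101, "141.142.44.21", "130.126.8.9", 22, 50000, 4000),    # out of order; src port 22
    (110, "130.126.8.9", "141.142.44.21", 50000, 22, 800),
    (112, "198.51.100.2", "141.142.44.21", 6667, 40001, 300),  # IRC server -> inside host
    (111, "141.142.44.22", "198.51.100.3", 40002, 6667, 200),  # out of order; inside -> IRC
    (170, "141.142.44.22", "198.51.100.3", 40003, 6667, 250),
]

SLIDE_RULES = """
+: (SrcIP=141.142.0.0-141.142.255.255), (SrcPort=1-1000)
// keep all records from domain 141.142.x.x, from port 1 - 1000
-: (SrcPort=80)
-: (DstPort=80)
// discard records of http traffic
"""
DROP_HTTP_RULES = "-: (SrcPort=80)\n-: (DstPort=80)\n"

_RULE_RE = re.compile(r"^\s*([+-])\s*:\s*(.*)$")
_COND_RE = re.compile(r"\((SrcIP|DstIP|SrcPort|DstPort)\s*=\s*([^)]+)\)")

def parse_rules(text):
    """Turn '+:'/'-:' lines into (keep, {field: (lo, hi)}); '//' starts a comment.
    A single value such as SrcPort=80 is the range (80, 80); '-' or U+2212 separates ranges."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.split("//")[0])
        if not m:
            continue
        conds = {}
        for field, value in _COND_RE.findall(m.group(2)):
            parts = re.split(r"\s*[-\u2212]\s*", value.strip())
            conv = (lambda s: int(ipaddress.ip_address(s))) if field.endswith("IP") else int
            conds[field] = (conv(parts[0]), conv(parts[-1]))
        rules.append((m.group(1) == "+", conds))
    return rules

def _fields(rec):
    _, src, dst, sport, dport, _ = rec
    return {"SrcIP": int(ipaddress.ip_address(src)), "DstIP": int(ipaddress.ip_address(dst)),
            "SrcPort": sport, "DstPort": dport}

def passes(rec, rules):
    """Assumed precedence (the slide shows only the syntax): a record is shown if it
    matches some '+' rule (when any exist) and matches no '-' rule."""
    f = _fields(rec)
    hit = lambda conds: all(lo <= f[k] <= hi for k, (lo, hi) in conds.items())
    keeps = [c for keep, c in rules if keep]
    if keeps and not any(hit(c) for c in keeps):
        return False
    return not any(hit(c) for keep, c in rules if not keep)

def reorder(records, buffer_size):
    """Record buffer: a bounded min-heap re-sorts records that are out of order by at
    most buffer_size positions; deeper disorder still comes out late."""
    heap = []
    for rec in records:
        heapq.heappush(heap, rec)
        if len(heap) > buffer_size:
            yield heapq.heappop(heap)
    while heap:
        yield heapq.heappop(heap)

def domain_of(addr):
    return str(ipaddress.ip_network(f"{addr}/16", strict=False))  # assumption: a "domain" is a /16

class LinkStats:
    """Bytes per (outside domain, inside host, direction) over the last `window` seconds.
    A record is counted when it enters the window and subtracted when it leaves."""
    def __init__(self, window):
        self.window = window
        self.active = deque()               # records currently inside the window, time-ordered
        self.bytes = defaultdict(int)       # (domain, host, direction) -> bytes
        self.port_bytes = defaultdict(int)  # (domain, host, direction, service_port) -> bytes

    def _link(self, rec):
        _, src, dst, sport, dport, _ = rec
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = min(sport, dport)            # assumption: the lower port is the service port
        if s in INSIDE and d not in INSIDE:
            return domain_of(d), src, "out", port
        if d in INSIDE and s not in INSIDE:
            return domain_of(s), dst, "in", port
        return None                         # inside-inside / outside-outside: not on the main view

    def _apply(self, rec, sign):
        link = self._link(rec)
        if link is not None:
            self.bytes[link[:3]] += sign * rec[5]
            self.port_bytes[link] += sign * rec[5]

    def add(self, rec):
        self.active.append(rec)
        self._apply(rec, +1)
        while self.active and self.active[0][0] < rec[0] - self.window:
            self._apply(self.active.popleft(), -1)   # record left the window: subtract it

    def links(self):
        return {k: v for k, v in self.bytes.items() if v > 0}

    def highlighted(self, ports):
        """Links carrying traffic on a highlighted port (the slide's 'traffic colored by port')."""
        return {k[:3] for k, v in self.port_bytes.items() if k[3] in ports and v > 0}

def run(records, rule_text, window, buffer_size=3):
    rules = parse_rules(rule_text)
    stats = LinkStats(window)
    for rec in reorder(records, buffer_size):
        if passes(rec, rules):
            stats.add(rec)
    return stats

if __name__ == "__main__":
    for link, nbytes in sorted(run(SAMPLE_RECORDS, DROP_HTTP_RULES, window=60).links().items()):
        print(link, nbytes)
```

With the slide's own rule list only the record whose source port is 22 from inside survives; with just the two http drop rules the window at t=170 still holds three links, and the out-of-order records (101 and 111) are placed correctly by the heap before they enter the window. Subtracting a record when it leaves the window is what keeps the update cost per record constant instead of recounting the whole window on every tick.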
![Page 34: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/34.jpg)
Highlighting "Traffic of Interest"
[Figure: screenshot with callouts for highlighted ports, File I/O, VCR controls, Net Domain, and a highlighted flow]
Slide 34/58
![Page 35: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/35.jpg)
Storing Traffic Statistics
• Store the traffic statistics involving each domain in a sorted tree
  – only the information necessary for visualization is stored
  – statistics for every domain or host can be updated efficiently
[Figure: sorted tree of domains, each node holding its host statistics]
Slide 35/58
![Page 36: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/36.jpg)
Scalability Experiments
[Figure: runtime & memory with respect to number of records; runtime & memory with respect to time window size]
Slide 36/58
![Page 37: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/37.jpg)
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples (current section)
• Future Work: Link-Based Clustering
• Summary
Slide 37/58
![Page 38: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/38.jpg)
Example 1: MS Blaster
• The MS Blaster worm causes infected machines to send out 92-byte packets to many machines
Slide 38/58
![Page 39: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/39.jpg)
Example 2: ?
multiple connections to NCSA cluster from same domain (scan?, DoS?)
Slide 39/58
![Page 40: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/40.jpg)
Example 2: ?
Source: consecutive IP addresses
Destination: consecutive IP addresses
multiple connections to NCSA cluster from same domain (scan?, DoS?)
Slide 40/58
![Page 41: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/41.jpg)
Example 2: Grid Networking
Source: consecutive IP addresses
Destination: consecutive IP addresses
cluster-to-cluster communications
multiple connections to NCSA cluster from same domain (scan?, DoS?)
Slide 41/58
![Page 42: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/42.jpg)
Example 3: ?
Slide 42/58
![Page 43: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/43.jpg)
Example 3: ?
NCSA web servers
Slide 43/58
![Page 44: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/44.jpg)
Example 3: Web Crawlers
multiple crawlers indexing NCSA web server content
[Figure labels: NCSA web servers, Web crawlers]
Slide 44/58
![Page 45: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/45.jpg)
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering (current section)
• Summary
Slide 45/58
![Page 46: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/46.jpg)
Visual Clustering of Hosts
• Visual clustering of hosts by link analysis
  – represent each host by a point
  – arrange hosts so that related hosts are clustered
Slide 46/58
![Page 47: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/47.jpg)
Relationships between Hosts
• Direct communications
  – traffic intensity between two hosts
• Indirect communications
  – e.g., two basketball fans who visit the same sites
• Port Activity (Services)
  – e.g., web servers/surfers, IRC
[Figure labels: NBA, NCAA, ESPN, IRC, IRC]
Slide 47/58
![Page 48: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/48.jpg)
Initialization of Nodes
Colored points represent internal hosts, and gray points represent external ones. The size of a point is proportional to the logarithm of the traffic volume involving that host.
Slide 48/58
![Page 49: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/49.jpg)
Identifying Clusters
• A cluster is a dense region in the visualization space
  – divide the space into many small grid cells
  – run DBSCAN to find the dense cells
  – highlight the dense cells and connect adjacent ones
Slide 49/58
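The node initialization of slide 48 and the grid/DBSCAN step of slide 49, as an added Python example (not the project's code). The host coordinates are constructed; the link-based layout that would place them is not specified on these slides, and the cell size, the density threshold and the 141.142.0.0/16 inside range are assumed parameters. Border handling follows DBSCAN: a host in a sparse cell next to a dense cell joins that cluster, everything else is noise.

```python
"""Grid-based density clustering of hosts in the visualization plane, following the
slide's description (grid cells + DBSCAN-style dense-region growth). Added example."""
import ipaddress
import math
from collections import defaultdict, deque

INSIDE = ipaddress.ip_network("141.142.0.0/16")  # assumption: NCSA range from the slides

# Constructed sample: host -> (x, y, bytes). Coordinates are made up; in the tool they
# would come from the link-based layout step, which the slides do not specify.
SAMPLE_HOSTS = {
    "141.142.44.20": (1.0, 1.0, 2_000_000),
    "141.142.44.21": (1.2, 1.1, 1_500_000),
    "141.142.44.22": (1.1, 1.3, 3_000_000),
    "141.142.44.23": (0.9, 1.2, 900_000),    # sparse cell bordering the dense one
    "141.142.44.24": (1.3, 0.9, 1_200_000),  # sparse cell bordering the dense one
    "10.20.30.40": (5.0, 5.0, 50_000),       # isolated external host
    "10.20.30.41": (7.5, 2.0, 70_000),
    "141.142.10.5": (8.0, 8.0, 400_000),     # internal but isolated
}

def node_style(host, volume):
    """Slide 48: internal hosts coloured, external hosts gray; size grows with log(traffic)."""
    colour = "green" if ipaddress.ip_address(host) in INSIDE else "gray"
    return colour, round(2.0 + math.log10(volume + 1), 2)

def _neighbours(cell):
    cx, cy = cell
    return [(cx + dx, cy + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)]

def grid_clusters(hosts, cell_size=0.5, min_pts=3):
    """A cell is dense (a DBSCAN core) if it holds >= min_pts hosts. A cluster is an
    8-connected group of dense cells; hosts in a sparse cell adjacent to a dense cell are
    border members; everything else is noise. Returns (clusters, noise), both sorted."""
    cells = defaultdict(list)
    for host, (x, y, _) in hosts.items():
        cells[(math.floor(x / cell_size), math.floor(y / cell_size))].append(host)
    dense = {c for c, members in cells.items() if len(members) >= min_pts}

    cluster_of = {}                        # dense cell -> cluster index
    for start in sorted(dense):
        if start in cluster_of:
            continue
        idx = len(set(cluster_of.values()))
        queue = deque([start])
        cluster_of[start] = idx
        while queue:                       # grow the cluster through adjacent dense cells
            for n in _neighbours(queue.popleft()):
                if n in dense and n not in cluster_of:
                    cluster_of[n] = idx
                    queue.append(n)

    n_clusters = len(set(cluster_of.values()))
    clusters, noise = [[] for _ in range(n_clusters)], []
    for c, members in cells.items():
        owner = cluster_of.get(c)
        if owner is None:                  # border cell: join an adjacent dense cell's cluster
            owner = next((cluster_of[n] for n in _neighbours(c) if n in cluster_of), None)
        (clusters[owner] if owner is not None else noise).extend(members)
    return [sorted(m) for m in clusters], sorted(noise)

if __name__ == "__main__":
    groups, lone = grid_clusters(SAMPLE_HOSTS)
    for i, g in enumerate(groups):
        print(f"cluster {i}: {g}")
    print("noise:", lone)
```

On the constructed input the five 141.142.44.2x hosts end up in one cluster (three share a dense cell, two sit in adjacent sparse cells) and the three scattered hosts are noise, which is the kind of grouping slide 50 describes for the 141.142.44.2x nodes. The cell size and min_pts trade sensitivity against false groupings exactly as eps and minPts do in point-based DBSCAN.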
![Page 50: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/50.jpg)
2003-10-03, 1–2pm
These green nodes are from 141.142.44.2x, which should be a cluster. They have much traffic on port 90.
[Figure label: 90]
Slide 50/58
![Page 51: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/51.jpg)
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering
• Summary (current section)
Slide 51/58
![Page 52: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/52.jpg)
Summary
• VisFlowConnect-IP can visualize traffic in near-realtime for security monitoring purposes
• VisFlowConnect-IP is being ported to other specialized security domains
  – storage systems, Linux clusters, etc.
• Distribution Website: <http://security.ncsa.uiuc.edu/distribution/VisFlowConnectDownLoad.html>
• Publications: <http://www.ncassr.org/projects/sift/papers/>
Slide 52/58
![Page 53: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/53.jpg)
VizSEC Workshops
<http://www.projects.ncassr.org/sift/vizsec/>
Slide 53/58
![Page 54: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/54.jpg)
References
• William Yurcik, "Visualizing NetFlows for Security at Line Speed: The SIFT Tool Suite," 19th USENIX Large Installation System Administration Conference (LISA), San Diego, CA USA, 2005.
• Xiaoxin Yin, William Yurcik, and Adam Slagell, "VisFlowConnect-IP: An Animated Link Analysis Tool for Visualizing Netflows," FLOCON - Network Flow Analysis Workshop, Pittsburgh PA USA, 2005.
• Xiaoxin Yin, William Yurcik, and Adam Slagell, "The Design of VisFlowConnect-IP: a Link Analysis System for IP Security Situational Awareness," 3rd IEEE Intl. Workshop on Information Assurance (IWIA), University of Maryland USA, 2005.
• Xiaoxin Yin, William Yurcik, Michael Treaster, Yifan Li, and Kiran Lakkaraju, "VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness," CCS Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC) held in conjunction with the 11th ACM Conf. on Computer and Communications Security, 2004.
• Xiaoxin Yin, William Yurcik, Yifan Li, Kiran Lakkaraju, and Cristina Abad, "VisFlowConnect: Providing Security Situational Awareness by Visualizing Network Traffic Flows," 23rd IEEE Intl. Performance Computing and Communications Conference (IPCCC), 2004.
• Cristina Abad, Yifan Li, Kiran Lakkaraju, Xiaoxin Yin, and William Yurcik, "Correlation Between NetFlow System and Network Views for Intrusion Detection," Workshop on Link Analysis, Counter-terrorism, and Privacy held in conjunction with the SIAM International Conference on Data Mining (ICDM), 2004.
Slide 54/58
![Page 55: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/55.jpg)
VisFlowConnect-IP
<http://security.ncsa.uiuc.edu/distribution/VisFlowConnectDownLoad.html>
Q & A
Slide 55/58
![Page 56: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/56.jpg)
Disclaimer:
• This material is, in part, based upon work supported by the Office of Naval Research.
• Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research.
Slide 56/58
![Page 57: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/57.jpg)
![Page 58: VisFlowConnect-IP : A Link-Based Visualization of NetFlows](https://reader036.vdocuments.mx/reader036/viewer/2022062303/62a5f11e525b0e1e877a5a18/html5/thumbnails/58.jpg)
NetFlows for Security
NetFlows can identify connection-oriented attacks like DoS, DDoS, malware distribution, worm scanning, etc.
• How many users are on the network at any given time? (upgrades)
• Top N talkers? Top N destination ports?
• How long do users surf?
• Where do they go? Where did they come from?
• Are users following the security policy?
• Is there traffic to vulnerable hosts?
• Can you identify and block bad guys?
Slide 58/58