VisFlowCluster-IP: Connectivity-based visual clustering of network hosts

Xiaoxin Yin; William Yurcik; Adam Slagell

doi:10.1007/0-387-33406-8_24

VisFlowCluster-IP: Connectivity-based visual clustering of network hosts

Xiaoxin Yin, William Yurcik, Adam Slagell

National Center for Supercomputing Applications (NCSA)

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

With the increasing number of hostile network attacks, anomaly detection for network security has become an urgent task. As there have not been highly effective solutions for automatic intrusion detection, especially for detecting newly emerging attacks, network traffic visualization has become a promising technique for assisting network administrators to monitor network traffic and detect abnormal behaviors. In this paper we present VisFlowCluster-IP, a powerful tool for visualizing network traffic flows using network logs. It models the network as a graph by modeling hosts as graph nodes. It utilizes the force model to arrange graph nodes on a two-dimensional space, so that groups of related nodes can be visually clustered in a manner apparent to human eyes. We also propose an automated method for finding clusters of closely connected hosts in the visualization space. We present three real cases that validate the effectiveness of VisFlowCluster-IP in identifying abnormal behaviors.

Original language	English (US)
Title of host publication	Security and Privacy in Dynamic Environments
Subtitle of host publication	Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden
Editors	Simone Fischer-Hubner, Stefan Lindskog, Guerin Lassous, Louise Yngstrom
Pages	284-295
Number of pages	12
DOIs	https://doi.org/10.1007/0-387-33406-8_24
State	Published - 2006

Publication series

Name	IFIP International Federation for Information Processing
Volume	201
ISSN (Print)	1571-5736

ASJC Scopus subject areas

Information Systems and Management

Access to Document

10.1007/0-387-33406-8_24

Fingerprint Dive into the research topics of 'VisFlowCluster-IP: Connectivity-based visual clustering of network hosts'. Together they form a unique fingerprint.

Cite this

Yin, X., Yurcik, W., & Slagell, A. (2006). VisFlowCluster-IP: Connectivity-based visual clustering of network hosts. In S. Fischer-Hubner, S. Lindskog, G. Lassous, & L. Yngstrom (Eds.), Security and Privacy in Dynamic Environments: Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden (pp. 284-295). (IFIP International Federation for Information Processing; Vol. 201). https://doi.org/10.1007/0-387-33406-8_24

VisFlowCluster-IP : Connectivity-based visual clustering of network hosts. / Yin, Xiaoxin; Yurcik, William; Slagell, Adam.

Security and Privacy in Dynamic Environments: Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden. ed. / Simone Fischer-Hubner; Stefan Lindskog; Guerin Lassous; Louise Yngstrom. 2006. p. 284-295 (IFIP International Federation for Information Processing; Vol. 201).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Yin, X, Yurcik, W & Slagell, A 2006, VisFlowCluster-IP: Connectivity-based visual clustering of network hosts. in S Fischer-Hubner, S Lindskog, G Lassous & L Yngstrom (eds), Security and Privacy in Dynamic Environments: Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden. IFIP International Federation for Information Processing, vol. 201, pp. 284-295. https://doi.org/10.1007/0-387-33406-8_24

Yin X, Yurcik W, Slagell A. VisFlowCluster-IP: Connectivity-based visual clustering of network hosts. In Fischer-Hubner S, Lindskog S, Lassous G, Yngstrom L, editors, Security and Privacy in Dynamic Environments: Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden. 2006. p. 284-295. (IFIP International Federation for Information Processing). https://doi.org/10.1007/0-387-33406-8_24

Yin, Xiaoxin ; Yurcik, William ; Slagell, Adam. / VisFlowCluster-IP : Connectivity-based visual clustering of network hosts. Security and Privacy in Dynamic Environments: Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden. editor / Simone Fischer-Hubner ; Stefan Lindskog ; Guerin Lassous ; Louise Yngstrom. 2006. pp. 284-295 (IFIP International Federation for Information Processing).

@inbook{de7b0c0906774fda9ca4732f471ca2db,

title = "VisFlowCluster-IP: Connectivity-based visual clustering of network hosts",

abstract = "With the increasing number of hostile network attacks, anomaly detection for network security has become an urgent task. As there have not been highly effective solutions for automatic intrusion detection, especially for detecting newly emerging attacks, network traffic visualization has become a promising technique for assisting network administrators to monitor network traffic and detect abnormal behaviors. In this paper we present VisFlowCluster-IP, a powerful tool for visualizing network traffic flows using network logs. It models the network as a graph by modeling hosts as graph nodes. It utilizes the force model to arrange graph nodes on a two-dimensional space, so that groups of related nodes can be visually clustered in a manner apparent to human eyes. We also propose an automated method for finding clusters of closely connected hosts in the visualization space. We present three real cases that validate the effectiveness of VisFlowCluster-IP in identifying abnormal behaviors.",

author = "Xiaoxin Yin and William Yurcik and Adam Slagell",

note = "Funding Information: As fully automated intrusion detection systems have not been able to provide a highly effective solution to protect network systems, humans are still in-the-loop of * This research was supported in part by a grant from the Office of Naval Research (ONR) under the auspices of the National Center for Advanced Secure Systems Research (NCASSR) <h ttp://www.ncassr.org>.",

year = "2006",

doi = "10.1007/0-387-33406-8_24",

language = "English (US)",

isbn = "038733405X",

series = "IFIP International Federation for Information Processing",

pages = "284--295",

editor = "Simone Fischer-Hubner and Stefan Lindskog and Guerin Lassous and Louise Yngstrom",

booktitle = "Security and Privacy in Dynamic Environments",

}

TY - CHAP

T1 - VisFlowCluster-IP

T2 - Connectivity-based visual clustering of network hosts

AU - Yin, Xiaoxin

AU - Yurcik, William

AU - Slagell, Adam

N1 - Funding Information: As fully automated intrusion detection systems have not been able to provide a highly effective solution to protect network systems, humans are still in-the-loop of * This research was supported in part by a grant from the Office of Naval Research (ONR) under the auspices of the National Center for Advanced Secure Systems Research (NCASSR) <h ttp://www.ncassr.org>.

PY - 2006

Y1 - 2006

N2 - With the increasing number of hostile network attacks, anomaly detection for network security has become an urgent task. As there have not been highly effective solutions for automatic intrusion detection, especially for detecting newly emerging attacks, network traffic visualization has become a promising technique for assisting network administrators to monitor network traffic and detect abnormal behaviors. In this paper we present VisFlowCluster-IP, a powerful tool for visualizing network traffic flows using network logs. It models the network as a graph by modeling hosts as graph nodes. It utilizes the force model to arrange graph nodes on a two-dimensional space, so that groups of related nodes can be visually clustered in a manner apparent to human eyes. We also propose an automated method for finding clusters of closely connected hosts in the visualization space. We present three real cases that validate the effectiveness of VisFlowCluster-IP in identifying abnormal behaviors.

AB - With the increasing number of hostile network attacks, anomaly detection for network security has become an urgent task. As there have not been highly effective solutions for automatic intrusion detection, especially for detecting newly emerging attacks, network traffic visualization has become a promising technique for assisting network administrators to monitor network traffic and detect abnormal behaviors. In this paper we present VisFlowCluster-IP, a powerful tool for visualizing network traffic flows using network logs. It models the network as a graph by modeling hosts as graph nodes. It utilizes the force model to arrange graph nodes on a two-dimensional space, so that groups of related nodes can be visually clustered in a manner apparent to human eyes. We also propose an automated method for finding clusters of closely connected hosts in the visualization space. We present three real cases that validate the effectiveness of VisFlowCluster-IP in identifying abnormal behaviors.

UR - http://www.scopus.com/inward/record.url?scp=33845521036&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33845521036&partnerID=8YFLogxK

U2 - 10.1007/0-387-33406-8_24

DO - 10.1007/0-387-33406-8_24

M3 - Chapter

AN - SCOPUS:33845521036

SN - 038733405X

SN - 9780387334059

T3 - IFIP International Federation for Information Processing

SP - 284

EP - 295

BT - Security and Privacy in Dynamic Environments

A2 - Fischer-Hubner, Simone

A2 - Lindskog, Stefan

A2 - Lassous, Guerin

A2 - Yngstrom, Louise

ER -