2.3 Visualizing Processed Netflow Records
The visualization task has two modules: the AguriViz module maps kernel
values into an image, and the AguriUI module is the user interface. The
main task is the mapping of a kernel function value $K_i$ onto an RGB-scheme
image. A vector v describing the traffic evolution is created and mapped into a
colored rectangle. The colour of the rectangle is a function over a kernel score
$K_i$, where the colour intensity describes the evolution of the network topology
and traffic load. An RGB [3] mapping function is used for the generation of
the image. The simplified RGB 3-byte scheme is used, where each byte stands
for a different colour. By this, a kernel value $K_i$ is mapped onto the RGB
scheme where the lower bits represent the colour 'blue', the next bits the colour
'green' and the higher bits the colour 'red'. The RGB mapping function $k_i$ is
defined as
$$k_i = \frac{k_i \cdot B}{(k_i \cdot B) \cdot 2^{24} + I} \qquad (4)$$
where $B$ is a brightness factor providing a higher decimal precision of a kernel
value $K_i$. $I$ is an intensity factor to linearly shift the kernel values in the RGB
space for better visibility. The rectangles are sequentially mapped onto the image,
which is defined as a 2-dimensional space having an $(x, y)$ coordinate system. The
rectangle has a size of $r \times r$ pixels. The first rectangle is located in the top left
corner of the image having coordinates $(x_0, y_0)$. The $i$-th rectangle is placed on
coordinates $(x_i + r, y_i)$. When inserting a line break, coordinates for $x$ are reset
to 0 and for $y$ are incremented by the rectangle height $r$. To have a current view
of the network traffic, a freshness parameter $\Gamma$ has been introduced for the image,
$$\Gamma = \eta \cdot \mathit{width} \cdot \mathit{height} \qquad (5)$$
where $\eta$ is the time window for exporting Aguri trees and height, width the image
size. This freshness parameter has been introduced because the data window size
impacts the image freshness: a small window means fresher images, whereas
for large data windows an image reflects a network evolution overview.
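The colour mapping and rectangle placement described above, as an added Python example that is not code from the original text. It assumes the scaled value is int(K · B) + I clamped to 24 bits, which is a reading of the stated roles of B and I rather than a transcription of equation (4); the function names, sample scores and PPM output are also assumptions.

```python
"""Added example: kernel scores -> coloured r x r rectangles (assumed scaling)."""

def kernel_to_rgb(K, B, I):
    # Assumption: scaled value is int(K * B) + I, clamped to the 24-bit RGB range.
    v = max(0, min(int(K * B) + I, 0xFFFFFF))
    # Byte order from the text: low byte blue, next byte green, high byte red.
    return (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF

def place(i, r, width):
    # First rectangle at (0, 0); each next one r pixels to the right; on a
    # line break x resets to 0 and y grows by the rectangle height r.
    per_row = width // r
    return (i % per_row) * r, (i // per_row) * r

def render(scores, B, I, r, width, height):
    # The text does not say what happens once the image is full, so refuse.
    capacity = (width // r) * (height // r)
    if len(scores) > capacity:
        raise ValueError("more rectangles than the image can hold")
    img = [[(0, 0, 0)] * width for _ in range(height)]
    for i, K in enumerate(scores):
        x0, y0 = place(i, r, width)
        colour = kernel_to_rgb(K, B, I)
        for y in range(y0, y0 + r):
            for x in range(x0, x0 + r):
                img[y][x] = colour
    return img

def to_ppm(img):
    # Binary PPM (P6) so the image can be viewed without extra libraries.
    header = f"P6\n{len(img[0])} {len(img)}\n255\n".encode()
    return header + bytes(c for row in img for px in row for c in px)

# Constructed kernel scores: a quiet profile, then a sharp change.
SCORES = [0.10, 0.11, 0.10, 0.92, 0.95, 0.12]

if __name__ == "__main__":
    image = render(SCORES, B=1_000_000, I=0x000040, r=4, width=12, height=8)
    with open("aguri_demo.ppm", "wb") as fh:
        fh.write(to_ppm(image))
```

With these constructed scores the fourth and fifth rectangles come out visibly different from their neighbours, which is the kind of abrupt change an operator would look for.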
The main interests are, first, to detect whether a host performs scanning on other
systems or whether there are dominant (e.g. an ssh brute-force attack) or
long-lasting TCP sessions on the network and, secondly, to get insights into the
traffic to a host.
The AguriUI module represents the outcomes of the AguriViz module on a
visual user interface. It shows the outcomes for the Aguri source profiles as well
as the outcomes for the destination profiles. Different configuration parameters
can be set on this interface by a network operator. The graphical
representation looks similar to a Self-Organizing Map, but is only a simple graphical
representation. A representation of the AguriUI module is shown in Fig. 2. The
different parameters can be adjusted by the network operator, like the
monitoring time for Aguri profiles ($\eta$), Brightness ($B$) or Intensity ($I$). Additionally,
statistical information in text form has been added.
 