observed by looking at the black rectangles in the images. From a kernel function perspective this means that the Aguri trees are thoroughly different, whereas a 'white' colour in the image means similar Aguri profiles.
Common attacks on honeypots are brute-force attacks against the honeypot, or attacks that compromise the honeypot in order to control the system or to scan and launch new attacks against other targets. In the graphical representation, four relevant patterns can be seen in Fig. 5 for the source profile (left). A manual exploration of the Netflow record data set shows that the three successive 'green' lines, annotated by 1, represent ssh brute-force attacks. At the bottom of the source profile representation, a 'coloured' line, annotated by 2, can be interpreted as scanning activity of the operated honeypot against other hosts. For these scanning activities it has been observed that attackers used nearly the full available bandwidth to scan entire sub-networks. The activities are visible because the scanning lasts over a longer time period, so that more successive Aguri profiles have similar structures.
The destination profile image (Fig. 5 right) gives a more fine-grained overview of the targets of the attacker. The same patterns as for the source profile on the left figure, annotated by 3 and 4, can be observed; they represent the communication intensity of both parties. Different patterns, such as the coloured segments (4), represent the duration of the attacker's stay at a dedicated target and the amount of exchanged traffic. Another observation is that dominant TCP sessions, like ssh brute-force attacks, are represented in intense colours, whereas scanning activities are represented by dark colours. This can be explained by the used kernel function, in which the topological kernel part dominates the volume/traffic part. It is shown that PeekKernelFlows can first detect anomalies through the evaluation of the kernel function and then easily represent them on the visual interface for the network operators.
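To make the colouring idea concrete, the following Python is an added illustration and not the PeekKernelFlows code described in this paper. It assumes a hypothetical kernel with a topological part (Jaccard overlap of the prefix nodes of two Aguri-style profiles) and a volume part (cosine similarity of per-prefix byte counts), weighted so that the topological part dominates, and maps the resulting value onto a grey RGB scale with black for dissimilar and white for similar successive profiles. The profile windows are constructed sample data, not the honeypot data set of the paper.

```python
"""Illustrative kernel-to-colour mapping for Aguri-style traffic profiles.

Added example; the kernel and the data below are hypothetical constructions
and not the PeekKernelFlows kernel or the honeypot data set of the paper.
"""
import math

# An Aguri profile is modelled as a mapping prefix -> byte count for one time window.
# Constructed sample data: a sustained ssh brute-force session keeps hitting the
# same prefixes with similar volume from window to window.
BRUTE_FORCE_WINDOWS = [
    {"10.0.0.0/24": 5000, "10.0.0.7/32": 48000},
    {"10.0.0.0/24": 5200, "10.0.0.7/32": 47000},
    {"10.0.0.0/24": 4900, "10.0.0.7/32": 48500},
]
# Constructed sample data: a scan keeps moving to new prefixes, so successive
# profiles share few nodes.
SCAN_WINDOWS = [
    {"192.0.2.0/24": 600, "192.0.2.0/26": 300},
    {"192.0.2.0/24": 600, "192.0.2.64/26": 300, "198.51.100.0/24": 600},
    {"198.51.100.0/24": 600, "198.51.100.128/25": 300, "203.0.113.0/24": 600},
]


def topological_kernel(a, b):
    """Hypothetical topological part: Jaccard overlap of the prefix nodes."""
    nodes_a, nodes_b = set(a), set(b)
    if not nodes_a and not nodes_b:
        return 1.0
    return len(nodes_a & nodes_b) / len(nodes_a | nodes_b)


def volume_kernel(a, b):
    """Hypothetical volume part: cosine similarity of byte counts per prefix."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def combined_kernel(a, b, w_topo=0.7):
    """Weighted sum in [0, 1]; w_topo > 0.5 makes the topological part dominant."""
    return w_topo * topological_kernel(a, b) + (1.0 - w_topo) * volume_kernel(a, b)


def kernel_to_rgb(k):
    """Map a kernel value in [0, 1] onto a grey RGB triple: 0 -> black, 1 -> white."""
    k = min(max(k, 0.0), 1.0)
    level = round(255 * k)
    return (level, level, level)


def colour_strip(windows, w_topo=0.7):
    """Colour of each successive pair of profiles, i.e. one rectangle per transition."""
    return [kernel_to_rgb(combined_kernel(windows[i], windows[i + 1], w_topo))
            for i in range(len(windows) - 1)]


if __name__ == "__main__":
    for name, windows in (("ssh brute force", BRUTE_FORCE_WINDOWS), ("scan", SCAN_WINDOWS)):
        print(name, colour_strip(windows))
```

Running the block prints one RGB triple per window transition; the brute-force strip comes out close to white and the scan strip dark, which matches the qualitative observation above that sustained TCP sessions stand out while scans stay dark. The page does not specify the paper's actual colour mapping or the tree-structured form of the kernel, so the grey scale and the flat prefix sets here are simplifications chosen for the example.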
4 Related Work
Netflow records are commonly used in network monitoring activities. One advantage is that they can be generated for most traffic types. Since most commercially available routers support Netflow export today, the cost of collecting them has been cut considerably. The main drawback of Netflow records is their storage, or the mechanisms needed for online analysis. Netflow sampling [7] partially solves this problem, but finding good sampling rates remains difficult. In the recent past, significant progress has been made in the evaluation of Netflow data: pure statistics have been replaced by more complex machine learning techniques such as Flow Mining [9] or kernel methods. The analysis of Netflow records is time-consuming, complex and error prone. To ease the network operator's duty, visualization is often used for the analysis of large-scale data. Goodall et al. [5] present a visualization tool for port usage, called FlowViz. Their tool uses a rectangle colouring technique, so the idea of rectangles is similar to ours, but we map a kernel value onto the RGB colour space. Mansmann et al. [6] use TreeMaps for their intrusion detection system evaluation.