row from the log file created by the intrusion software—that is, an
anomalous network event that could be related to an attack. There are 19
different types of links as indicated in the legend associated with Figure 9-4 .
Only about eight to ten colors can be reliably told apart when they are used
for thin lines, so line type (solid, dashed, wavy, zigzag, arrowed, and so on)
is combined with color to give every link type a unique appearance. Even
though there are three variations of purple lines, each one has a distinct
line type: dashed purple for Spoof, solid purple for Teardrop, and an
arrowed purple line for Timeout Error.
Figure 9-4: This graph of anomalous events on a computer network
shows nodes representing computers, and a wide variety of events
indicated by link color and line type.
You can see many different components in the resulting visualization. In
most components, all the links in that component are the same color. The
giant purple component consists of only two nodes and about 100 links,
all of the same type. Repetitive traffic like this may be anomalous to the
intrusion system but benign or expected by the network administrators
(perhaps some form of data update or a configured download script).
On the other hand, some components have multiple types of links. The large
component near the bottom left is shown larger in Figure 9-5. The triangle
near the center (128.70.100.158) is a potential attacker using multiple attack
types against different target computers (circles), along with potential
collaborators (other triangles). A single source that combines several attack
types against several targets is far more suspicious than a component
carrying only one kind of event.
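The two judgments made above (a component whose links are all one type is probably expected traffic; a single source using several attack types against several targets is suspect) can be computed directly from the log rather than only read off the picture. The following Python is an added example, not code from the book or from the intrusion-detection software it describes. It assumes a constructed log format of one "src,dst,event" row per alert; the address 128.70.100.158 is the one named in the text, all other addresses and the alert rows are made up for the example. It also includes the color-plus-line-type assignment the text describes, generalised to any number of event types up to the product of the two palettes.

```python
from collections import defaultdict

# Constructed sample rows in the shape "src,dst,event" (not real IDS output).
# 128.70.100.158 is the address named in the text; every other value is made up.
SAMPLE_LOG = (
    # Two hosts exchanging ~100 alerts of one type: the "giant purple component" case
    ["10.1.1.5,10.1.1.9,Teardrop"] * 100
    # One source using several attack types against several targets, plus a
    # possible collaborator hitting one of the same targets
    + [
        "128.70.100.158,10.2.0.11,Spoof",
        "128.70.100.158,10.2.0.12,Teardrop",
        "128.70.100.158,10.2.0.13,Timeout Error",
        "128.70.100.158,10.2.0.12,Spoof",
        "10.2.0.99,10.2.0.12,Spoof",
    ]
    # A small unrelated component carrying a single event type
    + ["10.3.0.1,10.3.0.2,Timeout Error", "10.3.0.2,10.3.0.3,Timeout Error"]
)


def parse_log(rows):
    """Parse 'src,dst,event' rows into (src, dst, event) tuples; skip blanks and comments."""
    edges = []
    for row in rows:
        row = row.strip()
        if not row or row.startswith("#"):
            continue
        src, dst, event = (field.strip() for field in row.split(",", 2))
        edges.append((src, dst, event))
    return edges


def connected_components(edges):
    """Undirected connected components of the host graph, as a list of node sets."""
    adj = defaultdict(set)
    for src, dst, _ in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, components = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:                      # iterative DFS, safe on large graphs
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        components.append(comp)
    return components


def summarize_components(edges):
    """Per component: its nodes, link count, distinct event types, and whether it is
    homogeneous (one event type), which the text treats as 'probably expected'."""
    summaries = []
    for comp in connected_components(edges):
        links = [e for e in edges if e[0] in comp]   # both endpoints lie in comp
        types = sorted({e[2] for e in links})
        summaries.append({"nodes": sorted(comp), "links": len(links),
                          "types": types, "homogeneous": len(types) == 1})
    return summaries


def flag_multi_attack_sources(edges, min_types=2, min_targets=2):
    """Sources that use at least min_types distinct event types against at least
    min_targets distinct targets: the 'triangle near the center' pattern."""
    by_src = defaultdict(lambda: {"types": set(), "targets": set()})
    for src, dst, event in edges:
        by_src[src]["types"].add(event)
        by_src[src]["targets"].add(dst)
    return {src: v for src, v in by_src.items()
            if len(v["types"]) >= min_types and len(v["targets"]) >= min_targets}


# Palette sizes are assumptions: ~8 distinguishable line colors, 4 line types.
COLORS = ["red", "green", "blue", "purple", "orange", "brown", "black", "cyan"]
STYLES = ["solid", "dashed", "dotted", "arrowed"]


def assign_line_encodings(event_types):
    """Give each event type a unique (color, line type) pair; colors cycle first,
    so the 9th type reuses the first color with the next line type."""
    limit = len(COLORS) * len(STYLES)
    encodings = {}
    for i, event in enumerate(sorted(set(event_types))):
        if i >= limit:
            raise ValueError("more event types than unique color/line-type pairs")
        encodings[event] = (COLORS[i % len(COLORS)], STYLES[i // len(COLORS)])
    return encodings


if __name__ == "__main__":
    edges = parse_log(SAMPLE_LOG)
    for summary in summarize_components(edges):
        print(summary)
    print("suspect sources:", flag_multi_attack_sources(edges))
    print(assign_line_encodings(e for _, _, e in edges))
```

Run stand-alone, the script prints three component summaries, one of them the 2-node, 100-link, single-type component, and flags only 128.70.100.158 as a source combining three event types against three targets. The thresholds in `flag_multi_attack_sources` are deliberately parameters: on a real network you would raise them until the flagged set is small enough to triage by hand.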