[Figure 9.14 (continued), panel (c): histogram "Per-Hour Activity Around Day 290".]
[Figure 9.15, panel (a): histogram "Per-Minute Counts of (STATE==1) && (DP==5554)".]
Figure 9.15. Two- and three-dimensional histograms are the building blocks
for visual data exploration in network traffic analysis. Here we see evidence
of an organized scan: one or more remote hosts are probing sequential IP
addresses within a block of addresses, hoping to find a vulnerability. (a) This
histogram shows suspicious activity over a two-hour period at one-minute
temporal resolution. The spikes in this histogram correspond to the “sheets”
in the adjacent image. (b) A 3D histogram; the vertical axis is time, and the
other two axes are the C and D octets of the destination host address. The
“sheets” show that the remote host(s) are sweeping all IP addresses within a
given IP address space, which indicates that the attack is a scan.
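The two histograms described in the caption can be computed directly from connection records. The following is an added example, not code from the book: it builds the per-minute count for `(STATE==1) && (DP==5554)` and the time × C-octet × D-octet histogram, then flags minutes whose cells form a "sheet". The record layout, the 10.0.x.x addresses, the reading of DP as destination port, and the `min_run` threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

def make_flows():
    """Constructed sample records: (epoch_seconds, dst_ip, STATE, DP)."""
    flows = []
    for minute in range(10):  # background traffic, one matching record per minute
        flows.append((minute * 60 + 5, "10.0.3.7", 1, 443))
        flows.append((minute * 60 + 9, "10.0.1.20", 1, 5554))
    for c in (2, 3):  # scan burst in minute 4: every D octet of two C blocks
        for d in range(256):
            flows.append((4 * 60 + d % 60, f"10.0.{c}.{d}", 1, 5554))
    return flows

def histograms(flows, state=1, dport=5554):
    """Per-minute counts, plus per-minute counts by (C, D) destination octets,
    for records matching (STATE==state) && (DP==dport)."""
    per_minute = Counter()
    cells = defaultdict(Counter)
    for ts, dst, st, dp in flows:
        if st != state or dp != dport:
            continue
        minute = ts // 60
        _, _, c, d = (int(x) for x in dst.split("."))
        per_minute[minute] += 1
        cells[minute][(c, d)] += 1
    return per_minute, cells

def sheet_minutes(cells, min_run=64):
    """Flag minutes where one C octet has >= min_run consecutive D octets hit.
    min_run is an assumed threshold; returns {minute: longest run}."""
    flagged = {}
    for minute, hist in cells.items():
        by_c = defaultdict(set)
        for c, d in hist:
            by_c[c].add(d)
        best = 0
        for ds in by_c.values():
            run = 0
            for d in range(256):
                run = run + 1 if d in ds else 0
                best = max(best, run)
        if best >= min_run:
            flagged[minute] = best
    return flagged

if __name__ == "__main__":
    per_minute, cells = histograms(make_flows())
    print("per-minute counts:", dict(sorted(per_minute.items())))
    print("sheet minutes:", sheet_minutes(cells))
```

The spike in the per-minute count and the flagged minute coincide, which is the relationship the caption draws between panel (a) and the sheets in panel (b).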