Graphical analysis of network traffic flows helps security analysts detect patterns or behaviors that would not be obvious in a text-based environment. The growing volume of network data generated and captured makes it increasingly difficult to detect sophisticated reconnaissance and stealthy network attacks. We propose a network flow filtering mechanism that leverages the exposure maps technique of Whyte et al. (2007), reducing the traffic passed to the visualization process according to the network services actually being offered. This allows focus to be limited to selected subsets of the network traffic, for example what might be categorized (correctly or otherwise) as the unexpected or potentially malicious portion. In particular, we use this technique to filter out traffic from sources that have not gained knowledge from the network in question. We evaluate the benefits of our technique on different visualizations of network flows. Our analysis shows a significant decrease in the volume of network traffic that is to be visualized, resulting in visible patterns and insights not previously apparent.
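As an added illustration (not the authors' code or the paper's implementation), the following Python sketch shows the exposure map idea the abstract describes: an exposure map is built from the (host, port) pairs that answered inbound requests, and flows are then kept or dropped depending on whether their source ever reached an exposed service. The flow records, field names and the `responded` flag are constructed assumptions, and the paper's exact filtering rules may differ.

```python
from collections import defaultdict

# Constructed sample flows (not from the paper). Each record is one inbound
# connection attempt seen at the monitored network's border; "responded"
# records whether the internal destination answered (e.g. with a SYN/ACK).
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 80,   "responded": True},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 443,  "responded": True},
    {"src": "203.0.113.9",  "dst": "10.0.0.5", "dport": 80,   "responded": True},
    {"src": "203.0.113.9",  "dst": "10.0.0.6", "dport": 22,   "responded": False},
    {"src": "203.0.113.9",  "dst": "10.0.0.7", "dport": 22,   "responded": False},
    {"src": "192.0.2.44",   "dst": "10.0.0.5", "dport": 8080, "responded": False},
    {"src": "192.0.2.44",   "dst": "10.0.0.6", "dport": 8080, "responded": False},
]


def build_exposure_map(flows):
    """(host, port) pairs that answered at least once: the services offered."""
    return {(f["dst"], f["dport"]) for f in flows if f["responded"]}


def classify_sources(flows, exposure_map):
    """Map each external source to True if any of its flows reached an
    exposed service (it 'gained knowledge' of the network), else False."""
    knows = defaultdict(bool)
    for f in flows:
        knows[f["src"]] |= (f["dst"], f["dport"]) in exposure_map
    return dict(knows)


def filter_flows(flows, exposure_map, keep_informed=True):
    """Reduce the flow set before visualization. With keep_informed=True the
    flows of sources that never reached an exposed service are dropped; with
    False only those sources' (unexpected, probe-like) flows are kept."""
    knows = classify_sources(flows, exposure_map)
    return [f for f in flows if knows[f["src"]] == keep_informed]


if __name__ == "__main__":
    emap = build_exposure_map(FLOWS)
    print("exposure map:", sorted(emap))
    print("flows kept:", len(filter_flows(FLOWS, emap)), "of", len(FLOWS))
```

On the sample data only two (host, port) pairs are exposed, so the informed-source view keeps 5 of 7 flows while the uninformed-source view keeps the 2 probes from 192.0.2.44.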

Additional Metadata
Persistent URL: dx.doi.org/10.1109/ACSAC.2008.16
Conference: 24th Annual Computer Security Applications Conference, ACSAC 2008
Citation: Alsaleh, M. (Mansour), Barrera, D. (David), & Van Oorschot, P. (2008). Improving security visualization with exposure map filtering. Presented at the 24th Annual Computer Security Applications Conference, ACSAC 2008. doi:10.1109/ACSAC.2008.16