Immersive Network Monitoring
By summarizing the traffic from the internet at large to our open
network and reviewing it at speeds ranging from a fraction of
real-time to one hundred times real-time, we are able to examine an
entire day's traffic in less than an hour while being able to maintain
an intuitive understanding of where the traffic is coming from, the
time of day and traffic texture. We can easily recognize IP scans and
port scans as well as other suspicious activity such as unexpected
mixtures of port usage between the same two hosts. Basic drill-down
and filtering capability allows us to narrow down our view and see
only what we want or need to at any moment, supporting analysts in
following up a hint discovered by reviewing the day's traffic
summaries or the data itself with our tool.
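The scan and port-mixture patterns described above can be stated as simple heuristics over session summaries. The block below is an added example, not code from the poster or from LANL's monitoring system: its session record layout, the address ranges, the thresholds and the "service port" set are all constructed here for illustration, and the drill-down filter stands in for the tool's filtering capability.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed session-summary record (an assumption; the poster does not
# specify its session format). One record per observed session at the firewall.
@dataclass(frozen=True)
class Session:
    src: str      # originating host (usually external)
    dst: str      # destination host (usually internal)
    dport: int    # destination port
    start: float  # seconds since midnight
    nbytes: int   # bytes carried by the session


# Constructed sample traffic for one day (all addresses are documentation ranges).
SESSIONS = []
# a port scan: one external host touching 16 distinct ports on one internal host
SESSIONS += [Session("198.51.100.7", "10.0.1.5", p, 3600 + p, 60) for p in range(20, 36)]
# an IP scan: one external host touching port 22 on 12 internal hosts
SESSIONS += [Session("203.0.113.9", f"10.0.1.{h}", 22, 7200 + h, 60) for h in range(1, 13)]
# ordinary web traffic between one pair of hosts
SESSIONS += [Session("192.0.2.4", "10.0.1.5", 443, 8000 + i, 5000) for i in range(3)]
SESSIONS += [Session("192.0.2.4", "10.0.1.5", 80, 8100, 1200)]
# an odd mixture: web ports plus unrelated high ports between the same two hosts
SESSIONS += [Session("192.0.2.77", "10.0.1.8", p, 9000 + p, 300) for p in (80, 443, 6667, 31337)]

# Ports the analyst expects to see between an internal server and the outside
# (an assumed list for this example).
SERVICE_PORTS = frozenset({21, 22, 23, 25, 53, 80, 443})


def detect_port_scans(sessions, min_ports=10):
    """Return {(src, dst): port_count} for pairs where one source touched
    at least min_ports distinct destination ports on a single host."""
    ports = defaultdict(set)
    for s in sessions:
        ports[(s.src, s.dst)].add(s.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_ip_scans(sessions, min_hosts=10):
    """Return {(src, dport): host_count} for sources that touched the same
    port on at least min_hosts distinct destination hosts."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[(s.src, s.dport)].add(s.dst)
    return {key: len(h) for key, h in hosts.items() if len(h) >= min_hosts}


def unexpected_port_mixtures(sessions, service_ports=SERVICE_PORTS):
    """Return {(src, dst): [odd ports]} for host pairs that carry both
    well-known service traffic and traffic to ports outside that set."""
    ports = defaultdict(set)
    for s in sessions:
        ports[(s.src, s.dst)].add(s.dport)
    result = {}
    for pair, p in ports.items():
        odd = sorted(p - service_ports)
        if odd and (p & service_ports):
            result[pair] = odd
    return result


def filter_sessions(sessions, src=None, dst=None, dport=None,
                    start_from=None, start_to=None):
    """Drill-down: keep only the sessions matching every criterion given."""
    out = []
    for s in sessions:
        if src is not None and s.src != src:
            continue
        if dst is not None and s.dst != dst:
            continue
        if dport is not None and s.dport != dport:
            continue
        if start_from is not None and s.start < start_from:
            continue
        if start_to is not None and s.start > start_to:
            continue
        out.append(s)
    return out


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SESSIONS))
    print("IP scans:", detect_ip_scans(SESSIONS))
    print("odd port mixtures:", unexpected_port_mixtures(SESSIONS))
    # narrow the view to the first six hosts touched by the IP scanner
    narrowed = filter_sessions(SESSIONS, src="203.0.113.9", start_from=7200, start_to=7206)
    print("drill-down:", len(narrowed), "sessions")
```

The port-scan pair also shows up in the mixture report, since a sweep over ports 20 to 35 naturally includes both service and non-service ports; in practice an analyst would look at the scan report first and treat the mixture report as a second, finer filter over what remains.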
Why Immersive Visualization?
Graphs and charts such as logarithmic plots and strip charts of
traffic statistics have been put to good use in keeping track of
trends and understanding the general character of network traffic.
Only limited progress has been made in providing visual depictions of
the complex collections of information issuing from systems
monitoring network traffic. Various algorithmic techniques have been
used to reduce the amount of information to be reviewed. These
techniques primarily fall into the categories of statistical sampling
and integration. A global understanding of the data is thereby
offered at the expense of the detail. We have chosen to use the
richest visualization environment available to us today. We are not
only using three dimensional layouts of the data but we are embedding
them in a fully interactive, metaphorical world which evolves over
time. The amount of conceptual real estate available for encoding
the information increases manyfold, though at some risk of ambiguity
and some cost to clarity. Immersive, interactive, metaphorical
environments offer not only a great increase in richness but a
closer, more personal relationship to the data. We
are adding basic sound encoding of data as well to broaden and
reinforce the perceptual experience.
Approach
We are currently focusing on the exploration and analysis of Internet
traffic at the firewall of Los Alamos National Laboratory's open
network to aid in the task of network intrusion detection. The basic
approach we are taking is to simply map out the territory. Since this
is an abstract, virtual territory, we must first define a mapping from
the abstract world of fields of numerical values to a geometric layout
with glyphic representations. To motivate a specific geometric
layout, we sought an apt real-world metaphor for the task and domain
we are approaching. Considering that we are protecting our internal
network from intrusion by unknown external entities, we arrived
naturally at a model of self vs. other and defended territory. The
layout of the defended territory is motivated by the unbalanced
numbers involved (billions of IP addresses external to the network
versus hundreds or thousands of hosts in any typical Intranet). Our
goal in laying out these hosts and their interactions was both to use
the space available to us wisely so as to minimize occlusion and
overlap and to establish a relevant real-world metaphor. We arrived at a
space defense metaphor with the external IP space distributed
throughout a hemispherical shell and the internal space distributed on
the surface of a disk on the ground. The firewall, where the data is
gathered, is represented by a hemispherical shield. All traffic
measured at the firewall is between an internal host and an external
host and must pass through the firewall shield. Traffic between hosts
is drawn as physical packages or energy rays starting at the originating host
(usually external) and ending at the destination host (usually
internal) and passing through the firewall.
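The layout just described, as an added example that is not code from the poster or from the LANL/UNM visualization system: external addresses are spread over a hemispherical shell, internal hosts over a disk on the ground, and each session becomes a ray that is cut where it pierces the firewall shield. The radii, the internal prefix (10.0.0.0/16) and the particular angular arrangement are assumptions made here; the poster only states which surface each class of host occupies.

```python
import ipaddress
import math

# Assumed scene dimensions (the poster gives none).
R_EXTERNAL = 100.0   # radius of the hemispherical shell holding external IP space
R_SHIELD = 40.0      # radius of the hemispherical firewall shield
R_INTERNAL = 20.0    # radius of the ground disk holding internal hosts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")  # constructed internal prefix
GOLDEN_ANGLE = math.pi * (3.0 - math.sqrt(5.0))


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def external_position(ip):
    """Place an external IPv4 address on the upper hemisphere of radius R_EXTERNAL.
    The high 16 bits select azimuth and the low 16 bits select elevation, so
    addresses from the same /16 land close together on the shell (an assumed mapping)."""
    n = int(ipaddress.ip_address(ip))
    azimuth = 2.0 * math.pi * (n >> 16) / 65536.0
    elevation = (math.pi / 2.0) * (n & 0xFFFF) / 65536.0
    return (R_EXTERNAL * math.cos(elevation) * math.cos(azimuth),
            R_EXTERNAL * math.cos(elevation) * math.sin(azimuth),
            R_EXTERNAL * math.sin(elevation))


def internal_position(ip):
    """Place an internal host on the ground disk (z = 0) along a sunflower spiral
    over the host index, which spreads hosts evenly and limits overlap."""
    index = int(ipaddress.ip_address(ip)) - int(INTERNAL_NET.network_address)
    count = INTERNAL_NET.num_addresses
    radius = R_INTERNAL * math.sqrt((index + 0.5) / count)
    theta = index * GOLDEN_ANGLE
    return (radius * math.cos(theta), radius * math.sin(theta), 0.0)


def position(ip):
    return internal_position(ip) if is_internal(ip) else external_position(ip)


def dot(p, q):
    return sum(a * b for a, b in zip(p, q))


def norm(p):
    return math.sqrt(dot(p, p))


def shield_crossing(start, end):
    """Point where the straight ray from start to end pierces the shield, found
    by solving |start + t*(end - start)| = R_SHIELD for the root t in [0, 1]."""
    d = tuple(e - s for s, e in zip(start, end))
    a = dot(d, d)
    b = 2.0 * dot(start, d)
    c = dot(start, start) - R_SHIELD ** 2
    disc = b * b - 4.0 * a * c
    if disc < 0.0:
        return None  # the ray never reaches the shield
    roots = ((-b - math.sqrt(disc)) / (2.0 * a), (-b + math.sqrt(disc)) / (2.0 * a))
    for t in sorted(roots):
        if 0.0 <= t <= 1.0:
            return tuple(s + t * x for s, x in zip(start, d))
    return None  # both crossings lie outside the segment


def session_ray(src, dst):
    """Geometry for one session: origin, shield crossing and destination.
    Every session seen at the firewall joins an internal and an external host,
    so exactly one crossing exists; anything else is rejected."""
    start, end = position(src), position(dst)
    crossing = shield_crossing(start, end)
    if crossing is None:
        raise ValueError("session does not cross the firewall shield")
    return {"start": start, "crossing": crossing, "end": end}


if __name__ == "__main__":
    ray = session_ray("198.51.100.7", "10.0.1.5")
    for name, p in ray.items():
        print(f"{name:9s} r={norm(p):7.3f}  ({p[0]:8.3f}, {p[1]:8.3f}, {p[2]:8.3f})")
```

Rays in both directions are handled: an internal host answering outward starts inside the shield and the quadratic's larger root is the one that falls on the segment, while an inbound session uses the smaller root. A renderer would draw the segment in two pieces split at the crossing, which is what makes the shield read as the place where the data is gathered.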
Acknowledgements
This work is funded by the United States Department of Energy and
is the product of the efforts of LANL's Network Engineering Group
(CCN-5) and Decision Analysis (D) Division and the University of New
Mexico Albuquerque High Performance Computing Center (UNM AHPCC).
Primary contributors to the visualization work presented here are
Satyam Babu Kothapelly, Lisong Sun, Victor Vergera, Dr. Kenneth
L. Summers, Dr. Thomas P. Caudell of the UNM AHPCC, and Paul M. Weber,
and Steven A. Smith of LANL's D division. Data acquisition, analysis,
and retrieval were done by Paul Criscuolo, Mike Fisk, Tony Heaton,
Danny Quist, Ben Uphoff, and Ron Wilkins of the Network Engineering
Group (CCN-5).
Real-Time Measurement & Data Reduction
The session data presented visually is acquired using LANL-developed systems for capturing network traffic in real-time and producing session summary information containing both traffic statistics and heuristics describing directionality and protocol correctness.
Parallel Data Archival & Retrieval
With over a year of session data, the query and retrieval of network session information becomes a limiting factor in the ability of the user to explore and analyze data in real-time. DiSARM, our Distributed Signature and Anomaly Real-Time Monitoring system, provides parallelized data analysis, indexing, and query execution. We have created a tightly coupled integration of web-based information retrieval tools and the immersive visualization system.