Los Alamos National Laboratory

LANL: Network Engineering Research



Immersive Network Monitoring

By summarizing the traffic between the Internet at large and our open network and replaying it at speeds ranging from a fraction of real time to one hundred times real time, we can review an entire day's traffic in less than an hour while keeping an intuitive sense of where the traffic comes from, the time of day, and the traffic's texture. IP scans and port scans stand out readily, as does other suspicious activity such as an unexpected mixture of ports in use between the same two hosts. Basic drill-down and filtering lets us narrow the view to only what we need at any moment, so an analyst can follow up a hint found in the day's traffic summaries, or in the data itself, with the same tool.

Why Immersive Visualization?

Graphs and charts such as logarithmic plots and strip charts of traffic statistics have served well for tracking trends and understanding the general character of network traffic. Far less progress has been made on visual depictions of the complex collections of information that traffic-monitoring systems produce. Various algorithmic techniques, chiefly statistical sampling and integration, have been used to reduce the amount of information to review; they offer a global understanding of the data at the expense of detail. We have chosen to use the richest visualization environment available to us today: not only three-dimensional layouts of the data, but layouts embedded in a fully interactive, metaphorical world that evolves over time. The amount of conceptual real estate available for encoding information increases many times over, though at some risk to clarity through ambiguity. Immersive, interactive, metaphorical environments offer not only far greater richness but a closer, more personal relationship to the data. We are also adding basic sound encoding of the data to broaden and reinforce the perceptual experience.

Approach

We are currently focusing on the exploration and analysis of Internet traffic at the firewall of Los Alamos National Laboratory's open network, to aid the task of network intrusion detection. Our basic approach is simply to map out the territory. Since this is an abstract, virtual territory, we must first define a mapping from fields of numerical values to a geometric layout with glyphic representations. To motivate a specific layout we sought an apt real-world metaphor for the task and domain. Since we are protecting our internal network from intrusion by unknown external entities, we arrived naturally at a model of self versus other and of defended territory. The layout of the defended territory is driven by the unbalanced numbers involved: billions of IP addresses outside the network versus hundreds or thousands of hosts in a typical intranet. In laying out these hosts and their interactions we wanted both to use the available space wisely, minimizing occlusion and overlap, and to establish a relevant real-world metaphor. We arrived at a space-defense metaphor, with the external IP space distributed throughout a hemispherical shell and the internal address space distributed on the surface of a disk on the ground. The firewall, where the data is gathered, is represented by a hemispherical shield between the two. All traffic measured at the firewall is between an internal host and an external host and must pass through the firewall shield. Traffic between hosts is drawn as physical packages or energy rays that start at the originating host (usually external), pass through the firewall, and end at the destination host (usually internal).
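The mapping described above, written out as an added example; this is not the Laboratory's visualization code. The radii of the disk, shield and shell, the choice of address bits that set the angles, and the sunflower spiral used to spread internal hosts over the disk are all assumptions made for illustration.

```python
"""Geometric layout for the self-versus-other "space defense" metaphor. Added example,
not the Laboratory's visualization code: the radii, the choice of address bits for the
angles and the sunflower spiral on the disk are assumptions made for illustration."""
import ipaddress
import math

DISK_RADIUS = 1.0                     # internal hosts lie on this disk at z = 0
SHIELD_RADIUS = 2.0                   # the firewall, a hemispherical shield of this radius
SHELL_INNER, SHELL_OUTER = 3.0, 4.0   # external addresses fill this hemispherical shell

def external_position(ip):
    """Point in the shell for an external IPv4 address: the /16 prefix picks the
    azimuth so neighbouring networks cluster, the third octet picks the elevation
    above the horizon and the last octet picks the depth within the shell."""
    n = int(ipaddress.ip_address(ip))
    azimuth = (n >> 16) / 65536 * 2 * math.pi
    elevation = ((n >> 8) & 0xFF) / 256 * (math.pi / 2)
    r = SHELL_INNER + (n & 0xFF) / 256 * (SHELL_OUTER - SHELL_INNER)
    return (r * math.cos(elevation) * math.cos(azimuth),
            r * math.cos(elevation) * math.sin(azimuth),
            r * math.sin(elevation))

def internal_position(index, total):
    """Place internal host `index` of `total` on the ground disk along a sunflower
    (golden-angle) spiral, which spreads points evenly and keeps glyphs from overlapping."""
    golden_angle = math.pi * (3 - math.sqrt(5))
    r = DISK_RADIUS * math.sqrt((index + 0.5) / total)
    return (r * math.cos(index * golden_angle), r * math.sin(index * golden_angle), 0.0)

def shield_crossing(src, dst):
    """Where the straight ray from src to dst pierces the shield: the smallest t in [0, 1]
    with |src + t*(dst - src)| = SHIELD_RADIUS, or None if the segment misses it."""
    d = [b - a for a, b in zip(src, dst)]
    qa = sum(x * x for x in d)
    qb = 2 * sum(s * x for s, x in zip(src, d))
    qc = sum(s * s for s in src) - SHIELD_RADIUS ** 2
    disc = qb * qb - 4 * qa * qc
    if qa == 0 or disc < 0:
        return None
    for t in sorted(((-qb - math.sqrt(disc)) / (2 * qa), (-qb + math.sqrt(disc)) / (2 * qa))):
        if 0.0 <= t <= 1.0:
            return tuple(s + t * x for s, x in zip(src, d))
    return None

def radius(p):
    return math.sqrt(sum(x * x for x in p))

def azimuth(p):
    return math.atan2(p[1], p[0])

if __name__ == "__main__":
    src = external_position("203.0.113.5")
    dst = internal_position(7, 200)
    print(src, dst, shield_crossing(src, dst))
```

Because every external point sits outside the shield and every internal point inside it, a ray between the two always pierces the shield exactly once, and `shield_crossing` gives the spot where the firewall glyph for that session belongs. Using the high-order address bits for the azimuth is what makes a scan sweeping a /16 appear as a cluster of rays from one patch of sky rather than as scattered points.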


Acknowledgements

This work is funded by the United States Department of Energy and is the product of the efforts of LANL's Network Engineering Group (CCN-5) and Decision Analysis (D) Division and the University of New Mexico Albuquerque High Performance Computing Center (UNM AHPCC). Primary contributors to the visualization work presented here are Satyam Babu Kothapelly, Lisong Sun, Victor Vergera, Dr. Kenneth L. Summers, and Dr. Thomas P. Caudell of the UNM AHPCC, and Paul M. Weber and Steven A. Smith of LANL's D Division. Data acquisition, analysis, and retrieval were done by Paul Criscuolo, Mike Fisk, Tony Heaton, Danny Quist, Ben Uphoff, and Ron Wilkins of the Network Engineering Group (CCN-5).

Real-Time Measurement & Data Reduction

The session data presented visually is acquired using LANL-developed systems that capture network traffic in real time and produce session summary information containing both traffic statistics and heuristics describing directionality (which endpoint initiated the session) and protocol correctness.
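The following is an added example, not LANL's capture system, of what such a session summary and the scan checks mentioned under Immersive Network Monitoring can look like: packets are folded into bidirectional sessions, the initiator is identified from the first bare SYN, each session is graded for protocol correctness, and the summaries are then scanned for port scans, IP scans and unexpected port mixtures between one pair of hosts. The packet records, the 10.0.0.0/8 internal range, the set of expected service ports and the thresholds are all constructed for the illustration.

```python
"""Session summaries with directionality and protocol-correctness heuristics, and the
scan checks run over them. Added example, not LANL's capture system; the packets,
the 10.0.0.0/8 internal range, the expected-port set and thresholds are constructed."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
EXPECTED_SERVICES = {80, 443}                    # assumed normal inbound service ports

# Constructed packet records: (time, src, sport, dst, dport, tcp_flags)
PACKETS = [
    # ordinary web session with a full handshake
    (1.0, "203.0.113.5", 40001, "10.0.0.10", 80, "S"),
    (1.1, "10.0.0.10", 80, "203.0.113.5", 40001, "SA"),
    (1.2, "203.0.113.5", 40001, "10.0.0.10", 80, "A"),
    # port scan: one external host, one internal host, ten ports, nothing answered
    *[(2.0 + i / 10, "198.51.100.7", 50000 + i, "10.0.0.10", p, "S")
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389])],
    # IP scan: one external host, one port, eight internal hosts, nothing answered
    *[(3.0 + i / 10, "198.51.100.9", 51000 + i, f"10.0.0.{20 + i}", 445, "S")
      for i in range(8)],
    # unexpected port mixture: the same pair completes sessions on 80 and on 23
    (4.0, "192.0.2.44", 42000, "10.0.0.30", 80, "S"),
    (4.1, "10.0.0.30", 80, "192.0.2.44", 42000, "SA"),
    (4.2, "192.0.2.44", 42000, "10.0.0.30", 80, "A"),
    (4.5, "192.0.2.44", 42001, "10.0.0.30", 23, "S"),
    (4.6, "10.0.0.30", 23, "192.0.2.44", 42001, "SA"),
    (4.7, "192.0.2.44", 42001, "10.0.0.30", 23, "A"),
    # protocol violation: SYN and FIN set together
    (5.0, "192.0.2.99", 43000, "10.0.0.10", 80, "SF"),
]

@dataclass
class Session:
    initiator: str
    responder: str
    service_port: int
    first: float
    last: float
    flags_fwd: set = field(default_factory=set)   # flag strings sent by the initiator
    flags_rev: set = field(default_factory=set)   # flag strings sent by the responder
    status: str = "unknown"

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def classify(s):
    """Protocol-correctness heuristic for one TCP session."""
    if any({"S", "F"} <= set(f) or {"S", "R"} <= set(f) for f in s.flags_fwd | s.flags_rev):
        return "bad-flags"    # SYN together with FIN or RST is never legitimate
    if "S" in s.flags_fwd and "SA" in s.flags_rev and s.flags_fwd & {"A", "PA"}:
        return "complete"     # handshake seen, each step in the expected direction
    if "S" in s.flags_fwd and not s.flags_rev:
        return "half-open"    # SYN never answered: the signature of a probe
    return "partial"

def build_sessions(packets):
    """Fold packets into bidirectional sessions keyed on the unordered endpoint pair."""
    groups = defaultdict(list)
    for pkt in sorted(packets):
        groups[frozenset([(pkt[1], pkt[2]), (pkt[3], pkt[4])])].append(pkt)
    sessions = []
    for pkts in groups.values():
        _, src0, sp0, dst0, dp0, _ = pkts[0]
        syns = [p for p in pkts if p[5] == "S"]
        if syns:                 # directionality: the sender of the first bare SYN initiated
            initiator, responder, port = syns[0][1], syns[0][3], syns[0][4]
        elif sp0 < dp0:          # fallback: treat the lower port as the service (assumption)
            initiator, responder, port = dst0, src0, sp0
        else:
            initiator, responder, port = src0, dst0, dp0
        s = Session(initiator, responder, port, pkts[0][0], pkts[-1][0])
        for _, src, _, _, _, flags in pkts:
            (s.flags_fwd if src == initiator else s.flags_rev).add(flags)
        s.status = classify(s)
        sessions.append(s)
    return sessions

def summarize(sessions):
    return dict(Counter(s.status for s in sessions))

def detect(sessions, scan_threshold=5):
    """Port scans, IP scans and unexpected port mixtures among inbound sessions."""
    by_pair, by_init_port = defaultdict(list), defaultdict(set)
    for s in sessions:
        if is_internal(s.initiator) or not is_internal(s.responder):
            continue             # inbound only: external initiator, internal responder
        by_pair[(s.initiator, s.responder)].append(s)
        by_init_port[(s.initiator, s.service_port)].add(s.responder)
    port_scans, mixed = [], []
    for (ini, rsp), ss in by_pair.items():
        ports = {s.service_port for s in ss}
        if len(ports) >= scan_threshold and 2 * sum(s.status == "half-open" for s in ss) >= len(ss):
            port_scans.append((ini, rsp, len(ports)))
        elif len(ports) > 1 and all(s.status == "complete" for s in ss) and not ports <= EXPECTED_SERVICES:
            mixed.append((ini, rsp, sorted(ports)))
    ip_scans = [(ini, port, len(h)) for (ini, port), h in by_init_port.items() if len(h) >= scan_threshold]
    return {"port_scans": port_scans, "ip_scans": ip_scans, "mixed_ports": mixed}
```

The point of grading sessions before looking for scans is that the directionality and correctness labels carry most of the signal: a block of half-open sessions from one initiator is a probe regardless of which ports it touched, while a pair of hosts that completes handshakes on both a web port and telnet is the "unexpected mixture" worth a drill-down even though neither session is malformed.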

Parallel Data Archival & Retrieval

With over a year of session data on hand, the query and retrieval of network session information becomes the limiting factor in the user's ability to explore and analyze data interactively. DiSARM, our Distributed Signature and Anomaly Real-Time Monitoring system, provides parallelized data analysis, indexing, and query execution. We have tightly integrated its web-based information retrieval tools with the immersive visualization system.
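An added illustration of the partitioned index such a retrieval layer needs in order to keep a query over a year of sessions cheap; it is not DiSARM's implementation, which the page does not describe. Session rows are sharded by start time, each shard keeps inverted indexes by host and by service port, and a query is scattered only to the shards overlapping its time window. The shard size, the record layout and the sample records are assumptions.

```python
"""Time-sharded index over session summaries with scatter/gather queries. Added
illustration, not DiSARM's implementation (the page does not describe one); the
shard size, the record layout and the sample records are assumptions."""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

SHARD_SECONDS = 3600   # one shard per hour of session start times (assumption)

# Constructed session summaries: (start_time, initiator, responder, service_port, status)
SESSIONS = [
    (   10.0, "198.51.100.7", "10.0.0.10", 22, "half-open"),
    (  600.0, "203.0.113.5", "10.0.0.10", 80, "complete"),
    ( 3700.0, "198.51.100.7", "10.0.0.11", 22, "half-open"),
    ( 7300.0, "192.0.2.44", "10.0.0.30", 23, "complete"),
    (90000.0, "198.51.100.7", "10.0.0.12", 22, "half-open"),
]

class Shard:
    """Rows of one time window plus inverted indexes by host and by service port."""
    def __init__(self):
        self.rows = []
        self.by_ip = defaultdict(list)
        self.by_port = defaultdict(list)

    def add(self, row):
        i = len(self.rows)
        self.rows.append(row)
        self.by_ip[row[1]].append(i)      # indexed under both endpoints
        self.by_ip[row[2]].append(i)
        self.by_port[row[3]].append(i)

    def query(self, ip=None, port=None):
        """Intersect the posting lists for the given predicates; no predicate means all rows."""
        hits = None
        if ip is not None:
            hits = set(self.by_ip.get(ip, ()))
        if port is not None:
            p = set(self.by_port.get(port, ()))
            hits = p if hits is None else hits & p
        return [self.rows[i] for i in sorted(hits if hits is not None else range(len(self.rows)))]

class SessionIndex:
    def __init__(self, shard_seconds=SHARD_SECONDS):
        self.shard_seconds = shard_seconds
        self.shards = {}

    def add(self, row):
        self.shards.setdefault(int(row[0] // self.shard_seconds), Shard()).add(row)

    def query(self, t0, t1, ip=None, port=None, workers=4):
        """Scatter the query to every shard overlapping [t0, t1), gather in time order."""
        ss = self.shard_seconds
        keys = [k for k in sorted(self.shards) if k * ss < t1 and (k + 1) * ss > t0]
        with ThreadPoolExecutor(max_workers=workers) as pool:
            parts = list(pool.map(lambda k: self.shards[k].query(ip, port), keys))
        return [r for part in parts for r in part if t0 <= r[0] < t1]

def build_index(rows, shard_seconds=SHARD_SECONDS):
    idx = SessionIndex(shard_seconds)
    for row in rows:
        idx.add(row)
    return idx
```

With real volumes the shards would live on separate nodes and the scatter step would be a remote call, but the shape is the same: the time window prunes shards before any work is done, and within a shard the posting-list intersection answers "this external host against this port" without touching rows that match neither predicate.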

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

© Copyright 2006-7 Los Alamos National Security, LLC. All rights reserved.