Preserving the big picture: Visual network traffic analysis with TNV

John R. Goodall; Wayne G. Lutters; Penny Rheingans; Anita Komlodi

doi:10.1109/VIZSEC.2005.1532065

Preserving the big picture: Visual network traffic analysis with TNV

John R. Goodall, Wayne G. Lutters, Penny Rheingans, Anita Komlodi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

88 Scopus citations

Abstract

When performing packet-level analysis in intrusion detection, analysts often lose sight of the "big picture" while examining these low-level details. In order to prevent this loss of context and augment the available tools for intrusion detection analysis tasks, we developed an information visualization tool, the Time-based Network traffic Visualizer (TNV). TNV is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance of context and time in the process of intrusion detection analysis. The main visual component of TNV is a matrix showing network activity of hosts over time, with connections between hosts superimposed on the matrix, complemented by multiple, linked views showing port activity and the details of the raw packets. Providing low-level textual data in the context of a high-level, aggregated graphical display enables analysts to examine packet-level details within the larger context of activity. This combination has the potential to facilitate the intrusion detection analysis tasks and help novice analysts learn what constitutes "normal" on a particular network.

Original language	English
Title of host publication	IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings
Pages	47-54
Number of pages	8
DOIs	https://doi.org/10.1109/VIZSEC.2005.1532065
State	Published - 2005
Externally published	Yes
Event	IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05 - Minneapolis, MN, United States Duration: Oct 26 2005 → Oct 26 2005

Publication series

Name	IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings

Conference

Conference	IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05
Country/Territory	United States
City	Minneapolis, MN
Period	10/26/05 → 10/26/05

Keywords

Information visualization
Intrusion detection
Network analysis
Network visualization

Access to Document

10.1109/VIZSEC.2005.1532065

Cite this

Goodall, J. R., Lutters, W. G., Rheingans, P., & Komlodi, A. (2005). Preserving the big picture: Visual network traffic analysis with TNV. In IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings (pp. 47-54). Article 1532065 (IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings). https://doi.org/10.1109/VIZSEC.2005.1532065

@inproceedings{3f37021f2cd342a98e8ea4823f2f0a69,

title = "Preserving the big picture: Visual network traffic analysis with TNV",

abstract = "When performing packet-level analysis in intrusion detection, analysts often lose sight of the {"}big picture{"} while examining these low-level details. In order to prevent this loss of context and augment the available tools for intrusion detection analysis tasks, we developed an information visualization tool, the Time-based Network traffic Visualizer (TNV). TNV is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance of context and time in the process of intrusion detection analysis. The main visual component of TNV is a matrix showing network activity of hosts over time, with connections between hosts superimposed on the matrix, complemented by multiple, linked views showing port activity and the details of the raw packets. Providing low-level textual data in the context of a high-level, aggregated graphical display enables analysts to examine packet-level details within the larger context of activity. This combination has the potential to facilitate the intrusion detection analysis tasks and help novice analysts learn what constitutes {"}normal{"} on a particular network.",

keywords = "Information visualization, Intrusion detection, Network analysis, Network visualization",

author = "Goodall, {John R.} and Lutters, {Wayne G.} and Penny Rheingans and Anita Komlodi",

year = "2005",

doi = "10.1109/VIZSEC.2005.1532065",

language = "English",

isbn = "0780394771",

series = "IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings",

pages = "47--54",

booktitle = "IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings",

note = "IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05 ; Conference date: 26-10-2005 Through 26-10-2005",

}

Goodall, JR, Lutters, WG, Rheingans, P & Komlodi, A 2005, Preserving the big picture: Visual network traffic analysis with TNV. in IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings., 1532065, IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings, pp. 47-54, IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Minneapolis, MN, United States, 10/26/05. https://doi.org/10.1109/VIZSEC.2005.1532065

Preserving the big picture: Visual network traffic analysis with TNV. / Goodall, John R.; Lutters, Wayne G.; Rheingans, Penny et al.
IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings. 2005. p. 47-54 1532065 (IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Preserving the big picture

T2 - IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05

AU - Goodall, John R.

AU - Lutters, Wayne G.

AU - Rheingans, Penny

AU - Komlodi, Anita

PY - 2005

Y1 - 2005

N2 - When performing packet-level analysis in intrusion detection, analysts often lose sight of the "big picture" while examining these low-level details. In order to prevent this loss of context and augment the available tools for intrusion detection analysis tasks, we developed an information visualization tool, the Time-based Network traffic Visualizer (TNV). TNV is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance of context and time in the process of intrusion detection analysis. The main visual component of TNV is a matrix showing network activity of hosts over time, with connections between hosts superimposed on the matrix, complemented by multiple, linked views showing port activity and the details of the raw packets. Providing low-level textual data in the context of a high-level, aggregated graphical display enables analysts to examine packet-level details within the larger context of activity. This combination has the potential to facilitate the intrusion detection analysis tasks and help novice analysts learn what constitutes "normal" on a particular network.

AB - When performing packet-level analysis in intrusion detection, analysts often lose sight of the "big picture" while examining these low-level details. In order to prevent this loss of context and augment the available tools for intrusion detection analysis tasks, we developed an information visualization tool, the Time-based Network traffic Visualizer (TNV). TNV is grounded in an understanding of the work practices of intrusion detection analysts, particularly foregrounding the overarching importance of context and time in the process of intrusion detection analysis. The main visual component of TNV is a matrix showing network activity of hosts over time, with connections between hosts superimposed on the matrix, complemented by multiple, linked views showing port activity and the details of the raw packets. Providing low-level textual data in the context of a high-level, aggregated graphical display enables analysts to examine packet-level details within the larger context of activity. This combination has the potential to facilitate the intrusion detection analysis tasks and help novice analysts learn what constitutes "normal" on a particular network.

KW - Information visualization

KW - Intrusion detection

KW - Network analysis

KW - Network visualization

UR - http://www.scopus.com/inward/record.url?scp=33749532337&partnerID=8YFLogxK

U2 - 10.1109/VIZSEC.2005.1532065

DO - 10.1109/VIZSEC.2005.1532065

M3 - Conference contribution

AN - SCOPUS:33749532337

SN - 0780394771

SN - 9780780394773

SN - 0780394771

SN - 9780780394773

T3 - IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings

SP - 47

EP - 54

BT - IEEE Workshop on Visualization for Computer Security 2005, VizSEC 05, Proceedings

Y2 - 26 October 2005 through 26 October 2005

ER -

Preserving the big picture: Visual network traffic analysis with TNV

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this