The Parallel Coordinates Methodology to Study Suspicious Behavior on a Computer Network

ณัฐโชติ พรหมฤทธิ
อนิราช มิ่งขวัญ

Abstract

In this paper, suspicious behavior on a computer network is analyzed by detecting violations of network security policies. The paper proposes the user investigations with visualization time machine for network forensic (UIV) model. The proposed model uses parallel coordinates, which present the relationships among parameters such as user, source IP address, time, destination IP address, destination service and domain name. The model is tested with a simulated attack. The experimental results show that (i) the attack signatures differ depending on the attack situation and (ii) analysts are able to track individual behavior using the UIV model.
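To make the abstract's method concrete, the following is an added example (not code from the paper or its authors) that maps each network session onto the six parallel-coordinate axes the abstract names, flags sessions that violate a simple security policy, and extracts one user's polylines for individual tracking. The session records, the policy rules and the working-hours window are constructed for illustration and are assumptions, not data from the paper.

```python
"""Parallel-coordinates view of network sessions for policy-violation review.

Added example, not code from the paper. The session records, the policy
rules and the working-hours window below are constructed assumptions.
"""

# Axis order for the parallel-coordinates plot (the parameters named in the abstract).
AXES = ("user", "src_ip", "time", "dst_ip", "service", "domain")

# Constructed sample sessions; 'time' is minutes since midnight.
SESSIONS = [
    {"user": "alice", "src_ip": "10.0.0.11", "time": 540,  "dst_ip": "93.184.216.34", "service": "http",  "domain": "example.com"},
    {"user": "alice", "src_ip": "10.0.0.11", "time": 545,  "dst_ip": "93.184.216.34", "service": "https", "domain": "example.com"},
    {"user": "bob",   "src_ip": "10.0.0.12", "time": 600,  "dst_ip": "10.0.5.20",     "service": "smb",   "domain": "fileserver.corp"},
    {"user": "bob",   "src_ip": "10.0.0.12", "time": 1320, "dst_ip": "203.0.113.9",   "service": "ssh",   "domain": "-"},
    {"user": "carol", "src_ip": "10.0.0.13", "time": 610,  "dst_ip": "10.0.5.20",     "service": "smb",   "domain": "fileserver.corp"},
]

# Constructed policy: services each user may use, and the expected session hours.
ALLOWED_SERVICES = {
    "alice": {"http", "https"},
    "bob": {"smb", "http"},
    "carol": {"smb", "http", "https"},
}
WORK_HOURS = (8 * 60, 18 * 60)


def ip_key(ip):
    """Sort IPv4 addresses numerically rather than as strings."""
    return tuple(int(p) for p in ip.split("."))


def build_axes(sessions):
    """Map every value on each axis to a vertical position in [0, 1].

    'time' is min-max scaled; IP axes are ordered numerically; the remaining
    categorical axes are ordered lexically and spaced evenly.
    """
    scales = {}
    for axis in AXES:
        values = [s[axis] for s in sessions]
        if axis == "time":
            lo, hi = min(values), max(values)
            span = (hi - lo) or 1
            scales[axis] = lambda v, lo=lo, span=span: (v - lo) / span
        else:
            key = ip_key if axis.endswith("_ip") else None
            uniq = sorted(set(values), key=key)
            step = 1.0 / max(len(uniq) - 1, 1)
            pos = {v: i * step for i, v in enumerate(uniq)}
            scales[axis] = lambda v, pos=pos: pos[v]
    return scales


def to_polyline(session, scales):
    """One session becomes one polyline: (axis index, height) for each axis."""
    return [(i, round(scales[axis](session[axis]), 3)) for i, axis in enumerate(AXES)]


def policy_violations(sessions):
    """Return (session index, reason) for each session that breaks the policy."""
    out = []
    for i, s in enumerate(sessions):
        if s["service"] not in ALLOWED_SERVICES.get(s["user"], set()):
            out.append((i, f"{s['user']} not allowed to use {s['service']}"))
        if not (WORK_HOURS[0] <= s["time"] <= WORK_HOURS[1]):
            out.append((i, f"session at minute {s['time']} outside working hours"))
    return out


def track_user(user, sessions, scales):
    """Polylines for a single user: the per-user trace the abstract describes."""
    return [to_polyline(s, scales) for s in sessions if s["user"] == user]


if __name__ == "__main__":
    scales = build_axes(SESSIONS)
    for line in track_user("bob", SESSIONS, scales):
        print(line)
    for idx, reason in policy_violations(SESSIONS):
        print(f"session {idx}: {reason}")
```

Each session is one polyline crossing the six axes, so a session that reaches an unusual destination or service stands out as a line that diverges from the user's other lines; the policy check names the rule that line breaks. In the constructed data only bob's late-night ssh session is flagged, once for the service and once for the time.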

Article Details

How to Cite
[1]
พรหมฤทธิ ณ. and มิ่งขวัญ อ., “The Parallel Coordinates Methodology to Study Suspicious Behavior on a Computer Network”, JIST, vol. 2, no. 1, pp. 12–20, Jun. 2011.
Section
Research Article: Soft Computing
