SNAPS: Semantic network traffic analysis through projection and selection

Bram C.M. Cappers, Jarke J. van Wijk
2015 2015 IEEE Symposium on Visualization for Cyber Security (VizSec)  
Fig. 1. Network traffic exploration at the level of semantics through the creation of three selections of interest in parallel. Abstract-Most network traffic analysis applications are designed to discover malicious activity by only relying on high-level flowbased message properties. However, to detect security breaches that are specifically designed to target one network (e.g., Advanced Persistent Threats), deep packet inspection and anomaly detection are indispensible. In this paper, we focus
more » ... n how we can support experts in discovering whether anomalies at message level imply a security risk at network level. In SNAPS (Semantic Network traffic Analysis through Projection and Selection), we provide a bottom-up pixel-oriented approach for network traffic analysis where the expert starts with low-level anomalies and iteratively gains insight in higher level events through the creation of multiple selections of interest in parallel. The tight integration between visualization and machine learning enables the expert to iteratively refine anomaly scores, making the approach suitable for both post-traffic analysis and online monitoring tasks. To illustrate the effectiveness of this approach, we present example explorations on two real-world data sets for the detection and understanding of potential Advanced Persistent Threats in progress.
doi:10.1109/vizsec.2015.7312768 dblp:conf/vizsec/CappersW15 fatcat:odzwew3d7fcgfodr4t2nhsrsai