(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 4, 2010

Expert-Aware Approach: An Innovative Approach To Improve Network Data Visualization
Doris Hooi-Ten Wong
National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia 11800, Penang, MALAYSIA doris@nav6.org

Kok-Soon Chai
National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia 11800, Penang, MALAYSIA kschai@nav6.org

Sureswaran Ramadass
National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia 11800, Penang, MALAYSIA sures@nav6.org
Abstract—Computers are constantly being infected by anomalies such as worms and other malicious traffic. Network data visualization tools help computer users perceive these anomalies and avoid being affected by them. Many of these tools, however, are designed specifically for users with advanced network knowledge, even though they are needed by a wide range of computer users. We propose an expert-aware approach to designing a system that handles a large amount of network data and adapts to diverse computer users. In the preliminary phase we construct an expertise classification algorithm that provides the default setting for the expert-aware network data visualization tool; the tool then learns from continual user feedback so that it statistically satisfies the needs of the majority of its users. In this paper we focus on how the expert-aware approach uses a user's level of expertise in network security to select the visualization views best suited to that user. Initial results from our implementation show that the approach can represent several kinds of network security data, not only from small networks but also from complex, high-dimensional network data. Our main goal in this paper is to fulfil the different requirements of diverse computer users.

Keywords- network data visualization tool, network knowledge, expert-aware approach, network security.

Nicolas Vavasseur
Université de Franche Comté 16 route de Gray 25030 Besançon cedex, FRANCE nicolas.vavasseur@edu.univ-fcomte.fr

I. INTRODUCTION

The evolution of hardware technology has resulted in vast amounts of data being captured and stored, and large volumes of network data are requested by diverse computer users. These data are presented to users through many kinds of existing network data visualization tools. Nowadays many computers are infected by anomalies, and network data visualization tools help to detect and perceive these anomalies and to defend computer users against them. This calls for visualization tools that represent network security data completely to the computer user. However, many network data visualization tools are designed specifically for users with advanced network awareness, even though the tools are needed by various types of computer users. Many tools present network security data in their own way, for example as bar graphs, pie charts and other visualization techniques. A small amount of network data is easily shown with a bar chart or pie chart, but a beginner still finds it very difficult to understand the structure of the information [1]. An intelligent approach is therefore the priority for improving network data visualization. A scalable and intelligent expert-aware approach represents the network data in a more comprehensible way and maximizes the level of understanding across diverse computer users.

In Section II of this paper we present existing network data visualization tools and their problems. Section III describes the architecture of the expert-aware approach. Section IV compares the expert-aware approach with the existing approaches and states the expected results and contributions, and Section V concludes the paper.

II. EXISTING NETWORK DATA VISUALIZATION TOOLS AND PROBLEMS

A number of visualization tools have been applied to network data. Most visualization applications concentrate on monitoring network security data more than on other areas: information on malicious attacks flagged by an anomaly detection device is presented to the network administrator [2]. Other areas that visualization tools address include network intrusion detection and general network traffic. In this section we discuss eight existing tools: three network data visualization tools (WatchPoint, ntop and Nodemap) and five network security visualization tools (VISUAL, SCPD, PortVis, NVisionIP and NIVA).

A shorter version of this paper will appear in Proceedings of 2nd International Conference on Network Applications, Protocols and Services (published by IEEE Conference Publication Services), 22-23 September 2010, Alor Setar, Kedah Darul Aman, MALAYSIA.
http://sites.google.com/site/ijcsis/ ISSN 1947-5500


A. Network Data Visualization Tools

1) WatchPoint: WatchPoint presents both real-time and historical views of network parameters. It also assembles and stores the configured sources of network data and can present instant comparisons of the current network without any loss of network data [3]. Its disadvantage is that the visualization is understood only by network experts.

2) ntop: ntop was designed for analysing traffic patterns. Some system experts have extended ntop with an embedded NIDS (network intrusion detection system). The ntop NIDS differs from conventional NIDS in the knowledge it uses: its rules are dynamic and are not fixed by configuration files at ntop start-up [4]. Its disadvantages are that it is designed for network experts and allows no customization.

3) Nodemap: Nodemap presents the results of SNMP queries against network devices and determines the link status of complex networks. Detailed link status is shown in a low-level visualization alongside higher-level summaries, so that a network user can quickly determine the current state of the network and gain enough information to analyse performance complaints without knowing every detail of the network. Nodemap is also useful for tracking the flow of DoS packets through complex networks [5]. Its disadvantages are that it targets only users with a high level of network knowledge and permits no customization by the user.

B. Network Security Visualization Tools

1) VISUAL: Visual Information Security Utility for Administration Live (VISUAL) is a network security visualization tool that lets network administrators examine the communication between internal and external hosts in order to become rapidly aware of the security condition of their network [6]. VISUAL divides the network space into a local (home) address space and a remote address space (the rest of the Internet). Its visualizations are produced from packet log files such as those written by tcpdump [7] or Ethereal [8]; Ethereal was renamed Wireshark in summer 2006 after a trademark dispute. Both are open-source network protocol analysers available for Unix and Windows. The advantage of VISUAL is the quick overview it gives of current and recent communication patterns in the monitored network. Administrators specify their home and remote IP ranges with the home and remote IP filters (Figure 2 in [6]). Using the filtered information, an administrator can identify any single external host that is connected to a number of internal hosts on the grid, which may be relevant to the use of their network. The grid represents home hosts; the connection lines let the administrator check the total traffic exchanged between a home host and an external host [6]. The disadvantages of VISUAL are that it is useful only for small networks such as home networks and is meaningful only to network experts.

2) SCPD: The Spinning Cube of Potential Doom (SCPD) is a network security visualization designed for network professionals that also presents simple information on the frequency and extent of threats to beginners [9]; an example is shown in [9]. Its advantage is that it provides a complete map of the Internet address space showing the frequency and origin of scanning activity, so a user can easily visualize sensor data from a large network. Incomplete connections are drawn as dots inside the cube using a rainbow colour map [9]; port scans against a single host appear as vertical lines and scans across many hosts as horizontal lines. Its disadvantages are that only simple information is presented to users with lower expertise and that no customization is provided.

3) PortVis: PortVis (Figure 1 in [10]) focuses on, and analyses, a single host at a time. It is designed for security specialists working from external data, and its main advantage is that it presents these external data entities to those specialists. Activity on each TCP port is visualized per one-hour period, and large-scale security events are detected by PortVis; it also allows small-scale events to be detected and investigated further. The drawbacks of PortVis are that it covers only a single host at a time and that only security specialists comprehend what it shows.

4) NVisionIP: NVisionIP (Figure 1 in [11]) is a visualization tool that aims to improve the overall situational awareness of network security administrators. It presents a graphical representation of a class-B network and a number of different views of the data. A single NVisionIP application offers three main visualization views, the Galaxy, Small Multiple and Machine views, and improves interactivity by letting users move data from one view to another. The shortcoming of NVisionIP is that its information and views are meaningful only to security administrators.


Computer users with less knowledge will find these views meaningless.

5) NIVA: Network Intrusion Visualization Application (NIVA) is another network security awareness tool [12]. It is an intrusion detection data visualizer integrated with haptic features. The novel haptic feature lets users sense and interactively analyse intrusion detection data over time and in three-dimensional space. The advantage of NIVA is that it offers a haptic channel in addition to the visual one, so users can literally feel the network intrusion. Its disadvantages are that the approach works well for an individual network rather than a huge one, and that it is not applicable to beginners or users with lower network awareness.

III. ARCHITECTURE OF EXPERT-AWARE APPROACH

A. Two-Dimensional Architecture Development

We propose an expert-aware approach to designing a system that handles a large amount of high-dimensional network data and adapts to different types of users. The architecture addresses not only small networks but also complex network data. In the preliminary phase we conducted a knowledge survey among different types of computer users and collected data from them. The survey is important for establishing the level of network knowledge and the requirements that different types of users have of the network; the users told us how much network data detail they require. From the survey results we constructed an expertise classification algorithm that provides the default setting for the expert-aware network data visualization tool. The system then learns from continual user feedback in order to statistically satisfy the needs of the majority of its users. Our focus is on network security data: the expert-aware approach looks at the user's level of expertise in network security and adapts the visualization screens to those that the user understands best.

In our initial architecture design the expert level is the most crucial component. We examined the level of computer users and, from that examination, settled on three initial default levels: expert level-one (beginner), level-two (intermediate) and level-three (advanced). The following subsections give the details of each level. This subsection covers the development of the two-dimensional screens for level-one and level-two, and the next subsection covers the three-dimensional development targeted at level-three.

The architecture is based mainly on the node concept. A node is an entity (a class, in our object-oriented implementation) that holds several elements: an icon (its type depends on the programming language used), x and y coordinates of Integer type (to place the icon in the scene), several Strings holding the different IP addresses, a date, and a list of nodes.

1) Details of Expert Level-One (Beginner): The expert level-one screen, shown in Figure 1, treats the user as a beginner in computer science, or at least as someone with only very basic, common computer awareness. Based on the user requirements, the system generates the initial screens shown in Figures 1 and 2. Three types of data are shown on the level-one default screen:

a) Node: each machine composing the network is represented by a machine icon; its IP addresses (source and destination IP) and the date of the analysis are displayed when the mouse hovers over the node.

b) Address book: a list of every computer shown on the screen, giving the user an overall view of who is connected to the network.

c) Worm detection: when the system detects any kind of worm present in the network, it immediately opens a pop-up window stating where the infection comes from, and an icon appears on the affected node to show this to the user in a more visual way.
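The node concept and the three level-one data types (node tooltip, address book, worm pop-up) can be reproduced in a few dozen lines. The following is an added example in Python, not the authors' Java code: it builds the node objects from a constructed list of flow records, derives the address book, and raises the level-one pop-up. The paper states that worms are detected but not how, so the detector below (one source reaching many distinct destinations on one port within a short window) is an assumed heuristic, as are the grid layout and the thresholds.

```python
"""Level-one (beginner) screen model: nodes, address book, worm pop-up.

Added example (not from the paper). The Node class mirrors the node
entity described in the text: icon, x/y position, IP strings, date and
a list of neighbour nodes. The worm heuristic and the constructed
sample flows are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Node:
    """A machine on the screen: what the level-one icon and tooltip need."""
    ip: str
    x: int
    y: int
    first_seen: datetime
    icon: str = "machine"           # switched to "infected" when an alert names it
    neighbours: list = field(default_factory=list)   # IPs this node talked to


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    pkts: int


# Constructed sample capture (not measured data): 10.0.0.7 sweeps port 445.
T0 = datetime(2010, 5, 1, 9, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.0.5", "10.0.0.9", 80, 12),
    Flow(T0 + timedelta(seconds=1), "10.0.0.9", "10.0.0.5", 80, 10),
] + [
    Flow(T0 + timedelta(seconds=2 + i), "10.0.0.7", f"10.0.0.{20 + i}", 445, 3)
    for i in range(12)
]


def build_nodes(flows):
    """One Node per IP, placed on a 6-column grid; neighbours from observed flows."""
    nodes = {}
    for f in sorted(flows, key=lambda f: f.ts):
        for ip in (f.src, f.dst):
            if ip not in nodes:
                i = len(nodes)
                nodes[ip] = Node(ip=ip, x=80 * (i % 6), y=80 * (i // 6), first_seen=f.ts)
        if f.dst not in nodes[f.src].neighbours:
            nodes[f.src].neighbours.append(f.dst)
    return nodes


def address_book(nodes):
    """Every computer on the screen, sorted numerically by address."""
    return sorted(nodes, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def worm_alerts(flows, fanout=8, window=timedelta(seconds=30)):
    """Assumed heuristic: a source reaching >= `fanout` distinct destinations
    on one port inside `window` is reported as worm-like, once per source/port."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append(f)
    alerts = []
    for (src, dport), fs in by_key.items():
        for i, first in enumerate(fs):
            seen = {g.dst for g in fs[i:] if g.ts - first.ts <= window}
            if len(seen) >= fanout:
                alerts.append({"source": src, "port": dport,
                               "targets": len(seen), "since": first.ts})
                break
    return alerts


def level_one_view(flows):
    """Everything the beginner screen draws: node icons with tooltips,
    the address book, and the pop-up text for each detected worm."""
    nodes = build_nodes(flows)
    alerts = worm_alerts(flows)
    for a in alerts:
        nodes[a["source"]].icon = "infected"     # icon on the involved node
    return {
        "nodes": {ip: {"icon": n.icon, "x": n.x, "y": n.y,
                       "tooltip": f"{ip} first seen {n.first_seen:%Y-%m-%d %H:%M:%S}, "
                                  f"talks to {len(n.neighbours)} host(s)"}
                  for ip, n in nodes.items()},
        "address_book": address_book(nodes),
        "popups": [f"Worm-like activity from {a['source']} on port {a['port']} "
                   f"({a['targets']} targets)" for a in alerts],
    }


if __name__ == "__main__":
    view = level_one_view(SAMPLE_FLOWS)
    print(view["popups"])
    print(view["address_book"])
```

The fan-out window is deliberately the only state the detector keeps, since the beginner screen promises nothing more than "where the infection comes from"; a richer level would carry the per-port counts through to the intermediate view.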

Figure 1. Expert level-one screen shot.

Figure 2. Expert level-one screen shot with simple worm detection alert.

2) Details of Expert Level-Two (Intermediate): Figure 3 shows the screen of expert level-two. At this level the user is assumed to have a little knowledge of computer networks. Three new types of data have been added to the screen and some interactive elements have been provided. Animation features were included in the development of level-two: the plain links between computers are replaced by more complex exchanges of entities.

a) Packets per second: represented by the speed of the packets travelling from one computer to another; the higher the packet-per-second value between two nodes, the faster the packets move.

b) Network utilization: shown by the colour of the packets; when the network is under high utilization the packets are drawn dark, and when it is lightly used they are drawn lighter.

c) Packet size ratio: represented on the screen by the size of the packets exchanged between two machines.

Figure 3. Expert level-two screen shot.

B. Three-Dimensional Architecture Development

The three-dimensional (3D) architecture development targets expert level-three; users with high network knowledge readily comprehend the 3D representation. An EntityNode class represents a machine (a blue sphere) and its IP address. Its constructor takes three parameters: the radius of the sphere, the vector locating the sphere, and the String displayed above the machine. Part of the code is shown in Figure 4. The text size is then reduced because of the very large default size that Java3D gives its Text3D instances. The Request class makes a 3D text travel from one EntityNode to another. Its constructor takes three parameters: the EntityNode the text starts from, the EntityNode that is its destination, and the speed at which the request travels from the start point to the destination point. Figure 5 shows the code that creates the text. Once the text is created, several Java3D classes are needed to make it move; the most important is the PositionPathInterpolator object shown in Figure 6.

1) Details of Expert Level-Three (Advanced): A computer user at expert level-three is expected to have high awareness of network security data and network data. Figures 7 and 8 show screen shots of our initial development, which is still in progress and will be improved over time.

Figure 7. Expert level-three single view screen shot.

Figure 8. Expert level-three multiple view screen shot.
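The level-two encodings (packets per second as speed, utilization as colour darkness, packet size ratio as drawn size) and the level-three Request that flies a label from one EntityNode to another at a given speed share the same underlying step: turn a measured link into visual attributes, then interpolate a position along the link frame by frame. The following added example, in plain Python rather than the authors' Java3D, shows both for a constructed pair of links. The link capacity, the colour and size ranges, the maximum packet rate and the frame rate are assumptions of the example; the paper only says which attribute each measurement drives.

```python
"""Link encodings for the level-two screen and request animation for level-three.

Added example (not the authors' Java3D code). encode_link() maps one link's
traffic window to the three level-two attributes; path_knots() produces the
frame-by-frame positions a path interpolator would hand to the scene. All
numeric ranges below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkStats:
    src: str
    dst: str
    packets: int        # packets seen in the window
    bytes: int          # bytes seen in the window
    window_s: float     # window length in seconds


# Constructed sample window (not measured data): one bulk transfer, one scan.
SAMPLE_LINKS = [
    LinkStats("10.0.0.5", "10.0.0.9", packets=2500, bytes=3_600_000, window_s=5.0),
    LinkStats("10.0.0.7", "10.0.0.21", packets=5000, bytes=320_000, window_s=5.0),
]

LINK_CAPACITY_BPS = 10_000_000   # assumed 10 Mbit/s link, for utilisation
MTU = 1500                       # packet size ratio is relative to this


def clamp(v, lo, hi):
    return max(lo, min(hi, v))


def encode_link(s: LinkStats, max_pps: float = 2000.0):
    """Map one link's statistics to the level-two speed, colour and size."""
    pps = s.packets / s.window_s
    utilisation = clamp(8 * s.bytes / s.window_s / LINK_CAPACITY_BPS, 0.0, 1.0)
    mean_size = s.bytes / max(s.packets, 1)
    size_ratio = clamp(mean_size / MTU, 0.0, 1.0)
    # a) packets per second -> animation speed, 20..200 px/s
    speed_px_s = 20 + 180 * clamp(pps / max_pps, 0.0, 1.0)
    # b) utilisation -> darkness, grey level 230 (light) .. 30 (dark)
    grey = int(round(230 - 200 * utilisation))
    # c) packet size ratio -> drawn packet size, 4..16 px
    size_px = 4 + 12 * size_ratio
    return {"pps": pps, "utilisation": utilisation, "size_ratio": size_ratio,
            "speed_px_s": speed_px_s, "colour": (grey, grey, grey), "size_px": size_px}


def path_knots(start, end, speed, fps=30):
    """Positions a request occupies, one per frame, travelling from `start`
    to `end` (3-D tuples) at `speed` units per second; the same data a
    position path interpolator takes as its knot/position arrays. The
    last position is always exactly `end`."""
    dist = sum((e - s) ** 2 for s, e in zip(start, end)) ** 0.5
    if dist == 0 or speed <= 0:
        return [tuple(end)]
    frames = max(1, int(round(dist / speed * fps)))
    return [tuple(s + (e - s) * k / frames for s, e in zip(start, end))
            for k in range(frames + 1)]


def animate_request(s: LinkStats, start, end, fps=30):
    """Frames for the label flying from the source node to the destination
    node at the speed the link's packet rate was encoded to."""
    return path_knots(start, end, encode_link(s)["speed_px_s"], fps)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link.src, "->", link.dst, encode_link(link))
    print(len(animate_request(SAMPLE_LINKS[1], (0, 0, 0), (30, 40, 0))), "frames")
```

Note the two sample links: the bulk transfer has fewer, larger packets and high utilisation, so it is drawn dark and large but slow; the scan has many tiny packets, so it is drawn light and small but fast. Utilisation and packet rate are computed separately on purpose, since a scan with a high packet rate and a low byte rate is exactly the case where conflating the two would hide the difference.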

IV. DISCUSSIONS AND CONTRIBUTIONS

In this section we briefly summarize our proposed expert-aware approach and compare it with the existing network security visualization tools. Table 1 summarizes the existing network data visualization tools and our approach according to their advantages and disadvantages.

Table 1. Comparison summary between expert-aware approach and existing works.

No. | Tool | Advantages | Disadvantages
1 | WatchPoint | provides both a real-time and a historical view | meaningless to beginner user
2 | ntop | classifies traffic, hence recognizes specific attacks | meaningless to beginner user
3 | Nodemap | produces visualizations that convey the "holistic" state of the network | meaningless to beginner user
4 | VISUAL | presents a quick overview of current and recent communication patterns | only focuses on small networks; meaningless to beginner user
5 | SCPD | presents a complete map of the Internet address space | only simple information is presented; customization not provided
6 | PortVis | presents outside data entities | only focuses on a single host; meaningless to beginner user
7 | NVisionIP | presents a class-B network and a number of different views of the data | meaningless to beginner user
8 | NIVA | intrusion detection data visualizer integrated with haptic features | works well only in an individual network; meaningless to beginner user
9 | Expert-Aware Approach | targeted at different types of computer users; covers both small and huge networks | requires input from computer users

Initial results from implementing the expert-aware approach in the network data visualization tool show that it can represent several kinds of network data not only in two-dimensional but also in three-dimensional space, and that it presents different levels of network data detail to different levels of users. The approach was tested with a dataset captured by a network monitoring system, and system acceptance surveys were conducted among diverse computer users (beginner, intermediate and advanced) to obtain feedback for improving the algorithm. System features such as effectiveness and efficiency were improved on the basis of the evaluation results: visualization effectiveness was enhanced by presenting sufficient network data to the relevant computer user, and visualization efficiency was improved by maximizing the understanding of network data among computer users. The evaluation also showed that, although the expert-aware approach applied to network data visualization is similar to some existing network data visualization tools, it lays out complex network data in a comprehensive representation and adds the further advantage of displaying very large volumes of network data by letting each level of computer user see a corresponding level of network data detail. It shows not only a small portion of the network security data but all data relevant to each type of user. The main contribution of our approach is that it fulfils the requirements of diverse computer users for different levels of network data detail. The approach has also been tested among researchers and non-researchers from the National Advanced IPv6 Centre, Universiti Sains Malaysia. Both small and complex networks are taken into account in the development of the approach.

V. CONCLUSION

In this research we proposed and implemented an expert-aware approach for network data visualization tools that improves on the existing tools. Our experiments in a network lab suggest that the tool can be improved further and that it has high potential for a wide range of computer users in the visualization area. The initial results showed that the expert-aware approach is capable of intelligent adjustment whenever the network data are updated, and that it improves the performance, effectiveness and efficiency of network data visualization. A well-developed network data visualization approach makes it a promising network data visualization tool for the future.

ACKNOWLEDGMENT

Our special thanks to the Institute of Postgraduate Studies (IPS), Universiti Sains Malaysia (USM) for their financial support in awarding Doris Hooi-Ten Wong the Fellowship Scheme. We would also like to thank our colleagues at the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM) for their willingness to contribute their guidance.

REFERENCES

[1] S. M. Bruls, K. Huizing, and J. van Wijk, "Squarified treemaps," in Proceedings of the Joint Eurographics and IEEE TCVG Symposium on Visualization (VisSym), pp. 33–42, 2000.
[2] M. Allen and P. McLachlan, "NAV: Network Analysis Visualization," University of British Columbia, [Online, 29 May 2009].
[3] WildPackets, WatchPoint, http://www.wildpackets.com/products/monitoring_and_reporting/watchpoint, [Online, 1 January 2010].
[4] ntop, http://www.ntop.org/documentation.html, [Online, 1 May 2009].
[5] M. Newton, Nodemap, http://nodemap.internode.on.net/, [Online, 29 May 2009].
[6] R. Ball, G. A. Fink, and C. North, "Home-centric visualization of network traffic for security administration," in VizSEC/DMSEC '04: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 55–64, ACM Press, 2004.
[7] V. Jacobson, C. Leres, and S. McCanne, TCPdump public repository, http://kb.pert.geant.net/PERTKB/TcpDump, cited September 2009.
[8] G. Combs, Ethereal, http://www.ethereal.com/, cited September 2009.

[9] S. Lau, "The Spinning Cube of Potential Doom," Commun. ACM, 47(6):25–26, 2004.
[10] J. McPherson, K.-L. Ma, P. Krystosk, T. Bartoletti, and M. Christensen, "PortVis: a tool for port-based detection of security events," in VizSEC/DMSEC '04: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 73–81, ACM Press, 2004.
[11] K. Lakkaraju, W. Yurcik, and A. J. Lee, "NVisionIP: NetFlow visualizations of system state for security situational awareness," in VizSEC/DMSEC '04: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 65–72, ACM Press, 2004.
[12] K. Nyarko, T. Capers, C. Scott, and K. Ladeji-Osias, "Network intrusion visualization with NIVA, an intrusion detection visual analyzer with haptic integration," in Proceedings of the 10th Symposium on Haptic Interfaces for Virtual Environment and Teleoperator Systems (HAPTICS 2002), 2002.

AUTHORS PROFILE

Doris Hooi-Ten Wong is a PhD candidate at the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM). She obtained her B.Sc. (Hons) in Multimedia from Universiti Utara Malaysia in 2008. Her research objectives are to design and develop a new framework, an expert-aware approach and an intelligent algorithm for network data visualization. She is a member of the Asia-Pacific Advanced Network (APAN) and the secretariat of APAN Malaysia (APAN-MY).

Sureswaran Ramadass (PhD) is a Professor and the Director of the National Advanced IPv6 Centre (NAv6) at Universiti Sains Malaysia (USM). He is also the founder of Mlabs Systems Berhad (MLABS), a public listed company on the MESDAQ. Prof Dr Sureswaran obtained his BsEE/CE (Magna Cum Laude) and Masters in Electrical and Computer Engineering from the University of Miami in 1987 and 1990 respectively. He obtained his doctorate from USM in 2000 while serving as full-time faculty in the School of Computer Sciences. His research areas include the Multimedia Conferencing System, Distributed Systems and Network Entities, Real Time Enterprise Network Monitoring, Real Time Enterprise System Security, Satellite and Wireless Networks, IPv6 Research, Development and Consultancy, and Digital Library Systems.

Kok-Soon Chai (PhD) is a Senior Lecturer at the National Advanced IPv6 Centre (NAv6) at Universiti Sains Malaysia (USM). He was a pioneer and section manager of the embedded software group at Plexus Technology Group in Penang, Malaysia, where he led a team of software engineers designing automotive, medical and networking products for US companies. Prior to joining Plexus, he worked at design centres at Agilent and Motorola. He was also involved in research projects sponsored by Airbus UK at the University of Warwick. He is a regular speaker at many conferences. He pioneered function-class decomposition and UML for embedded software design and presented this approach at the Embedded Systems Conference in Silicon Valley, where the technical content of the presentation received a perfect average score of 6 out of 6 from attendee feedback. He holds a number of publications in international journals, IEEE conferences and the Motorola Software, Systems and Simulation (S3) conference, and a US patent application. He holds a PhD in Engineering from the University of Warwick, UK.

Nicolas Vavasseur is a Master's candidate at Université de Franche Comté. He completed his Master's industrial training at the National Advanced IPv6 Centre (NAv6) in 2010.


Figure 4. Screen shot of programming to create node.

Figure 5. Screen shot of programming to create text.

Figure 6. Screen shot of programming to create animation.
