International Journal of Information, Control and Computer Sciences ISSN: 2517-9942 Vol:1, No:6, 2007

SVision: Visual Identification of Scanning and Denial of Service Attacks

Iosif-Viorel Onut, Bin Zhu, and Ali A. Ghorbani

Manuscript received May 15, 2005. Iosif-Viorel Onut is pursuing a Ph.D. in Computer Science at the Faculty of Computer Science, University of New Brunswick, Canada (e-mail: onut.viorel@unb.ca). Bin Zhu is pursuing an M.Sc. in Computer Science at the Faculty of Computer Science, University of New Brunswick, Canada (e-mail: bin.zhu@unb.ca). Ali A. Ghorbani is with the Faculty of Computer Science, University of New Brunswick, Canada (e-mail: ghorbani@unb.ca).

Abstract: We propose a novel graphical technique (SVision) for intrusion detection, which pictures the network as a community of hosts independently roaming in a 3D space defined by the set of services that they use. The aim of SVision is to graphically cluster the hosts into normal and abnormal ones, highlighting only those that are considered a threat to the network. Our experimental results using the DARPA 1999 and 2000 intrusion detection evaluation datasets show the proposed technique to be a good candidate for the detection of various threats to the network such as vertical and horizontal scanning, Denial of Service (DoS), and Distributed DoS (DDoS) attacks.

Keywords: Anomaly Visualization, Network Security, Intrusion Detection.

I. INTRODUCTION

Data visualization represents a fundamental part of current network security practice, providing network administrators with important information regarding the state of the network as well as the possible threats that exist. Frost and Sullivan [5] recently reported that only 11.6% of the Intrusion Prevention Systems (IPSs) deployed in 2003 were set to prevention mode by their administrators. Consequently, in all the other cases, the network administrator is the one who decides upon the proper response that has to be enforced. In order to do that, he/she has to have a deep understanding of the current state of the network, and this is mostly achieved through different network visualization techniques. Thus, despite all the existing criticisms of visualization techniques as a detection method, we do not anticipate their replacement in the near future.

We propose a network visualization technique that allows security personnel to easily identify potential anomalies in the network. The network is depicted as a community of hosts that are roaming inside a three-dimensional space. Since a network might have hundreds of hosts, the proposed view highlights only those that might represent a potential threat to the network, while the normal hosts overlap near the center of the view. Our experimental results, conducted on two of the well-known intrusion detection evaluation datasets (i.e., DARPA 99 [6] and DARPA 2000 [7]), empirically proved the technique to be successful against the main types of Denial of Service (DoS) attacks, Distributed DoS (DDoS) attacks, as well as vertical and horizontal scanning attacks.

This paper is organized as follows: Section II presents some of the important existing visualization techniques. Section III describes the proposed visualization technique, presenting the main outcomes and drawbacks of the representation. Next, Section IV presents the empirical results against common attacks such as DoS, DDoS, and probing. Finally, the last section summarizes the conclusions and presents possible future improvements.

II. BACKGROUND REVIEW

Visualization techniques are among the pioneering approaches successfully applied in the networking area. Network administrators tend to be very comfortable with network data presented in the form of charts, functions, and tables. Network visualization techniques target most aspects of network security, including topology representation, protocol communication, and congestion control, to name a few. M. Spencer [11] proposed a visualization technique that displays the network topology, assisting security personnel in detecting possible failure points and checking the availability of the devices within the network. R. F. Erbacher [1] proposed a similar technique that uses a glyph-based approach in order to represent not only the topology of the network but also its load. In the same line of work, D. Estrin et al. [2] proposed a visualization system that shows animations of network topologies, measuring packet loss rates for various links in order to detect potential connectivity problems.

The most common visualization technique remains the two-dimensional graph, where one dimension represents the time coordinate (usually the x axis) while the second axis represents a particular feature of the network. Moreover, through the use of colors, multiple graphs can be mixed in a single view [9], [2], [8], [10]. Such visualization tools have been widely used by network administrators to monitor network links and identify abnormal external behavior such as DDoS, DoS, scanning, and worms, as well as improper internal activity such as P2P file sharing. As more powerful computation capability becomes available, visual representation of the network has evolved from