Expert-Aware Approach: An Innovative Approach To Improve Network Data Visualization by ijcsiseditor


									                                                                (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                          Vol. 8, No. 4, 2010

Expert-Aware Approach: An Innovative Approach To
        Improve Network Data Visualization
                  Doris Hooi-Ten Wong                                                           Kok-Soon Chai
         National Advanced IPv6 Centre (NAv6)                                      National Advanced IPv6 Centre (NAv6)
               Universiti Sains Malaysia                                                 Universiti Sains Malaysia
              11800, Penang, MALAYSIA                                                   11800, Penang, MALAYSIA

                  Sureswaran Ramadass                                                         Nicolas Vavasseur
         National Advanced IPv6 Centre (NAv6)                                           Université de Franche Comté
               Universiti Sains Malaysia                                                       16 route de Gray
              11800, Penang, MALAYSIA                                                 25030 Besançon cedex, FRANCE

Abstract—Computers have been infected by the computer                     awareness, although the tools are indispensable by various
anomalies. The availability of network data visualization tools           types of computer users. There are numbers of network data
greatly facilitate to perceive computer users from being affected         visualization tools that perform network security data in their
by these anomalies. Many of the network data visualization tools          respective way such as, bar graph, pie chart and others data
are designed particularly for users with advanced network                 visualization techniques. The network data are easily
knowledge even though the tools are indispensable by diverse              represented to users by using a bar chart or pie chart if they are
computer users. We proposed an expert-aware approach to                   a small amount, but very difficult for beginner computer user to
designing a system which formulated with a large amount of                understand the data structures information [1]. An intelligence
network data and adaptive for diverse computer users. In the
                                                                          approach shall come into the priority in order to improve the
preliminary phase, we construct an intelligent expertise
classification algorithm which provides a default setting for the
                                                                          network data visualization. A scalable and intelligence expert-
expert-aware network data visualization tool. Besides, the tool           aware approach works by representing the network data in a
will learn from continual user feedbacks in order to statistically        more comprehensive way, effectively combining maximizing
satisfy the needs of majority tool users. In this paper, we will          level of understanding among diverse computer users.
focus on the expert-aware approach with the users’ expertise                  In Section II of this paper, we presented existing network
level in network security and adapts the visualization views that         data visualization tools and problems. In Section III, we
are best suitable for the computer user. Our initial results from         discussed the architecture of the expert-aware approach.
the approach implementation showed that it is capable of                  Finally, we discussed comparisons between expert-aware
representing several of network security data not only from small         approach and existing approaches in section IV. The expected
network but also for complicated high dimensional network data.           results of the proposed method and the contributions will be
Our main focus in this paper is to fulfill different requirements         made in Section V and following by a conclusion of the paper
from diverse computer users.                                              in Section VI.
   Keywords- network data visualization tool, network knowledge,           II.   EXISTING NETWORK DATA VISUALIZATION TOOLS AND
expert-aware approach, network security.                                                        PROBLEMS
                                                                              There are number of tools in the visualization area that have
                       I.    INTRODUCTION                                 applied on the network data visualization. Commonly, network
    The evolution of hardware technology resulted in ton of               security data monitoring is the part that most of the
data being captured and stored. Large volume of network data              visualization applications have been focused on more
is being requested by diverse computer users. The network data            compared with others. Information on malicious attacks that
are represented to computer users by using different kinds of             have been triggered by using an abnormal detection device will
existing network data visualization tools. Nowadays, many                 be presented to the network administrators [2]. There are some
computers have been infected with the computer anomalies.                 other areas that visualization tools have focused on such as
The availability of network data visualization tools greatly              network intrusion detection and general network traffic. In this
facilitated to detect, perceive and defend computer users from            section, we discussed eight existing network data visualization
being affected by these anomalies. This definitely entailed               tools which consist of network data and network security
enormous network data visualization tools to completely                   visualization tool. Network data visualization tools namely,
represent network security data to the computer users.                    WatchPoint, ntop, Nodemap while network security
However, many of the network data visualization tools are                 visualization tools are VISUAL, SCPD, PortVis, NVisionIP
designed particularly for users with advanced network                     and NIVA.

A shorter version of this paper will appear in Proceedings of 2nd International Conference on Network Applications, Protocols and Services
(published by IEEE Conference Publication Services), 22-23 September 2010, Alor Setar, Kedah Darul Aman, MALAYSIA.
                                                                                                      ISSN 1947-5500
                                                             (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 8, No. 4, 2010
A. Network Data Visualization Tools                                     connected with the number of internal hosts from a grid, which
  1) Watch Point: WatchPoint is designed for presenting                 may be relevant to be used in their network. The grid represents
real-time and historical view for the network parameters.               home hosts; based on connection lines it allows the network
Besides, it is used to assemble and store the configured sources        administrator to check the total traffic that exchanged between
of network data and able to present instant comparisons of the          home host and external host [6].
current network without any loss of network data [3].                     The disadvantages of VISUAL are useful for only small
  The disadvantage of Watch Point is the visualization will             networks such as home network and meaningful for network
only be understood by network experts.                                  experts.

  2) ntop: ntop has been designed for analysing traffic                    2) SCPD: Another network security visualizations tool
patterns. Some of the system experts have extended ntop by              such as Spinning Cube of Potential Doom (SCPD) is designed
adding embedded NIDS (Network Intrusion Detection System)               for network professional and also presented simple information
in order to improve the system. ntop NIDS is very distinctive           on the network security frequency and threats extent to
with its knowledge compare with current NIDS. It is also                beginner [9]. An example of SCPD has been shown in [9].
dynamic and not specified at ntop start-up by means of                     The advantage of SCPD is that it provided a complete map
configuration files [4].                                                of internet address space indicating the frequency and origin of
  The disadvantages are designed for those network experts              scanning activity will be provided by SCPD. User would be
and no customization are being allowed in ntop.                         able to visualize easily about the sensor data from a large
                                                                        network. Rainbow color map has been used for the cube colors
   3) Nodemap: Nodemap is designed for the purpose to                   dots of incomplete connections [9]. Port scans on a single host
present SNMP queries against network devices as well as to              represented by vertical lines and others scan across hosts will
determine the complicated networks link status. The detailed            be represented by horizontal lines.
information on network link status will be presented at low-               The disadvantages of SCPD are simple information is being
levels visualization together with higher levels summarizations.        presented to lower expertise and customization is not provided
This is to ensure network computer user can be easily to                in this system.
determine the current state of a network and gained enough
information to analyse performance complaints without                      3) PortVis: Another network security visualization tool is
needing to know every single detail about the network.                  PortVis as shown in Figure 1 in [10]. It was focusing on a
Besides, Nodemap is also useful for tracking DoS packets flow           single host at a time and doing the analysing on it. It designed
in complex networks [5].                                                for outside security specialists.
   The disadvantages of this tool are only targeted to network             The main advantage of this tool is to present outside data
computer user with higher network data knowledge and not                entities to outside security specialists. Information such as each
permitted for customization from the computer users.                    TCP port during a period of one hour is being visualized and
                                                                        large scale of security occurrence will be detected by PortVis.
B. Network Security Visualization Tools                                 PortVis also allow for small scale security occurrence
                                                                        detection, which allowed for further investigation.
   1) VISUAL: Visual Information Security Utility for
                                                                           The drawbacks of PortVis are focusing on a single host at a
Administration Live (VISUAL) is a network security
                                                                        time and only security specialists will comprehend on the
visualization tool that allows network administrators to
                                                                        shown information from PortVis.
examine the communication networks between internal and
external hosts, in order to rapidly aware the security conditions          4) NVIsionIP: Besides that, Figure 1 shown the NVisionIP
of their network [6]. VISUAL applied the concept of dividing            in [11] is also a visualization tool that targeted to provide and
network space into a local network address space and a remote           improve the overall situational awareness of the network
network address space (rest of the internet). In order to produce       among network security administrators. A graphical
its data visualizations, data will be taken from the log files of       representation of a class-B network and numbers of different
Tcpdump or Wireshark. Previously, it was known as Ethereal              views of the data will be presented to network security
[7][8] until Summer 2006 due to trademark disagreement. It is           administrators. There are three main visualization views in a
an open source tool which contributed to Unix and Windows,              single application of NVisionIP, namely Galaxy, Small
especially for network protocol analyser purpose.                       Multiple and Machine visualization views. NVisionIP targeted
   The advantage of VISUAL is to provide a quick overview of            to improve the interactivity among this visualization views by
the current and recent communication patterns among the                 allowing them to transferring data from one visualization views
monitored network. Administrators can specify their network             to other visualization views.
and remote IP by using home and remote IP filter as shown in               The shortcoming of NVisionIP is the information and
Figure 2 in [6]. Based on the information provided by IP filter,        visualization views only meaningful to security administrators.
administrators can identify any single external hosts that are

                                                                                                    ISSN 1947-5500
                                                             (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 8, No. 4, 2010
Others computer users with lower knowledge will find this                 1) Details of Expert Level-One (Beginner): The expert
view meaningless for them                                               level-one screen as shown in Figure 1 considers the user as a
                                                                        beginner in computer sciences, or at least someone who has
  5) NIVA: Network Intrusion Visualization Application                  very basic and common computer awareness. Based on the user
(NIVA) is another network security awareness tool [12]. It is           requirements, system generates the initial screen for computer
an intrusion detection data visualizer which integrated with            users, which are Figure 1 and 2. There are three types of data
haptic features. The novel haptic feature allows users to sense         that will be shown on the expert level-one default screen:
and interactively analyse intrusion detection data over time and             a) Node: Composing the network represented by a
also using three-dimensional space.                                     machine icon, including IP addresses such as IP source, IP
  The advantage of NIVA is it provides visual and other                 destination and date of the analysis, displayed when mouse
approach for the visual purposes. Users can fully sense the             moving above the concerned node.
network intrusion by using haptic features.                                  b) Address book: Containing every computer shown on
  The disadvantages of NIVA are the approach is working well            the screen, allowing the user to have an overall view of who is
in individual network instead of huge network and not                   connected on the network.
applicable to beginner or lower network awareness experts.
                                                                             c) Worm detection: The system detects any kind of
                                                                        worms that present in the network and it will immediately
     III.   ARCHITECTURE OF EXPERT-AWARE APPROACH                       launch a pop-up window informing where the infection comes
                                                                        from. An icon will appear on the involved node to show that to
A. Two-Dimensional Architecture Development                             the user in a more visual way.
    We proposed an expert-aware approach to designing a
system which formulated with a large amount of high-
dimensional network data and adaptive for different types of
users. Our proposed architecture not only focuses on a small
network but also on a complicated network data. In the
preliminary phase, we were conducting a knowledge survey
among different types of computer users and collecting data
from them. This survey is important in order to collect the
network knowledge level and requirements on the network
from different types of computer users. Diverse computer users
provided us with their requirement of network data details. We
construct an intelligent expertise classification algorithm which
provides a default setting for the expert-aware network data
visualization tool based on the knowledge survey results. The
system will learn from continual user feedbacks in order to                Figure 1. Expert level-one screen shot.
statistically satisfy the needs of majority tool users. Our focus
in on network security data and the expert-aware approach
looks at the users’ expertise level in network security and
adapts the most comprehensive visualization screens that are
best for the user understanding.
    In our initial architecture design, expert levels will be the
most crucial and particular component. We will examine the
level of computer users. From the experts’ examination, we
concluded them into initial three different default levels, which
are the expert level-one also known as beginner, level-two or
intermediate and level-three or advanced. The details of those
different levels will be discussed in the following subsections.
This subsection will discuss more about the development of
two-dimensional screens for expert level-one and level-two
whereas the next subsection will discuss more about the
development in three-dimensional which targeted expert level-              Figure 2. Expert level-one screen shot with simple worm
three. The architecture is mostly based on the node concept. A             detection alert.
node is an entity (class, in our case with object-oriented
programming) containing several elements such as, an icon                 2) Details of Expert Level-Two (Intermediate): Figure 3
(type depends on the programming language used), a x                    showed the screen shot of expert level-two. In this expert
coordinates and a y coordinates as an Integer type (to localize         level, users consider as someone who has a little knowledge in
the icon in the scene), some Strings containing the different IP        computer network. Three new types of data have been added
addresses, a date type and also a list of nodes.                        to the screen and some interactivity elements have been

                                                                                                         ISSN 1947-5500
                                                               (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                         Vol. 8, No. 4, 2010
provided into this expert level. Animation features have been             on network security data and network data. Figure 7 and 8
included in the development phase for expert level-two. The               shown the screens shot of our initial development which is still
links between computers have been replaced by more complex                ongoing process and will be improved from time to time.
entities exchanges.
     a) Packets per sec: This information is represented by
the speed of the packets coming from a computer to another. It
showed that the packet between the two nodes become faster
and the packet per second value of the network become
     b) Network utilization: This data is shown using the
color of the packets by following this criteria; if it turns out
that the network is subject to a high utilization, the color of the
packets will be dark. And if the network is very less in used,
the color of packets will be slightly lighter.
    c) Packets size ratio: It is represented on the screen by
the size of the packets that are exchanged between two
machines.                                                                     Figure 7. Expert level-three single view screen shot.

                                                                             Figure 8. Expert level-three multiple view screen shot.
    Figure 3. Expert level-two screen shot.

B. Three-Dimensional Architecture Development                                          IV.     DISCUSSIONS AND CONTRIBUTIONS
    Basically the three-dimensional (3D) architecture                     In this section, we will briefly summarize and compare our
development is targeted to expert level-three. The computer               proposed expert-aware approach with the existing network
users with high network knowledge will easily comprehend                  security visualization tools. A brief comparison summary
with the 3D appearances.                                                  among existing network data visualization tools according to
    There is an EntityNode class to represent a machine (blue             their advantages and disadvantages is shown in Table 1.
sphere) and its IP address. The constructor of this class takes
three parameters: the radius of the sphere, the vector locating            Table 1. Comparison summary between expert-aware approach and existing
the sphere and the String which will be display above the                  works.
machine. Part of the programming has been shown in Figure 4.                No.     Tools             Advantages                  Disadvantages
    The size of the text is then reduced because of the huge
default size that Java3D provides to its Text3D instances.                  1.      Watch             1.providing both a          1. meaningless
    The Request class which make a 3D text going from an                            Point             real-time and               to beginner
EntityNode to another one. The constructor of this class takes                                        historical view             user
three parameters: a first EntityNode, from where the text will              2.      ntop              1.classifying               1. meaningless
come, a second EntityNode which will be the destination of the                                        traffic hence               to beginner
text. The last parameter is the speed that the request will have                                      recognizing                 user
to go from the start point to the destination point. Figure 5 has                                     specific attacks
shown the programming to create the text.
    Once, we have created the text, we need to use several Java             3.      Nodemap           1.produces                  1. meaningless
3D classes to make it move. The most important one is the                                             visualizations to           to beginner
PositionPathInterpolator object as shown in Figure 6.                                                 convey the                  user
                                                                                                      "holistic" state of
  1) Details of Expert Level-Three (Advanced): Computer                                               the network.
user in expert level-three is expecting to have high awareness

                                                                                                           ISSN 1947-5500
                                                              (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                        Vol. 8, No. 4, 2010
  4.    VISUAL         1.present a quick     1. only focus             it lays out complicated network data on comprehensive
                       overview of the       on small                  representation, and added further advantage by making it
                       current and recent    network                   possible to display very large volume of network data by
                       communication         2. meaningless            allowing the different level of computer users to view the
                       patterns              to beginner               different level of network data details. It is able to show not
                                             user                      only the small portion of network security data but all relevant
  5.    SCPD           1. present a          1. simple                 data to different types of user.
                       complete map of       information is               The main contribution of our approach is targeted to fulfill
                       internet address      presented                 diverse computer users’ requirement on the different levels of
                       space                 2.                        network data details. Our approach has also been tested among
                                             customization             the researchers and non-researchers from National Advanced
                                             not provided              IPv6 Centre, Universiti Sains Malaysia.
  6.    PortVis        1. present outside    1. only focus                Besides, small network and complicated network will put in
                       data entities         on single host            concern in this approach development.
                                             2. meaningless
                                             to beginner
                                                                                                 V.     CONCLUSION
  7.    NVisionIP      1. present class-B    1. meaningless               In this research, we proposed and implemented an
                       network and           to beginner               innovative and intuitive expert-aware approach for the
                       numbers of            user                      network data visualization tools, which improved the existing
                       different views of                              network data visualization tools. Our experiments in a network
                       the data                                        lab suggest that the tool can be potential be further improved
                                                                       as the tool has a high potential to a wide range of computer
  8.    NIVA           1. as an intrusion    1. working well           users in the visualization area. The initial result showed that
                       detection data        in individual
                                                                       the expert-aware approach has the capability for intelligence
                       visualizer which      network
                                                                       adjustment change whenever network data are updated. It will
                       integrated with       2. meaningless            also improve on performance, effectiveness, and efficiency of
                       haptic features       to beginner               network data visualization. The well-developed network data
                                             user                      visualization approach makes it a promising network data
  9.    Expert-        1. targeted on        1. required               visualization tool for the future.
        Aware          different types of    input from
        Approach       computer users        computer users
                       2. focus on small                                                        ACKNOWLEDGMENT
                       and huge network                                    Our special thanks to Institute of Postgraduate Studies
                                                                       (IPS), Universiti Sains Malaysia (USM) for their financial
   Initial results of the implementation of the expert-aware           support by awarding Doris Hooi-Ten Wong the Fellowship
approach for the network data visualization tool show that it is       Scheme. We would like to thank to National Advanced IPv6
capable of representing several of network data not only on            (NAv6), Universiti Sains Malaysia (USM) colleagues for their
                                                                       willingness to spare and contribute their guidance.
two-dimensional space in a computer but also three-
dimensional space. The tool able to represent different level of
network data details to different levels of users. Our proposed                                     REFERENCES
approach is tested with dataset that has been captured by using        [1]   S. M. Bruls, K. Huizing, and J. Van Wijk, “Squarified treemaps,” In
network monitoring system and system acceptance surveys                      Proceedings of the Joint Eurographics and IEEE TCVG Symposium on
                                                                             Visualization (VisSym), 33–42, 2000.
have been conducted among diverse computer users (beginner,            [2]   M. Allen, P. McLachlan, “NAV Network Analysis Visualization,”
intermediate and advanced) to get the feedback from them in                  University of British Columbia, [Online, 29 May 2009].
order to improve the algorithm approach. System features such          [3]   WildPackets. Watch Point.
as effectiveness and efficiency have been improved based on        
the evaluation analysis result. The visualization effectiveness              oint, [Online, 1 January 2010].
                                                                       [4]   Ntop., [Online, 1 May 2009].
has been enhanced by presenting sufficient network data to             [5]   M. Newton,, [Online, 29 May 2009].
relevant computer user as well as the visualization efficiency         [6]   R. Ball, G. A. Fink, and C. North, “Home-centric visualization of
has been improved by maximizing network data understanding                   network traffic for security administration,” VizSEC/DMSEC ’04:
among computer users.                                                        Proceedings of the 2004 ACM workshop on Visualization and data
   The results from the evaluation also showed that the expert-              mining for computer security, pages 55–64. ACM Press, 2004.
                                                                       [7]   V. Jacobson, C. Leres, and S. McCanne, TCPdump public repository,
aware approach that applied in network data visualization is       , cited September, 2009.
similar to some other existing network data visualization tools,       [8]   G. Combs, Ethereal downloadable at:,cited
                                                                             September, 2009.

                                                                                                      ISSN 1947-5500
                                                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                                     Vol. 8, No. 4, 2010
[9]  S. Lau, “The Spinning of Potential Doom,” Commun. ACM, 47(6):25–
     26, 2004.
[10] J. McPherson, K. L. Ma, P. Krystosk, Tony Bartoletti, and Marvin
     Christensen, “Portvis: a tool for port-based detection of security events,”
     In VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on
     Visualization and data mining for computer security, pages 73–81. ACM
     Press, 2004.
[11] K. Lakkaraju, W. Yurcik, and A. J. Lee. “NVisionIP: Net-flow
     visualizations of system state for security situational awareness,” In
     VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on
     Visualization and data mining for computer security, pages 65–72. ACM
     Press, 2004.
[12] K. Nyarko, T. Capers, C. Scott, and K. Ladeji-Osias, “Network intrusion
     visualization with NIVA, an intrusion detection visual analyzer with
     haptic integration,” in Haptic Interfaces for Virtual Environment and
     Teleoperator Systems, 2002. HAPTICS 2002 Proceedings, 10th
     Symposium on, 2002.

                           AUTHORS PROFILE

                                  Doris Hooi-Ten Wong is a PhD                                                   Sureswaran Ramadass (PhD) is a
                                  candidate in National Advanced IPv6                                            Professor and the Director of the National
                                  Centre (NAv6), Universiti Sains Malaysia                                       Advanced IPv6 Centre (NAv6) at Universiti
                                  (USM). She obtained her B.Sc. (Hons) in                                        Sains Malaysia (USM). He is also the
                                  Multimedia degree from the Universiti                                          founder of Mlabs Systems Berhad
                                  Utara Malaysia in 2008. Her research                                           (MLABS), a public listed company on the
                                  objectives are to design and develop a                                         MESDAQ. Prof Dr Sureswaran obtained his
                                  new framework, expert-aware approach                                           BsEE/CE (Magna Cum Laude) and Masters
                                  and intelligence algorithm in network                                          in Electrical and Computer Engineering
                                  data visualization. She is a member of the                                     from the University of Miami in 1987 and
                                  Asia-Pacific Advance Network (APAN)                                            1990 respectively. He obtained his doctorate
                                  as well as the secretariat of APAN                                             from USM in 2000 while serving as a full
                                  Malaysia (APAN-MY).                                                            time faculty in the School of Computer
                                                                                                                 Sciences. His research areas include the
                                                                                                                 Multimedia       Conferencing       System,
                                  Kok-Soon Chai (PhD) is a Senior Lecturer                                       Distributed Systems and Network Entities,
                                  of the National Advanced IPv6 Centre                                           Real Time Enterprise Network Monitoring,
                                  (NAv6) at Universiti Sains Malaysia                                            Real Time Enterprise System Security,
                                  (USM). He was a pioneer and section                                            Satellite and Wireless Networks, IPv6
                                  manager for the embedded software group,                                       Research, Development and Consultancy,
                                  Plexus Technology Group in Penang,                                             and Digital Library Systems.
                                  Malaysia. He led a team of software
                                  engineers designing automotive, medical
                                  and networking products for US companies.
                                  Prior to joining Plexus, he worked at design                                   Nicolas Vavasseur is a Master candidate
                                  centers at Agilent and Motorola. He was                                        from Université de Franche Comté. His
                                  also involved in research projects sponsored                                   Master industrial training has been taken in
                                  by Airbus UK at the University of Warwick.                                     National Advanced IPv6 Centre (NAv6) of
                                  He is a regular speaker at many conferences.                                   year 2010.
                                  He       pioneers      the      function-class
                                  decomposition and UML for embedded
                                  software design and presented this approach
                                  at the Embedded Systems Conference in
                                  Silicon Valley. He obtained a perfect score
                                  of 6 out of 6 for the technical content of the
                                  presentation averaging from the feedbacks
                                  of the attendees. He holds a number of
                                  publications in international journal, IEEE
                                  conferences, Motorola Software, Systems
                                  and Simulation (S3) conference, and a US
                                  patent application. He holds a PhD in
                                  Engineering from the University of
                                  Warwick, UK.

                                                                                                                ISSN 1947-5500
                                                            (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                      Vol. 8, No. 4, 2010

Figure 4. Screen shot of programming to create node.

Figure 5. Screen shot of programming to create text.

Figure 6. Screen shot of programming to create animation.

                                                                                                 ISSN 1947-5500

To top