DocumentCode
2408602
Title
Visual correlation of host processes and network traffic
Author
Fink, Glenn A. ; Muessig, Paul ; North, Chris
Author_Institution
Virginia Polytech. Inst. & State Univ., USA
fYear
2005
fDate
26 Oct. 2005
Firstpage
11
Lastpage
19
Abstract
Anomalous communication patterns are one of the leading indicators of computer system intrusions according to the system administrators we have interviewed. But a major problem is being able to correlate across the host/network boundary to see how network connections are related to running processes on a host. This paper introduces Portall, a visualization tool that gives system administrators a view of the communicating processes on the monitored machine correlated with the network activity in which the processes participate. Portall is a prototype of part of the Network Eye framework we have introduced in an earlier paper (Ball, et al., 2004). We discuss the Portall visualization, the supporting infrastructure it requires, and a formative usability study we conducted to obtain administrators' reactions to the tool.
Keywords
computer network management; data visualisation; security of data; telecommunication security; Network Eye framework; Portall visualization; anomalous communication patterns; computer security; computer system intrusion; information visualization; network activity monitoring; network traffic; system administration; visual correlation; Computer security; Data security; Data visualization; Humans; Information security; Intrusion detection; Operating systems; Sockets; Telecommunication traffic; Usability;
fLanguage
English
Publisher
ieee
Conference_Titel
Visualization for Computer Security, 2005. (VizSEC 05). IEEE Workshop on
Print_ISBN
0-7803-9477-1
Type
conf
DOI
10.1109/VIZSEC.2005.1532061
Filename
1532061