Passive Visual Fingerprinting of Network Attack Tools

RELATED WORK
The primary contributions of this work include the
demonstration of the efficacy of fingerprinting common
attack tools, the ability to provide rapid insight into the
attacker's operating system type and the possible
lineage of the code in use, the ability to detect some
classes of stealthy attacks and the ability to detect slow
scans despite the visual noise of legitimate traffic.

3. NETWORK SECURITY VISUALIZATION PROCESS

We chose a comprehensive approach to visualize
network attacks that included consideration of all TCP,
UDP, IP and Ethernet header fields as well as many
features that can be derived from this data.

Network Layer (IP)
Network layer packets are used for host-to-host
communication across the Internet and have been
subject to much abuse by malicious entities. While we
chose to focus our visualizations on the source and
destination IP address fields, there are many areas for
future work.

3.2.2 Feature Construction
Feature construction allows one to add new attributes
to the packet capture dataset constructed based upon
the captured data as well as information from the
network security domain [27]. We chose the following
candidate features as useful for visualization: