Parallel Coordinate Attack Visualization

This homepage presents what we call the parallel coordinate attack visualization (PCAV) for detecting large-scale Internet attacks including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on the plane of parallel coordinates using the flow information such as the source IP address, destination IP address, destination port and the average packet length in a flow. The parameters are used to draw each flow as a connected line on the plane, where a group of lines forms a particular shape in case of attack. From the observation that each attack type of significance forms a unique pattern, we develop nine signatures and their detection mechanism based on an efficient hashing algorithm. Using the graphical signatures, PCAV can quickly detect new attacks and enable network administrators to intuitively recognize and respond to the attacks. Compared with existing visualization works, PCAV can handle hyper-dimensions, i.e., can visualize more than 3 parameters if necessary, which significantly reduces false positives. As a consequence, Internet worms are more precisely detected. Another strength of PCAV is handling flows instead of packets. Per-flow visualization greatly reduces the processing time and further provides compatibility with legacy routers which export flow information, e.g., as NetFlow does in Cisco routers. We confirmed the effectiveness of PCAV using real-life Internet traffic traces. The PCAV program and demo movie of evaluation are publicly available here.

• Demo movie

  This demo movie demonstrate PCAV performs well under backbone network traffic. The backbone traffic includes two trans-pacific T3 links connecting the U.S. and a Korean Internet Exchange traffic. In the backbone traffic, you can see a shape of actual DDoS attack distinctly. This movie file encoded with Microsoft video 1 codec.

• PCAV application

  This is the latest version of the PCAV application. It is not complete version of the PCAV, therefore some operations may not work properly. You can see the detail descriptions demo applications in readme.txt. The PCAV uses Cisco netflow version 5 for input data, so you should use some tools or router such as nprobe or Cisco router wihch can export neflow data. If you want to have demo copy of nprobe, get it from the homepage of nprobe.

• Conference Paper

  Hyunsang Choi, Heejo Lee, "PCAV: Internet Attack Visualization on Parallel Coordinates", ICICS 2005, LNCS 3783, pp. 454~466, Dec. 2005.

• Magazine

  Hyunsang Choi, Heejo Lee and Hyogon Kim, "Parallel Coordinate Attack Visualization", Submitted for publication, 2006.