Article ID: 456612
Journal: Computers & Security
Published Year: 2007
Pages: 12
File Type: PDF

Abstract

We propose a novel graphical technique (SVision) for intrusion detection, which pictures the network as a community of hosts independently roaming in a 3D space defined by the set of services that they use. The aim of SVision is to graphically cluster the hosts into normal and abnormal ones, highlighting only the ones that are considered a threat to the network. Our experimental results, obtained on the DARPA 1999 and 2000 intrusion detection and evaluation datasets as well as on real network data captured between 2003 and 2005 from the University of New Brunswick main link and from a private network, show the proposed technique to be a good candidate for the detection of various network threats such as vertical and horizontal scanning attacks, Denial of Service (DoS) attacks, Distributed DoS (DDoS) attacks, and worm propagation attacks. Finally, the visualization technique proves to cope with a high number of hosts in the network, with the experimental results using network data of up to 1,000,000 distinct IPs per time interval.
