About


Welcome to the Master's research site of Jean-Pierre van Riel. The general subject matter is network monitoring, information security and visualisation. In particular, network telescope traffic is visualised, analysed and used to critique the scan detection algorithms found in the Snort and Bro IDS. This site provides an overview and sample of some research findings along with access to the author's publications. In addition, the source code and binaries for InetVis can be found on this site. InetVis is the network packet visualisation tool developed for this research. Its development and design were inspired by Stephen Lau's Spinning Cube of Potential Doom. In his words:

Practically every computer linked to the Internet is constantly being scanned for security vulnerabilities and targeted for attack by viruses, worms, and worse. [S. Lau]

Keywords

information visualisation, network traffic visualisation, network monitoring, network telescope, information security, network security, intrusion detection, scan detection.

Research Abstract

Monitoring and securing computer networks present several challenges. One challenge is dealing with large, multifaceted, data volumes. A second challenge is maintaining vigilance amidst an increasing number of vulnerabilities and exploits. A third challenge is assessing the inadequacies in automated security measures such as intrusion detection systems. In addressing these challenges, this research intends to investigate the combined use of visualisation and dedicated sensor network monitoring methodologies – in particular using a network telescope to observe scan incidents and anomalous traffic found in the ‘wild’. A network telescope provides a clearer view of scan activity because it passively monitors traffic by only capturing incoming unsolicited activity (i.e. no legitimate production traffic). This alleviates the concern of dealing with large traffic volumes and false positives. It is anticipated that suitable visualisation of network scans can serve as an interpretive platform, enhance human insight, and aid in critiquing scan detection algorithms. In particular, the Snort and Bro IDS scan detection algorithms are investigated in depth.

A further objective is to visualise scan alert data superimposed over raw traffic data, providing a viewpoint to interpret and scrutinise the performance of a scan detection algorithm.
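The two ideas in the abstract, that every packet reaching a dark address block is unsolicited by construction, and that scan alerts can be laid over the raw traffic to see what a detector explains and what it leaves unexplained, are easier to grasp with a small worked example. The following Python is an added illustration, not code from InetVis or from this research, and it does not reproduce the Snort or Bro algorithms: the dark prefix (RFC 5737 TEST-NET-3), the packet records and the distinct-host / distinct-port thresholds are all constructed for the demonstration.

```python
"""Toy network-telescope analysis: filter, threshold scan detection, alert overlay.
Added example; constructed data; not InetVis code and not the Snort/Bro algorithms."""
from collections import defaultdict
import ipaddress

# Constructed dark address block standing in for the telescope (RFC 5737 TEST-NET-3).
TELESCOPE_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed inbound packet records: (time_s, src_ip, dst_ip, dst_port).
SAMPLE_PACKETS = [
    # horizontal sweep: one source probing port 445 across many telescope hosts
    (1.0, "198.51.100.7", "203.0.113.1", 445),
    (1.1, "198.51.100.7", "203.0.113.2", 445),
    (1.2, "198.51.100.7", "203.0.113.3", 445),
    (1.3, "198.51.100.7", "203.0.113.4", 445),
    (1.4, "198.51.100.7", "203.0.113.5", 445),
    # vertical probe: one source touching many ports on a single telescope host
    (5.0, "192.0.2.33", "203.0.113.9", 21),
    (5.1, "192.0.2.33", "203.0.113.9", 22),
    (5.2, "192.0.2.33", "203.0.113.9", 23),
    (5.3, "192.0.2.33", "203.0.113.9", 25),
    (5.4, "192.0.2.33", "203.0.113.9", 80),
    # isolated stragglers (backscatter-like): too few packets to cross any threshold
    (9.0, "192.0.2.80", "203.0.113.200", 80),
    (9.5, "192.0.2.81", "203.0.113.201", 53),
    # a packet not addressed to the dark block; a telescope would never see it
    (9.9, "192.0.2.82", "198.51.100.1", 80),
]


def telescope_filter(packets, net=TELESCOPE_NET):
    """Keep only packets destined to the dark block. Nothing legitimate lives there,
    so every surviving packet is unsolicited by construction (no production traffic)."""
    return [p for p in packets if ipaddress.ip_address(p[2]) in net]


def detect_scans(packets, host_threshold=5, port_threshold=5):
    """Per-source threshold heuristic (a simplified stand-in for IDS scan detection):
    a source touching >= host_threshold distinct telescope hosts is a horizontal scan;
    a source touching >= port_threshold distinct ports on one host is a vertical scan."""
    hosts = defaultdict(set)                      # src -> set of dst hosts
    ports = defaultdict(lambda: defaultdict(set)) # src -> dst -> set of dst ports
    for _, src, dst, dport in packets:
        hosts[src].add(dst)
        ports[src][dst].add(dport)
    alerts = []
    for src, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            alerts.append({"src": src, "kind": "horizontal", "hosts": len(dsts)})
        for dst, ps in ports[src].items():
            if len(ps) >= port_threshold:
                alerts.append({"src": src, "kind": "vertical", "host": dst, "ports": len(ps)})
    return alerts


def overlay(packets, alerts):
    """Superimpose alerts over raw traffic: tag each packet with the alert kind that
    explains it, or None. The untagged residue is what the detector did not account
    for, which is exactly what a visual overlay is meant to expose."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    tagged = []
    for p in packets:
        _, src, dst, _ = p
        kind = None
        for a in by_src.get(src, []):
            if a["kind"] == "horizontal" or a.get("host") == dst:
                kind = a["kind"]
                break
        tagged.append((p, kind))
    return tagged


def coverage(tagged):
    """Fraction of unsolicited packets accounted for by at least one alert."""
    if not tagged:
        return 0.0
    return sum(1 for _, k in tagged if k) / len(tagged)


if __name__ == "__main__":
    pk = telescope_filter(SAMPLE_PACKETS)
    tg = overlay(pk, detect_scans(pk))
    for p, k in tg:
        print(f"{p[0]:5.1f} {p[1]:>14} -> {p[2]:>14}:{p[3]:<5} {k or '-'}")
    print(f"alert coverage of telescope traffic: {coverage(tg):.2f}")
```

Run as a script it prints each telescope packet with the alert kind that covers it; the two straggler packets stay uncovered, so coverage is 10 of 12. Varying the thresholds and watching which packets fall in or out of coverage is the same exercise the abstract proposes to do visually.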