Detecting Networks Anomalies and Attacks Using 3D Visualization

3D modeling and visualization have become a key component of scientific research and development in many domains. As new routers, switches or firewalls are added, computer networks are becoming more and more complex. Presenting computer networks in three dimensions helps considerably in protecting networks and providing services to them. The main purpose of this paper is therefore to detect network anomalies based on a 3D visualization of the computer network. The interaction between the network administrator and the application happens in real time: if a breakdown occurs, the network administrator is informed in real time and can immediately switch off the broken device and then repair it. In practice, we built a 3D model and visualization of our university computer network, with more than a thousand devices, and it works well.


Introduction
Visualization for network security has become an interesting research topic. With the progress of technology and the implementation of new requirements, computer networks are more complex and very often attacked. Presenting the computer network in three dimensions helps manage these alerts. « There are many potential applications of information visualization to the problems of computer security, including: Visualization for detecting anomalous activity, Visualization for discovering trends and patterns, visualization for correlating intrusion detection events, visualization for seeing worm propagation or botnet activity, visualization for forensic analysis, visualization for understanding the makeup of malware or viruses, visualization for communicating the operation of security algorithms etc. » [1].
Here we describe 3D-NET, a practical application for 3D modeling and visualization of our university computer network. Previously we kept various schemas and tables, which we printed for later use. To change a network device, the network administrator had to look up the identification of that device in one plan and then check another plan for its location. This can be quite easy if the network has only a few devices (Figure 1).

The Problem
How can we present a computer network that contains more than a thousand devices, connected to each other through links of various weights, and how can we maintain it in real time? Presenting computer networks in 2D, with traditional visualization techniques on paper or on a display, is extremely inconvenient. The network administrator cannot get a clear view when trouble occurs in the network. In this context, problems arose all the time, especially with cyber attacks.

Solution
Faced with the problem described above, our idea was to find a convenient way to visualize and control a computer network in real time. In our institute, we build various applications using 3D modeling and visualization technology, so our solution to this problem was based on a three-dimensional representation of the computer network. We started with a prototype modeling a network of only a few devices (Figure 2). The links between devices are represented with segments of different colors for different weights. Given the number of network components, being able to choose how the network is modeled was a real advantage.
In our application, we took the different network devices, such as servers, routers, switches and firewalls, and gave each its standard form. The third dimension, depth, makes the network look more natural. A parallelepiped represents servers, hubs and other nodes such as switches, a cylinder represents a router, and a computer screen represents the computers on the network. Each network device is identified by its IP address (Figure 3). For a node group, we chose a 3D conical shape in which the top of the cone represents a router and the computers are placed on its circular base.
In our tests, the application ran well. We then completed the network structure of our university, which contains over a thousand network devices. Using the mouse, it is easy to navigate and view the entire network on one screen. Color, a key tool in visualization, is used to distinguish the link weights of the network quickly (Figure 2). For better visualization of nodes and network devices, and especially to minimize crossed links, the distance between nodes as a function of the link weight is given by: $d_{ij}$ = displayed link length, $w_{ij}$ = weight of the link. That means the distance between two nodes is inversely proportional to the link weight [5].

Technology Used
For modeling and visualizing the network, we use the C++ programming language with the Open Scene Graph graphics library. Open Scene Graph is an open source, high performance 3D graphics toolkit used by application developers in fields such as visual simulation, games, virtual reality, scientific visualization and modeling [2], [14].
The network structure is described in XML files, where each node has its parameters: name, type, state and IP address (Figure 4).
As dynamic support for network visualization, we added real-time interactivity between the network administrator and the application. If a problem occurs in the network, alert messages are instantly generated from the security devices through log files. At the same time, the zone at risk is identified by a white sphere (Figure 5).
Immediately, a white sphere centered on that device is drawn to attract the administrator's eye, and an emergency sound is played. The network administrator is informed in real time (also by SMS if away from the workplace). We can zoom in, and the alerted device is shown on the screen in red with all necessary information written on it (Figure 6). This is based on the information visualization mantra (Ben Shneiderman) [4]: « Overview first, zooming and filter, then details on demand ». After consulting the identification and location of a problematic device, the administrator can first switch that device off and then go directly to its location to repair it (or even to replace it completely). This kind of network visualization allows even untrained users to detect and repair these devices. As Ball, Fink and North said: « Regardless of training or experience, administrators must be able to rapidly understand the security state of their systems and networks, especially during a crisis. Most of the tools they use are text-based. We believe they can be more effective using visualization » [3].
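The alert path described above (an XML topology, alerts arriving through log files, the alerted device flagged for display) can be illustrated as follows. This is an added example, not the 3D-NET code: it is written in Python rather than the application's C++, and the XML element and attribute names, the log line format and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are assumptions: the page
# only says each node carries a name, type, state and IP address.
TOPOLOGY_XML = """<network>
  <node name="core-router" type="router" state="ok" ip="10.0.0.1"/>
  <node name="lab-switch" type="switch" state="ok" ip="10.0.1.1"/>
</network>"""

# Constructed alert lines in an assumed "timestamp severity ip message" format.
ALERT_LOG = """2024-01-01T10:00:00 CRITICAL 10.0.1.1 link down on port 12
2024-01-01T10:00:05 INFO 10.0.0.1 config saved
2024-01-01T10:00:09 WARNING 10.0.9.9 traffic from unregistered host
2024-01-01T10:00:12 CRITICAL 999.1.1.1 not an address
truncated li"""

LINE_RE = re.compile(r"(\S+) (INFO|WARNING|CRITICAL) (\S+) (.+)")

def load_nodes(xml_text):
    """Index topology nodes by parsed IP address."""
    return {ipaddress.ip_address(el.get("ip")): dict(el.attrib)
            for el in ET.fromstring(xml_text).iter("node")}

def apply_alerts(nodes, log_text):
    """Set state="alert" on alerted nodes; return (unknown, rejected)."""
    unknown, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line)
        try:
            ip = ipaddress.ip_address(m[3]) if m else None
        except ValueError:
            ip = None
        if ip is None:
            rejected.append(line)         # malformed line or invalid address
        elif m[2] == "INFO":
            continue                      # informational, not an alert
        elif ip in nodes:
            nodes[ip]["state"] = "alert"  # device to highlight in the scene
            nodes[ip]["last_alert"] = f"{m[1]} {m[2]} {m[4]}"
        else:
            unknown.append((str(ip), m[4]))  # alert for a device not in the topology
    return unknown, rejected

if __name__ == "__main__":
    nodes = load_nodes(TOPOLOGY_XML)
    print(apply_alerts(nodes, ALERT_LOG))
    print([n["name"] for n in nodes.values() if n["state"] == "alert"])
```

Alerts that end up in the unknown list deserve their own display, since an alert about an address missing from the topology points to an inventory gap or an unregistered system.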

Future Work
Many researchers in the physical sciences have utilized 3D data visualization techniques to explore the interaction of variables that simultaneously impact physical phenomena [11]. We can incorporate network traffic data into the display, letting administrators quickly examine the data for particular types of traffic, such as illegal systems on the network, improper application usage, or connections from unknown systems or users [12].
It is interesting to visualize the flow of communication across the network. For the network link weights, we can use the spectral order of colors to indicate different values, from the lowest to the highest. Several applications have been developed to promote research in the area of visualization for network security. There are several applications that visualize network traffic data [6]. As an example, the VISUAL 3D scene is made of two network pixel maps facing each other as if in a mirror. A network pixel map is a pixel-oriented overview visualization [7]. Another application enables users to dynamically construct multiple-view visualizations for their tasks and data. Users exploit powerful visualization components developed in research, such as Hyperbolic trees and Treemaps [9]. This may be useful because proficient hackers will attempt to hide their ultimate goal [10]. Furthermore, the Tellenbach study suggests that each router shows a different visibility of the anomalies. That difference illustrates the impact of the traffic mix on anomaly visibility [15]. In this sense, we can still add different data analyses to our application in order to meet different requirements.

Conclusions
In this paper, we described 3D-NET, an application that facilitates maintenance during network problems (malicious attacks, various anomalies, connectivity problems, etc.) through a 3D representation of computer networks. Specifically, we built a 3D model and visualization of our university computer network, with more than a thousand devices. The purpose of the three-dimensional representation of a network is to inform the network administrator in real time about problematic network devices so that they can be identified. The real-time interaction between the application and the network administrator makes it possible first to disconnect the alerted device from the network and then to go to the right location to repair or replace it. As an alternative method of data analysis, we think that 3D visualization is very useful.