DOI: 10.1145/2379690.2379701

VisTracer: a visual analytics tool to investigate routing anomalies in traceroutes

Published: 15 October 2012

Abstract

Routing in the Internet is vulnerable to attacks because of the insecure design of the Border Gateway Protocol (BGP). One possible exploitation of this insecure design is the hijacking of IP blocks; hijacked IP blocks can then be used to conduct malicious activities from seemingly legitimate IP addresses. In this study we actively trace and monitor the routes to spam sources over several consecutive days after receiving a spam message from such a source. The real challenge, however, is to distinguish legitimate routing changes from those related to systematic misuse in so-called spam campaigns. To combine the strengths of human judgement and computational efficiency, we present in this paper a novel visual analytics tool named VisTracer. The tool presents the results of our anomaly detection algorithms on large traceroute data sets through several scalable representations that support the analyst in exploring, identifying and analyzing suspicious events and their relations to malicious activities. In particular, pixel-based visualization techniques, novel glyph-based summary representations and a combination of temporal glyphs in a graph representation give an overview of route changes to specific destinations over time. Real-world case studies on large-scale data sets demonstrate the usage of VisTracer in practice.
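The monitoring loop the abstract describes (tracing the route to a spam source on consecutive days and separating ordinary hop churn from changes that point at a different origin network) as a simplified added example; this is not VisTracer's code or the paper's detection algorithm. The daily hop data, the AS numbers, the change ranking and the function names are all constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple
Hop = Tuple[str, int]  # (hop IP, AS number the hop was mapped to)
# Constructed sample: one traceroute per day towards a single spam-source
# destination (documentation IPs, private-use ASNs; not data from the paper).
# On day 4 the route ends in a different origin AS than on the other days.
SAMPLE_TRACES: Dict[str, List[Hop]] = {
    "2012-03-01": [("10.0.0.1", 64500), ("10.0.1.1", 64500), ("192.0.2.1", 64501), ("198.51.100.7", 64502)],
    "2012-03-02": [("10.0.0.1", 64500), ("10.0.1.1", 64500), ("192.0.2.1", 64501), ("198.51.100.7", 64502)],
    "2012-03-03": [("10.0.0.1", 64500), ("10.0.1.2", 64500), ("192.0.2.1", 64501), ("198.51.100.7", 64502)],
    "2012-03-04": [("10.0.0.1", 64500), ("203.0.113.9", 64503), ("203.0.113.10", 64504), ("198.51.100.7", 64504)],
    "2012-03-05": [("10.0.0.1", 64500), ("10.0.1.1", 64500), ("192.0.2.1", 64501), ("198.51.100.7", 64502)],
}

def as_path(trace: List[Hop]) -> List[int]:
    """Collapse consecutive hops inside the same AS into an AS-level path."""
    path: List[int] = []
    for _, asn in trace:
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def hop_change_ratio(a: List[Hop], b: List[Hop]) -> float:
    """Jaccard distance between the hop-IP sets of two traces (0 = same, 1 = disjoint)."""
    sa, sb = {ip for ip, _ in a}, {ip for ip, _ in b}
    return 0.0 if not (sa | sb) else 1.0 - len(sa & sb) / len(sa | sb)

def classify_route_changes(traces: Dict[str, List[Hop]]) -> List[Tuple[str, str, float]]:
    """Compare each day with the previous one and label the change, most suspicious
    first: origin AS changed > AS path changed > only hops inside an AS changed.
    This ranking is a constructed heuristic, not the paper's detection algorithm."""
    events = []
    days = sorted(traces)
    for prev, cur in zip(days, days[1:]):
        p, c = traces[prev], traces[cur]
        ratio = hop_change_ratio(p, c)
        if p[-1][1] != c[-1][1]:
            events.append((cur, "origin-as-change", ratio))
        elif as_path(p) != as_path(c):
            events.append((cur, "as-path-change", ratio))
        elif ratio > 0.0:
            events.append((cur, "intra-as-hop-change", ratio))
    return events

def origin_as_outliers(traces: Dict[str, List[Hop]]) -> List[str]:
    """Days whose final-hop AS differs from the origin AS seen most often in the window."""
    origins = {day: trace[-1][1] for day, trace in traces.items()}
    majority = Counter(origins.values()).most_common(1)[0][0]
    return sorted(day for day, asn in origins.items() if asn != majority)
```

Over the sample, day 3 is reported as ordinary intra-AS churn while days 4 and 5 are flagged as origin-AS changes, and day 4 is the only outlier against the window's majority origin; a glyph-based summary like VisTracer's would then let an analyst review these flagged days rather than every trace.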


Cited By

  • (2022) The State of the Art in BGP Visualization Tools: A Mapping of Visualization Techniques to Cyberattack Types. IEEE Transactions on Visualization and Computer Graphics, pp. 1-11. doi:10.1109/TVCG.2022.3209412
  • (2022) Survey on Visual Analysis of Event Sequence Data. IEEE Transactions on Visualization and Computer Graphics 28(12), pp. 5091-5112, 1 December 2022. doi:10.1109/TVCG.2021.3100413
  • (2021) ProBGP: Progressive Visual Analytics of Live BGP Updates. Computer Graphics Forum 40(3), pp. 37-48, 29 June 2021. doi:10.1111/cgf.14287

Published In

VizSec '12: Proceedings of the Ninth International Symposium on Visualization for Cyber Security
October 2012
101 pages
ISBN:9781450314138
DOI:10.1145/2379690

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. anomalies
  2. network security
  3. traceroutes
  4. visual analytics

Qualifiers

  • Research-article

Conference

VizSec '12

Acceptance Rates

Overall Acceptance Rate 39 of 111 submissions, 35%
