Identifying and Investigating Intrusive Scanning Patterns by Visualizing Network Telescope Traffic in a 3-D Scatter-plot

Detecting and investigating intrusive Internet activity is an ever-present challenge for network administrators and security researchers. Network monitoring can generate large, unmanageable amounts of log data, which further complicates distinguishing between illegitimate and legitimate traffic. Considering the above issue, this article has two aims. First, it describes an investigative methodology for network monitoring and traffic review; and second, it discusses results from applying this method. The method entails a combination of network telescope traffic capture and visualisation. Observing traffic from the perspective of a dedicated sensor network reduces the volume of data and alleviates the concern of confusing malicious traffic with legitimate traffic. Complimenting this, visual analysis facilitates the rapid review and correlation of events, thereby utilizing human intelligence in the identification of scanning patterns. To demonstrate the proposed method, several months of network telescope traffic is captured and analysed with a tailor made 3D scatter-plot visualisation. As the results show, the visualisation saliently conveys anomalous patterns, and further analysis reveals that these patterns are indicative of covert network probing activity. By incorporating visual analysis with traditional approaches, such as textual log review and the use of an intrusion detection system, this research contributes improved insight into network scanning incidents.