Paper: Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting
We have published a paper titled “Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting” in the 8th International Conference on Information Visualization Theory and Applications (IVAPP 2016), held in Rome, Italy on February 27-29, 2016, as part of the VISIGRAPP Joint Conference.
Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria, members of the Mondragon University Telematics research team, sign the article.
In this paper, we describe the development of a visual flow monitoring system for industrial networks. In a few words, we monitor an industrial network in a given lapse of time and use the observed network flow data to build a whitelist. After building the whitelist, we build chord diagrams with new, incoming flows, and if the incoming data is not registered in the whitelist (e.g. two hosts that do not suppose to communicate with each other do communicate), we flag it as anomalous and highlight it (usually using red color) in the diagram. The network operator then sees that a non legitimate connection is happening.
You can have more details on the full paper (PDF). Also, you can have the slides used in the presentation (PDF):
The area of security visualizations tailored to industrial networks is still in its infancy and it is necessary to push forward in this direction in order to provide accessible, intuitive and effective security solutions for these networks.
Publication data
Title: Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting
Authors: Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, Roberto Uribeetxeberria
Conference: 8th International Conference on Information Visualization Theory and Applications (IVAPP 2016)
Book title: Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications (VISIGRAPP 2016) – Volume 2: IVAPP, pages 99-106
Abstract: Industrial Control Systems are the set of specialized elements that monitor and control physical processes. Those systems are normally interconnected forming environments known as industrial networks. The particularities of these networks disallow the usage of traditional IT security mechanisms, while allowing other security strategies not suitable for IT networks. As industrial network traffic flows follow constant and repetitive patterns, whitelisting has been proved a viable approach for anomaly detection in industrial networks. In this paper, we present a network flow and related alert visualization system based on chord diagrams. The system represents the detected network flows within a time interval, highlighting the ones that do not comply the whitelisting rules. Moreover, it also depicts the network flows that, even if they are registered in the whitelist, have not been detected on the selected time interval (e.g. a host is down). Finally, the visualization system is tested with network data coming from a real industrial network.
Download (PDF): Full paper, Presentation Slides.