TVi: Trace Visualizer
TVi is a tool that combines multiple visual representations of
network traces carefully designed and tightly coupled to support different
levels of visual-based querying and reasoning required for making sense of
complex traffic data. It allows analysts to visualize data starting at a high
level, providing information related to the entire network, and easily move all
the way down to a very low level, providing detailed information about selected
hosts, anomalies and attack paths.
Monitoring, anomaly detection and forensics are essential tasks that must be carried out routinely for every computer network. The sheer volume of data generated by conventional anomaly detection tools such as Snort often makes it difficult to explain the nature of an attack and track down its source.
TVi's main contributions to traffic visualization are:
- Integration of visual representation and machine learning data-processing tools: Principal Component Analysis (PCA) transforms and entropy-based analysis underlie the data that is visualized by the end user, so that analysts see only the data relevant to a particular analysis goal, e.g., anomaly detection, instead of scanning huge log files.
- Very high scalability: TVi uses relational databases to store its data. By leveraging the distributed features of modern DBMSs, it can easily scale from a small LAN with a single point of data capture to operational backbones with tens of traffic probes.
- Multiple, optimized visualization tools: TVi's user interface combines many 2D visualization methods (multi-view): histograms, timelines, graphs, geo-clustered graphs and matrices. All the views are linked together; therefore, the same feature can be shown in different ways in order to investigate different aspects of an anomaly. Its integration with other NIDS such as Snort then makes it easier to pinpoint the sources of anomalies.
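As an added illustration of the entropy-based summarisation described above (not TVi's own code; TVi's actual features live in its database and views), the block below computes per-window Shannon entropy of source IPs and destination ports over constructed flow records and flags windows whose entropy departs from a baseline. The flow records, window width and threshold are assumptions made for the example.

```python
# Added example of entropy-based traffic summarisation, not TVi's code.
# The flow records below are constructed, not captured from a real network.
import math
from collections import Counter

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port).
# t = 0-9 and 20-29: ordinary web traffic from a few hosts.
# t = 10-19: a single host contacting many ports on one target
# (a port sweep), which collapses source-IP entropy and inflates
# destination-port entropy.
FLOWS = []
for t in list(range(0, 10)) + list(range(20, 30)):
    FLOWS += [(t, f"10.0.0.{1 + t % 4}", "93.184.216.34", 443),
              (t, f"10.0.0.{2 + t % 4}", "151.101.1.69", 80)]
for t in range(10, 20):
    FLOWS += [(t, "10.0.0.9", "10.0.0.50", 1000 + 3 * t + k) for k in range(3)]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def window_features(flows, width_s):
    """Per-window entropy of source IPs and destination ports."""
    windows = {}
    for t, src, _dst, dport in flows:
        windows.setdefault(t // width_s, []).append((src, dport))
    return {w: {"src_ip": entropy([s for s, _ in recs]),
                "dst_port": entropy([p for _, p in recs])}
            for w, recs in sorted(windows.items())}


def flag_anomalies(features, baseline_windows, threshold_bits=1.0):
    """Return windows whose entropy deviates from the baseline mean
    by more than `threshold_bits` on any feature."""
    base = {k: sum(features[w][k] for w in baseline_windows) / len(baseline_windows)
            for k in ("src_ip", "dst_port")}
    return [w for w, f in features.items()
            if any(abs(f[k] - base[k]) > threshold_bits for k in base)]


if __name__ == "__main__":
    feats = window_features(FLOWS, 10)
    for w, f in feats.items():
        print(f"window {w}: src_ip={f['src_ip']:.2f} bits, dst_port={f['dst_port']:.2f} bits")
    print("flagged windows:", flag_anomalies(feats, baseline_windows=[0, 2]))
```

With a 10-second window, the sweep window shows source-IP entropy of 0 bits and destination-port entropy of about 4.9 bits against a baseline of roughly 2.2 and 1.0, so it is the only window flagged.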
We designed TVi with scalability and extensibility in mind: its DBMS foundations make it scalable with virtually no limitations, and other state-of-the-art IDSs, like Snort or Bro, can be easily integrated into our tool. The original paper, which appeared at VizSec 2011, can be downloaded here [after the conference].
The instructions for installing and running it are inside the tarball package. It requires the pcap traces of the network and a few pre-processing steps.
We tested TVi on the famous DARPA1999 dataset and on our own internal trace. Unfortunately, neither the DARPA trace nor the UniBS one contains actual, dangerous attacks. Therefore, even though we are confident that the TVi architecture would show its advantages over existing mechanisms in those cases as well, the unavailability of public traces with actual attacks makes it virtually impossible to test these cases fully.
We made TVi publicly available because we think that other research groups can test it on their own traces. All testers are encouraged to share their results with us; any feedback (negative included) is warmly accepted. Comments on the code, on the algorithm, suggestions, results and complaints can be sent here. We are also looking for any kind of collaboration (university or industry) on this software.
TVi is distributed under the classical GPL license. Please see also
the LICENSE file, included in the distribution.
Required libraries (package dependencies):
- Qt framework (note: the MySQL plugin of the QtSQL module might have to be compiled separately);
- OpenGL libraries, with GLUT;
- MySQL community edition, with libraries (mysqlclient);
- OGDF framework;
Please note that this version of
TVi is provided "AS IS" with
no warranty whatsoever (see the LICENSE file), is intended for purely
experimental and research purposes, and should be considered alpha-quality.
To download the tool follow this link: TVi source