VisFlowConnect: Providing security situational awareness by visualizing network traffic flows

We present the design and implementation of VisFlowConnect, a powerful new tool for visualizing network traffic flow dynamics for situational awareness. The visualization capability provided by VisFlowConnect allows an operator to assess the state of a large and complex network given an overall view of the entire network and filter/drill-down features with a friendly user interface that allows users to request more detailed information of interest such as specific protocol traffic flows. The value of VisFlowConnect specifically for security situational awareness is that any security event, with only a few minor exceptions, will be reflected as a traffic flow. Thus using VisFlowConnect a user will "see" all security events. We show several experiments in which abnormal behaviors with security implications have been discovered and analyzed using VisFlowConnect. These experiments demonstrate how VisFlowConnect can be a uniquely effective tool to assist security administrators in securing their computer networks.