Bachelor Thesis BCLR-2013-09

BibliographySchaefer, Hanna: Processing dynamic computer network data for visual analysis.
University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Bachelor Thesis No. 9 (2013).
61 pages, english.
Abstract

In recent times datasets have become larger and more and more difficult to understand for users. Therefore Visual Analytics research investigates on combining automation methods with user related analysis. A special type of this field is security visualization. Since information like connection data or health status of each computer in the network are very abstract the help of automation methods becomes even more important to make interesting outliers and anomalies obvious to the user. This bachelor thesis compares two different approaches for anomaly detection in security visualization. The study is based on the VAST 2013 Mini Challenge 3 and its submission of a University of Stuttgart and Peking University cooperation. This thesis concentrates on comparing the two automation methods seasonal trend decomposition (STL) for numerical data fields, such as bytes and packages, and the sample entropy (or Shannon Entropy) method for categorical data fields, such as IP and port. Both approaches should enable the user to find events in the given network dataset and thus to understand the risks and attacks in the network of the VAST challenges example company Big Marketing. As a result the methods are similar in the quantity of anomalies found, but differ in the type of anomaly. Since the STL focuses on different variables, some variables show more scan events and others more DOS events. Combining all results from the different variables the STL offers a higher number of true anomalies. On the other hand, the sample entropy is more intuitive to use and gives hints on the type of event without using other visualizations. In a small user study the entropy method was clearly preferred and performed in a better way in the result of given tasks. As a conclusion this thesis suggests the entropy methods in any similar context to the given benchmark and system, but also suggests that the STL methods could be more efficient with different parameters of network security.

Full text and
other links
Volltext
Department(s)University of Stuttgart, Institute of Visualisation and Interactive Systems, Visualisation and Interactive Systems
Superviser(s)Ertl, Prof. Thomas; Koch, Steffen; Krüger, Robert; Thom, Dennis
Entry dateFebruary 26, 2020
   Publ. Computer Science