Source: ...jkalita/papers/2019/AbhishekKaliwarSAINLP2019.pdf

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: TVis: A Light-weight Traffic Visualization System for DDoS ...jkalita/papers/2019/AbhishekKaliwarSAINLP2019.pdfvisualization methods. DDoSViewer [5] is a visual interactive system

TVis: A Light-weight Traffic Visualization System for DDoS Detection

Abhishek Kalwar, Dept. of Comp. Sc. & Engg., Assam Kaziranga University, Jorhat 785006, India

Youki Kadobayashi, Laboratory for Cyber Resilience, NAIST, Nara 630 0192, Japan

Monowar H. Bhuyan*, Laboratory for Cyber Resilience, NAIST, Nara 630 0192, Japan & Dept. of Computing Science, Umeå University, Sweden

Erik Elmroth, Department of Computing Science, Umeå University, Sweden

Dhruba K. Bhattacharyya, Dept. of Comp. Sc. & Engg., Tezpur University, Assam 784028, India

Jugal K. Kalita, Department of Computer Science, University of Colorado, USA

Abstract—With the rapid growth of network size and complexity, network defenders face more challenges in protecting networked computers and other devices from acute attacks. Traffic visualization is an essential element of an anomaly detection system for visual observation and detection of distributed DoS attacks. This paper presents an interactive visualization system called TVis, proposed to detect both low-rate and high-rate DDoS attacks using Heron's triangle-area mapping. TVis allows network defenders to identify and investigate anomalies in internal and external network traffic in both online and offline modes. We model the network traffic as an undirected graph and compute a triangle-area map based on the incidences at each vertex for each 5-second time window. The system triggers an alarm iff the area of the mapped triangle exceeds a dynamic threshold. TVis performs well for both low-rate and high-rate DDoS detection in comparison to its competitors.

Index Terms—DDoS attack; visualization; network traffic; online and offline; triangle-area

I. INTRODUCTION

Network systems are rapidly becoming more complex with the proliferation of connected devices, in terms of size, topology, and speed [1]. Simultaneously, the number of network attacks against each host has increased exponentially. These attacks are often concealed within the vast amount of legitimate and seemingly random traffic. A Denial-of-Service (DoS) attack attempts to make machines or network resources unavailable to their intended users, either temporarily or indefinitely, by interrupting or suspending the services of a host connected to the Internet.

Distributed DoS (DDoS) attacks are a combination of DoS attacks in which the attack traffic is generated by a large number of hosts. These hosts might be amplifiers, reflectors, or zombies, and they usually send the traffic to the target or victim host through reflectors. Early DDoS attacks in 2000 targeted well-known websites such as CNN, Amazon, and Yahoo and stopped their normal services for hours [2], [3]. A newer form of Mirai-based botnet threat hides in the Tor network and attempts to compromise legitimate users.

*Dr. Bhuyan is on lien from the Department of Computer Science and Engineering, Assam Kaziranga University, Jorhat, India.

Most existing network defense techniques and tools still rely heavily on security analysts (SAs). The security analyst performs manual analysis to detect network attacks and to trigger actions against them. Network traffic visualization has become more critical in recent years to speed up the attack detection process through visual analytics. Malicious activities such as DDoS attacks are relatively easy to implement and somewhat hard to prevent. Detecting a DDoS attack requires processing vast amounts of metadata (i.e., packet or NetFlow records) within short time scales (e.g., milliseconds). DDoS attacks can be classified as low-rate or high-rate based on their attack-rate dynamics. A low-rate DDoS attacker attempts to bypass the security system by sending attack packets to the victim at a rate low enough to elude detection [4]. In a high-rate DDoS attack, the attacker sends a burst of attack packets to the victim within a short interval of time to overwhelm its bandwidth or resources. Analyzing both the headers and the payloads of all network traffic is computationally prohibitive for high-volume traffic, so we focus mainly on packet header information, visualized in terms of different parameters, to support low-rate and high-rate DDoS attack detection.

Several works use visualization to detect attacks in the large volume of alerts produced by detection tools. DDoSViewer [5] is an interactive visual system designed to detect DDoS attacks through the analysis of visual patterns. The Spinning Cube [6] maps source IP, destination IP and destination port to the axes of a 3D plot; the amount of network activity is visualized interactively using colour, which displays certain attacks (e.g., port scans) very clearly. Zhou et al. [7] presented a low-rate DDoS detection scheme based on the distribution of packet sizes: they estimate the distance between the packet-size distributions of legitimate and low-rate traffic to detect low-rate DDoS attacks. Recently, David and Thomas [8] introduced a dynamic-threshold-based DDoS detection scheme for NetFlow traffic and evaluated it using real-time datasets.

In this paper, we present TVis, a visualization system to detect both low-rate and high-rate DDoS attacks based on time-periodic sampled traffic. We model network traffic as an undirected graph and compute the area of a triangle formed from the incidences on each vertex within a time window of 5 seconds. We identify the three consecutive maximally dense vertices to form a triangle and estimate its area. The TVis system has the following steps: (a) examine all packets at the monitoring endpoint; (b) use memory-efficient data structures; (c) generate statistical summaries that can be retained for further analysis; (d) generate an undirected graph to visualize the network; and (e) perform triangle-area mapping of the densely incident vertices. The main contributions of this work are as follows:

• We introduce a light-weight traffic visualization system to detect both low-rate and high-rate DDoS attacks using Heron's¹ triangle-area map estimation.

• TVis is cost-effective and can perform visualization in both online and offline modes.

• TVis has been validated using testbed and benchmarkdatasets. In both cases, it performs well compared to itscompetitors.

The rest of the paper is organized as follows. Section II introduces the proposed visualization system, describing the framework and the model. Section III presents the performance evaluation using testbed and benchmark datasets, and Section IV concludes.

II. TVIS: THE PROPOSED SYSTEM

This section starts by describing the proposed system architecture, followed by the algorithm. It includes the strategy for visualization and detection of both low-rate and high-rate DDoS attacks.

A. TVis: A Framework

We model the proposed system as an undirected graph $H = \{h_1, h_2, \dots, h_n\}$, with each host as a vertex, and a number of incidences on each vertex $I = \{i_1, i_2, \dots, i_n\}$, from which a triangle is formed and its area estimated to find the infected period. To get the end-point traffic, we configure our network to redirect all traffic to a particular port, so TVis can monitor each traffic instance and visualize it to detect both low-rate and high-rate DDoS attacks. The framework of the proposed system is given in Figure 1. TVis uses the jNetPcap [9] library for capturing and preprocessing traffic. After capturing network traffic, it keeps only the IP packets for subsequent analysis. It uses purpose-built subroutines to extract various relevant features from IP packets and finally constructs a 5-minute traffic feature sample for offline analysis. Due to the light-weight nature of our system, TVis can visualize the traffic fast enough to support attack detection.

¹ http://mathworld.wolfram.com/HeronsFormula.html

Fig. 1. TVis: a framework of the proposed system

We employ Heron's triangle-area map computation to estimate the infected period based on the incidences at a host (i.e., vertex). The concept of the triangle-area map computation is shown in Figure 2. Let the triangle-area map be $A = \{a_1, a_2, \dots, a_n\}$, the incidences per host be $HI = \{h_{i_1}, h_{i_2}, \dots, h_{i_n}\}$, and the time periods be $T = \{t_1, t_2, \dots, t_n\}$. The area of a triangle is then defined as:

$$\Delta a_1 = \sqrt{s_k (s_k - h_{i_1})(s_k - h_{i_2})(s_k - h_{i_3})} \quad (1)$$

where $s_k = (h_{i_1} + h_{i_2} + h_{i_3})/2$ is the semi-perimeter and $\Delta a_1$ is the area of an infected period.

Fig. 2. Triangle-area map computation to visualize infected period (x-axis: Time, t1 … t4; y-axis: No. of incidence; vertices h1 … h4)

B. TVis: Algorithm

Algorithm 1 shows the significant steps in the design of the TVis system for network traffic visualization and analysis for the detection of both low-rate and high-rate DDoS attacks. It has two main modules: online() and offline(). In the online() mode, it captures, preprocesses and splits traffic instances, and visualizes them for attack detection. TVis maps the source node to the destination node based on connection information. In the offline() mode, it visualizes already stored, preprocessed traffic instances for detection; it works in the same fashion except that it reads and preprocesses packets from a file. The online() mode therefore costs more computation than the offline mode in order to provide near real-time performance. The algorithm produces two categories of graph: a sparse graph and a dense graph, which represent legitimate and attack traffic, respectively.

Further, TVis takes the three consecutive vertices with maximal incidences in a time window and computes the area of the triangle they form using Heron's formula. If the area crosses the dynamic thresholds $\delta_{A_l}$ and $\delta_{A_h}$ for low-rate and high-rate attacks, respectively, and the probability of packet loss is high, it generates an alarm. A low triangle area indicates a high-rate attack and a high area a low-rate attack.
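The pipeline described in this section (an undirected host graph per 5-second window, the three consecutive maximal-incidence vertices as triangle sides, Heron's formula from Equation (1), the 1600-packet and packet-loss gate of Algorithm 1, and the area bands reported in Section III-B) is sketched below as an added Python example. It is not the authors' code (TVis itself is built on jNetPcap). The packet-record format, the per-window packet-loss figures, and the normalization of the area (dividing by the area of the equilateral triangle with the same perimeter, so that a burst in one window gives a small value and three similar windows give a value near 1) are assumptions not fixed by the paper, and the sample trace is constructed, not captured.

```python
"""Added example, not the TVis authors' code: a minimal TVis-style detector following
Section II and Algorithm 1. Everything tagged ASSUMPTION is not fixed by the paper."""
import math
from collections import Counter, defaultdict

WINDOW_S = 5.0          # paper: 5-second windows (Algorithm 1: time = 5000 ms)
MIN_INCIDENCE = 1600    # paper: area is computed only if T[i] >= 1600 packets
MIN_PACKET_LOSS = 0.22  # paper: ... and packet-loss probability pl >= 0.22
DELTA_A_H = 0.43        # paper, Sec. III-B: legitimate < 0.43 <= high-rate <= 0.61 < low-rate
DELTA_A_L = 0.61


def split_windows(packets, window_s=WINDOW_S):
    """Bucket (timestamp_s, src_ip, dst_ip) records into consecutive windows,
    as the offline() loop of Algorithm 1 does. Returns a list indexed by window."""
    buckets = defaultdict(list)
    for ts, src, dst in packets:
        buckets[int(ts // window_s)].append((src, dst))
    return [buckets[i] for i in range(max(buckets) + 1)] if buckets else []


def incidence_graph(window):
    """NODEVISUALGRAPH for one window: vertices are IPs, an edge is an unordered
    (src, dst) pair, and a host's incidence is the number of packets it sent or received."""
    edges, incidence = set(), Counter()
    for src, dst in window:
        edges.add(frozenset((src, dst)))
        incidence[src] += 1
        incidence[dst] += 1
    return edges, incidence


def heron_area(a, b, c):
    """Equation (1): sqrt(s(s-a)(s-b)(s-c)) with s the semi-perimeter. A triple that
    violates the triangle inequality (one window dwarfs the other two) is degenerate
    and yields 0 instead of a complex number."""
    s = (a + b + c) / 2.0
    radicand = s * (s - a) * (s - b) * (s - c)
    return math.sqrt(radicand) if radicand > 0 else 0.0


def normalized_area(a, b, c):
    """ASSUMPTION: the paper reports a 'normalized area' without defining it; here the
    Heron area is divided by the area of the equilateral triangle with the same perimeter,
    so the result is in [0, 1]: 1 for three equal incidences, 0 for a degenerate triple."""
    p = a + b + c
    if p <= 0:
        return 0.0
    return heron_area(a, b, c) / (math.sqrt(3) / 4.0 * (p / 3.0) ** 2)


def classify(area):
    """Paper's bands (Sec. III-B); None means the triple is treated as legitimate."""
    if area > DELTA_A_L:
        return "low-rate"
    if area >= DELTA_A_H:
        return "high-rate"
    return None


def detect(packets, loss_by_window):
    """TRIANGLEAREAGEN over a trace: T[i] is the maximal incidence in window i and each
    three consecutive windows form one triangle. loss_by_window maps a window index to
    its packet-loss probability (ASSUMPTION: measured elsewhere and passed in).
    Returns {first_window: (normalized_area, verdict)} for every triple passing the gate."""
    T = [max(incidence_graph(w)[1].values(), default=0) for w in split_windows(packets)]
    alarms = {}
    for i in range(len(T) - 2):
        sides = T[i:i + 3]
        if all(t >= MIN_INCIDENCE for t in sides) and \
           all(loss_by_window.get(i + k, 0.0) >= MIN_PACKET_LOSS for k in range(3)):
            area = normalized_area(*sides)
            alarms[i] = (round(area, 3), classify(area))
    return alarms


def constructed_trace():
    """CONSTRUCTED sample, not a capture: windows 0-2 legitimate (30 clients x 20 pkts
    to a server), 3-5 a low-rate flood (200 bots x 9 pkts), 6-8 a high-rate flood whose
    middle window bursts (100 bots x 17 / 40 / 26 pkts). Packet loss is assumed per window."""
    pkts = []

    def flood(window, victim, bots, per_bot):
        for b in range(bots):
            for j in range(per_bot):   # timestamps stay inside the window: offset < 5 s
                pkts.append((window * WINDOW_S + (j % 50) * 0.1, f"10.1.0.{b}", victim))

    for w in range(3):
        flood(w, "10.0.0.1", 30, 20)          # server incidence 600: below the gate
    for w in range(3, 6):
        flood(w, "10.0.0.5", 200, 9)          # victim incidence 1800, 1800, 1800
    for w, per_bot in zip(range(6, 9), (17, 40, 26)):
        flood(w, "10.0.0.5", 100, per_bot)    # victim incidence 1700, 4000, 2600
    loss = {w: 0.01 for w in range(3)}
    loss.update({w: 0.30 for w in range(3, 6)})
    loss.update({w: 0.25 for w in range(6, 9)})
    return pkts, loss


if __name__ == "__main__":
    trace, loss = constructed_trace()
    for start, (area, verdict) in sorted(detect(trace, loss).items()):
        print(f"windows {start}-{start + 2}: area {area:.3f} -> {verdict or 'no alarm'}")
```

On the constructed trace the legitimate windows never reach the 1600-packet gate, the three sustained low-rate windows give a near-equilateral triangle (area 1.000, low-rate alarm), and the burst triple (1700, 4000, 2600) gives a skewed triangle (area 0.464, high-rate alarm). The triple (1800, 1700, 4000) violates the triangle inequality and gets area 0, which under the paper's bands counts as legitimate; that is the one place where the band rule and the sentence "a low area indicates a high-rate attack" pull apart, so a deployment would want to treat a degenerate triple as suspicious rather than silent.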

III. PERFORMANCE EVALUATION

In this section, we describe the datasets used for performance analysis of TVis and report experimental results in detail.

A. Datasets

We use three different real-world datasets: (i) MIT Lincoln Laboratory [10], (ii) CAIDA DDoS 2007 [11], and (iii) the Assam Kaziranga University (AKU) network dataset. The MIT Lincoln Laboratory dataset is real traffic and contains only normal data. The CAIDA DDoS 2007 dataset contains one hour of anonymized traffic traces from a DDoS attack launched on August 4, 2007; it includes mainly two types of attacks, consumption of computing resources and consumption of network bandwidth. We also used the TVis system to collect, monitor, and visualize live network traffic on the Assam Kaziranga University campus. The AKU dataset is composed of three categories of traffic, viz., normal traffic, low-rate attack traffic, and high-rate attack traffic. The network comprises about 500 hosts (i.e., laptops, desktops, and servers), 6 L3 switches, and 25 wireless routers inside the University campus. We configure the network to monitor all network traffic at an endpoint. We mount four different attacks, viz., SYN flood, smurf, ping flood and fraggle, in distributed mode towards multiple targets. We attempt to detect both low-rate and high-rate DDoS attacks within a short time interval, so that TVis can increase network uptime rather than merely detect DDoS attacks.

B. Results

Algorithm 1 TVis (online, offline)
Input: mode  ▷ defines the mode of capturing packets
Output: the visualized graph with triangle area

  if mode = online then
      call online()
  else
      call offline()
  end if

  function ONLINE()
      Initialize storePacket[60], device, T[3]  ▷ storePacket is an array of 60 linked lists, each holding 5 s of packets as they arrive (5 min in total)
      Find all the network devices connected to the machine
      device ← the device chosen by the user from the list
      Open device for capturing in promiscuous mode
      for i ← 0 to 59 do
          storePacket[i] ← CAPTURE(device)
      end for
      ANALYSE(storePacket)
      NODEVISUALGRAPH(storePacket)
      exit
  end function

  function NODEVISUALGRAPH(storePacket)
      Initialize graph  ▷ undirected graph whose vertices are hosts on the network and whose edges represent communication among them
      Initialize vertex  ▷ linked list of devices, i.e., IP addresses
      Initialize edges  ▷ linked list of pairs (v_i, v_j) with v_i, v_j ∈ vertex
      for i ← 0 to size of storePacket − 1 do
          for all packet in storePacket[i] do
              if packet is an IP packet then
                  if packet.sourceIP not in vertex then
                      add packet.sourceIP to vertex
                  end if
                  if packet.destinationIP not in vertex then
                      add packet.destinationIP to vertex
                  end if
                  if (packet.sourceIP, packet.destinationIP) not in edges then
                      add (packet.sourceIP, packet.destinationIP) to edges
                  end if
              end if
          end for
      end for
      graph.addVertex(vertex)
      graph.addEdges(edges)
      TRIANGLEAREAGEN(T)
      return graph
  end function

  function OFFLINE()
      Initialize storePacket[60]  ▷ array of linked lists, as in ONLINE()
      time ← 5000  ▷ milliseconds; 5000 represents one 5 s window
      i ← 0  ▷ index of the current window
      pcapFile ← the pcap file given by the user
      open pcapFile to read packets
      for all packet in pcapFile do
          if packet.timestamp > time then
              time ← time + 5000
              i ← i + 1
          end if
          add packet to storePacket[i]
      end for
      ANALYSE(storePacket)
      NODEVISUALGRAPH(storePacket)
      exit
  end function

  function TRIANGLEAREAGEN(T)
      Initialize A  ▷ the area of a triangle
      for each triple of consecutive windows (i, i+1, i+2) do
          if T[i] ≥ 1600 and pl ≥ 0.22 then  ▷ T[i]: maximal incidence in window i; pl: packet-loss probability
              compute A using Equation 1
              if A ≥ δ_{A_h} then
                  trigger an alarm  ▷ high-rate if A ≤ δ_{A_l}, low-rate if A > δ_{A_l} (Sec. III-B)
              end if
          end if
      end for
  end function

We evaluate the TVis system in both online and offline modes by considering multiple attack scenarios. In the offline mode, we evaluate TVis using the CAIDA DDoS 2007 dataset. Figure 3 shows the visualized network traffic in offline mode and how TVis identifies the presence of attack traffic. The TVis system immediately sends a request to the edge router to drop the packets before they enter the network. Detection also depends on the period between the attack pulses used to overwhelm the target. We compute the triangle area iff the system finds three consecutive vertices with incidences greater than 1600 packets and increased packet losses during the same time.

Fig. 3. TVis: visualization of network traffic available in the CAIDA DDoS 2007 dataset

We also evaluate the TVis system using the MIT Lincoln Laboratory dataset to differentiate between legitimate and attack traffic. Figure 4 shows the visualized network traffic in the offline mode using the MIT Lincoln Laboratory dataset and makes the presence or absence of attacks in the traffic visible: legitimate traffic generates a sparse graph, which enables us to identify it from time-periodic sampled data. Attack traffic instances are rarer than legitimate traffic instances.

Fig. 4. TVis: visualization of network traffic available in the MIT Lincoln Laboratory dataset

In the online mode, we used the live network traffic of the Assam Kaziranga University campus while executing attacks. We captured and visualized traffic in 5-second time windows for a total of 5 minutes, as shown in Figure 9, while executing attacks in the testbed. The TVis system can visualize the unique IP addresses and the packets per protocol within a time window, as shown in Figures 5 and 6, respectively. It also shows the unique ports for the TCP and UDP protocols in Figures 7 and 8, respectively. Not all hosts in the network appear in the visualization, because it shows only those hosts that are active and either sending or receiving packets, including the target. Figure 9 exhibits the dense graph that TVis produces during the attack and uses for DDoS detection.

Fig. 5. Number of unique IP addresses

Following Moore et al. [12], we generate both low-rate and high-rate DDoS attacks to validate the TVis system. The attack traffic is generated using open-source attack code: between 1600 and 5000 packets per second counts as a low-rate attack, and rates beyond these limits as a high-rate attack. These limits vary with the dataset and the environment. In our experiments, we observe that TVis triggers an alarm for an attack when the normalized area of the triangle satisfies $\delta_A \ge 0.43$, with $P_k \ge 1600$ packets per second in a 5-second time window. Our system is significant for the reasons given below. It is also superior to recent work [13]. Figure 10 reports the ROC curve of the TVis system for DDoS detection when using the MIT Lincoln Laboratory legitimate traffic and the CAIDA DDoS datasets.

Fig. 6. Number of packets per protocol

Fig. 7. Unique TCP ports for a time window 65 second

Fig. 8. Unique UDP ports for a time window 65 second

• TVis is cost-effective and can operate in both online andoffline modes.

• It is fast and scalable, and is able to detect both low-rateand high-rate DDoS attacks effectively.

Fig. 9. TVis: visualization of traffic for the AKU network with mapped area of triangle

Fig. 10. TVis: ROC curve (detection rate vs. false positive rate, 0.00–0.07) for low-rate and high-rate detection, compared with existing methods using MIT normal and CAIDA DDoS datasets

The triangle area $\delta_A$ decreases for high-rate DDoS attacks and increases for low-rate attacks. High-rate attacks are more frequent towards a target, with a high intensity of malicious incidences in a short time window. Low-rate attacks, however, are less frequent and are similar to legitimate traffic. In our experiments we found the best results with the high-rate band $0.43 \le \delta_{A_h} \le 0.61$; areas above 0.61 indicate low-rate attacks. TVis shows $\delta_{A_{leg}} < 0.43$ for legitimate traffic instances.

C. Comparison with Competing Methods

Few visualization-based methods for DDoS detection have been reported in the past. The main reason could be that the increased size, speed, and complexity of networks have made proper visualization difficult. However, recently introduced software-defined networks isolate network operations and make visualization of network flows useful again. Visualization techniques allow people to see and comprehend large amounts of complex data [16]. Graphics are used to assist IDS investigation and the reporting process by helping the analyst to identify significant incidents and reduce false alarms. Intricate patterns are displayed over time in a secure way, where each of them can be understood easily [16].


TABLE I
COMPARISON OF EXISTING DETECTION METHODS

Author and Year | Scheme | Identification | Detection | Real-time Visualization | Real-time Stream | Interactive Zoom-in/out
van der Steeg et al. [14], 2015 | Metric-based | No | Yes | No | No | No
Zhou et al. [7], 2017 | Packet size distribution | No | Yes | No | Yes | No
Behal et al. [15], 2018 | D-FACE | No | Yes | No | Yes | No
David and Thomas [8], 2019 | Dynamic thresholding | No | Yes | No | Yes | No
TVis, 2019 | Dynamic thresholding | Yes | Yes | Yes | Yes | Yes

To assess the efficacy of TVis, we compare it with several methods: Fourier power spectral entropy (FPSE) [17], wavelet power spectral entropy (WPSE) [17], and the sequence alignment method [18]. FPSE and WPSE [17] are information-theoretic methods for detecting low-rate DoS attacks and achieve 95% detection accuracy. The sequence alignment method [18] detects synchronous low-rate DoS attacks using the Smith-Waterman algorithm to estimate the similarity score of two sequences, and achieves a 95.88% detection rate. TVis improves on this overall when evaluated on the MIT legitimate and CAIDA DDoS datasets, achieving 98.79% and 96.54% detection rates for low-rate and high-rate DDoS detection, respectively. Table I reports a comparison of existing DDoS detection methods.

IV. CONCLUSION AND FUTURE WORK

In this paper, we presented the TVis system to visualize network traffic in real time for the detection of both low-rate and high-rate DDoS attacks. The use of appropriate data structures helps the system run in near real time to support successful detection of both low-rate and high-rate DDoS attacks. An undirected graph is generated, and TVis triggers an alarm based on the estimated triangle area of three consecutive maximally incident vertices using Heron's formula. The TVis system performs well in detecting four different classes of DDoS attacks, including SYN flood, smurf, fraggle, and ping flood. However, in this paper we report results only for real-time SYN flood attacks, in both offline and online modes.

The TVis system is under further development so that it can evolve with new attacks. We are also working on adding datacenter infrastructure and service visualization features to monitor and prevent incidents in real time and reduce the downtime of applications.

ACKNOWLEDGMENT

This work was supported by the Kempe post-doc fellowship via project no. SMK-1644, Sweden. Additional support was provided by the International Exchange Program of the National Institute of Information and Communications Technology (NICT) and JST CREST Grant Number JPMJCR1783, Japan.

REFERENCES

[1] X. Yin, W. Yurcik, M. Treaster, Y. Li, and K. Lakkaraju, "VisFlowConnect: Netflow Visualizations of Link Relationships for Security Situational Awareness," in Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security. New York, NY, USA: ACM, 2004, pp. 26–34.

[2] L. Garber, "Denial-of-Service Attacks Rip the Internet," Computer, vol. 33, no. 4, pp. 12–17, April 2000.

[3] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "Network Anomaly Detection: Methods, Systems and Tools," IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303–336, 2014.

[4] M. H. Bhuyan, A. Kalwar, A. Goswami, D. K. Bhattacharyya, and J. K. Kalita, "Low-Rate and High-Rate Distributed DoS Attack Detection Using Partial Rank Correlation," in Communication Systems and Network Technologies, 2015 Fifth International Conference on, April 2015, pp. 706–710.

[5] J. Zhang, G. Yang, L. Lu, M. Huang, and M. Che, Visual Information Communication. Boston, MA: Springer US, 2010, ch. A Novel Visualization Method for Detecting DDoS Network Attacks, pp. 185–194.

[6] S. Lau, "The spinning cube of potential doom," Commun. ACM, vol. 47, no. 6, pp. 25–26, June 2004.

[7] L. Zhou, M. Liao, C. Yuan, and H. Zhang, "Low-rate DDoS attack detection using expectation of packet size," Security and Communication Networks, vol. 2017, 2017.

[8] J. David and C. Thomas, "Efficient DDoS flood attack detection using dynamic thresholding on flow-based network traffic," Computers & Security, vol. 82, pp. 284–295, 2019.

[9] jNetPcap, "jNetPcap - what is it?" http://jnetpcap.com/.

[10] MIT Lincoln Laboratory Datasets, "MIT LLS DDOS 0.2.2," http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/2000data.html, Massachusetts Institute of Technology, Cambridge, MA, 2000.

[11] CAIDA, "The Cooperative Analysis for Internet Data Analysis," http://www.caida.org, 2011.

[12] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-service Activity," ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115–139, May 2006.

[13] J. Song, T. Itoh, G. Park, and H. Takakura, "An Advanced Security Event Visualization Method for Identifying Real Cyber Attacks," Appl. Math. Inf. Sci., vol. 11, no. 2, pp. 353–361, 2017.

[14] D. van der Steeg, R. Hofstede, A. Sperotto, and A. Pras, "Real-time DDoS attack detection for Cisco IOS using NetFlow," in Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on, 2015, pp. 972–977.

[15] S. Behal, K. Kumar, and M. Sachdeva, "D-FACE: An anomaly based distributed approach for early detection of DDoS attacks and flash events," Journal of Network and Computer Applications, vol. 111, pp. 49–63, 2018.

[16] W. Wright and P. Clarke, "Visualization Techniques for Intrusion Detection." [Online]. Available: http://handle.dtic.mil/100.2/ADA428197l

[17] Z. Chen, C. K. Yeo, B. S. Lee, and C. T. Lau, "Power spectrum entropy based detection and mitigation of low-rate DoS attacks," Computer Networks, vol. 136, pp. 80–94, 2018.

[18] Z. Wu, Q. Pan, M. Yue, and L. Liu, "Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks," Computer Networks, vol. 152, pp. 64–77, 2019.