SiteVisor has a real-time 3D visualization engine called SiteVisor-VIZ to visualize alerts and darknet traffic. SiteVisor-VIZ has two components: a central sphere with a wireframe, and several rings around the sphere. The sphere represents the Internet, and the rings represent the organizations that are the subjects for the SiteVisor alert system (i.e., monitored organizations). In between the sphere and rings, hundreds of comet-shaped darknet packets continuously drift from the sphere to the rings in real time.
The sphere represents the complete IPv4 address space of the Internet. A /16 network (i.e., 2^16 = 65,536 addresses) maps sequentially onto one meridian running from the North Pole to the South Pole. In total, 65,536 meridians (representing 0.0.0.0/16 through 255.255.0.0/16, respectively) are placed in order around the surface of the sphere. The IP addresses assigned to the monitored organizations are excluded from the mapping on the sphere, since they are shown on the rings.
A ring represents an organization monitored by SiteVisor. The IP addresses assigned to the organization are laid out sequentially around the periphery of the ring. The light blue parts of the ring are the mapped livenets, and the dark blue parts are the mapped darknets of the organization. The ring revolves around the sphere and also rotates clockwise about its own center. The purpose of this self-rotation is to hide the start and end addresses of the organization, since the location of the darknet should be kept secret. The number in the center of the ring is the unique identifier of the organization.
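The two mappings described above (the /16-per-meridian sphere and the sequential, self-rotating ring) can be expressed as a small address-to-coordinate routine. The following is an added example and not SiteVisor's own code; the organization table, the use of degrees for longitude/latitude and ring angle, and the documentation-range addresses are all this example's assumptions.

```python
import ipaddress

# Constructed example: one monitored organization (id 1) owning a /24,
# of which the upper half is darknet. Documentation-range addresses, not real data.
MONITORED_ORGS = {
    1: {
        "prefix": ipaddress.ip_network("203.0.113.0/24"),
        "darknets": [ipaddress.ip_network("203.0.113.128/25")],
    },
}


def org_for(addr):
    """Return the id of the monitored organization whose range contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for org_id, org in MONITORED_ORGS.items():
        if ip in org["prefix"]:
            return org_id
    return None


def sphere_position(addr):
    """Map an IPv4 address to (meridian, offset, longitude_deg, latitude_deg) on the sphere.

    The first two octets select one of the 65,536 meridians (0.0.0.0/16 .. 255.255.0.0/16);
    the last two octets select the point along that meridian, offset 0 at the North Pole
    (+90 deg) and offset 65535 at the South Pole (-90 deg). Addresses belonging to a
    monitored organization are not drawn on the sphere, so None is returned for them.
    """
    ip = ipaddress.ip_address(addr)
    if org_for(ip) is not None:
        return None
    n = int(ip)
    meridian = n >> 16        # 0 .. 65535, i.e. the /16 the address falls in
    offset = n & 0xFFFF       # 0 .. 65535 along that meridian
    lon = meridian / 65536 * 360.0
    lat = 90.0 - offset / 65535 * 180.0
    return meridian, offset, lon, lat


def ring_angle(addr, rotation_deg=0.0):
    """Return (org_id, angle_deg, is_darknet) for an address on its organization's ring.

    Addresses sit sequentially around the periphery. rotation_deg is the ring's current
    self-rotation; because it changes over time, the angle alone does not reveal where
    the organization's range starts or which part of it is darknet.
    """
    ip = ipaddress.ip_address(addr)
    org_id = org_for(ip)
    if org_id is None:
        return None
    org = MONITORED_ORGS[org_id]
    idx = int(ip) - int(org["prefix"].network_address)
    angle = (idx / org["prefix"].num_addresses * 360.0 + rotation_deg) % 360.0
    is_darknet = any(ip in d for d in org["darknets"])
    return org_id, angle, is_darknet


if __name__ == "__main__":
    print(sphere_position("1.2.3.4"))           # meridian 258 (1*256 + 2), offset 772
    print(sphere_position("203.0.113.5"))       # None: drawn on ring 1, not on the sphere
    print(ring_angle("203.0.113.128", 90.0))    # darknet address, rotated by 90 degrees
```

Because a /16 occupies a single meridian, all 65,536 hosts of a /16 collapse onto one line; a scanner sweeping a whole /16 therefore appears as packets streaming from one meridian, while a scan across many /16s spreads around the sphere.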
The icons showing Chinese characters (meaning “caution”) around the ring are SiteVisor alerts. Each alert indicates an IP address in the livenet that has sent packets to internal and/or external darknet(s). The color of the Chinese character signifies the trigger and the type of the alert. As shown above, if all alerts are yellow, they are continuing, periodic alerts. If an IP address in the livenet newly starts sending packets to some darknet, a red alert is immediately displayed across the entire screen to draw the operators' attention, and the address is marked on the ring. If an operator clicks or double-clicks an alert icon, its metadata or the details of the darknet packets, respectively, are displayed.
SiteVisor-VIZ provides a highly flexible filtering function for darknet traffic. The following parameters and their combinations can be used to determine filtering rules.
- Source and destination IP addresses and network address represented in the CIDR notation
- Protocols (TCP/UDP/ICMP) and TCP flags (shown below)
- Source and destination port numbers
- Sensor ID
In each figure, the filtering function is used to assign different colors to the darknet packets according to the specified rules. The function can also render specific packets invisible (or visible again) via the settings console.
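The rule parameters listed above (CIDR source/destination, protocol and TCP flags, ports, sensor ID) combine naturally into a first-match rule table that yields a color or hides the packet. The code below is an added example, not SiteVisor-VIZ's own filter implementation; the packet record fields, the rule class, the color names and the sample packets are this example's assumptions (documentation-range addresses, constructed traffic).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample darknet packets as the visualizer might receive them from sensors.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.130", "proto": "TCP", "flags": {"SYN"}, "sport": 51000, "dport": 445, "sensor": 1},
    {"src": "198.51.100.7", "dst": "203.0.113.131", "proto": "TCP", "flags": {"SYN"}, "sport": 51001, "dport": 445, "sensor": 1},
    {"src": "192.0.2.10", "dst": "203.0.113.140", "proto": "UDP", "flags": set(), "sport": 40000, "dport": 53, "sensor": 2},
    {"src": "192.0.2.11", "dst": "203.0.113.141", "proto": "ICMP", "flags": set(), "sport": 0, "dport": 0, "sensor": 2},
    {"src": "198.51.100.9", "dst": "203.0.113.150", "proto": "TCP", "flags": {"SYN", "ACK"}, "sport": 80, "dport": 33000, "sensor": 1},
]


@dataclass
class FilterRule:
    """One filtering rule. Every criterion is optional; an unset criterion matches anything."""
    color: str
    visible: bool = True
    src: Optional[ipaddress.IPv4Network] = None     # CIDR the source must fall in
    dst: Optional[ipaddress.IPv4Network] = None     # CIDR the destination must fall in
    protos: Optional[set] = None                    # allowed protocol names
    tcp_flags: Optional[set] = None                 # flags that must all be set (TCP only)
    sports: Optional[set] = None                    # allowed source ports
    dports: Optional[set] = None                    # allowed destination ports
    sensors: Optional[set] = None                   # allowed sensor IDs

    def matches(self, pkt):
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.protos is not None and pkt["proto"] not in self.protos:
            return False
        if self.tcp_flags is not None and not (pkt["proto"] == "TCP" and self.tcp_flags <= pkt["flags"]):
            return False
        if self.sports is not None and pkt["sport"] not in self.sports:
            return False
        if self.dports is not None and pkt["dport"] not in self.dports:
            return False
        if self.sensors is not None and pkt["sensor"] not in self.sensors:
            return False
        return True


# Constructed rule table; the first matching rule decides the packet's color/visibility.
RULES = [
    FilterRule(color="red", protos={"TCP"}, tcp_flags={"SYN"}, dports={445}),   # SYN probes to 445
    FilterRule(color="orange", protos={"TCP"}, tcp_flags={"SYN", "ACK"}),      # SYN/ACK replies
    FilterRule(color="green", protos={"UDP"}, dports={53}),                    # UDP to port 53
    FilterRule(color="gray", visible=False, protos={"ICMP"}),                  # hide ICMP entirely
]
DEFAULT_COLOR = "white"


def render_plan(packets, rules=RULES):
    """Return [(packet, color)] where color is None for packets a rule has hidden."""
    plan = []
    for pkt in packets:
        color = DEFAULT_COLOR
        for rule in rules:
            if rule.matches(pkt):
                color = rule.color if rule.visible else None
                break
        plan.append((pkt, color))
    return plan


def color_counts(packets, rules=RULES):
    """Summarize how many packets land in each color (hidden ones counted as 'hidden')."""
    counts = {}
    for _, color in render_plan(packets, rules):
        key = color if color is not None else "hidden"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for pkt, color in render_plan(SAMPLE_PACKETS):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], color)
    print(color_counts(SAMPLE_PACKETS))
```

Ordering matters: the SYN/ACK packet also satisfies the first rule's flag test (a SYN/ACK carries SYN), and only the port criterion keeps it from being painted red, so rules with narrower criteria belong ahead of broader ones.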
SiteVisor-VIZ binds the mouse wheel event to zooming in and out of the screen so that the operator can conduct a deep dive. The figure below shows a magnified view in which many small spheres drift outward from the large sphere. The small spheres represent the darknet packets, each of which provides detailed information when clicked. As shown below, when one of the darknet packets is clicked, details such as the time, source/destination IP addresses and port numbers, and sensor ID are displayed on a pop-up panel.
SiteVisor-VIZ includes another visualization method called flow mode. Although the packet-by-packet visualization is useful for observing the detailed behavior of the darknet traffic, it makes the volume of the traffic hard to judge. Flow mode helps the user see relative traffic volume by means of color temperature. The volume, based either on the number of packets or on the amount of data sent, is calculated per source IP address. As shown below, a red flow and a yellow flow can be seen whose source hosts on the sphere are conducting massive scans.
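Flow mode reduces to aggregating per-source volume and mapping it onto a color scale. The block below is an added example, not SiteVisor-VIZ's flow-mode code; the log-scaled temperature thresholds, the four color names, the packet tuple layout and the constructed traffic (one source sweeping 128 darknet hosts with small probes, one sending a few larger datagrams) are all this example's assumptions. It also shows why the page distinguishes the two volume metrics: the same traffic can rank differently by packet count than by bytes.

```python
import math
from collections import defaultdict

# Constructed darknet packets as (src, dst, bytes). Documentation-range addresses.
SAMPLE_FLOW_PACKETS = (
    [("198.51.100.7", "203.0.113.%d" % i, 60) for i in range(128, 256)]   # 128 small probes
    + [("192.0.2.10", "203.0.113.140", 400)] * 4                          # 4 larger datagrams
    + [("192.0.2.11", "203.0.113.141", 84)]                               # a single packet
)


def volume_per_source(packets, metric="packets"):
    """Aggregate darknet traffic volume per source IP, by packet count or by bytes."""
    if metric not in ("packets", "bytes"):
        raise ValueError("metric must be 'packets' or 'bytes'")
    vol = defaultdict(int)
    for src, _dst, nbytes in packets:
        vol[src] += 1 if metric == "packets" else nbytes
    return dict(vol)


def color_temperature(value, vmax):
    """Map a volume to a color name, cold (blue) to hot (red), on a log scale.

    Log scaling keeps a single massive scanner from pushing everything else to blue.
    Thresholds are this example's choice.
    """
    if value <= 0 or vmax <= 0:
        return "blue"
    t = math.log1p(value) / math.log1p(vmax)   # 0.0 .. 1.0 relative to the hottest source
    if t < 0.4:
        return "blue"
    if t < 0.7:
        return "green"
    if t < 0.9:
        return "yellow"
    return "red"


def flow_colors(packets, metric="packets"):
    """Return {source IP: color} for drawing each source's flow in flow mode."""
    vol = volume_per_source(packets, metric)
    if not vol:
        return {}
    vmax = max(vol.values())
    return {src: color_temperature(v, vmax) for src, v in vol.items()}


if __name__ == "__main__":
    print(flow_colors(SAMPLE_FLOW_PACKETS, "packets"))   # scanner red, others blue
    print(flow_colors(SAMPLE_FLOW_PACKETS, "bytes"))     # scanner red, 192.0.2.10 yellow
```

In the packet-count view only the host sweeping the darknet stands out; in the byte view the host sending a handful of large datagrams also turns warm. Checking both views is the quickest way to tell a wide, low-rate scan from a small number of bulky packets.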