The focus of this paper is to help system and network administrators recognize attacks on a network using a 3D visualization tool to detect, identify, and analyze traffic. Such visualization can be extremely complex in real-world scenarios, depending on the type of attacks and the network topology. In particular, the authors discuss the use of a modern recommender system to aid in navigating within complex 3D visualization tools. They propose NAVSEC, a recommender system prototype for navigating within 3D network security visualization tools. NAVSEC helps in part by recommending visualizations and interactions to novice users. Recommender systems are widely used by websites like Amazon and eBay, for example, to provide suggestions for goods based on user behavior.

The use of a 3D visualization tool in network security is not a novel approach. Small network topologies can easily rely on the use of text-based reports. However, when the number of nodes, services, and attacks increases, such text-based approaches become unsustainable. Three-dimensional visualization tools play a crucial role in helping system administrators find network traffic patterns, either malicious or not. When the network topology becomes huge, and the number of nodes and interactions are too many, 3D visualization tools also lose their effectiveness. In particular, novice users find it difficult to navigate inside the views of such tools.

The authors present NAVSEC, a recommender system based on the nearest neighbor algorithm. This learning algorithm “uses a knowledge base of expert users.” The authors show that when using such an algorithm, the number of views of novice users converges to the number of views of experts, thus reaching the defined achievement. The authors also provide a motivation case: stealthy port scanning attacks. NAVSEC is available for download.