• DocumentCode
    2408779
  • Title

    Visualizing cyber attacks using IP matrix

  • Author

    Koike, Hideki ; Ohno, Kazuhiro ; Koizumi, Kanba

  • fYear
    2005
  • fDate
    26 Oct. 2005
  • Firstpage
    91
  • Lastpage
    98
  • Abstract
    An Internet cyber threat monitoring system detects cyber threats using network sensors deployed at particular points on the Internet, statistically analyzes the time of attack, source of attack, and type of attack, and then visualizes the result of this analysis. Existing systems, however, simply visualize country-by-country statistics of attacks or hourly changes of attacks. Using these systems, it is difficult to understand the source of attack, the diffusion of the attack, or the relation between the target and the source of the attack. This paper describes a method for visualizing cyber threats by using a 2-dimensional matrix representation of IP addresses. The advantages of this method are that: (1) the logical distance of IP addresses is represented intuitively; (2) Internet address space is visualized economically; (3) macroscopic information (Internet level) and microscopic information (local level) are visualized simultaneously. By using this visualization framework, the propagation of the Welchia worm and the Sasser.D worm is visualized.
  • Keywords
    Internet; data visualisation; invasive software; 2-dimensional matrix representation; IP address matrix representation; Internet cyber threat monitoring system; Internet forecasting; Internet worm; Sasser.D worm; Welchia worm; computer virus; cyber attack visualization; information security; information visualization; intrusion detection; network sensors; virus visualization; worm visualization; Computer interfaces; Computer networks; Computer worms; Data visualization; Economic forecasting; IP networks; Information systems; Intrusion detection; Monitoring; Web and internet services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Visualization for Computer Security, 2005. (VizSEC 05). IEEE Workshop on
  • Print_ISBN
    0-7803-9477-1
  • Type

    conf

  • DOI
    10.1109/VIZSEC.2005.1532070
  • Filename
    1532070