ZHANG Haocheng,WU Xiaojie,TANG Xiang,SHU Runxuan,DING Tianchen,DONG Xiaoju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018015

2018-01-01

Abstract:With the fast development of information technology and computer network, the scale and complexity of network security data grows rapidly. Traditional visualization techniques are no longer suitable. In addition, it designs interactive functions based on the feature of network security analysis, in order to assist the network security analyst. The existing approaches for network security visualization have some defects, which fail to provide a good indication of network security data in terms of timing and also fail to display information completely and realize user-friendly interaction. A multi-view network security visualization system was proposed, which provided the analysts of both the static status and dynamic changes of the network by combining the force-oriented model and the staged animation. It provides comprehensive information with display and filter of protocols, IP segment and port. The system on Shanghai Network database were evaluated.

Tianye Zhang,Xumeng Wang,Zongzhuang Li,Fangzhou Guo,Yuxin Ma,Wei Chen

DOI: https://doi.org/10.1007/s11432-016-0428-2

2017-01-01

Science China Information Sciences

Abstract:Network anomaly analysis is an emerging subtopic of network security. Network anomaly refers to the unusual behavior of network devices or suspicious network status. A number of intelligent visual tools are developed to enhance the ability of network security analysts in understanding the original data, ultimately solving network security problems. This paper surveys current progress and trends in network anomaly visualization. By providing an overview of network anomaly data, visualization tasks, and applications, we further elaborate on existing methods to depict various data features of network alerts, anomalous traffic, and attack patterns data. Directions for future studies are outlined at the end of this paper.

Xin Fan,Chenlu Li,Xiaoju Dong

DOI: https://doi.org/10.1007/s12650-018-0525-z

IF: 1.7

2018-10-22

Journal of Visualization

Abstract:AbstractThe real-time analysis of network data is of great significance to network security. Visualization technology and machine learning can assist in network data analysis from different aspects. However, there is little research regarding combining these two methods to process real-time network data. This paper proposes a novel real-time network security system. Combining unsupervised learning and visualization technology, it can identify network behavior patterns and provide a visualization module to adjust models interactively. The system is primarily divided into three parts. In the feature extraction part, we train a deep auto-encoder to compress the feature dimension. In the behavior pattern recognition part, normal and abnormal pattern SOINNs are trained incrementally. In visualization part, analysts can use multiple views to judge recognition results rapidly and adjust models so that the identification accuracy can be increased. We use the data in VAST Challenge 2013 to show that our system can identify network behavior patterns in real time and find the correlations between them.Graphical abstract

computer science, interdisciplinary applications,imaging science & photographic technology

Tao Zhang,Qi Liao,Lei Shi

DOI: https://doi.org/10.1109/PacificVis.2014.22

2014-01-01

Abstract:Large-scale networks have become increasingly challenging to manage. It is vital for a system administrator or network manager to be able to analyze the vast amount of log data in order to detect suspicious behaviors or patterns, possibly due to malicious users/applications or faulty devices. While an intrusion detection system (IDS) log can provide a large number of warnings, exactly which alarms are true while the others are false, and more importantly what are the underlying causes are still difficult to know. To bridge the gap between network log and anomaly discovery, we design and implement a visualization tool that combines multiple commodity visualizations with minimum learning curve. While each individual view is well understood, the effects of such views in analyzing network anomalies are not well studied. Since each visualization technique has advantages as well as limitations in addressing a particular task, we show that these views, when combined and linked together, may provide an effective and lightweight network anomaly analysis tool. The web-based open platform may simplify network administration as well as promote collaborative analysis among researchers.

Li Zheng,Gang Yu,Yuntian Zheng

DOI: https://doi.org/10.1007/s11265-023-01836-0

2023-02-01

Journal of Signal Processing Systems

Abstract:Data visualization is an important approach for data analysis, which can reveal the patterns and characteristics of complex datasets through visual processing, and provide aid for data analysts. In recent years, with the expansion of Internet users and the rich diversity of various Internet applications, the importance of network security is increasing. In the field of network security data analysis, it is a developing direction to use data visualization methods and visual analysis tools to assist manual analysis. In this paper, a visualization system for network security data is designed and implemented, which is mainly based on network flow records and security policies. The node centrality measurement and high-dimensional data visualization methods are comprehensively applied, and an interactive visualization approach is proposed. The IP topology is presented in three different view modes: static analysis, temporal analysis and exploration analysis. In addition, the high-dimensional projection map takes flow, security policy and IP address as analysis objects and selects several dimensional features as indicators. After visual presentation, the distribution of the stream set and IP set contained in the record after projection in the selected dimension space can be obtained, so that the analyst can find the points with significant abnormal eigenvalue distribution, and deduce the possible situation based on this. After testing, the system can accept the new original data record file, and quickly generate the corresponding visualization content, which can be used for the visualization analysis of network security optimization tool software, and has been used in the actual system.

computer science, information systems,engineering, electrical & electronic

Rujun LIU,Yang XIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.007

2016-01-01

Abstract:Focus on the issues that network abnormal data is displayed in an single way and it can’t be shown in real time, a network security data visualization and analysis system is designed and implemented. The functions of the system are network abnormal data monitoring, situation awareness and risk monitoring. Firstly, data collection model gathers original data of devices. Secondly, data preprocessing model transforms original data into standard format. Thirdly, data analysis model distinguishes abnormal data and forms network situation by analysing and detecting standard data. Finally, analysis results are real-time displayed by network map, topological graph, sequence chart,etc. The system combines data collection, data preprocessing, data analysis and data display, meanwhile implements real-time situation forecast and improves the effeciency of network device monitoring.

Sheng Zhang,Ronghua Shi,Jue Zhao

DOI: https://doi.org/10.3837/tiis.2016.06.019

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Owing to their low scalability, weak support on big data, insufficient data collaborative analysis and inadequate situational awareness, the traditional methods fail to meet the needs of the security data analysis. This paper proposes visualization methods to fuse the multi-source security data and grasp the network situation. Firstly, data sources are classified at their collection positions, with the objects of security data taken from three different layers. Secondly, the Heatmap is adopted to show host status; the Treemap is used to visualize Netflow logs; and the radial Node-link diagram is employed to express IPS logs. Finally, the Labeled Treemap is invented to make a fusion at data-level and the Time-series features are extracted to fuse data at feature-level. The comparative analyses with the prize-winning works prove this method enjoying substantial advantages for network analysts to facilitate data feature fusion, better understand network security situation with a unified, convenient and accurate mode.

Hui He,Guotao Fan,Jianwei Ye,Weizhe Zhang

DOI: https://doi.org/10.1155/2013/827376

2013-01-01

Abstract:It is of great significance to research the early warning system for large-scale network security incidents. It can improve the network system's emergency response capabilities, alleviate the cyber attacks' damage, and strengthen the system's counterattack ability. A comprehensive early warning system is presented in this paper, which combines active measurement and anomaly detection. The key visualization algorithm and technology of the system are mainly discussed. The large-scale network system's plane visualization is realized based on the divide and conquer thought. First, the topology of the large-scale network is divided into some small-scale networks by the MLkP/CR algorithm. Second, the sub graph plane visualization algorithm is applied to each small-scale network. Finally, the small-scale networks' topologies are combined into a topology based on the automatic distribution algorithm of force analysis. As the algorithm transforms the large-scale network topology plane visualization problem into a series of small-scale network topology plane visualization and distribution problems, it has higher parallelism and is able to handle the display of ultralarge-scale network topology.

Eric Muhati,Danda Rawat

DOI: https://doi.org/10.3390/jcp4020012

2024-04-09

Journal of Cybersecurity and Privacy

Abstract:The exponential growth in data volumes, combined with the inherent complexity of network algorithms, has drastically affected network security. Data activities are producing voluminous network logs that often mask critical vulnerabilities. Although there are efforts to address these hidden vulnerabilities, the solutions often come at high costs or increased complexities. In contrast, the potential of open-source tools, recognized for their security analysis capabilities, remains under-researched. These tools have the potential for detailed extraction of essential network components, and they strengthen network security. Addressing this gap, our paper proposes a data analytics-driven network anomaly detection model, which is uniquely complemented with a visualization layer, making the dynamics of cyberattacks and their subsequent defenses distinctive in near real-time. Our novel approach, based on network scanning tools and network discovery services, allows us to visualize the network based on how many IP-based networking devices are live, then we implement a data analytics-based intrusion detection system that scrutinizes all network connections. We then initiate mitigation measures, visually distinguishing malicious from benign connections using red and blue hues, respectively. Our experimental evaluation shows an F1 score of 97.9% and a minimal false positive rate of 0.3% in our model, demonstrating a marked improvement over existing research in this domain.

computer science, information systems, interdisciplinary applications, software engineering

Xin Fan,Chenlu Li,Xiaoru Yuan,Xiaoju Dong,Jie Liang

DOI: https://doi.org/10.1007/s12650-019-00580-7

IF: 1.7

2019-01-01

Journal of Visualization

Abstract:Network anomaly detection is an important means for safeguarding network security. On account of the difficulties encountered in traditional automatic detection methods such as lack of labeled data, expensive retraining costs for new data and non-explanation, we propose a novel smart labeling method, which combines active learning and visual interaction, to detect network anomalies through the iterative labeling process of the users. The algorithms and the visual interfaces are tightly integrated. The network behavior patterns are first learned by using the self-organizing incremental neural network. Then, the model uses a Fuzzy c-means-based algorithm to do classification on the basis of user feedback. After that, the visual interfaces are updated to present the improved results of the model, which can help users to choose meaningful candidates, judge anomalies and understand the model results. The experiments show that compared to labeling without our visualizations, our method can achieve a high accuracy rate of anomaly detection with fewer labeled samples.

Han Dongming,Pan Jiacheng,Pan Rusheng,Zhou Dawei,Cao Nan,He Jingrui,Xu Mingliang,Chen Wei

DOI: https://doi.org/10.1007/s11704-020-0013-1

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:Multivariate dynamic networks indicate networks whose topology structure and vertex attributes are evolving along time. They are common in multimedia applications. Anomaly detection is one of the essential tasks in analyzing these networks though it is not well addressed. In this paper, we combine a rare category detection method and visualization techniques to help users to identify and analyze anomalies in multivariate dynamic networks. We conclude features of rare categories and two types of anomalies of rare categories. Then we present a novel rare category detection method, called DIRAD, to detect rare category candidates with anomalies. We develop a prototype system called iNet, which integrates two major visualization components, including a glyph-based rare category identifier, which helps users to identify rare categories among detected substructures, a major view, which assists users to analyze and interpret the anomalies of rare categories in network topology and vertex attributes. Evaluations, including an algorithm performance evaluation, a case study, and a user study, are conducted to test the effectiveness of proposed methods.

Nan Cao,Chaoguang Lin,Qiuhan Zhu,Yu-Ru Lin,Xian Teng,Xidao Wen

DOI: https://doi.org/10.1109/tvcg.2017.2744419

IF: 5.2

2018-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:The increasing availability of spatiotemporal data continuously collected from various sources provides new opportunities for a timely understanding of the data in their spatial and temporal context. Finding abnormal patterns in such data poses significant challenges. Given that there is often no clear boundary between normal and abnormal patterns, existing solutions are limited in their capacity of identifying anomalies in large, dynamic and heterogeneous data, interpreting anomalies in their multifaceted, spatiotemporal context, and allowing users to provide feedback in the analysis loop. In this work, we introduce a unified visual interactive system and framework, Voila, for interactively detecting anomalies in spatiotemporal data collected from a streaming data source. The system is designed to meet two requirements in real-world applications, i.e., online monitoring and interactivity. We propose a novel tensor-based anomaly analysis algorithm with visualization and interaction design that dynamically produces contextualized, interpretable data summaries and allows for interactively ranking anomalous patterns based on user input. Using the “smart city” as an example scenario, we demonstrate the effectiveness of the proposed framework through quantitative evaluation and qualitative case studies.

Zhongyang Kan,Changzhen Hu,Zhigang Wang,Guoqiang Wang,Xiaolong Huang

DOI: https://doi.org/10.1109/icacc.2010.5487236

2010-01-01

Abstract:With the rapid development of Internet and the expanding application fields of network applications, it is not enough to maintain the network security only depend on those professional network technical administrators. In this paper a novel visualization tool based on treemap, which is called NetVis, is introduced to bind the network security technique and general network management together in an integrated visualization. NetVis is designed in 2D view. The experiments show that NetVis can not only detect the abnormal activities in the network, but also make the network management more intuitive and efficient.

Bin YUAN,Deqing ZOU,Hai JIN

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.03.002

2016-01-01

Abstract:The developing of Internet techniques has brought many convenience into our daily life, such as on-line shop-ping, on-line entertainment, social network, etc. However, cyber-attack and cyber-crime have also become more and more common since Internet provides so many potential profits, which makes cyber security more and more important. Unfor-tunately, traditional cyber security approaches, such as firewall, IDS and IPS, are not efficient because they lack the feature of intelligence, dynamic nature and global view. As such, network security visualization is proposed. Visualization is not only efficient but also very effective at communicating information. Based on the analysis of network data, network secu-rity visualization transfers the invisible, unexpressed and abstract network data into visual images to provide a high-level view of security events to analysts for more timely and informed decisions. Visualization brings revolution to the network security research area and has developed very fast. In this paper, we provide a thorough survey of network security visu-alization, categorizing the related work based on the type of network data (since network data is the basis of network security visualization). Further, we analyze the issues and challenges regarding network security visualization and provide guidelines and directions for future work.

Fangfang Zhou,Ronghua Shi,Ying Zhao,Yezi Huang,Xing Liang

DOI: https://doi.org/10.1007/978-3-319-03584-0_30

2013-01-01

Abstract:Situational awareness is defined as the ability to effectively determine an overall computer network status based on relationships between security events in multiple dimensions. Unfortunately, as the lack of tools to synthetically analyze the security logs generated by kinds of network security products, such as NetFlow, Firewall and Host Security, it is difficult to monitor and perceive network security situational awareness. Information visualization allows users to discover and analyze large amounts of information through visual exploration and interaction efficiently. Even with the aid of visualization, identifying the attack patterns from big multi-source data and recognizing the abnormal from visual clutter are still challenges. In this paper, a novel visualization system, NetSecRadar, is proposed for network security situational awareness based on multi-source logs, which can monitor the network and perceive the overall view of the security situation by using radial graph. NetSecRadar utilizes a hierarchical force-directed graph layout for arrangement of thousands of hosts to better use the available screen space, and provides the method to quantify the dangerous levels of the security events, and finds the correlations of security events generated by multi-source logs and perceives the patterns of abnormal in situational awareness, and synthesizes interactions, filtering and drill-down to understand the detail information. To demonstrate the system’s capabilities, we utilize the VAST Challenge 2013 as case study.

Wen Chen,Hongchao Fan,Tiantian Feng,Guochao Wu,Weiyue Li,Gang Qiao,Hangbin Wu,Xiaohua Tong,Chun Liu,Weian Wang,Rongxing Li

DOI: https://doi.org/10.1109/Geoinformatics.2012.6270308

2012-01-01

GEOINFORMATICS

Abstract:This paper is dedicated to an intelligent visualization system for landslide monitoring, whereas wireless sensor network is deployed for observing and detecting the dynamic changes of the landslide body at an experiment site. The visualization system is designed and implemented to visualize the spatial distribution of the employed sensors and the data of these sensors. Through the visualization-supported data analysis, the system will be capable of alert for possible critical events such as landslide surface failure. The experimental results show the initial functions and prototype capabilities of the system.

Jian Huang,Xiushan Zhang

DOI: https://doi.org/10.1109/ccet.2018.8542190

2018-01-01

Abstract:In recent years, with the rapid development of computer science and information technology, the world is filled and propelled of time-varying and multivariate data. The enormous growth of data in the last decades led to big data challenge in the network security field. Traditional visual analysis method for the time-varying network is inadequate. Efficient methods for visual clutter reduction, network structure exploration and network behavior detection are needed. In this paper, we propose two methods: A triangular-based algorithm for time-varying behavior presentation and an improved brush PCP aims to assist the visual analysis task in time-varying network pattern detection. A synthetic visual analysis system is designed and implemented on the basis of these two novel methods. Our system is capable of visually analyzing vast amounts of network data. To better describe and demonstrate the usefulness and performance of our system, we utilize the ChinaVis2015 Challenge dataset as a case study.

Ying ZHAO,Xiaoping FAN,Fangfang ZHOU,Wei HUANG,Mengjiao TANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1312039

2014-01-01

Abstract:Network security visualization is a growing community of network security research in recent years. It provides the human security analysts with better tools to discover patterns, detect anomalies, identify correlations of security events with higher efficiency. To meet the demand of cooperative visual analytics on large-scale network and multi-source data, this paper develops a data fusion model based on the even tuple and statistics tuple within uni-form data formats, raises a design strategy including the radial graph that is good at parsing events correlations and comparative stacked stream that is good at comparing statistics time series, explores the automated deployment method based on network logic topology and edge bundling method in radial graph. Finally by utilizing the pro-posed prototype system to analyze network security datasets in VAST Challenge 2013 and conducting some experi-ments and discussions, the effectiveness of tools is verified and substantiated.

Jiawan Zhang,Liang Li,Liangfu Lu,Ning Zhou

DOI: https://doi.org/10.1109/sectech.2008.47

2008-01-01

Abstract:Network scans visualization provides very effective means for to detection large scale network scans. Many visualization methods have been developed to monitor network traffic, but all the techniques or tools still heavily rely on human detection. They seldom consider the importance of network event characteristics to the network data visualization, and cannot detect slow scans, hidden scans etc. In this paper a visual interactive network scans detection system called ScanViewer is designed to represent traffic activities that reside in network flows and their patterns. The ScanViewer combines the characteristics of network scan with novel visual structures, and utilizes a set of different visual concepts to map the collected datagram to the graphs that emphasize their patterns. Additionally, a new tool named localport is designed for to capture large-scale ports information. The experiments show that ScanViewer can not only detect network scans, port scans, distributed port scans, but also can detect the hidden scans etc.

Siming Chen, Fabian Merkle, Hanna Schaefer, Cong Guo, Hongwei Ai, Xiaoru Yuan, Thomas Ertl

2013-01-01

Abstract:In this paper we briefly describe the tool submitted to VAST 2013 Mini-Challenge 3 [1]. It is concepted to monitor the network of the Big Marketing Company and find different attacks or security issues. The tool provides traditional time line and graph) as well as newly generated connection river) visualizations to show patterns and anomalies in the dataset. The aim of our tool was to present the complex informations inside the given dataset obvious and simple in order to make it usable for collaboration.