Siming Chen,Cong Guo,Xiaoru Yuan,Fabian Merkle,Hanna Schaefer,Thomas Ertl

DOI: https://doi.org/10.1145/2671491.2671493

2014-01-01

Abstract:Visualization and interactive analysis can help network administrators and security analysts analyze the network flow and log data. The complexity of such an analysis requires a combination of knowledge and experience from more domain experts to solve difficult problems faster and with higher reliability. We developed an online visual analysis system called OCEANS to address this topic by allowing close collaboration among security analysts to create deeper insights in detecting network events. Loading the heterogeneous data source (netflow, IPS log and host status log), OCEANS provides a multi-level visualization showing temporal overview, IP connections and detailed connections. Participants can submit their findings through the visual interface and refer to others' existing findings. Users can gain inspiration from each other and collaborate on finding subtle events and targeting multi-phase attacks. Our case study confirms that OCEANS is intuitive to use and can improve efficiency. The crowd collaboration helps the users comprehend the situation and reduce false alarms.

Xin Fan,Chenlu Li,Xiaoju Dong

DOI: https://doi.org/10.1007/s12650-018-0525-z

IF: 1.7

2018-10-22

Journal of Visualization

Abstract:AbstractThe real-time analysis of network data is of great significance to network security. Visualization technology and machine learning can assist in network data analysis from different aspects. However, there is little research regarding combining these two methods to process real-time network data. This paper proposes a novel real-time network security system. Combining unsupervised learning and visualization technology, it can identify network behavior patterns and provide a visualization module to adjust models interactively. The system is primarily divided into three parts. In the feature extraction part, we train a deep auto-encoder to compress the feature dimension. In the behavior pattern recognition part, normal and abnormal pattern SOINNs are trained incrementally. In visualization part, analysts can use multiple views to judge recognition results rapidly and adjust models so that the identification accuracy can be increased. We use the data in VAST Challenge 2013 to show that our system can identify network behavior patterns in real time and find the correlations between them.Graphical abstract

computer science, interdisciplinary applications,imaging science & photographic technology

Jiang Bian,Mengjun Xie,Teresa J. Hudson,Hari Eswaran,Mathias Brochhausen,Josh Hanna,William R. Hogan

DOI: https://doi.org/10.1371/journal.pone.0111928

IF: 3.7

2014-01-01

PLoS ONE

Abstract:Social network analysis (SNA) helps us understand patterns of interaction between social entities. A number of SNA studies have shed light on the characteristics of research collaboration networks (RCNs). Especially, in the Clinical Translational Science Award (CTSA) community, SNA provides us a set of effective tools to quantitatively assess research collaborations and the impact of CTSA. However, descriptive network statistics are difficult for non-experts to understand. In this article, we present our experiences of building meaningful network visualizations to facilitate a series of visual analysis tasks. The basis of our design is multidimensional, visual aggregation of network dynamics. The resulting visualizations can help uncover hidden structures in the networks, elicit new observations of the network dynamics, compare different investigators and investigator groups, determine critical factors to the network evolution, and help direct further analyses. We applied our visualization techniques to explore the biomedical RCNs at the University of Arkansas for Medical Sciences – a CTSA institution. And, we created CollaborationViz, an open-source visual analytical tool to help network researchers and administration apprehend the network dynamics of research collaborations through interactive visualization.

Jin Xu,Shuilin Ren,Yubo Tao,Hai Lin

DOI: https://doi.org/10.1109/vast.2015.7347649

2015-01-01

Abstract:We provided a analytical system for the Mini Challenge 2 of VAST 2015. Our system combines traditional visualization parallel coordinates, force layout, matrix for collecting and correlating evidence. Multiple traditional visualization ways are provided to help users get a wide range of hypotheses and verify them.

Daojuan Zhang,Kexiang Qian,Wenhui Wang,Fuyang fang,Chonghua Wang,Xi Luo

DOI: https://doi.org/10.1145/3444370.3444607

2020-12-04

Abstract:With the development of information technology, the scale of the network continues to expand, and the security issues continue to increase. The complexity of the network security situation is increasing and the importance of the network security situational awareness continues to increase. The data sources are wide, the type and the number are large in a large-scale network environment currently. This paper comprehensively studies the network security situational awareness technology based on multi-source heterogeneous data. In addition, this paper introduces the origin, concept and the model of the network situational awareness, as well as the characteristics of network security situational awareness based on multi-source heterogeneous data fusion. Finally, the key technologies in the security situational awareness such as the extraction of situational elements, multi-source data fusion, situation assessment, situation prediction and visual display are introduced.

Tianye Zhang,Xumeng Wang,Zongzhuang Li,Fangzhou Guo,Yuxin Ma,Wei Chen

DOI: https://doi.org/10.1007/s11432-016-0428-2

2017-01-01

Science China Information Sciences

Abstract:Network anomaly analysis is an emerging subtopic of network security. Network anomaly refers to the unusual behavior of network devices or suspicious network status. A number of intelligent visual tools are developed to enhance the ability of network security analysts in understanding the original data, ultimately solving network security problems. This paper surveys current progress and trends in network anomaly visualization. By providing an overview of network anomaly data, visualization tasks, and applications, we further elaborate on existing methods to depict various data features of network alerts, anomalous traffic, and attack patterns data. Directions for future studies are outlined at the end of this paper.

Chufan Lai,Qiangqiang Liu,Lu Feng,Chenglei Yue,Xi Chen,Yang Hu,Zhanyi Wang,Pengju Teng,Xiaoru Yuan

DOI: https://doi.org/10.1109/vast.2017.8585432

2017-01-01

Abstract:In VAST Challenge 2017, we propose an interactive and collaborative visual analytic system for the analysis of traffic sensor data. Our system fully incorporates the power of spatial-temporal visualization, sequence mining techniques and collaborative analysis. It allows users to conduct multi-facet and interactive data analysis in a highly efficient way. We discuss technical details in this report, and demonstrate the effectiveness of our system via convincing cases.

Yu-Xin Ma,Jia-Yi Xu,Di-Chao Peng,Ting Zhang,Cheng-Zhe Jin,Hua-Min Qu,Wei Chen,Qun-Sheng Peng

DOI: https://doi.org/10.1007/s11390-013-1378-5

2013-01-01

Abstract:The problem of detecting community structures of a social network has been extensively studied over recent years, but most existing methods solely rely on the network structure and neglect the context information of the social relations. The main reason is that a context-rich network offers too much flexibility and complexity for automatic or manual modulation of the multifaceted context in the analysis process. We address the challenging problem of incorporating context information into the community analysis with a novel visual analysis mechanism. Our approach consists of two stages: interactive discovery of salient context, and iterative context-guided community detection. Central to the analysis process is a context relevance model (CRM) that visually characterizes the influence of a given set of contexts on the variation of the detected communities, and discloses the community structure in specific context configurations. The extracted relevance is used to drive an iterative visual reasoning process, in which the community structures are progressively discovered. We introduce a suite of visual representations to encode the community structures, the context as well as the CRM. In particular, we propose an enhanced parallel coordinates representation to depict the context and community structures, which allows for interactive data exploration and community investigation. Case studies on several datasets demonstrate the efficiency and accuracy of our approach.

Xiaoling Tao,Yang Liu,Feng Zhao,Changsong Yang,Yong Wang

DOI: https://doi.org/10.1186/s13638-018-1309-9

2018-12-01

EURASIP Journal on Wireless Communications and Networking

Abstract:With the rapid development of the Internet, network security situation awareness has attracted tremendous attention. In large-scale complex networks, network security situation awareness data presents the characteristics of large-scale, multi-source, and heterogeneous. Recently, much research work have been done on network security situation awareness. However, most of the existing methods store different types of data in different ways, which makes data query and analysis inefficient. To solve this problem, we propose a graph database-based hierarchical multi-domain network security situation awareness data storage method. In our scheme, we build a hierarchical multi-domain network security situation awareness model to divide the network into different domains, which can collect and dispose the awareness data more efficiently. Meanwhile, to unify our storage mode, we also define network security situation awareness data storage rules and methods based on graph database. Finally, extensive experiments on real datasets show that our proposed method is efficient compared to state-of-the-art storage models.

telecommunications,engineering, electrical & electronic

CHEN Li,Yuriko Takeshima,Issei Fujishiro,PENG Qun-sheng

DOI: https://doi.org/10.3321/j.issn:1008-9497.2001.02.019

2001-01-01

Abstract:Parallel visualization for large-scale datasets in a very challenging topic in scientific visualization. A parallel visualization system for large-scale datasets is described. Feature analysis techniques are employed to improve the quality of visualization results. This system supports concurrent visualization with computation and outputs a simplified small graphic primitive set, which can be displayed by a small basic viewer on clients. This system provides many kinds of parallel visualization algorithms for the users to visualize their data form scalar, vector to tensor, some of which are not included in other commercial software. The experimental results show the effectiveness of the system.

Lei Shi,Qi Liao,Xiaohua Sun,Yarui Chen,Chuang Lin

DOI: https://doi.org/10.1109/bigdata.2013.6691629

2013-01-01

Abstract:The visualization of complex network traffic involving a large number of communication devices is a common yet challenging task. Traditional layout methods create the network graph with overwhelming visual clutter, which hinders the network understanding and traffic analysis tasks. The existing graph simplification algorithms (e.g. community-based clustering) can effectively reduce the visual complexity, but lead to less meaningful traffic representations. In this paper, we introduce a new method to the traffic monitoring and anomaly analysis of large networks, namely Structural Equivalence Grouping (SEG). Based on the intrinsic nature of the computer network traffic, SEG condenses the graph by more than 20 times while preserving the critical connectivity information. Computationally, SEG has a linear time complexity and supports undirected, directed and weighted traffic graphs up to a million nodes. We have built a Network Security and Anomaly Visualization (NSAV) tool based on SEG and conducted case studies in several real-world scenarios to show the effectiveness of our technique.

杨育彬,李宁,张瑶

DOI: https://doi.org/10.3724/sp.j.1001.2008.01980

2008-01-01

Journal of Software

Abstract:Studies in social network theory focus on characterizing complex social relationships by firstly mapping and visualizing them into a graph,and then subsequently identifying the corresponding graph properties.This paper provides an integrated approach,which combines social network analysis and data mining theory with the necessary geographical attributes to analyze 1417 instances of terrorism that occurred world wide during the period 1980-2002.The study reveals interesting patterns on the evolution of these terrorist organizations over two decades.The proposed method can be easily generalized to be applied to other types of large-scale networked datasets,such as micro-array data,and genomic networked data,etc.

Dichao Peng,Wei Chen,Qunsheng Peng

DOI: https://doi.org/10.1002/sec.521

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTThe establishment of trust relations is recognized as an important approach to initiate cooperation between unfamiliar entities in distributed computing environments. Particularly, trust relations can play a key role to help nodes make decisions on service discoveries in wireless environments. Visualizing trust relations can help us understand and analyze the real‐time threats that the distributed system is facing and consequently identify the attacks in order to deploy corresponding countermeasures. The main challenges to visualize trust in such distributed environments are as follows: (i) visually reorganizing and presenting trust relations to show underlying cooperation between attackers; (ii) mapping attacker behaviors to visual patterns in an ambiguity‐free manner; (iii) properly organizing and encoding other contextual information to analyze how these factors play along with trust. In this paper, we introduce TrustVis, a tool that helps users visually analyze trust relations to identify attacks in a semi‐automatic fashion. In parallel with a running trust evaluation engine that actively monitors trust relations, TrustVis reorganizes and presents trust relations with a matrix to map the cooperative attack schemes to visual patterns. By coordinating the trust matrix and other contextual information into a multi‐faceted view, TrustVis incorporates the intelligence of domain experts to interactively monitor the networked system toward identifying both the attackers' identities and the adopted attack schemes. Copyright © 2012 John Wiley & Sons, Ltd.

Qi Liao,Aaron Striegel,Nitesh Chawla

DOI: https://doi.org/10.1145/1850795.1850799

2010-01-01

Abstract:Managing complex enterprise networks requires an understanding at a finer granularity than traditional network monitoring. The ability to correlate and visualize the dynamics and inter-relationships among various network components such as hosts, users, and applications is non-trivial. In this paper, we propose a visualization approach based on the hierarchical structure of similarity/difference visualization in the context of heterogeneous graphs. The concept of hierarchical visualization starts with the evolution of inter-graph states, adapts to the visualization of intra-graph clustering, and concludes with the visualization of similarity between individual nodes. Our visualization tool, ENAVis (Enterprise Network Activities Visualization), quantifies and presents these important changes and dynamics essential to network operators through a visually appealing and highly interactive manner. Through novel graph construction and transformation, such as network connectivity graphs, MDS graphs, bipartite graphs, and similarity graphs, we demonstrate how similarity/dynamics can be effectively visualized to provide insight with regards to network understanding.

Xiaoli Lin,Yu Yao,Bo Hu,Wei Yang,Xiaoming Zhou,Wenjie Zhang

DOI: https://doi.org/10.1016/j.segan.2024.101325

2024-02-25

Sustainable Energy, Grids and Networks

Abstract:Risk assessment is an effective way to counter cyber-attacks on the power communication network. However, many existing methods are imbalanced and overlook the security state of the attack source, leading to inaccuracies. To address these shortcomings, this paper presents a cyber risk visual analytics framework that effectively combines cyber risk assessment with network alarm visual analytics. For the imbalanced assessment, we propose a weighted risk expectation that considers the security states of the attack sources as well as multiple significant attack factors. We introduce a new node centrality called directed weighted degree (DW-Degree), which considers not only the heterogeneity of edge directions, but also the impact propagated from/to the non-adjacent reachable nodes. Combining weighted risk expectation (WRE) and DW-Degree centrality (DC), we present an improved risk assessment method (WRE-DC) for network nodes and perform real-time risk assessment using WRE-DC and sliding window technique. In addition, a novel visual analysis system based on the real-time WRE-DC results and network alarms has been developed to improve the analysis of complex network risks. The experimental results obtained from real network alarm data confirm the effectiveness of the proposed method in significantly improving the accuracy of network node risk assessment.

energy & fuels,engineering, electrical & electronic

Zikun Deng,Shifu Chen,Xiao Xie,Guodao Sun,Mingliang Xu,Di Weng,Yingcai Wu

DOI: https://doi.org/10.1109/tvcg.2022.3229953

IF: 5.2

2024-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Numerous patterns found in urban phenomena, such as air pollution and human mobility, can be characterized as many directed geospatial networks (geo-networks) that represent spreading processes in urban space. These geo-networks can be analyzed from multiple levels, ranging from the macro-level of summarizing all geo-networks, meso-level of comparing or summarizing parts of geo-networks, and micro-level of inspecting individual geo-networks. Most of the existing visualizations cannot support multilevel analysis well. These techniques work by: 1) showing geo-networks separately with multiple maps leads to heavy context switching costs between different maps; 2) summarizing all geo-networks into a single network can lead to the loss of individual information; 3) drawing all geo-networks onto one map might suffer from the visual scalability issue in distinguishing individual geo-networks. In this study, we propose GeoNetverse, a novel visualization technique for analyzing aggregate geo-networks from multiple levels. Inspired by metro maps, GeoNetverse balances the overview and details of the geo-networks by placing the edges shared between geo-networks in a stacked manner. To enhance the visual scalability, GeoNetverse incorporates a level-of-detail rendering, a progressive crossing minimization, and a coloring technique. A set of evaluations was conducted to evaluate GeoNetverse from multiple perspectives.

Zipeng Liu,Zhenhuang Wang,Siming Chen,Zuchao Wang,Zhengjie Miao,Xiaoru Yuan

DOI: https://doi.org/10.1109/vast.2014.7042573

2014-01-01

Abstract:We proposed a collaborative platform to analyze streaming microblog messages in real-time on the emergence of security events, for VAST 2014 Mini Challenge 3. Our team members monitored and analyzed the streaming data simultaneously on it, where we could flexibly distribute workloads by filtering the data streams as we liked, and share notable information such as suspects and locations. With the assistance of a keyword analyzer, we were able to stay vigilant for potential emergencies in the course of streaming and conduct postmortem analysis. We will describe the collaborative mechanisms, as well as the design principles and considerations in detail.

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

Guangjie Zhang,Xiaobo Tan

DOI: https://doi.org/10.1117/12.2675117

2023-05-25

Abstract:In the research of network security situational awareness, an important problem that needs to be solved urgently is that in the face of a large number of noisy multi-source data, the accuracy of obtaining network security situational awareness indicators will be affected. This paper proposes a data fusion processing method based on deep neural network to solve the above problems, which first uses natural language processing technology to process high-noise data in the data, and does a good job of word reduction of the data through the WordNetLemmatizer module. The TF-IDF feature extraction algorithm is applied to extract features through the frequency of data occurrence and the weight of the data. The experimental results show that the accuracy of obtaining network security situational awareness indicators by using the data fusion method based on deep neural network reaches more than 85% compared with the data fusion methods of other machine learning algorithms, and can be applied to the network security situational awareness model.

Computer Science,Engineering

Xin Fan,Chenlu Li,Xiaoru Yuan,Xiaoju Dong,Jie Liang

DOI: https://doi.org/10.1007/s12650-019-00580-7

IF: 1.7

2019-01-01

Journal of Visualization

Abstract:Network anomaly detection is an important means for safeguarding network security. On account of the difficulties encountered in traditional automatic detection methods such as lack of labeled data, expensive retraining costs for new data and non-explanation, we propose a novel smart labeling method, which combines active learning and visual interaction, to detect network anomalies through the iterative labeling process of the users. The algorithms and the visual interfaces are tightly integrated. The network behavior patterns are first learned by using the self-organizing incremental neural network. Then, the model uses a Fuzzy c-means-based algorithm to do classification on the basis of user feedback. After that, the visual interfaces are updated to present the improved results of the model, which can help users to choose meaningful candidates, judge anomalies and understand the model results. The experiments show that compared to labeling without our visualizations, our method can achieve a high accuracy rate of anomaly detection with fewer labeled samples.