Xin Fan,Wenjie Luo,Xiaoju Dong,Rui Su

DOI: https://doi.org/10.1007/978-981-13-2203-7_45

2018-01-01

Abstract:Analyzing network data is one of the important means to safeguard network security. However, how to detect anomalies and trace back the origin of attacks in the enlarging scale of network data is still a challenge now. This paper designs and implements a network visualization system, which meets three main requirements: the situation awareness of the whole network, the rapid detection of anomalies, and the track of attack source. To combine multiple visualization technologies reasonably, the system provides information from three levels. It also uses unsupervised learning methods to detect anomalies in different ways. Therefore, the system enhances the ability of identifying abnormal behaviors from network data. Its efficiency is tested by the usage of data in the ChinaVis 2016.

Wen Xu,Jing He,Hao Lan Zhang,Bo Mao,Jie Cao

DOI: https://doi.org/10.1145/2996890.3007881

2016-01-01

Abstract:Moving target detection and tracking, recognition, behaviors analysis are the key issues in the intelligent visual surveillance system (IVSS). The challenge is how to process the real-time video stream in an effective way in case that we could find the interested objects for analysis. However, the traditional video surveillance technology often does not meet the needs of real-time key frame recognition for the on-line intelligent video monitoring system. In our paper, we adopt the state-of-the-art Faster R-CNN [7] that takes advantages of convolutional neural networks into our real-time target recognition system -Deep Intelligent Visual Surveillance (DIVS). The key aspects of our DIVS are consisted of four parts: (i) Getting the real-time video images from remote cameras; (ii) Processing the data with the deep learning framework caffe [23] built for Faster R-CNN; (iii) Storing the valuable data with MySQL; (iv) Data presentation on the website. Experiments based on our system validated the effectiveness, stability and accuracy of our proposed solutions.

ZHANG Haocheng,WU Xiaojie,TANG Xiang,SHU Runxuan,DING Tianchen,DONG Xiaoju

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018015

2018-01-01

Abstract:With the fast development of information technology and computer network, the scale and complexity of network security data grows rapidly. Traditional visualization techniques are no longer suitable. In addition, it designs interactive functions based on the feature of network security analysis, in order to assist the network security analyst. The existing approaches for network security visualization have some defects, which fail to provide a good indication of network security data in terms of timing and also fail to display information completely and realize user-friendly interaction. A multi-view network security visualization system was proposed, which provided the analysts of both the static status and dynamic changes of the network by combining the force-oriented model and the staged animation. It provides comprehensive information with display and filter of protocols, IP segment and port. The system on Shanghai Network database were evaluated.

Jian Huang,Xiushan Zhang

DOI: https://doi.org/10.1109/ccet.2018.8542190

2018-01-01

Abstract:In recent years, with the rapid development of computer science and information technology, the world is filled and propelled of time-varying and multivariate data. The enormous growth of data in the last decades led to big data challenge in the network security field. Traditional visual analysis method for the time-varying network is inadequate. Efficient methods for visual clutter reduction, network structure exploration and network behavior detection are needed. In this paper, we propose two methods: A triangular-based algorithm for time-varying behavior presentation and an improved brush PCP aims to assist the visual analysis task in time-varying network pattern detection. A synthetic visual analysis system is designed and implemented on the basis of these two novel methods. Our system is capable of visually analyzing vast amounts of network data. To better describe and demonstrate the usefulness and performance of our system, we utilize the ChinaVis2015 Challenge dataset as a case study.

Li Zheng,Gang Yu,Yuntian Zheng

DOI: https://doi.org/10.1007/s11265-023-01836-0

2023-02-01

Journal of Signal Processing Systems

Abstract:Data visualization is an important approach for data analysis, which can reveal the patterns and characteristics of complex datasets through visual processing, and provide aid for data analysts. In recent years, with the expansion of Internet users and the rich diversity of various Internet applications, the importance of network security is increasing. In the field of network security data analysis, it is a developing direction to use data visualization methods and visual analysis tools to assist manual analysis. In this paper, a visualization system for network security data is designed and implemented, which is mainly based on network flow records and security policies. The node centrality measurement and high-dimensional data visualization methods are comprehensively applied, and an interactive visualization approach is proposed. The IP topology is presented in three different view modes: static analysis, temporal analysis and exploration analysis. In addition, the high-dimensional projection map takes flow, security policy and IP address as analysis objects and selects several dimensional features as indicators. After visual presentation, the distribution of the stream set and IP set contained in the record after projection in the selected dimension space can be obtained, so that the analyst can find the points with significant abnormal eigenvalue distribution, and deduce the possible situation based on this. After testing, the system can accept the new original data record file, and quickly generate the corresponding visualization content, which can be used for the visualization analysis of network security optimization tool software, and has been used in the actual system.

computer science, information systems,engineering, electrical & electronic

Xuefei Tian,Zhiyuan Wu,JunXiang Cao,Shengtao Chen,Xiaoju Dong

DOI: https://doi.org/10.1016/j.vrih.2023.06.009

2023-01-01

Virtual Reality & Intelligent Hardware

Abstract:Background With the development of information technology, there is a significant increase in the number of network traffic logs mixed with various types of cyberattacks. Traditional intrusion detection systems（IDSs） are limited in detecting new inconstant patterns and identifying malicious traffic traces in real time.Therefore, there is an urgent need to implement more effective intrusion detection technologies to protect computer security. Methods In this study, we designed a hybrid IDS by combining our incremental learning model（KANSOINN） and active learning to learn new log patterns and detect various network anomalies in real time. Conclusions Experimental results on the NSLKDD dataset showed that KAN-SOINN can be continuously improved and effectively detect malicious logs. Meanwhile, comparative experiments proved that using a hybrid query strategy in active learning can improve the model learning efficiency.

Han Dongming,Pan Jiacheng,Pan Rusheng,Zhou Dawei,Cao Nan,He Jingrui,Xu Mingliang,Chen Wei

DOI: https://doi.org/10.1007/s11704-020-0013-1

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:Multivariate dynamic networks indicate networks whose topology structure and vertex attributes are evolving along time. They are common in multimedia applications. Anomaly detection is one of the essential tasks in analyzing these networks though it is not well addressed. In this paper, we combine a rare category detection method and visualization techniques to help users to identify and analyze anomalies in multivariate dynamic networks. We conclude features of rare categories and two types of anomalies of rare categories. Then we present a novel rare category detection method, called DIRAD, to detect rare category candidates with anomalies. We develop a prototype system called iNet, which integrates two major visualization components, including a glyph-based rare category identifier, which helps users to identify rare categories among detected substructures, a major view, which assists users to analyze and interpret the anomalies of rare categories in network topology and vertex attributes. Evaluations, including an algorithm performance evaluation, a case study, and a user study, are conducted to test the effectiveness of proposed methods.

Ying Zhao,Fangfang Zhou,Ronghua Shi

2012-01-01

Abstract:NetSecRadar is a visual analytics system to aid in monitoring the network security in real time and preceiving the overall view of the security situation using radial graph. At present, we use this tool mainly for IDS alerts to analyze the irregular behavioral patterns, and synthesize interactions, filtering and drill-down to detect the potential intrusions. In conclusion, we describe how this system was used to analyze the mini-challenges of the 2012 VAST challenge.

Ying ZHAO,Xiaoping FAN,Fangfang ZHOU,Wei HUANG,Mengjiao TANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1312039

2014-01-01

Abstract:Network security visualization is a growing community of network security research in recent years. It provides the human security analysts with better tools to discover patterns, detect anomalies, identify correlations of security events with higher efficiency. To meet the demand of cooperative visual analytics on large-scale network and multi-source data, this paper develops a data fusion model based on the even tuple and statistics tuple within uni-form data formats, raises a design strategy including the radial graph that is good at parsing events correlations and comparative stacked stream that is good at comparing statistics time series, explores the automated deployment method based on network logic topology and edge bundling method in radial graph. Finally by utilizing the pro-posed prototype system to analyze network security datasets in VAST Challenge 2013 and conducting some experi-ments and discussions, the effectiveness of tools is verified and substantiated.

Bin YUAN,Deqing ZOU,Hai JIN

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.03.002

2016-01-01

Abstract:The developing of Internet techniques has brought many convenience into our daily life, such as on-line shop-ping, on-line entertainment, social network, etc. However, cyber-attack and cyber-crime have also become more and more common since Internet provides so many potential profits, which makes cyber security more and more important. Unfor-tunately, traditional cyber security approaches, such as firewall, IDS and IPS, are not efficient because they lack the feature of intelligence, dynamic nature and global view. As such, network security visualization is proposed. Visualization is not only efficient but also very effective at communicating information. Based on the analysis of network data, network secu-rity visualization transfers the invisible, unexpressed and abstract network data into visual images to provide a high-level view of security events to analysts for more timely and informed decisions. Visualization brings revolution to the network security research area and has developed very fast. In this paper, we provide a thorough survey of network security visu-alization, categorizing the related work based on the type of network data (since network data is the basis of network security visualization). Further, we analyze the issues and challenges regarding network security visualization and provide guidelines and directions for future work.

Tao Zhang,Qi Liao,Lei Shi

DOI: https://doi.org/10.1109/PacificVis.2014.22

2014-01-01

Abstract:Large-scale networks have become increasingly challenging to manage. It is vital for a system administrator or network manager to be able to analyze the vast amount of log data in order to detect suspicious behaviors or patterns, possibly due to malicious users/applications or faulty devices. While an intrusion detection system (IDS) log can provide a large number of warnings, exactly which alarms are true while the others are false, and more importantly what are the underlying causes are still difficult to know. To bridge the gap between network log and anomaly discovery, we design and implement a visualization tool that combines multiple commodity visualizations with minimum learning curve. While each individual view is well understood, the effects of such views in analyzing network anomalies are not well studied. Since each visualization technique has advantages as well as limitations in addressing a particular task, we show that these views, when combined and linked together, may provide an effective and lightweight network anomaly analysis tool. The web-based open platform may simplify network administration as well as promote collaborative analysis among researchers.

Sheng Zhang,Ronghua Shi,Jue Zhao

DOI: https://doi.org/10.3837/tiis.2016.06.019

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Owing to their low scalability, weak support on big data, insufficient data collaborative analysis and inadequate situational awareness, the traditional methods fail to meet the needs of the security data analysis. This paper proposes visualization methods to fuse the multi-source security data and grasp the network situation. Firstly, data sources are classified at their collection positions, with the objects of security data taken from three different layers. Secondly, the Heatmap is adopted to show host status; the Treemap is used to visualize Netflow logs; and the radial Node-link diagram is employed to express IPS logs. Finally, the Labeled Treemap is invented to make a fusion at data-level and the Time-series features are extracted to fuse data at feature-level. The comparative analyses with the prize-winning works prove this method enjoying substantial advantages for network analysts to facilitate data feature fusion, better understand network security situation with a unified, convenient and accurate mode.

Xin Fan,Chenlu Li,Xiaoru Yuan,Xiaoju Dong,Jie Liang

DOI: https://doi.org/10.1007/s12650-019-00580-7

IF: 1.7

2019-01-01

Journal of Visualization

Abstract:Network anomaly detection is an important means for safeguarding network security. On account of the difficulties encountered in traditional automatic detection methods such as lack of labeled data, expensive retraining costs for new data and non-explanation, we propose a novel smart labeling method, which combines active learning and visual interaction, to detect network anomalies through the iterative labeling process of the users. The algorithms and the visual interfaces are tightly integrated. The network behavior patterns are first learned by using the self-organizing incremental neural network. Then, the model uses a Fuzzy c-means-based algorithm to do classification on the basis of user feedback. After that, the visual interfaces are updated to present the improved results of the model, which can help users to choose meaningful candidates, judge anomalies and understand the model results. The experiments show that compared to labeling without our visualizations, our method can achieve a high accuracy rate of anomaly detection with fewer labeled samples.

Rujun LIU,Yang XIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.007

2016-01-01

Abstract:Focus on the issues that network abnormal data is displayed in an single way and it can’t be shown in real time, a network security data visualization and analysis system is designed and implemented. The functions of the system are network abnormal data monitoring, situation awareness and risk monitoring. Firstly, data collection model gathers original data of devices. Secondly, data preprocessing model transforms original data into standard format. Thirdly, data analysis model distinguishes abnormal data and forms network situation by analysing and detecting standard data. Finally, analysis results are real-time displayed by network map, topological graph, sequence chart,etc. The system combines data collection, data preprocessing, data analysis and data display, meanwhile implements real-time situation forecast and improves the effeciency of network device monitoring.

Fangfang Zhou,Ronghua Shi,Ying Zhao,Yezi Huang,Xing Liang

DOI: https://doi.org/10.1007/978-3-319-03584-0_30

2013-01-01

Abstract:Situational awareness is defined as the ability to effectively determine an overall computer network status based on relationships between security events in multiple dimensions. Unfortunately, as the lack of tools to synthetically analyze the security logs generated by kinds of network security products, such as NetFlow, Firewall and Host Security, it is difficult to monitor and perceive network security situational awareness. Information visualization allows users to discover and analyze large amounts of information through visual exploration and interaction efficiently. Even with the aid of visualization, identifying the attack patterns from big multi-source data and recognizing the abnormal from visual clutter are still challenges. In this paper, a novel visualization system, NetSecRadar, is proposed for network security situational awareness based on multi-source logs, which can monitor the network and perceive the overall view of the security situation by using radial graph. NetSecRadar utilizes a hierarchical force-directed graph layout for arrangement of thousands of hosts to better use the available screen space, and provides the method to quantify the dangerous levels of the security events, and finds the correlations of security events generated by multi-source logs and perceives the patterns of abnormal in situational awareness, and synthesizes interactions, filtering and drill-down to understand the detail information. To demonstrate the system’s capabilities, we utilize the VAST Challenge 2013 as case study.

Kaixing Huang,Qi Zhang,Chunjie Zhou,Naixue Xiong,Yuanqing Qin

DOI: https://doi.org/10.1109/tsmc.2017.2698457

2017-01-01

IEEE Transactions on Systems Man and Cybernetics Systems

Abstract:Visual sensor networks (VSNs) are highly vulnerable to attacks due to their open deployment in possibly unattended environments. To improve the network security of VSNs, an intrusion detection system (IDS) is an effective countermeasure. However, as visual sensors can produce big and dynamic video data, it is a tough task to rapidly and effectively detect attacks in VSNs. Moreover, attack samples in VSNs are generally too rare for IDSs to fully understand the behaviors of attacks. Facing these difficulties, in this paper, we propose an efficient intrusion detection approach for VSNs, which is based on traffic pattern learning. In the proposed approach, a traffic model is developed to describe the dynamic characteristics of network traffic in VSNs. Based on this model, the optimal feature set for traffic pattern learning can be extracted. Then a hierarchical self-organizing map (HSOM) is employed to learn traffic patterns and detect intrusions. Furthermore, an active learning strategy is devised to accelerate the training process of the HSOM and better learn the patterns of attacks. Experimental results show that the proposed approach has high detection accuracy and good real-time performance.

Ying Zhao,Xing Liang,Xiaoping Fan,Yiwen Wang,Mengjie Yang,Fangfang Zhou

DOI: https://doi.org/10.1007/s12650-014-0213-6

IF: 1.7

2014-01-01

Journal of Visualization

Abstract:In this article, we present a visual analytics system, MVSec, which helps analysts understand better what information flows under network security datasets. The major contributions of this work include: (1) a data fusion strategy for multiple heterogeneous datasets by using unified event tuple and statistic tuple data structure, which compress large scale datasets and lays the foundation of cooperative visual analysis; (2) multiple coordinated views, which provide analysts with multiple visual perspectives to characterize loud events, dig out subtle events and investigate relations of events in datasets; and (3) a contextual visual analysis with deductive viewpoints, which inspires analysts to explore hypotheses and reason their deductions from visual narratives. In case studies, we demonstrate in detail how the system helps analysts draw an analytical storyline and understand network situations better in VAST Challenge 2013. Additionally, we discuss lessons learned in designing our system and participating in VAST Challenge 2013, which is helpful and applicable not only to similar network security systems but also to other domains facing visual analytics challenges.

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Yixuan Wu,Laisen Nie,Xuanrui Xiong,Balqies Sadoun,Lin Yang,Zhaolong Ning

DOI: https://doi.org/10.1109/tce.2023.3331907

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:The Industry 5.0 (I5) incorporates numerous emerging technologies that enable the perception, management, interaction, and control of real physical objects. As cyber attacks are becoming more intelligent and accessible, I5 security issues are gaining increasing prominence. An intrusion detection system plays an important role in network security by detecting and identifying various security threats. However, owing to the limited computing and storage resources of users, it is difficult for I5 nodes to support large-scale network data collection and simultaneous transmission of the collected data. To address the above problems, this study investigates an intelligent intrusion detection technology for I5 security and develops a low-loss intrusion detection algorithm based on abnormal attacks. We first establish an incremental update feature selection method, which realises feature selection using a fuzzy rough set and a fuzzy knowledge distance. Subsequently, to reduce the decision loss of the selected features, we implement feature correlation using the fuzzy knowledge distance. Based on the selected features, we achieve incremental update intrusion detection using a graph attention network and a random forest. Simultaneously, we prove the convergence of the designed graph attention network in a specific scene. Finally, the experimental results show that our designed method has higher accuracy than existing methods.

Zhang Sheng,Shi Rong-hua,Zhou Fangfang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.004

2014-01-01

Abstract:There are some security problem of cognition difficulty, lack of global cognition and interaction in modern Internet security. How to identify network attacks and abnormal events in a quicker and more effective way is a key and eternal topic. The visualization method, a possible and valuable solution, is proposed. Considering the features and defeats of current working visualization systems, this paper researches and constructs a new type of Intrusion Detection System(IDS)--IDS View, a system based on radial panel visualization technology. With a main focus on user interface and experience, decrease of image occlusion, color mixing algorithms, curve algorithms and port mapping algorithms, this system can well be applied to the campus network security situation assessment. Application results show that analysts can intuitively be aware of the network security status from both macro and micro levels, so it can effectively identify network attacks and assist them in decision-making.