Abstract
With the expansion of networks, the development of the information highway, and the large volumes of data generated by applications, Netflow log size has been growing rapidly. This paper proposes the use of visualization techniques to quickly and effectively identify network attacks and abnormal events and to perceive the network security situation. A 2T (combined Time-series and Treemap) graph visualization system, named Seeflow, is developed. It uses the information entropy of Netflow features to draw a Time-series graph and uses cross-entropies to distinguish normal from abnormal flow streams. The Time-series graph gives an overview of the network state at the macro level, and the Treemap graph is used to drill down into details at the micro level. In addition, the exponential function is used to quantitatively analyze the performance of the Treemap. The Seeflow system also creates graphical features to visually analyze attacks and find interesting patterns. In the experiments, the VAST Challenge 2013 competition dataset is analyzed with the Seeflow system. A comparison with the prize-winning works shows that Seeflow can intuitively display the network security situation at both the macro and micro level, effectively identify network attacks, and support decision-making.
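The entropy and cross-entropy scoring that the abstract describes, as an added Python illustration rather than code from the Seeflow system: per-window Shannon entropy of Netflow features feeds the Time-series view, and cross-entropy against a baseline window separates normal from abnormal streams. The flow records, the choice of features (source IP, destination IP, destination port), the smoothing constant and the threshold are constructed assumptions.

```python
import math
from collections import Counter

FIELDS = {"src_ip": 1, "dst_ip": 2, "dst_port": 3}   # index of each feature in a flow tuple

def _normal_window(w):
    """Constructed ordinary traffic: four clients, three servers, four service ports."""
    hosts = ["10.0.0.%d" % i for i in range(1, 5)]
    ports = [80, 443, 53, 22]
    return [(w, hosts[i % 4], "192.168.1.%d" % (10 + i % 3), ports[(i + w) % 4])
            for i in range(16)]

# Constructed flows (window, src_ip, dst_ip, dst_port); window 2 is one new host sweeping 16 ports.
FLOWS = _normal_window(0) + _normal_window(1) + [
    (2, "10.0.0.9", "192.168.1.10", 1000 + p) for p in range(16)]

def distribution(flows, field):
    """Empirical probability of each value of one Netflow feature within a window."""
    counts = Counter(flow[field] for flow in flows)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}

def entropy(dist):
    """Shannon entropy in bits: high means diverse values, low means concentrated."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def cross_entropy(p, q, eps=1e-6):
    """H(p, q) = -sum p(x) log2 q(x) against baseline q. Values absent from the
    baseline get probability eps (an assumed smoothing) instead of infinite cost."""
    return -sum(px * math.log2(q.get(x, eps)) for x, px in p.items())

def window_features(flows, window):
    rows = [f for f in flows if f[0] == window]
    return {name: distribution(rows, idx) for name, idx in FIELDS.items()}

def score_windows(flows, baseline_window=0):
    """Per window: entropy of each feature (the Time-series curve) and cross-entropy
    against the baseline window (the normal/abnormal separation)."""
    base = window_features(flows, baseline_window)
    report = {}
    for w in sorted({f[0] for f in flows}):
        feats = window_features(flows, w)
        report[w] = {name: {"entropy": round(entropy(feats[name]), 3),
                            "cross_entropy": round(cross_entropy(feats[name], base[name]), 3)}
                     for name in FIELDS}
    return report

def flag_abnormal(report, threshold_bits):
    """Windows whose summed cross-entropy over all features exceeds the threshold."""
    return [w for w, feats in report.items()
            if sum(v["cross_entropy"] for v in feats.values()) > threshold_bits]
```

In the constructed data the scan window shows destination-port entropy rising to 4 bits while source-IP entropy collapses to 0, and its cross-entropy against the baseline is an order of magnitude above the normal windows, which is the contrast the paper's two graphs are meant to make visible.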
Acknowledgements
This work was supported by National Natural Science Foundation of China (Grant No. 61402540) and the Key Laboratory of Hunan Province for New Retail Virtual Reality Technology (2017TP1026).
Cite this article
Zhang, S., Shi, R. & Zhao, J. Seeflow: A Visualization System Using 2T Hybrid Graph for Characteristics Analysis of Abnormal Netflow. Wireless Pers Commun 101, 2127–2142 (2018). https://doi.org/10.1007/s11277-018-5808-0