A survey of network anomaly visualization

Abstract

Network anomaly analysis is an emerging subtopic of network security. A network anomaly refers to the unusual behavior of network devices or a suspicious network status. A number of intelligent visual tools have been developed to help network security analysts understand the original data and, ultimately, solve network security problems. This paper surveys current progress and trends in network anomaly visualization. After providing an overview of network anomaly data, visualization tasks, and applications, we elaborate on existing methods for depicting various data features of network alerts, anomalous traffic, and attack pattern data. Directions for future studies are outlined at the end of this paper.

Acknowledgements

This work was supported by National Basic Research Program of China (973 Program) (Grant No. 2015CB352503), Major Program of National Natural Science Foundation of China (Grant No. 61232012), National Natural Science Foundation of China (Grant Nos. 61422211, u1536118, u1536119), Zhejiang Provincial Natural Science Foundation of China (Grant No. LR13F020001), and Fundamental Research Funds for the Central Universities.

Author information

Correspondence to Wei Chen.

Additional information

Conflict of interest: The authors declare that they have no conflict of interest.

About this article

Cite this article

Zhang, T., Wang, X., Li, Z. et al. A survey of network anomaly visualization. Sci. China Inf. Sci. 60, 121101 (2017). https://doi.org/10.1007/s11432-016-0428-2

Keywords

  • network anomaly
  • network anomaly visualization
  • visual analysis
  • network security
  • visualization