NetTimeView: Applying Spatio-temporal Data Visualization Techniques to DDoS Attack Analysis

  • Ayush Shrestha
  • Ying Zhu
  • Kebina Manandhar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8887)


Distributed Denial-Of-Service (DDoS) is a common network attack where multiple computers attempt to disable a single system with overwhelming network traffic. Various data visualization methods have been developed to help explain, analyze, and deal with DDoS attacks. However, most of the existing visualization methods do not effectively present the temporal aspect of the DDoS attack data. In this paper, we present a novel DDoS visualization technique, NetTimeView, that applies spatio-temporal data visualization to DDoS data. This technique integrates network traffic data and temporal data in a single view. Its multi-layered visualization technique is able to handle very large data sets with efficient use of visualization space. This tool is particularly useful for system administrators and network security analysts to conduct network forensic analysis. We demonstrate our method with a case study of a large DDoS data set.


Network Security Packet Arrival Network Attack Moire Pattern Packet Count 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Shiravi, H., Shiravi, A., Ghorbani, A.: A survey of visualization systems for network security. IEEE Transactions on Visualization and Computer Graphics 18, 1313–1329 (2012)CrossRefGoogle Scholar
  2. 2.
    Lakkaraju, K., Yurcik, W., Lee, A.J.: Nvisionip: netflow visualizations of system state for security situational awareness. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 65–72. ACM (2004)Google Scholar
  3. 3.
    Kintzel, C., Fuchs, J., Mansmann, F.: Monitoring large ip spaces with clockview. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec 2011, pp. 2:1–2:10. ACM, New York (2011)Google Scholar
  4. 4.
    Conti, G., Abdullah, K., Grizzard, J., Stasko, J., Copeland, J., Ahamad, M., Owen, H.L., Lee, C.: Countering security information overload through alert and packet visualization. IEEE Computer Graphics and Applications 26, 60–70 (2006)CrossRefGoogle Scholar
  5. 5.
    Koike, H., Ohno, K.: Snortview: visualization system of snort logs. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 143–147. ACM (2004)Google Scholar
  6. 6.
    Ren, P., Kristoff, J., Gooch, B.: Visualizing dns traffic. In: Proceedings of the 3rd International Workshop on Visualization for Computer Security, pp. 23–30. ACM (2006)Google Scholar
  7. 7.
    Zhang, J., Yang, G., Lu, L., Huang, M., Che, M.: A novel visualization method for detecting ddos network attacks. In: Huang, M.L., Nguyen, Q.V., Zhang, K. (eds.) Visual Information Communication, pp. 185–194. Springer, US (2010)Google Scholar
  8. 8.
    Pearlman, J., Rheingans, P.: Visualizing network security events using compound glyphs from a service-oriented perspective. In: VizSEC 2007, pp. 131–146. Springer (2008)Google Scholar
  9. 9.
    Google: Digital attack map (2014)Google Scholar
  10. 10.
    Krasser, S., Conti, G., Grizzard, J., Gribschaw, J., Owen, H.: Real-time and forensic network data analysis using animated and coordinated visualization. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 42–49. IEEE (2005)Google Scholar
  11. 11.
    Nunnally, T., Chi, P., Abdullah, K., Uluagac, A.S., Copeland, J.A., Beyah, R.: P3d: A parallel 3d coordinate visualization for advanced network scans. In: 2013 IEEE International Conference on Communications (ICC), pp. 2052–2057. IEEE (2013)Google Scholar
  12. 12.
    Choi, H., Lee, H., Kim, H.: Fast detection and visualization of network attacks on parallel coordinates. Computers & Security 28, 276–288 (2009)CrossRefGoogle Scholar
  13. 13.
    Tricaud, S., Saadé, P.: Applied parallel coordinates for logs and network traffic attack analysis. Journal in Computer Virology 6, 1–29 (2010)CrossRefGoogle Scholar
  14. 14.
    Fischer, F., Mansmann, F., Keim, D.A., Pietzko, S., Waldvogel, M.: Large-scale network monitoring for visual analysis of attacks. Springer (2008)Google Scholar
  15. 15.
    Goodall, J.R., Sowul, M.: Viassist: Visual analytics for cyber defense. In: IEEE Conference on Technologies for Homeland Security, HST 2009, pp. 143–150. IEEE (2009)Google Scholar
  16. 16.
    Shrestha, A., Miller, B., Zhu, Y., Zhao, Y.: Storygraph: Extracting patterns from spatio-temporal data. In: Proceedings of the ACM SIGKDD Workshop on Interactive Data Exploration and Analytics, pp. 95–103. ACM (2013)Google Scholar
  17. 17.
    Shneiderman, B.: The eyes have it: A task by data type taxonomy for information visualizations. In: Proceedings of the IEEE Symposium on Visual Languages, pp. 336–343. IEEE (1996)Google Scholar
  18. 18.
    CAIDA: The caida ucsd ”ddos attack 2007” dataset (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Ayush Shrestha
    • 1
  • Ying Zhu
    • 1
  • Kebina Manandhar
    • 1
  1. 1.Georgia State UniversityUSA

Personalised recommendations