Seeflow: A Visualization System Using 2T Hybrid Graph for Characteristics Analysis of Abnormal Netflow

Wireless Personal Communications

Abstract

As networks expand, the information highway develops, and applications generate ever more data, Netflow log volume has been growing rapidly. This paper proposes visualization techniques to identify network attacks and abnormal events quickly and effectively, and to perceive the network security situation. A 2T (Time-series combined with Treemap) graph visualization system, named Seeflow, is developed. It computes the information entropy of Netflow features to draw a Time-series graph and uses cross-entropy to distinguish normal from abnormal flow streams. The Time-series graph gives a macro-level overview of the network state, and the Treemap graph is used to drill down into details at the micro level. In addition, an exponential function is used to quantitatively analyze the performance of the Treemap. The Seeflow system also derives graphical features for visually analyzing attacks and finding interesting patterns. In the experiment, the VAST Challenge 2013 competition dataset is analyzed with Seeflow. Comparison with the prize-winning entries shows that Seeflow can intuitively display the network security situation at both the macro and micro level, effectively identify network attacks, and support decision-making.
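The entropy and cross-entropy step the abstract describes, as an added example that is not code from the paper: it computes the per-window Shannon entropy of a Netflow feature (the macro-level time series) and scores each window by the cross-entropy between its feature distribution and a baseline built from windows taken as normal. The flow records, the feature set (src_ip, dst_ip, dst_port), the Laplace smoothing of the baseline and the threshold are all assumptions for illustration; the abstract does not state the paper's exact features or decision rule.

```python
import math
from collections import Counter

# Constructed Netflow-style records for illustration (not from the paper or
# from the VAST Challenge 2013 dataset): (time_bin, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0, "10.0.0.1", "192.0.2.10", 80, 1200),
    (0, "10.0.0.2", "192.0.2.10", 443, 900),
    (0, "10.0.0.3", "192.0.2.53", 53, 120),
    (0, "10.0.0.4", "192.0.2.11", 80, 1500),
    (1, "10.0.0.1", "192.0.2.10", 80, 1100),
    (1, "10.0.0.2", "192.0.2.10", 443, 950),
    (1, "10.0.0.3", "192.0.2.53", 53, 130),
    (1, "10.0.0.4", "192.0.2.11", 443, 800),
    (2, "10.0.0.1", "192.0.2.10", 80, 1300),
    (2, "10.0.0.2", "192.0.2.10", 443, 870),
    (2, "10.0.0.3", "192.0.2.53", 53, 110),
    (2, "10.0.0.4", "192.0.2.53", 53, 125),
    # Bin 3: one host probing many ports on one target (a constructed port scan).
    *[(3, "10.0.0.9", "192.0.2.10", port, 60)
      for port in (21, 22, 23, 25, 80, 110, 143, 443)],
]
# Index of each feature inside a flow record (assumed feature set).
FEATURES = {"src_ip": 1, "dst_ip": 2, "dst_port": 3}


def feature_counts(flows, feature, time_bins):
    """Count values of one feature over the flows that fall into time_bins."""
    idx = FEATURES[feature]
    return Counter(f[idx] for f in flows if f[0] in time_bins)


def to_distribution(counts):
    """Normalise counts to a probability mass function."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def entropy(dist):
    """Shannon entropy in bits: H(p) = -sum p(x) log2 p(x)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def entropy_series(flows, feature):
    """Per-bin entropy of one feature: the values a Time-series graph would plot."""
    return {b: entropy(to_distribution(feature_counts(flows, feature, {b})))
            for b in sorted({f[0] for f in flows})}


def cross_entropy(p, baseline_counts, alpha=1.0):
    """H(p, q) = -sum p(x) log2 q(x), with q the Laplace-smoothed baseline.
    Smoothing is an assumption: it keeps q(x) > 0 for values never seen in the
    baseline, so a new value raises the score instead of making it infinite."""
    support = set(p) | set(baseline_counts)
    denom = sum(baseline_counts.values()) + alpha * len(support)
    q = {x: (baseline_counts.get(x, 0) + alpha) / denom for x in support}
    return -sum(px * math.log2(q[x]) for x, px in p.items())


def score_bins(flows, feature, baseline_bins, threshold_bits):
    """Cross-entropy of every bin against the baseline bins; a bin is flagged
    abnormal when its score exceeds threshold_bits (assumed decision rule)."""
    base = feature_counts(flows, feature, set(baseline_bins))
    result = {}
    for b in sorted({f[0] for f in flows}):
        ce = cross_entropy(to_distribution(feature_counts(flows, feature, {b})), base)
        result[b] = (ce, ce > threshold_bits)
    return result


def abnormal_bins(flows, feature, baseline_bins, threshold_bits):
    """Sorted list of the bins flagged abnormal for one feature."""
    scores = score_bins(flows, feature, baseline_bins, threshold_bits)
    return sorted(b for b, (_, flagged) in scores.items() if flagged)


if __name__ == "__main__":
    for feat in FEATURES:
        print(feat, "entropy per bin:", entropy_series(FLOWS, feat))
    for b, (ce, flagged) in score_bins(FLOWS, "dst_port", [0, 1, 2], 2.5).items():
        print(f"bin {b}: cross-entropy {ce:.3f} bits, {'ABNORMAL' if flagged else 'normal'}")
```

Two points the numbers make visible. First, a raw entropy threshold is ambiguous: the constructed scan drives dst_port entropy up (3.0 bits against 1.5 in a normal bin) but drives src_ip entropy down to 0, so the direction of the deviation depends on the feature; scoring each bin by cross-entropy against a baseline flags it in both cases. Second, the baseline here is built from bins that are themselves being scored, which is in-sample; in a deployment the baseline should be a trailing window of windows already judged normal, and the threshold should be set from the spread of their scores rather than fixed by hand as it is here.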

Acknowledgements

This work was supported by National Natural Science Foundation of China (Grant No. 61402540) and the Key Laboratory of Hunan Province for New Retail Virtual Reality Technology (2017TP1026).

Author information

Correspondence to Jue Zhao.

Cite this article

Zhang, S., Shi, R. & Zhao, J. Seeflow: A Visualization System Using 2T Hybrid Graph for Characteristics Analysis of Abnormal Netflow. Wireless Pers Commun 101, 2127–2142 (2018). https://doi.org/10.1007/s11277-018-5808-0
