Monitoring Network Traffic with Radial Traffic Analyzer
Daniel A. Keim, Florian Mansmann, Jörn Schneidewind, Tobias Schreck
IEEE Symposium on Visual Analytics Science and Technology, 2006
Stefan Heinz, Seminar Visual Analytics

Motivation
● The Internet has become the information medium of first resort
● Each host on the network faces different threats in this environment
  – Malicious code
  – Denial-of-service attacks
  – Attempts to hijack a machine
[Figure: traffic paths between localhost, the local network and the Internet]
● How can we identify such threats?
● What kind of data is transferred between my computer and other computers on the network?
Network Monitoring
● Surveillance of important performance metrics
● Goal: supervise functionality, detect and prevent potential problems, and develop effective countermeasures against anomalies and sabotage
Data Set
Communication data is complex:
● Large amounts of data
● Real-time data
● Interrelationships between communication connections
● Relationships may vary over time

Data Set – Technical Background
The TCP/IP protocol stack shown against the seven OSI layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical. The same stack is present on both communicating hosts.

Where the monitored attributes come from:
● Network layer: IP, identified by the IP address (e.g. 192.168.23.42)
● Transport layer: TCP and UDP, identified by port numbers; the port allows packet-level data to be mapped to applications (e.g. 80 = http)
● Data link layer: MAC address

Data Set Attributes
● Time
● Source IP address & port
● Destination IP address & port
● Payload
Related Work
Stephen Lau, “The Spinning Cube of Potential Doom”, Communications of the ACM, 2004
Anita Komlodi et al., “A User-Centric Look at Glyph-Based Security Visualization”, IEEE Workshop on Visualization for Computer Security, 2005
Stefano Foresti et al., “Visual Correlation of Network Alerts”, IEEE Computer Graphics and Applications, 2006

How does this approach differ from these works?
● Brings together the complementary pieces of information
● Easier reading and interpretation
● Easier-to-understand metaphors

Radial Traffic Analyzer
Layout
● Attributes are mapped to different rings
● The user selects the important attributes to be displayed in the inner rings
● From the inside to the outside, the attributes are used successively for grouping and sorting

Why a radial layout?
● Better supports the task of finding suspicious patterns
● The user is not misguided to place more importance on an

Coloring Concept
● Distinct colors for IP addresses and ports
● Special colors
● Brightness for secure / unsecured
Radial Traffic Analyzer
Interactivity
● Positioning, and thus importance within the sorting order, can be changed using drag & drop operations
● Tooltips display the full label in the case of small segments, plus additional information (host name, possible application programs)
● Detailed information for a segment is accessible via a popup menu
● Different measures: transferred bytes, number of connections, number of sessions
● A mouse click filters / discards all traffic with the chosen attribute
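The layout and interactivity slides above describe one aggregation: flows are grouped by the attribute of the inner ring, each group is subdivided by the next ring's attribute, and so on outwards, with every segment sized by a measure such as transferred bytes or connection count. The following is an added example written for this page (not code from the paper or its authors) that implements that ring aggregation over a handful of constructed flow records; the field names, the `Segment` type and the `exclude` parameter are assumptions made here. Changing the order of the `rings` argument plays the role of the drag & drop reordering, and `exclude` plays the role of the mouse-click filter.

```python
"""Ring aggregation in the style of the Radial Traffic Analyzer.

Added example (not code from the paper): flow records are grouped
hierarchically by the attributes assigned to the rings, inner ring first,
and each segment gets an angular extent proportional to its measure
(bytes or connections) within its parent segment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample flows: (time, src_ip, src_port, dst_ip, dst_port, bytes).
# Made-up values for the example, not captured traffic.
FIELDS = ("time", "src_ip", "src_port", "dst_ip", "dst_port", "bytes")
FLOWS = [
    ("12:00:01", "192.168.23.42", 51234, "10.0.0.5", 80, 4200),
    ("12:00:02", "192.168.23.42", 51235, "10.0.0.5", 443, 8300),
    ("12:00:03", "192.168.23.42", 51236, "10.0.0.9", 443, 1500),
    ("12:00:04", "192.168.23.43", 51237, "10.0.0.5", 80, 700),
    ("12:00:05", "192.168.23.43", 51238, "10.0.0.7", 22, 2100),
    ("12:00:06", "192.168.23.44", 51239, "10.0.0.7", 22, 900),
]


@dataclass
class Segment:
    ring: int            # 0 is the innermost ring
    path: Tuple          # attribute values from the inner ring out to this one
    value: float         # measure of the flows in this segment
    start: float         # start angle in degrees
    end: float           # end angle in degrees


def measure(flows: Sequence[tuple], how: str) -> float:
    """Segment size: transferred bytes or number of connections (flows)."""
    if how == "bytes":
        return float(sum(f[FIELDS.index("bytes")] for f in flows))
    if how == "connections":
        return float(len(flows))
    raise ValueError(f"unknown measure {how!r}")


def layout(flows: Sequence[tuple], rings: Sequence[str], how: str = "bytes",
           exclude: Optional[Dict[str, object]] = None) -> List[Segment]:
    """Compute the segments of all rings for the given ring attribute order."""
    idx = {name: i for i, name in enumerate(FIELDS)}
    # Mouse-click filter: discard every flow carrying an excluded attribute value.
    for attr, val in (exclude or {}).items():
        flows = [f for f in flows if f[idx[attr]] != val]
    segments: List[Segment] = []

    def recurse(group, depth, path, start, end):
        if depth == len(rings) or not group:
            return
        col = idx[rings[depth]]
        buckets = defaultdict(list)
        for f in group:
            buckets[f[col]].append(f)
        total = measure(group, how)
        angle = start
        # Sorted keys give each ring a stable order, so views stay comparable.
        for key in sorted(buckets):
            sub = buckets[key]
            size = measure(sub, how)
            span = (end - start) * size / total
            segments.append(Segment(depth, path + (key,), size, angle, angle + span))
            recurse(sub, depth + 1, path + (key,), angle, angle + span)
            angle += span

    recurse(list(flows), 0, (), 0.0, 360.0)
    return segments


def ring(segments: List[Segment], r: int) -> List[Segment]:
    """Segments of one ring; the innermost ring is 0."""
    return [s for s in segments if s.ring == r]


if __name__ == "__main__":
    # Inner ring: source hosts; next: destination hosts; outer: destination ports.
    for s in layout(FLOWS, ("src_ip", "dst_ip", "dst_port")):
        print(f"ring {s.ring} {'/'.join(map(str, s.path)):<40} "
              f"{s.value:>8.0f} bytes  {s.start:7.2f}-{s.end:7.2f} deg")
    # Drag & drop: move dst_port to the inner ring and size by connections.
    for s in ring(layout(FLOWS, ("dst_port", "src_ip"), how="connections"), 0):
        print(f"port {s.path[0]}: {s.value:.0f} connections")
```

With bytes as the measure, the single host 192.168.23.42 takes about 285 of 360 degrees of the inner ring, while with connections as the measure it takes exactly half; comparing the two views is what exposes a few large transfers versus many small connections.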
Combining RTA with Geospatial Displays
Idea for HistoMap
● Retrieve country names for IP addresses using Maxmind's GeoIP database
● Use a squarified treemap layout
● Size of rectangles corresponds to traffic volume

Interactive Exploration of Data Traffic with Hierarchical Network Maps
Florian Mansmann, Svetlana Vinnik
● Display the distribution of source and target data traffic of network nodes
● Visualization of port activity
● Also a space-filling technique (TreeMap)

Layout
● Squarified treemap
● To obtain an almost static map layout, the total size of the network and its components is used (for user orientation)
● Nodes on the continent and country level preserve their relative geographical position
● Nodes on the other levels are sorted by IP address
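Both the HistoMap idea and the Hierarchical Network Maps layout above rely on a squarified treemap with rectangle area proportional to traffic volume. As an added example (not code from either paper), the block below aggregates bytes per country and lays them out with the squarify algorithm of Bruls, Huizing and van Wijk, which HistoMap and HNM cite as their layout. The IP-to-country table is a constructed stand-in for the GeoIP lookup, and the function and constant names are assumptions made here; the geographic ordering of continents and countries that HNM adds on top is not reproduced.

```python
"""Squarified treemap of traffic volume per country, as in HistoMap / HNM.

Added example, not the papers' code: a constructed IP-to-country table
stands in for the Maxmind GeoIP lookup, and the squarify algorithm lays
out one rectangle per country with area proportional to transferred bytes.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed data: per-destination byte counts and a hypothetical
# IP -> country table (a real deployment resolves this via GeoIP).
FLOW_BYTES = [("10.0.0.5", 6000), ("10.0.0.7", 4000), ("10.0.0.9", 3000),
              ("10.0.0.11", 2000), ("10.0.0.13", 1000)]
IP_COUNTRY = {"10.0.0.5": "US", "10.0.0.7": "DE", "10.0.0.9": "CN",
              "10.0.0.11": "US", "10.0.0.13": "FR"}

Rect = Tuple[str, float, float, float, float]   # label, x, y, width, height


def volume_by_country(flows: Sequence[Tuple[str, int]],
                      geo: Dict[str, str]) -> Dict[str, int]:
    """Aggregate bytes per country; unresolvable addresses go to '??'."""
    totals: Dict[str, int] = {}
    for ip, nbytes in flows:
        country = geo.get(ip, "??")
        totals[country] = totals.get(country, 0) + nbytes
    return totals


def worst_aspect(areas: Sequence[float], side: float) -> float:
    """Worst aspect ratio of a row of areas laid along a side of length `side`."""
    s = sum(areas)
    return max(side * side * max(areas) / (s * s),
               s * s / (side * side * min(areas)))


def squarify(weights: Dict[str, float], x: float, y: float,
             w: float, h: float) -> List[Rect]:
    """Squarified treemap: items in descending order are added to the current
    row along the shorter side as long as that does not worsen the row's worst
    aspect ratio; then the row is fixed and the remaining area is processed."""
    positive = {k: v for k, v in weights.items() if v > 0}
    total = float(sum(positive.values()))
    if total <= 0:
        return []
    scale = w * h / total
    items = [(k, v * scale) for k, v in sorted(positive.items(), key=lambda kv: -kv[1])]
    rects: List[Rect] = []
    i = 0
    while i < len(items):
        side = min(w, h)
        row = [items[i]]
        j = i + 1
        while j < len(items):
            cur = [a for _, a in row]
            if worst_aspect(cur + [items[j][1]], side) <= worst_aspect(cur, side):
                row.append(items[j])
                j += 1
            else:
                break
        row_area = sum(a for _, a in row)
        if w >= h:
            # Row runs top-down along the left edge and consumes width.
            rw = row_area / h
            yy = y
            for label, a in row:
                rh = a / rw
                rects.append((label, x, yy, rw, rh))
                yy += rh
            x, w = x + rw, w - rw
        else:
            # Row runs left-right along the top edge and consumes height.
            rh = row_area / w
            xx = x
            for label, a in row:
                rw = a / rh
                rects.append((label, xx, y, rw, rh))
                xx += rw
            y, h = y + rh, h - rh
        i = j
    return rects


if __name__ == "__main__":
    volumes = volume_by_country(FLOW_BYTES, IP_COUNTRY)
    for label, rx, ry, rw, rh in squarify(volumes, 0, 0, 100, 60):
        print(f"{label}: x={rx:6.1f} y={ry:6.1f} w={rw:6.1f} h={rh:6.1f} area={rw * rh:7.1f}")
```

The area of each rectangle equals its share of the total bytes times the canvas area, so the rectangles of a 100 by 60 canvas sum to exactly 6000 units; because rows are closed as soon as another item would worsen the aspect ratio, four equal volumes on a square canvas come out as four squares rather than four thin strips.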