NetflowVis: A temporal visualization system for netflow logs analysis

Abstract

Netflow logs record the interactions between host pairs on both sides of the monitored border, and have got more attention from researchers for security concerns. Such data allows analysts to find interesting patterns and security anomalies. Visual analytics provides interaction and visualization techniques that can support these tasks. In this paper, we present a system called NetflowVis to analyze communication patterns and network abnormalities from netflow logs. This system consists of four views, including the communication trajectories view, the traffic line view, the snapshot view and the protocol view. The communication trajectories view is a composite view that dynamically describes the communication trajectories. This view combines a link-node tree and an improved ThemeRiver. The protocol view is designed to display statistical data of the upstream and downstream traffic on different protocols, which is an improved radial view based on an area filling strategy. The system provides a multilevel analysis architecture for netflow cognition. In this paper, we also present a case study to demonstrate the effectiveness and usefulness of our system.