Abstract
Network anomaly analysis is an emerging subtopic of network security. A network anomaly refers to unusual behavior of network devices or a suspicious network status. A number of intelligent visual tools have been developed to enhance the ability of network security analysts to understand the original data and ultimately solve network security problems. This paper surveys current progress and trends in network anomaly visualization. After providing an overview of network anomaly data, visualization tasks, and applications, we elaborate on existing methods to depict various data features of network alerts, anomalous traffic, and attack pattern data. Directions for future studies are outlined at the end of this paper.
Acknowledgements
This work was supported by National Basic Research Program of China (973 Program) (Grant No. 2015CB352503), Major Program of National Natural Science Foundation of China (Grant No. 61232012), National Natural Science Foundation of China (Grant Nos. 61422211, u1536118, u1536119), Zhejiang Provincial Natural Science Foundation of China (Grant No. LR13F020001), and Fundamental Research Funds for the Central Universities.
Additional information
Conflict of interest: The authors declare that they have no conflict of interest.
About this article
Cite this article
Zhang, T., Wang, X., Li, Z. et al. A survey of network anomaly visualization. Sci. China Inf. Sci. 60, 121101 (2017). https://doi.org/10.1007/s11432-016-0428-2
DOI: https://doi.org/10.1007/s11432-016-0428-2