Security analysts examine gigabytes of network data on a daily basis looking for signs of intrusive behaviour. Command-line tools such as the System for Internet-Level Knowledge (SiLK) tool suite are helpful but the volume of data makes analysis difficult. We present the FloVis Netflow Visualization Framework, an extensible visualization platform meant to compliment tools such as SiLK for network analysis. Visualization is compelling because it allows the user to view significant portions of data at once and utilize his/her high bandwidth vision and pattern matching abilities for rapid data analysis. FloVis is unique because visualizations are dynamically loaded plugins within the framework, meaning that new visualizations can be added to the system as desired. In this thesis, we discuss the general framework along with three such plugins: FlowBundle, NetBytes Viewer and the SiLK Query Tool. FlowBundle shows connections between hosts on a network using bundling and node aggregation in order to reduce occlusion; NetBytes Viewer provides detailed host volume information per port/protocol over a time period using a 3D impulse graph; and, the SiLK Query Tool is a graphical front-end to the SiLK analysis tools for viewing raw NetFlow records in a tabular form. The system supports drill down and interaction between the different visualizations so that users can see the data in various ways. In addition to describing the existing state of FloVis, the thesis also discusses case studies as well as an informal user study. Finally, a discussion of the future direction of the framework is offered.
展开▼
