AVIST: A GPU Based Animated Visualization Toolkit for Network ...

AVIST: A GPU Based Animated Visualization Toolkit for Network Security
Analysts
Peng Mi ∗
Virginia Tech
Yong Cao †
Virginia Tech
Figure 1: The correlated data views of AVIST : histogram view (left top), dynamic view (right top), parallel coordinate view (left bottom), graph
view (right bottom).
ABSTRACT
In this paper, we develop an animated visualization toolkit, AVIST,
which utilizes the parallel computing capacity of GPUs for the visualization
and analyzing the large network security dataset from
VAST 2013 Mini Challenge 3. To help network security analysts
finding temporal patterns and detecting anomalies, AVIST also provides
other features: four coordinated views, three different complex
disjunctive data filters and time-synced visualization of multiple
datasets.
Index Terms: H.5.2 [Information Interfaces And Presentation]:
User Interfaces—Interaction Styles; C.2.0 [Computer Communication
Networks]: General
1 INTRODUCTION
We are entering the era of “Big Data”. And the challenges for the
design of visual analytical tool become the powerful data processing
algorithms and effective user interaction interfaces. A good tool
can help the analysts quickly finding anomalies and outliers from
huge data. In this paper, we develop our tool AVIST, which takes
massive computing power of GPUs for real time visual analytics of
the big data, such as the network datasets of VAST 2013 Challenge,
VAST 2012 Challenge[1].
2 USER INTERFACES DESGIN
AVIST supports multiple correlated data views, which includes histogram
view, parallel coordinate view, dynamic view and graph
∗ e-mail: mipeng@vt.edu
† e-mail:yongcao@vt.edu
view, all of views are controlled by control panel, as shown in Figure
1 .
The control panel allows the analysts to specify the time window
and time sampling range for the automatic animation playback. By
playing animation, four data views provide the visualization of temporal
changes, so the network analysts can easily find the hidden
temporal patterns during the time. Another advantage of the control
panel is the complex disjunctive data filters. Three different filters:
exclusive filters, negative exclusive filters and highlight filters
are provided for anomalies and outliers detection. Exclusive filters
and negative exclusive filters can remove uninterested data visualization,
avoid visual clutter to help analysts concentrating on the
interested data. Analysts can use the highlight filters to choose different
colors for highlighting different piece of data. Based on the
highlight information, analysts can compare and predict the data.
The third advantage is the time-synced visualization of multiple
datasets. VAST 2013 Mini Challenge 3 provides multiple independent
datasets, which share the same time period. Time-synced visualization
of multiple datasets help the analysts to understand the
anomalies and outliers from different datasets descriptions, which
can verify the analysts’s suspicion.
The histogram view shows the data distribution during the current
time window. Analysts can select different attributes of the
data in the listbox to change different data distribution information.
The dynamic view shows the count changes of certain events.
When analysts apply several highlight filters using different colors,
the highlight data visualization becomes stacked graphs.
The parallel coordinate view shows the details information of
the datasets. In parallel coordinate view, analysts can specify one
record from millions of records. Besides, the parallel axises can be
re-ordered based on the order of the attributes analysts clicked in
the listbox.
The graph view shows the relationship between any two user
selected attributes. AVIST uses the force directed layout algorithm

to generate the graph. Analysts also can tune several parameters to
make the layout friendly and beauty. Due to the GPU power, our
layout algorithm allows the analysts real time editing the graph.
3 SYSTEM DESIGN
To support the real time visual analytics of big data, we develop the
parallel algorithms for generating the geometry and rendering data.
Besides, we carefully organize the data flow of the AVIST to avoid
duplicated computing.
Finding 2: the peak of network traffic. During the time
06:36:16, 4/2/2013, nearly 4 millions of records flood in the network
in one minute. We choose the source IPs and destination IPs
to generate the graph, and find the graph has three branches and
the IP addresses: 172.10.0.6, 172.0.0.1 are the hubs of the network.
The finding is illustrated in Figure 4 and Figure 5 .
Figure 2: The data flow of the AVIST.
Figure 4: In the dynamic view, there are 4435845 records in the network
during the time 06:36:16, 4/2/2013 with the time window size 60
seconds. We use the red color to highlight the records of source IP
172.10.0.6, and green color to highlight the destination IP 172.0.0.1.
From the dynamic view, we learn that there is no records related
about the ip 172.0.0.1 before the peak time.
Figure 2 shows our data flow design of AVIST, which describes
the data process from the raw data to rendering VBOs. Based on the
filters, the filtered data is generated, which stores the indices of the
raw data records. In each data views, we develop the parallel algorithms
to generate the geometry data and rendering data. Because
all of the geometry and rendering data are on the GPU, so there is
no data transfer from the main memory to the GPU in the rendering
stage. This solution scales very well for the big data visual analytics.
Now, AVIST can support millions of records visualization.
4 CASE STUDIES
In the following, we give two findings of VAST 2013 mini challenge
3 based on the AVIST. More detailed explanation can be
found from the uploaded video.
Finding 1: suspicious behaviors of webmail servers. In
the week one network flow dataset, we find the webmail servers
172.30.0.3, 172.20.0.3 using their port 80 to scan the network during
the time from 3:30, 4/3/2013 to 6:50, 4/3/2013 from the visualization
of the parallel coordinate view, as shown in Figure 3 .
Figure 5: In the graph view, we generate graph based on the
4435845 records of Figure 4 by choosing the attributes of source
IPs and destination IPs. And we use red and green color to highlight
the hubs of the network.
Figure 3: In the parallel coordinate view, the webmail servers
172.30.0.3 and172.20.0.3 scan all available ports in the network.
Here, we apply the exclusive filter to UDP and OTHER protocols,
as well as source port 80 and destination port 80. We use the red
color to highlight the source IPs 172.30.0.3 and172.20.0.3, and green
color to highlight the destination IPs 172.30.0.3 and172.20.0.3 .
5 CONCLUSION
To support the big data visual analytics, especially the huge network
security datasets visualization, AVIST utilizes the parallel computing
capacity of GPUs for data processing and rendering. AVIST
also provides four correlated data views for visualization. To avoid
visual clutter, three kinds of DNF filters are provides. At last,
AVIST is an animation visualization toolkit for temporal pattern
recognition. Future work will include more user friendly interfaces
and more powerful parallel algorithms.
REFERENCES
[1] Y. Cao, R. Moore, P. Mi, A. Endert, C. North, and R. Marchany. Dynamic
analysis of large datasets with animated and correlated views. In
Visual Analytics Science and Technology (VAST), 2012 IEEE Conference
on, pages 283–284, 2012.