AVIST: A GPU Based Animated Visualization Toolkit for Network ...

to generate the graph. Analysts also can tune several parameters to
make the layout friendly and beauty. Due to the GPU power, our
layout algorithm allows the analysts real time editing the graph.
3 SYSTEM DESIGN
To support the real time visual analytics of big data, we develop the
parallel algorithms for generating the geometry and rendering data.
Besides, we carefully organize the data flow of the AVIST to avoid
duplicated computing.
Finding 2: the peak of network traffic. During the time
06:36:16, 4/2/2013, nearly 4 millions of records flood in the network
in one minute. We choose the source IPs and destination IPs
to generate the graph, and find the graph has three branches and
the IP addresses: 172.10.0.6, 172.0.0.1 are the hubs of the network.
The finding is illustrated in Figure 4 and Figure 5 .
Figure 2: The data flow of the AVIST.
Figure 4: In the dynamic view, there are 4435845 records in the network
during the time 06:36:16, 4/2/2013 with the time window size 60
seconds. We use the red color to highlight the records of source IP
172.10.0.6, and green color to highlight the destination IP 172.0.0.1.
From the dynamic view, we learn that there is no records related
about the ip 172.0.0.1 before the peak time.
Figure 2 shows our data flow design of AVIST, which describes
the data process from the raw data to rendering VBOs. Based on the
filters, the filtered data is generated, which stores the indices of the
raw data records. In each data views, we develop the parallel algorithms
to generate the geometry data and rendering data. Because
all of the geometry and rendering data are on the GPU, so there is
no data transfer from the main memory to the GPU in the rendering
stage. This solution scales very well for the big data visual analytics.
Now, AVIST can support millions of records visualization.
4 CASE STUDIES
In the following, we give two findings of VAST 2013 mini challenge
3 based on the AVIST. More detailed explanation can be
found from the uploaded video.
Finding 1: suspicious behaviors of webmail servers. In
the week one network flow dataset, we find the webmail servers
172.30.0.3, 172.20.0.3 using their port 80 to scan the network during
the time from 3:30, 4/3/2013 to 6:50, 4/3/2013 from the visualization
of the parallel coordinate view, as shown in Figure 3 .
Figure 5: In the graph view, we generate graph based on the
4435845 records of Figure 4 by choosing the attributes of source
IPs and destination IPs. And we use red and green color to highlight
the hubs of the network.
Figure 3: In the parallel coordinate view, the webmail servers
172.30.0.3 and172.20.0.3 scan all available ports in the network.
Here, we apply the exclusive filter to UDP and OTHER protocols,
as well as source port 80 and destination port 80. We use the red
color to highlight the source IPs 172.30.0.3 and172.20.0.3, and green
color to highlight the destination IPs 172.30.0.3 and172.20.0.3 .
5 CONCLUSION
To support the big data visual analytics, especially the huge network
security datasets visualization, AVIST utilizes the parallel computing
capacity of GPUs for data processing and rendering. AVIST
also provides four correlated data views for visualization. To avoid
visual clutter, three kinds of DNF filters are provides. At last,
AVIST is an animation visualization toolkit for temporal pattern
recognition. Future work will include more user friendly interfaces
and more powerful parallel algorithms.
REFERENCES
[1] Y. Cao, R. Moore, P. Mi, A. Endert, C. North, and R. Marchany. Dynamic
analysis of large datasets with animated and correlated views. In
Visual Analytics Science and Technology (VAST), 2012 IEEE Conference
on, pages 283–284, 2012.