Article

A Matrix-Based Visualization System for Network Traffic Forensics

Journal

IEEE SYSTEMS JOURNAL
Volume 10, Issue 4, Pages 1350-1360

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/JSYST.2014.2358997

Keywords

Cyber security; entropy; information visualization; traffic forensics; VAST challenge

Funding

  1. National Natural Science Foundation of China [61103108, 61402540, 61103096]
  2. National Science & Technology Pillar Program of China [2012BAH08B01]
  3. Hunan Provincial Science and Technology Program [2012RS4049]
  4. Hunan Provincial Natural Science Foundation [12JJ3062]


Network forensics requires analysts to reason efficiently about a variety of attack phenomena drawn from massive data. Visualization techniques can convert abstract data into visually salient graphics, so that forensic officers can extract useful information quickly. In this paper, we present a matrix-based visualization system for visual forensic analysis of otherwise unintelligible traffic datasets. The system consists of three collaborative views: the Timeline view, which integrates activity features and individual dispersions based on information entropy to give a perception of the overall time series; the Matrix view, which balances the expression of network structure against the distributions of IPs and ports for efficient event tracing; and the Historical view, which compares statuses across successive time slots for tracking dynamic trends. The system provides a multilevel analysis architecture and multifaceted perspectives for comprehensive cognition in traffic forensics. In case studies, we describe the forensic process of this system, including the identification of port scan, distributed denial of service, and botnet attacks, on the datasets of VAST Challenge 2013.
