Data Visualization of Network Traffic Across Time Spans and Traffic Types
Mark Platt, GIAC Certified Intrusion Analyst, has been researching the use of interactive visual discovery in the analysis of network traffic. Data visualizations can be a powerful tool for identifying patterns across linear time spans and traffic types, and then for quantifying the findings by a delta comparison that measures how intact those patterns remain in newly observed traffic.
According to Mark, "The power of how your product actually does visualize data trends and other non-static measures of quantifying traffic and data integrity is unique. I haven't seen anything else like it at all in this new age of 'data visualization' where most offerings are merely standard graphs and the like. Thank you!"
He logged network traffic from source to destination over time periods longer than 30 days in various scenarios and fed the information into ADVIZOR. In the parabox and multiscape charts, patterns were immediately visible in the data. "If you chart 30 days of internet traffic between sources and destinations using lines to represent the connections, you will observe unmistakable patterns which are self-similar and symmetrical by nature. Fractals. Measurable and quantifiable repetitive progressions of flow which can be a definition of normal or abnormal traffic integrity as defined by the pattern inherent in the span of data transfer across a linear axis."
Mark's research led him to some interesting and significant discoveries. "En route from point A to B the many stops and redirected information madness actually gives us a quite ordered sub-world where data traffic can be defined via patterns from said points of data in transit. Even a simple CSV file fed into the ADVIZOR data visualization platform with the proper fields and relations thereof in the proper places will generate the pattern that tells the story of the traffic. The patterns often are not just composed of repetitive iterations but the entire patterns of traffic repeat as well, like the holographic model of information within systems."
According to Mark, "With Advizor and NO OTHER tool so far, one can animate by the time field or another linear field to replicate the pattern in motion. Observing the pattern forming as it did in the time frame during which the data was being communicated between network devices, you can find the points where the pattern re-iterates or ends/begins. From there one can quantify the pattern for measurement and model it. When a delta comparison is made between a model of network traffic from a pattern extracted from normal traffic, anomalies can be detected which can indicate security concerns or emergent phenomena."
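The workflow Mark describes (extract a pattern from a window of normal traffic, then make a delta comparison against later traffic to surface anomalies) can be reduced to a short script. The following is an added example written for this page; it is not ADVIZOR code and not Mark's own tooling. It assumes a flow log exported as CSV with `timestamp`, `src`, `dst` and `bytes` columns, constructs eight days of sample flows inline (addresses are from documentation ranges), builds an hour-of-day baseline per source/destination pair from the first seven days, and flags hours on the eighth day whose flow count deviates from that baseline by more than three standard deviations. The z-score threshold and the standard-deviation floor are assumptions chosen for the example.

```python
"""Baseline-and-delta comparison of hourly flow counts (added example)."""
import csv
import io
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_log(days=8, burst_day=8, burst_hour=3, burst_count=40):
    """Constructed sample: one src/dst pair, 8 days of flows.

    Days 1-7 follow a diurnal pattern (8 flows/hour 08:00-17:59, 2 at night).
    Day 8 repeats the pattern except for a burst of 40 flows at 03:00.
    """
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timestamp", "src", "dst", "bytes"])
    start = datetime(2024, 1, 1)
    for d in range(days):
        for h in range(24):
            n = 8 if 8 <= h < 18 else 2
            if d + 1 == burst_day and h == burst_hour:
                n = burst_count
            for i in range(n):
                ts = start + timedelta(days=d, hours=h, minutes=i)
                w.writerow([ts.isoformat(), "10.0.0.5", "203.0.113.7", 512])
    return out.getvalue()


def parse_flows(text):
    """Return a list of (timestamp, src, dst, bytes) tuples from CSV text."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(r["timestamp"]),
                     r["src"], r["dst"], int(r["bytes"])))
    return rows


def hourly_counts(flows):
    """Count flows per (src, dst, date, hour-of-day) bucket."""
    counts = Counter()
    for ts, src, dst, _ in flows:
        counts[(src, dst, ts.date(), ts.hour)] += 1
    return counts


def build_baseline(flows, baseline_days, std_floor=1.0):
    """Per (src, dst, hour-of-day): mean and std of the hourly count over
    baseline_days. Missing buckets count as 0 so quiet hours are modelled
    too; std_floor (assumed) keeps a perfectly regular baseline from
    producing a zero divisor."""
    counts = hourly_counts(flows)
    pairs = {(src, dst) for src, dst, _, _ in counts}
    base = {}
    for src, dst in sorted(pairs):
        for hour in range(24):
            xs = [counts.get((src, dst, day, hour), 0) for day in baseline_days]
            mean = sum(xs) / len(xs)
            var = sum((x - mean) ** 2 for x in xs) / len(xs)
            base[(src, dst, hour)] = (mean, max(math.sqrt(var), std_floor))
    return base


def find_anomalies(flows, baseline, day, threshold=3.0):
    """Delta comparison: hours on `day` whose count deviates from the
    baseline by more than `threshold` standard deviations."""
    counts = hourly_counts(flows)
    hits = []
    for (src, dst, hour), (mean, std) in sorted(baseline.items()):
        observed = counts.get((src, dst, day, hour), 0)
        z = (observed - mean) / std
        if abs(z) > threshold:
            hits.append((src, dst, hour, observed, round(mean, 1), round(z, 1)))
    return hits


def demo():
    """Baseline on days 1-7 of the constructed log, compare day 8."""
    flows = parse_flows(make_sample_log())
    days = sorted({ts.date() for ts, *_ in flows})
    baseline = build_baseline(flows, set(days[:7]))
    return find_anomalies(flows, baseline, days[7])


if __name__ == "__main__":
    for hit in demo():
        print("anomaly: src=%s dst=%s hour=%02d observed=%d expected=%.1f z=%.1f" % hit)
```

On the constructed log the only flagged bucket is 03:00 on day 8, where 40 flows appear against a baseline of 2. The same structure applies to a real export: replace `make_sample_log()` with the file contents, choose the baseline days, and inspect the returned tuples. The z-score is a deliberately simple stand-in for the pattern model; a real baseline would also need to handle pairs that first appear outside the baseline window, which this example reports as deviations from an all-zero baseline.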