Supporting the Visualization and Forensic Analysis of Network Events

Doantam Phan, Ph.D. Dissertation, Stanford University, December 2007

Abstract

The flow of traffic among computers on the Internet, the exchange of goods and services between countries, or the propagation of an epidemic in a population are all examples of causally connected measurable events in a network. Understanding the behavior of such networks often requires the ability to discover temporal connections among the events in a large data set. The problem is that relevant events are hard to identify automatically, so the investigator must organize events into a narrative sequence by hand. The investigation process often requires backtracking and multiple comparisons, which is not well supported by current tools. This dissertation contributes new interactive visualization techniques for analyzing, organizing, and presenting network event data at multiple levels of detail for the purpose of forensic analysis - tracking down causal sequences of importance.

The first contribution is a technique that supports event analysis, called progressive multiples. We combine ideas from progressive disclosure, which reveals data to the user on demand; small multiples, which allow users to compare many images at once; and Bertin’s reorderable matrices. Analyzing events requires inspecting the communication history of the network and the ability to change the investigative focus through pivoting. Dynamic event plots and timelines provide visual recognition of temporal patterns and comparisons through juxtaposition. Affordances are provided to explore the space of events. A structured layout provides a history of exploration and supports backtracking. Our techniques are instantiated in a system for network incident investigation, Isis, which we validated with a long-term collaboration and deployment with the principal network analyst of the EE and CS departments at Stanford University.

The second contribution is a technique for automatically generating flow maps, which present summaries of network topology and behavior at a higher level than event plots and timelines. Cartographers have long used flow maps to show the movement of objects from one location to another. Hierarchical clustering is used to generate the maps much faster than was previously possible. Our technique has been adopted by a diverse group of users to depict the flow of computer networks, documents, and international ecological trade.

Also see http://hci.stanford.edu/research/isis

Dissertation (PDF)

Supporting the Visualization and Analysis of Network Events (PDF)

Defense Slides (PDF)