
Research On Visual Analytics For Behavior And Connection Patterns Of Network Hosts

Posted on: 2021-01-17
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yan
GTID: 2518306107482874
Subject: Software engineering
Abstract/Summary:
With the rapid development of network communication technology, modern society requires more advanced technologies for network security. As the main data source for grasping the network security situation and discovering network anomalies, the analysis of network security logs has always been a focus of industry research. Visual analysis combines the high-efficiency cognitive ability of human vision, the logical judgment ability of the human brain and the high-speed computing ability of the modern computer. It solves the problems in traditional log analysis work and is an ideal way for network security analysts to grasp the overall characteristics of the network, locate network anomalies, and find threatening hosts.

However, plenty of problems in network security visual analysis still need to be solved. Firstly, there is no proper method to unify multi-source, heterogeneous network security log data. Secondly, how to reasonably visualize the behavior modes of nodes in a network and the connection modes between those nodes is still a tough problem. Thirdly, network security analysts need powerful tools to help them build a complete, reasonable and clear line of analysis, so as to improve analysis efficiency and find hidden information.

Starting from these issues, we integrate the common structural characteristics of multi-source network security logs, propose a reasonable data fusion method and visual analysis scheme, and verify the feasibility of the scheme through specific case analysis. The specific work includes:

(1) We propose a reasonable data fusion method. This research refers to the Netflow log data format and uses 6 basic dimensions as the entry point for combining multi-source network security log data, in order to integrate the basic information of network security logs from different sources into a unified format.

(2) We select appropriate visual view designs and modify them. According to the current problems and user needs, we combine the sunburst graph and the hive plot graph to represent the behavior modes and connection patterns of nodes in the network. We propose a novel graph design scheme named Link Wheel Graph to represent the working details of major ports during specific IPv4 connections. Meanwhile, we select the force-directed graph and the multiple sequent chart to represent specific information about IPv4 behaviors and IPv4 connections.

(3) We determine and implement the visual analysis research scheme. This research proposes a four-layer visual analysis process architecture. Based on user-centered design principles, a proper development environment is chosen to implement the corresponding visual analysis system. This includes data preprocessing in the back-end part of the system, visual data mapping in the front-end part of the system, drawing views, adding interactions, and improving the system's analysis processes.

In this research, we use the data source provided by ChinaVis 2016 Challenge I to verify the practicality of the visual analysis solution. After verification, the visual analysis scheme of this study is shown to be reasonably designed, which means it can comprehensively and systematically help security analysts efficiently summarize the behavior modes and connection modes of IPv4 addresses in the network, and find abnormal behavior and suspicious hosts from them.
Keywords/Search Tags:Cyber Security, Data Visualization, Visual Analysis, Visual Graph Design, Netflow Logs