NetBytes Viewer: An Entity-Based NetFlow Visualization Utility for Identifying Intrusive Behavior

NetBytes Host Viewer is an interactive visualization tool designed to show the historical network flow data per port of an individual host machine or subnet on a network over time, using a 3D impulse graph plot. Such visualizations allow network administrators to quickly and effectively diagnose infected or malfunctioning computers by viewing data transmission patterns for each port on the entity. NetBytes has a set of interactive features which help to deal with the problems associated with displaying a 3D graph on a 2D screen. First, NetBytes offers a “selector” mode which allows the user to highlight specific ports (or times) on the graph using a slider and snap buttons. From the selector, the user can launch a set of 2D graphs (Bytes vs. Time and Bytes vs. Ports) to acquire more detailed information about the host with less clutter. Lastly, the user is able to rotate the 3D graph in any direction to mitigate occlusion. The long term objectives of this work include the integration of the NetBytes Viewer with complementary visualizations of the overall network. This application will integrate with a larger network analysis tool and be utilized as a drill-down mechanism. 1