Complexity is the enemy of security. Networks have become more complex in terms of size, topology,
and especially traffic flows. Traffic flows are faster and the number of different applications generating
flows grows continuously. While network traffic is an ideal place to monitor for security events since all
security events leave some form of network trace, there is a major problem in that security events can
also be concealed among the vast amount of legitimate traffic. It is often difficult just to capture and
store network traffic, so analyzing and detecting attacks in near-real-time with current command-line-driven,
text-based tools can be especially challenging for non-experts.
However, humans excel at visual processing and identifying abnormal visual patterns. Visualization
tools can translate the myriads of network logs into animations that capture the patterns of network
traffic in a succinct way, thus enabling users to quickly identify abnormal patterns that warrant closer
examination. Such visualization tools enable network administrators to sift through gigabytes of daily
network traffic more effectively than searching text-based logs.
VisFlowConnect-IP visualizes network traffic as a parallel axes graph with hosts as nodes and traffic
flows as lines connecting these nodes. These graphs can then be animated over time to reveal trends.
VisFlowConnect-IP has these distinguishing features: (1) it uses animations to visualize network traffic