Proposed InfoVis 2004 Project

The Network Pixel Map (an example is shown in Figure 1) is a high-density visualization of Internet Protocol (IP) addresses seen on the network. I am using this pixel-oriented[1] display as part of my research[2] on computer security visualization.

Figure 1: An example network pixel map displaying 8513 IP addresses

The figure shows 8,513 distinct hosts seen during a week of monitoring on a machine in the HCI lab (McBryde 102). The source code and some data for the prototype of this visualization are located at [3] and [4] respectively. The host addresses plotted in the figure have been categorized (somewhat arbitrarily) into five trust levels (Home, Trusted, Safe, Untrusted, and Danger) as shown in Figure 2. Each trust level boundary is shown as a light-colored ring. The ring widths are not equal because a root polar layout has been used to accentuate the home area. The color of each marker is selected from a continuous spectrum that represents the relative value of the host's IP address on a continuum from 0.0.0.0 (integer value 0) to 255.255.255.255 (integer value 4,294,967,295). Lower values fall toward the red end of the spectrum, while higher values fall toward the violet end. Within each trust ring, markers are placed via polar layout, where the integer value of the first two octets (0 to 65,535) determines the relative distance from the center of the plot, and the last two octets determine the radial angle (polar coordinate theta). The small display area has resulted in much overlap of markers, especially in the 128.173.0.0/16 range (the CIDR block used for Virginia Tech's academic networks).

The layout of the network pixel map is a series of concentric circles with the center being most trusted and the trust level decreasing as you move further from the center (see Figure 9). The reason for this layout was twofold: (1) there are more hosts on the Internet than there are in the home network, (2) the security of the home network is central, so the placement should reflect this.

Figure 2: Network Pixel Map Layout

A problem arose when plotting IP addresses as points in a polar layout: the distribution of points was warped with the greatest density in the center and the least at the outskirts. A normal polar coordinates transformation of a Cartesian plot thus appeared to be suboptimal. Polar representation cluttered the center of the layout just where the user's greatest interest lay. I attempted an adaptive density approach, but finally settled on a square root rho transform that gave acceptable results for uniformly distributed data.[3]
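The placement rule and the square root rho transform described above can be sketched as follows. This is an added example, not the prototype's code: the function names are hypothetical, each trust ring is assumed to receive an equal share of the untransformed radius, and hue is normalized to the range 0 (red end) to 1 (violet end).

```python
import ipaddress
import math

# Trust rings named on the page, innermost first.
TRUST_LEVELS = ["Home", "Trusted", "Safe", "Untrusted", "Danger"]
MAX_IP = 2**32 - 1  # integer value of 255.255.255.255


def _transform(root):
    """Radius transform: square root rho, or plain (linear) polar."""
    return math.sqrt if root else (lambda u: u)


def place_host(ip, trust, root=True):
    """Return (rho, theta, hue) for one IPv4 host.

    rho is in [0, 1), theta is in radians, hue runs 0 (red) to 1 (violet).
    """
    value = int(ipaddress.IPv4Address(ip))
    hi, lo = value >> 16, value & 0xFFFF  # first two / last two octets
    ring = TRUST_LEVELS.index(trust)
    # Assumption: every ring owns an equal slice of the untransformed radius.
    u = (ring + hi / 65536) / len(TRUST_LEVELS)
    rho = _transform(root)(u)
    theta = 2 * math.pi * lo / 65536
    return rho, theta, value / MAX_IP


def ring_bounds(root=True):
    """Inner and outer radius of every trust ring."""
    f, n = _transform(root), len(TRUST_LEVELS)
    return {t: (f(i / n), f((i + 1) / n)) for i, t in enumerate(TRUST_LEVELS)}


def fraction_inside(radius, root, samples=10000):
    """Share of evenly spread radius inputs whose marker lands within `radius`."""
    f = _transform(root)
    hits = sum(1 for k in range(samples) if f((k + 0.5) / samples) < radius)
    return hits / samples


if __name__ == "__main__":
    # Constructed sample host in the 128.173.0.0/16 block mentioned above.
    print(place_host("128.173.14.2", "Home"))
    for name, (inner, outer) in ring_bounds().items():
        print(f"{name:10s} {inner:.3f} .. {outer:.3f}")
    # The disc of radius 0.5 covers 25% of the plot area.
    print(fraction_inside(0.5, root=False), fraction_inside(0.5, root=True))
```

With the plain polar mapping, half of the evenly spread inputs land in the inner quarter of the plot area, which is the central clutter described above; with the square root transform the share matches the area, and the Home ring comes out widest.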

There are numerous open questions about the layout and semantic encodings in this particular visualization, and the purpose of this project is to help answer some of these. The following semantic (meaning) elements can be represented by this visualization:

  • Age of activity: How recently traffic was seen to/from this host.
  • Frequency of activity: How often this host receives/transmits.
  • Novelty of activity: The host is novel if traffic to/from it has never been seen before.
  • IP address value: The integer equivalent of IP address.
  • Trust level: Possible values are: Home, Trusted, Safe, Unknown, and Danger.
  • CIDR block organization of addresses: The internal assignment strategy of hosts to networks.

These semantic elements can be encoded visually in a number of ways, including:

  • Hue of markers
  • Brightness of markers
  • Motion/flashing of markers
  • Marker radius
  • Distance from center (rho coordinate)
  • Angle (theta coordinate)

The following is a list of selected open research questions regarding this visualization:

  • Is trust a useful layout parameter?
  • What layout of the map is most effective: Cartesian, polar, root polar, or some other layout?
  • What information should be encoded in the color of the marker dots?
  • Should the markers be single pixels or should size be encoded meaningfully?
  • Is hue an acceptable encoding for continuous-valued semantic elements?
  • Does brightness variation have sufficient resolution to encode useful meanings?
  • Under what circumstances should overlap of host markers be resolved?
  • What information should be shown when the user selects a host dot?
  • What kinds of zooming, filtering, etc. would be useful to users?

Here are some ideas for the kinds of projects that would help me in this research:

  1. Use the source code[3] and data[4] to test different kinds of layouts with users. Generate or gather data for 1K, 10K, 100K or other numbers of hosts. Find out how long it takes users to locate a particular IP address in the sea of multi-colored markers given different layouts and different numbers of hosts. Try to quantify the effects of fixing collisions on user performance.
  2. Modify the existing Network Pixel Map[3] to get its data from a real stream of packet data. Try using the visualization to represent age of activity or some other semantic element(s) that it doesn’t already represent.
  3. Design your own high-density map of IP addresses and test it using the data in [4] or your own data. Your implementation should permit plotting from 10 to about 100,000 hosts. Note that IP addresses are not distributed uniformly—your data source may skew the results.

You may discuss related project ideas with me, and I’ll be happy to consider them. Also, I am available to answer questions via e-mail: .

References:

[1] Keim, D.A. Designing pixel-oriented visualization techniques: theory and applications. Visualization and Computer Graphics, IEEE Transactions on, 6 (1). 59-78.

[2] Fink, G. A., End-to-End Visualization of TCP/IP Data, a dissertation research proposal, 2004.

[3] Network Pixel Map prototype source code,

[4] Network Pixel Map prototype data,

[5] Fink, G. A., Adaptive Polar Layout of Internet Address Data,