Article ID: 430452
Journal: Journal of Computational Science
Published Year: 2010
Pages: 6 Pages
File Type: PDF
Abstract

In this paper, we present an interactive visualization and clustering algorithm for real-time multi-attribute digital forensic data such as anomalous network events. In the model, glyphs are defined with multiple network attributes and clustered with a recursive optimization algorithm for dimensional reduction. The user's visual latency time is incorporated into the recursive process so that it updates the display and the optimization model according to the human factor and maximizes the capacity of real-time computation. An interactive search interface is developed to enable the display of similar data points according to the similarity of their attributes. Finally, typical anomalous network events, such as password guessing, are analyzed and visualized. This technology is expected to have an impact on real-time visual data mining for network security, sensor networks and many other multivariable real-time monitoring systems. Our usability study shows a decent accuracy of context-independent glyph identification (89.37%) with a high precision for anomaly detection (94.36%). The results indicate that, without any context, users tend to classify unknown patterns as possibly harmful. On the other hand, in the dynamic clustering (context-dependent) experiment, clusters of extremely unusual glyphs normally contain fewer packets. In this case, the packet identification accuracy is remarkably high (99.42%).

Related Topics
Physical Sciences and Engineering Computer Science Computational Theory and Mathematics