- Serve the project:
python -m http.server 8000 - Browser: Chrome, full-screen (1920x1080 recommended)
- Have the folder dataset loaded:
packets_data/attack_flows_day1to5/ - Close other tabs for a clean look
URL: http://localhost:8000/attack_timearcs.html
- Page loads with "Waiting for data..." status
- The folder-based dataset auto-loads from
packets_data/attack_flows_day1to5/ - Progress bar fills as chunks stream in
- Narration: "This is the TimeArcs view. It shows network communication between IP addresses over a 5-day window. Each arc represents traffic between two IPs, colored by attack type."
- Point out the top axis (timeline spanning ~5 days)
- Point out the IP labels on the left (vertical node list)
- Point out the colored arcs connecting IPs across time
- Open the Attack Types legend panel (bottom-right floating panel) — show the color coding:
- Purple = DDoS
- Pink = Spambot / client compromise
- Orange = C2-based
- Teal = Post-phishing C2
- Green = Other
- Narration: "Each arc connects a source and destination IP at the time an event occurred. The color tells us the attack category."
- Hover over a purple (DDoS) arc — tooltip shows: source IP, destination IP, timestamp, event type
- Hover over an orange (C2) arc — compare the tooltip info
- Hover over an IP label — all connected arcs highlight
- Narration: "Hovering reveals details. Hovering an IP highlights all its connections, showing which IPs it communicated with."
- Drag the Compression slider from 3x to 6x — arcs spread out in the focus region
- Use arrow keys to move the bifocal focus region across the timeline
- Show the bifocal region indicator updating (e.g., "Focus: 35% - 65%")
- Narration: "The bifocal lens lets us magnify a time region while keeping the full dataset visible. Arrow keys move the focus window."
USE CASE PLACEHOLDER: DDoS Attack Inspection
- Identify a cluster of purple (DDoS) arcs targeting a single internal IP (e.g.,
172.28.4.7) - Click and drag on empty space to draw a selection rectangle around the DDoS cluster
- A numbered selection box appears with a blue dashed border
- The Brush Status updates: "Selected: N arcs, M IPs"
- Narration: "I'll select this cluster of DDoS activity targeting 172.28.4.7. The brush captures all arcs and IPs within the rectangle."
- Click the "View Details" button on the selection box
- A new tab opens:
ip_bar_diagram.html?fromSelection=... - The TCP Analysis view auto-loads with:
- Pre-selected IPs from the TimeArcs selection
- Zoomed to the selected time range
- Data loading from the same dataset
- Narration: "Clicking 'View Details' opens the TCP Analysis view, pre-filtered to the exact IPs and time range I selected. No manual setup needed."
- Point out the main chart — arcs/circles showing individual packets between IP pairs
- Point out the sidebar — IP selection checkboxes, flag stats, IP stats
- Point out the overview chart at the bottom (stacked bars showing flow health)
- Point out the zoom controls (+/- buttons, time range indicator)
- Narration: "This view shows individual TCP packets. Each mark is a packet, positioned on an arc between source and destination. The overview at the bottom summarizes flow health across time."
- Start in Arc View (Circles) — default mode
- Switch to Stacked Bars View via the sidebar radio button
- Show how the same data appears as stacked bars colored by TCP flag:
- Red = SYN
- Orange = SYN+ACK
- Green = ACK
- Blue = PSH+ACK
- Purple = FIN
- Dark grey = RST
- Switch back to Arc View
- Narration: "Two view modes: Arc View shows individual packet timing; Stacked Bars shows volume distribution by TCP flag type."
- Use the + button to zoom into the time range of interest
- Or drag the overview brush to narrow the visible window
- Show the zoom indicator updating with the current time range
- Zoom in enough to see individual SYN/SYN+ACK/RST patterns
- Narration: "Zooming in reveals the packet-level structure. Watch how the resolution adapts — coarse bins at overview level, individual packets when zoomed."
USE CASE PLACEHOLDER: DDoS — RST During Handshake
- Look at the overview chart stacked bars
- Point out the color coding:
- Green = Graceful close (normal)
- Dark green = Abortive (RST-based close)
- Purple = RST during handshake
- Orange = Incomplete (no SYN+ACK)
- Red = Invalid ACK
- In a DDoS scenario, expect heavy purple (rst_during_handshake) bars
- Narration: "The overview chart shows flow health. In this DDoS attack, we see massive purple bars — RST during handshake — indicating the server is rejecting connection floods."
- Click a bar in the overview chart
- The Flow List Modal opens showing all flows in that time bin
- Point out columns: source port, destination port, close type, packet count
- Use the search box to filter (e.g., type "rst" to show RST-related flows)
- Narration: "Clicking a bar opens the flow list. Each row is a TCP flow. I can search and filter to find specific patterns."
- In the flow list, click a flow row to select it
- Click "View Packets" button
- The main chart zooms to show that flow's packets as arcs:
- SYN (red) → RST (dark grey) = failed handshake
- SYN (red) → SYN+ACK (orange) → ACK (green) → data → FIN = normal flow
- Narration: "View Packets shows the exact TCP state machine for this flow. In this DDoS flow, we see a SYN immediately followed by RST — the server rejecting the connection attempt."
- Toggle Show Establishment Phase off — SYN/SYN+ACK/ACK arcs disappear
- Toggle it back on
- Toggle Show Closing Phase off — FIN/RST arcs disappear
- Toggle Show Data Transfer Phase off — PSH+ACK arcs disappear
- Narration: "Phase toggles let you isolate handshake, data transfer, or teardown. Useful for spotting anomalies in specific phases."
- In the sidebar, check "Show Ground Truth Event Boxes"
- Colored rectangles appear on the main chart, overlaying time periods
- Each box = a known attack event from the ground truth dataset
- Hover a box — tooltip shows: event type, source IP, destination IP, time window
- Narration: "Ground truth overlays show known attack events from the labeled dataset. We can validate whether our visual analysis matches the documented attacks."
USE CASE PLACEHOLDER: Confirm DDoS Timing
- Show a cluster of RST-heavy traffic in the main chart
- Show the ground truth box labeled "ddos" overlapping the same time range
- Narration: "The RST flood we identified visually aligns perfectly with the labeled DDoS event in the ground truth, confirming our analysis."
USE CASE PLACEHOLDER: C2 Heartbeat Detection
- Return to TimeArcs tab
- Clear the previous brush selection (click "Clear")
- Find orange (C2-based) arcs — look for periodic, evenly-spaced arcs between two IPs
- Brush-select the C2 cluster → "View Details"
- In TCP Analysis:
- Expect regular, small PSH+ACK packets at fixed intervals (heartbeat pattern)
- Flow close types mostly graceful (short-lived C2 check-in sessions)
- Enable ground truth → confirm "c2" or "c2_heartbeat" label
- Narration: "C2 traffic looks different from DDoS. These are periodic, small connections — a compromised host checking in with its controller. The regularity is the giveaway."
USE CASE PLACEHOLDER: Nmap Scan Detection
- Return to TimeArcs tab
- Find arcs labeled with scan-related events (check legend for scan types)
- Brush-select → "View Details"
- In TCP Analysis:
- Expect many SYN packets to different destination ports from a single source
- Most flows: incomplete_no_synack (open ports) or rst_during_handshake (closed ports)
- Overview chart dominated by orange (incomplete) and purple (RST) bars
- Narration: "A port scan generates hundreds of SYN packets to sequential ports. Closed ports respond with RST; open ports respond with SYN+ACK. The overview chart makes the pattern obvious."
USE CASE PLACEHOLDER: Spambot Activity
- Return to TimeArcs tab
- Find pink (spambot) arcs — often one internal IP connecting to many external IPs
- Brush-select → "View Details"
- In TCP Analysis:
- Expect many outbound connections from a single internal IP
- Flows are typically short-lived, graceful closes (SMTP connections)
- High volume of distinct destination IPs
- Check IP Statistics in sidebar — one IP has disproportionate outbound connections
- Narration: "The compromised host is sending spam — hundreds of short SMTP sessions to unique external IPs. The fan-out pattern in the arc view is characteristic of spambot activity."
USE CASE PLACEHOLDER: Post-Phishing Exfiltration
- Return to TimeArcs tab
- Find teal (post-phishing C2) arcs — look for sustained connections
- Brush-select → "View Details"
- In TCP Analysis:
- Expect long-duration flows with large PSH+ACK packets (data being sent out)
- Asymmetric traffic: much more data in one direction
- Flows are graceful close (attacker cleanly terminates after exfil)
- Switch to Stacked Bars view to see the volume disparity
- Narration: "Exfiltration flows are long-lived with heavy data transfer in one direction. The stacked bar view makes the asymmetry clear — large blue PSH+ACK bars indicate bulk data movement."
- Arrange both tabs side by side (or switch between them)
- Narration: "The two views are complementary. TimeArcs gives the macro view — who is attacking whom, when, and what type. TCP Analysis gives the micro view — individual packets, TCP state machines, and flow health. Together, they enable investigation from overview to packet-level detail."
- "TimeArcs for pattern recognition and attack clustering"
- "Brush selection for seamless drill-down"
- "TCP Analysis for packet-level forensics"
- "Ground truth validation for confirmed findings"
- "Multi-resolution loading for performance at scale"
| Act | Content | Suggested Duration |
|---|---|---|
| 1 | TimeArcs orientation | 2-3 min |
| 2 | Selection & navigation | 1-2 min |
| 3 | TCP Analysis orientation | 2-3 min |
| 4 | Flow analysis deep-dive | 3-4 min |
| 5 | Ground truth validation | 1-2 min |
| 6 | Attack type use cases (pick 2-3) | 3-5 min each |
| 7 | Summary | 1 min |
Total: 15-25 min depending on how many use cases you include.
- Mouse movements: Slow and deliberate. Pause on tooltips for readability.
- Zooming: Zoom in steps so viewers can track the transition.
- Narration pace: Pause after each visual change to let viewers absorb.
- Fallback: If the
fromSelectionauto-load fails (popup blocker), manually navigate toip_bar_diagram.htmland select the same IPs via the sidebar checkboxes. - IP addresses to feature:
172.28.4.7is a frequent DDoS target and appears in many flows — good anchor IP for the demo.
| Color | Category |
|---|---|
| Purple | DDoS |
| Pink | Spambot / client compromise |
| Orange | C2-based |
| Teal | Post-phishing C2 |
| Green | Other |
| Dark grey | Normal |
| Color | Flag |
|---|---|
| Red | SYN |
| Orange | SYN+ACK |
| Green | ACK |
| Blue | PSH+ACK |
| Purple | FIN |
| Light purple | FIN+ACK |
| Dark grey | RST |
| Dark red | ACK+RST |
| Color | Type | Meaning |
|---|---|---|
| Green | Graceful | Normal FIN teardown |
| Dark green | Abortive | RST-based close |
| Purple | RST during handshake | Reset before session established |
| Orange | Incomplete (no SYN+ACK) | Server never replied |
| Yellow | Incomplete (no ACK) | Client never completed handshake |
| Red | Invalid ACK | Malformed handshake completion |
| Grey | Ongoing | Still-active connection |