Comments on: Displaying Time in Link Graphs

By: Bob

Bob — Thu, 05 Feb 2009 03:00:56 +0000

Here’s a quick example using a single color showing initialization time.

http://img11.imageshack.us/img11/2064/testxn3.gif

And another showing start/end time.

http://img18.imageshack.us/img18/7630/testrg4.gif

Not perfect, but not bad either…16-20 is probably the max usable gradients.

By: Bob

Bob — Thu, 05 Feb 2009 01:58:45 +0000

A simple variation of what Cappella posted above makes sense to me. Using a simple grayscale model with 16-32 levels would likely be usable without cluttering the graph. The question is how to assign the colors…there seem to be several reasonable approaches that are likely to have widely different levels of implementation complexity.

1 – A simple linear scale, with time broken into n intervals and links colored based upon the interval in which they were started. Black is most recent (freshest) and lighten over time.

2 – A logarithmic scale, like the above, with greater resolution for recent events.

1/2a – A variation of either of the above where duration of the link is encoded by a gradient in the line…the originating side encoded with the start time, and the destination side encoded with the end time (up to and including black for current).

3 – A ‘node relative’ scale, with each node having links colored based upon the sequence/time that the link was established with the node relative to other links to the node. Would be screwy to look at, but might provide good sequencing information when looking at things like outbreaks. Gradients may be required here as well to properly encode the sequence.

This approach could be used for the node itself as well by coloring the border to indicate when it was introduced to the graph.

Great stuff.

By: Dustin Burke

Dustin Burke — Tue, 09 Dec 2008 17:36:29 +0000

For animation approach, checkout Force-based Algorithms that address the issue you raised concerning the instability of incremental updates. I’d suggest you checkout Traer Physics particle system engine for processing.org visualization language and environment. If you are doing forensics on past data, then you can better position the addition of incremental updates because you’ll know what the future connectivity of that node will be. This will let you determine a better initial location that reduces the springiness of the animation. Maybe this is what you meant by “time-based layout”?

The temporal coloring approach could work for showing long-term changes but you’re right it isn’t good for discerning between individual changes due to human visual “just noticable difference”. Color could be used in an animation to highlight the new additions and then have the color fade away as time marches on.

As for adding time-dimension, there are at least two things you might try. Why confine yourself to 2d plot when you could visualize 3d plot with time as the z-component? But sticking with 2-d, choosing a single node as the center of gravity, you could have concentric circles to show the propagation of time and incremental node additions would appear within a time band. As you mention though, these only work well for smaller graphs as the edges will clutter the view (and look like a tangled spider web

A lot depends on the specific objective of what you’re trying to visualize and the insights you’re hoping to glean from such a visual.

Cheers.

By: Sp3ar0

Sp3ar0 — Tue, 09 Dec 2008 17:02:34 +0000

oops….
http://www-star.stanford.edu/projects/relay/images/rc1-2.gif

By: Sp3ar0

Sp3ar0 — Tue, 09 Dec 2008 17:02:11 +0000

I used to do some work with RF Spectral analysis and we had a tool that displayed a 3D plot with Amplitude over Frequency and the 3rd dimension was the timestamp. You could replay, reverse, spread, narrow, turn, etc. It was good for a large dataset from say 0Hz up to 10Ghz and any strange occurances are cleary seen. Apply the same concept to port over ip and time. The depth of the view allows you to see back in time or as you replay that line comes into the front view…not sure if I explained that clearly enough, but I’ll try and code a demo to show what I mean.

Similar to this but replay/interaction with data is a must:

Sp3ar0

By: Cappella

Cappella — Tue, 09 Dec 2008 00:53:04 +0000

Just to throw off some thoughts, deriving from what I learnt in Ettercap.

1. Line thickness = Log (t).

The thicker the line, the longer it has occurred.

2. Line colour. 8 hues for blocks of n hours to show last 8n hours. So if n=3 then last 24 hours.

I believe the above can be easily coded in without any change to top link graphs.

Cons: When there are > 20 sub-nodes linking to one node it will get messy. Otherwise if it is less than 10 it should be pretty discernible.

3. Line type. Tight and loose dashed lines to indicate how recent or how long event has passed. Faint line for events that occur more than 24 hours, eg. Again can be used with 8 or less colours to depict blocks of time it has passed.

Cons: When too many event sub-nodes occur more than 24 hours, line can be too faint to be discerned in a congested area.

Bottomline: Almost every implementation is bad if there are too many nodes/sub-nodes squeezed in a small area.

By: Sp3ar0

Sp3ar0 — Mon, 08 Dec 2008 13:54:07 +0000

Would a parse tree with the parent node being the timestamp be usable I wonder…

By: Raffy - Security Data Visualization Â» Displaying Time in Link Graphs | animesque.com

Mon, 08 Dec 2008 02:06:06 +0000

[...] Raffy – Security Data Visualization Â» Displaying Time in Link Graphs [...]