{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:38:13Z","timestamp":1775745493201,"version":"3.50.1"},"reference-count":62,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T00:00:00Z","timestamp":1712620800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"U.S. Air Force Research Lab","doi-asserted-by":"publisher","award":["CNS 1650831"],"award-info":[{"award-number":["CNS 1650831"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"U.S. Air Force Research Lab","doi-asserted-by":"publisher","award":["HRD 1828811"],"award-info":[{"award-number":["HRD 1828811"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"U.S. Air Force Research Lab","doi-asserted-by":"publisher","award":["DHS 2017-ST-062-000003"],"award-info":[{"award-number":["DHS 2017-ST-062-000003"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"U.S. Department of Homeland Security","award":["CNS 1650831"],"award-info":[{"award-number":["CNS 1650831"]}]},{"name":"U.S. Department of Homeland Security","award":["HRD 1828811"],"award-info":[{"award-number":["HRD 1828811"]}]},{"name":"U.S. Department of Homeland Security","award":["DHS 2017-ST-062-000003"],"award-info":[{"award-number":["DHS 2017-ST-062-000003"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>The exponential growth in data volumes, combined with the inherent complexity of network algorithms, has drastically affected network security. Data activities are producing voluminous network logs that often mask critical vulnerabilities. 
Although there are efforts to address these hidden vulnerabilities, the solutions often come at high cost or with added complexity. In contrast, the potential of open-source tools, recognized for their security analysis capabilities, remains under-researched. These tools can extract essential network components in detail and thereby strengthen network security. Addressing this gap, our paper proposes a data-analytics-driven network anomaly detection model complemented by a visualization layer that makes the dynamics of cyberattacks and the corresponding defenses visible in near real time. Our approach, based on network scanning tools and network discovery services, first visualizes the network in terms of which IP-based networking devices are live; we then implement a data-analytics-based intrusion detection system that scrutinizes every network connection. Finally, we initiate mitigation measures, visually distinguishing malicious from benign connections using red and blue hues, respectively. 
Our experimental evaluation shows an F1 score of 97.9% and a minimal false positive rate of 0.3% in our model, demonstrating a marked improvement over existing research in this domain.<\/jats:p>","DOI":"10.3390\/jcp4020012","type":"journal-article","created":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T10:08:50Z","timestamp":1712657330000},"page":"241-263","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Data-Driven Network Anomaly Detection with Cyber Attack and Defense Visualization"],"prefix":"10.3390","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3269-0363","authenticated-orcid":false,"given":"Eric","family":"Muhati","sequence":"first","affiliation":[{"name":"Data Science and Cybersecurity Center (DSC<sup>2<\/sup>), Department of Electrical Engineering and Computer Science, Howard University, Washington, DC 20059, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3638-3464","authenticated-orcid":false,"given":"Danda","family":"Rawat","sequence":"additional","affiliation":[{"name":"Data Science and Cybersecurity Center (DSC<sup>2<\/sup>), Department of Electrical Engineering and Computer Science, Howard University, Washington, DC 20059, USA"}]}],"member":"1968","published-online":{"date-parts":[[2024,4,9]]},"reference":[{"key":"ref_1","first-page":"102419","article-title":"Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study","volume":"50","author":"Ferrag","year":"2020","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"100361","DOI":"10.1016\/j.cosrev.2021.100361","article-title":"Cyber security training for critical infrastructure protection: A literature review","volume":"40","author":"Chowdhury","year":"2021","journal-title":"Comput. Sci. Rev."},{"key":"ref_3","unstructured":"Chapaneri, R., and Shah, S. (2018). 
Smart Intelligent Computing and Applications, Proceedings of the Second International Conference on SCI 2018, Bhubaneswar, India, 21\u201322 December 2018, Springer."},{"key":"ref_4","unstructured":"Silva, A.R., McClain, J.T., Anderson, B.R., Nauer, K.S., Abbott, R., and Forsythe, J.C. (2014). Factors Impacting Performance in Competitive Cyber Exercises, Sandia National Lab. (SNL-NM). Technical Report."},{"key":"ref_5","unstructured":"Kashyap, R., and Piersson, A.D. (2018). Handbook of Research on Network Forensics and Analysis Techniques, IGI Global."},{"key":"ref_6","unstructured":"Zhao, H., Tang, W., Zou, X., Wang, Y., and Zu, Y. (2019). Recent Developments in Intelligent Computing, Communication and Devices, Springer."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1313","DOI":"10.1109\/TVCG.2011.144","article-title":"A survey of visualization systems for network security","volume":"18","author":"Shiravi","year":"2011","journal-title":"IEEE Trans. Vis. Comput. Graph."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Dama\u0161evi\u010dius, R., Toldinas, J., Ven\u010dkauskas, A., Grigali\u016bnas, \u0160., Morkevi\u010dius, N., and Jukavi\u010dius, V. (2019, January 10\u201312). Visual Analytics for Cyber Security Domain: State-of-the-Art and Challenges. Proceedings of the International Conference on Information and Software Technologies, Vilnius, Lithuania.","DOI":"10.1007\/978-3-030-30275-7_20"},{"key":"ref_9","unstructured":"Ware, C. (2012). Information Visualization: Perception for Design, Morgan Kaufmann."},{"key":"ref_10","unstructured":"MITRE (2024, March 16). Threat-Based Defense. Available online: https:\/\/attack.mitre.org."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1534","DOI":"10.1109\/COMST.2022.3187531","article-title":"A survey on network security for cyber\u2013physical systems: From threats to resilient design","volume":"24","author":"Kim","year":"2022","journal-title":"IEEE Commun. Surv. 
Tutor."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"112392","DOI":"10.1109\/ACCESS.2022.3216617","article-title":"Explainable intrusion detection systems (x-ids): A survey of current methods, challenges, and opportunities","volume":"10","author":"Neupane","year":"2022","journal-title":"IEEE Access"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Kapustin, V., and Paulauskas, N. (2023). Analysis of TCP flood attack using NetFlow. Moksl.-Liet.-Ateitis\/Sci.-Future Lith., 15.","DOI":"10.3846\/mla.2023.18847"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1016\/j.jnca.2018.12.006","article-title":"A holistic review of network anomaly detection systems: A comprehensive survey","volume":"128","author":"Moustafa","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1819","DOI":"10.2478\/amns.2022.2.0171","article-title":"AdaBoost Algorithm in Trustworthy Network for Anomaly Intrusion Detection","volume":"8","author":"Guo","year":"2022","journal-title":"Appl. Math. Nonlinear Sci."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"250","DOI":"10.1016\/j.dcan.2017.07.004","article-title":"Visualization of big data security: A case study on the KDD99 cup data set","volume":"3","author":"Ruan","year":"2017","journal-title":"Digit. Commun. Netw."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"439","DOI":"10.1016\/j.engappai.2006.09.005","article-title":"A hierarchical SOM-based intrusion detection system","volume":"20","author":"Kayacik","year":"2007","journal-title":"Eng. Appl. Artif. Intell."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1016\/j.eswa.2016.09.041","article-title":"Multi-level hybrid support vector machine and extreme learning machine based on modified K-means for intrusion detection system","volume":"67","author":"Othman","year":"2017","journal-title":"Expert Syst. 
Appl."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1080\/0952813X.2019.1647558","article-title":"A hybrid BGWO with KPCA for intrusion detection","volume":"32","author":"Velliangiri","year":"2020","journal-title":"J. Exp. Theor. Artif. Intell."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Feng, Y., Li, J., and Nguyen, T. (2020, January 15\u201317). Application-layer DDoS defense with reinforcement learning. Proceedings of the 2020 IEEE\/ACM 28th International Symposium on Quality of Service (IWQoS), Hangzhou, China.","DOI":"10.1109\/IWQoS49365.2020.9213026"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A survey of data mining and machine learning methods for cyber security intrusion detection","volume":"18","author":"Buczak","year":"2015","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1007\/s00521-014-1701-2","article-title":"Data mining-based integrated network traffic visualization framework for threat detection","volume":"26","author":"Bhardwaj","year":"2015","journal-title":"Neural Comput. Appl."},{"key":"ref_23","unstructured":"Ohno, K., Koike, H., and Koizumi, K. (2005, January 6\u20138). IPMatrix: An effective visualization framework for cyber threat monitoring. Proceedings of the Ninth International Conference on Information Visualisation (IV\u201905), London, UK."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Ulmer, A., Schufrin, M., Sessler, D., and Kohlhammer, J. (2018, January 22). Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data. 
Proceedings of the 2018 IEEE Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany.","DOI":"10.1109\/VIZSEC.2018.8709182"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"533","DOI":"10.1007\/s00521-013-1516-6","article-title":"Review of information extraction technologies and applications","volume":"25","author":"Small","year":"2014","journal-title":"Neural Comput. Appl."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"45417","DOI":"10.1109\/ACCESS.2019.2909406","article-title":"Reconstruction of Complex Networks Under Missing and Spurious Noise Without Prior Knowledge","volume":"7","author":"Ren","year":"2019","journal-title":"IEEE Access"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"4950","DOI":"10.1007\/s41109-019-0194-4","article-title":"A general deep learning framework for network reconstruction and dynamics learning","volume":"4","author":"Zhang","year":"2019","journal-title":"Appl. Netw. Sci."},{"key":"ref_28","unstructured":"Lyon, G.F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Association for Computing Machinery (ACM)."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Kim, M., and Leskovec, J. (2011, January 28\u201330). The network completion problem: Inferring missing nodes and edges in networks. Proceedings of the 2011 SIAM International Conference on Data Mining, SIAM, Mesa, AZ, USA.","DOI":"10.1137\/1.9781611972818.5"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"1763","DOI":"10.1109\/TC.2017.2699190","article-title":"Towards Accurate Statistical Analysis of Security Margins: New Searching Strategies for Differential Attacks","volume":"66","author":"Chen","year":"2017","journal-title":"IEEE Trans. Comput."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Koganti, V.S., Galla, L.K., and Nuthalapati, N. (2016, January 16\u201317). Internet worms and its detection. 
Proceedings of the 2016 International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT), Kumaracoil, India.","DOI":"10.1109\/ICCICCT.2016.7987920"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Bo, C., Fang, B.X., and Yun, X.C. (2006, January 23\u201324). Adaptive method for monitoring network and early detection of internet worms. Proceedings of the International Conference on Intelligence and Security Informatics, San Diego, CA, USA.","DOI":"10.1007\/11760146_16"},{"key":"ref_33","first-page":"1\/1","article-title":"Stuxnet: The World\u2019s First Cyber\u2026 Boomerang?","volume":"2015\/2016","author":"Middleton","year":"2016","journal-title":"Interstate-J. Int. Aff."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1109\/MSECP.2003.1219056","article-title":"Inside the Slammer worm","volume":"1","author":"Moore","year":"2003","journal-title":"IEEE Secur. Priv."},{"key":"ref_35","unstructured":"Wireshark Foundation (2023, April 18). Wireshark. Available online: https:\/\/www.wireshark.org."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"46","DOI":"10.1109\/65.844500","article-title":"Web traffic modeling exploiting TCP connections\u2019 temporal clustering through HTML-REDUCE","volume":"14","author":"Molina","year":"2000","journal-title":"IEEE Netw."},{"key":"ref_37","unstructured":"Knuth, D.E. (1981). The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"1021","DOI":"10.1038\/nature09008","article-title":"Random numbers certified by Bell\u2019s theorem","volume":"464","author":"Pironio","year":"2010","journal-title":"Nature"},{"key":"ref_39","unstructured":"(2023, March 18). KDD Cup 1999: Computer Network Intrusion Detection. 
Available online: https:\/\/www.kdd.org\/kdd-cup\/view\/kdd-cup-1999\/Data."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Priyalakshmi, V., and Devi, R. (2022, January 26\u201327). Analysis and Implementation of Normalisation Techniques on KDD\u201999 Data Set for IDS and IPS. Proceedings of the International Conference on Data Science and Applications: ICDSA 2022, Kolkata, India.","DOI":"10.1007\/978-981-19-6634-7_5"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1007\/978-981-19-8338-2_4","article-title":"Network Intrusion Detection Using Machine Learning","volume":"Volume 1","author":"Prajapati","year":"2023","journal-title":"Futuristic Communication and Network Technologies: Select Proceedings of VICFCNT 2021"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"4993","DOI":"10.1007\/s00521-021-06093-5","article-title":"An effective NIDS framework based on a comprehensive survey of feature optimization and classification techniques","volume":"35","author":"Keserwani","year":"2023","journal-title":"Neural Comput. Appl."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"103081","DOI":"10.1016\/j.jnca.2021.103081","article-title":"Worm computing: A blockchain-based resource sharing and cybersecurity framework","volume":"185","author":"Shi","year":"2021","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"4278","DOI":"10.1002\/mma.8039","article-title":"Dynamics of the worm transmission in wireless sensor network in the framework of fractional derivatives","volume":"45","author":"Achar","year":"2022","journal-title":"Math. Methods Appl. Sci."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"S\u00e1nchez-Pati\u00f1o, N., Gallegos-Garcia, G., and Rivero-Angeles, M.E. (2023). Teletraffic Analysis of DoS and Malware Cyber Attacks on P2P Networks under Exponential Assumptions. Appl. 
Sci., 13.","DOI":"10.3390\/app13074625"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Li, Z., Rios, A.L.G., and Trajkovi\u0107, L. (2020, January 11\u201314). Detecting internet worms, ransomware, and blackouts using recurrent neural networks. Proceedings of the 2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Toronto, ON, Canada.","DOI":"10.1109\/SMC42975.2020.9283472"},{"key":"ref_47","first-page":"1848","article-title":"A detailed analysis on NSL-KDD dataset using various machine learning techniques for intrusion detection","volume":"2","author":"Revathi","year":"2013","journal-title":"Int. J. Eng. Res. Technol. (IJERT)"},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"1343","DOI":"10.1016\/j.comnet.2007.11.022","article-title":"Practical large-scale latency estimation","volume":"52","author":"Szymaniak","year":"2008","journal-title":"Comput. Networks"},{"key":"ref_49","unstructured":"Jain, R. (1990). The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation, and Modeling, John Wiley & Sons."},{"key":"ref_50","unstructured":"Duato, J., Yalamanchili, S., and Ni, L. (2002). Interconnection Networks: An Engineering Approach, Morgan Kaufmann Pub. Inc."},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1006\/jpdc.2000.1679","article-title":"A comparison of router architectures for virtual cut-through and wormhole switching in a NOW environment","volume":"61","author":"Duato","year":"2001","journal-title":"J. Parallel Distrib. Comput."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Falcon, A., Faraboschi, P., and Ortega, D. (2008, January 20\u201322). An adaptive synchronization technique for parallel simulation of networked clusters. 
Proceedings of the ISPASS 2008-IEEE International Symposium on Performance Analysis of Systems and Software, Austin, TX, USA.","DOI":"10.1109\/ISPASS.2008.4510735"},{"key":"ref_53","unstructured":"Lahti, C.B., and Peterson, R. (2005). Sarbanes-Oxley Compliance Using COBIT and Open Source Tools, Syngress."},{"key":"ref_54","doi-asserted-by":"crossref","first-page":"756","DOI":"10.1109\/JPROC.2021.3052449","article-title":"A unifying review of deep and shallow anomaly detection","volume":"109","author":"Ruff","year":"2021","journal-title":"Proc. IEEE"},{"key":"ref_55","doi-asserted-by":"crossref","first-page":"1","DOI":"10.18637\/jss.v039.i11","article-title":"Computing the two-sided Kolmogorov-Smirnov distribution","volume":"39","author":"Simard","year":"2011","journal-title":"J. Stat. Softw."},{"key":"ref_56","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/TC.2013.177","article-title":"A novel en-route filtering scheme against false data injection attacks in cyber-physical networked systems","volume":"64","author":"Yang","year":"2013","journal-title":"IEEE Trans. Comput."},{"key":"ref_57","doi-asserted-by":"crossref","unstructured":"Tang, Q., Zheng, C., Lu, Q., Yang, W., Yuan, Q., and Chen, X. (2017, January 4\u20136). Taking over malicious connection in half way by migrating protocol state to a user-level TCP stack. Proceedings of the 2017 8th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan.","DOI":"10.1109\/IACS.2017.7921976"},{"key":"ref_58","doi-asserted-by":"crossref","first-page":"238","DOI":"10.1109\/TC.2005.31","article-title":"Preventing session table explosion in packet inspection computers","volume":"54","author":"Kim","year":"2005","journal-title":"IEEE Trans. Comput."},{"key":"ref_59","unstructured":"Paxson, V., Allman, M., Chu, J., and Sargent, M. (2023, March 18). Computing TCP\u2019s Retransmission Timer; Technical Report, RFC 6298 (obsoletes RFC 2988); 2011. 
Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc6298."},{"key":"ref_60","unstructured":"Stoer, J., and Bulirsch, R. (2013). Introduction to Numerical Analysis, Springer Science & Business Media."},{"key":"ref_61","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009, January 8\u201310). A detailed analysis of the KDD CUP 99 data set. Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_62","unstructured":"Meijer, L. (2023, March 18). On DOTS: Entity Component System\u2014Unity Software. Available online: https:\/\/blogs.unity3d.com\/2019\/03\/08\/on-dots-entity-component-system."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/4\/2\/12\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T14:25:11Z","timestamp":1760106311000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/4\/2\/12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,9]]},"references-count":62,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2024,6]]}},"alternative-id":["jcp4020012"],"URL":"https:\/\/doi.org\/10.3390\/jcp4020012","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,9]]}}}
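The abstract in the record above describes a pipeline: enumerate the live hosts, score every connection with a data-analytics detector, colour malicious connections red and benign ones blue, and report F1 and false-positive rate. What follows is an added example, not code from the paper or from the Crossref record: a minimal version of that pipeline in Python. The detection rule (per-host z-scores against a baseline fitted on a known-benign window, flagging a host when any feature exceeds 3 standard deviations), the three features, the hypothetical 10.0.0.0/24 LAN with a port scan from 10.0.0.9, and every connection record are assumptions constructed for illustration; the paper's own detector, dataset and scan-based host discovery step (which needs a live network) are not reproduced here.

```python
"""Added example (not the paper's code): per-host z-score anomaly detection
over connection records, red/blue colouring for a visualization layer, and
F1 / false-positive-rate evaluation. All records below are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

RED, BLUE = "red", "blue"          # malicious / benign hues, as in the abstract
FEATURES = ("conns", "ports", "syn_only")


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    syn_only: bool   # SYN sent but handshake never completed (typical of scans)
    label: str       # ground truth "attack" / "normal", used only by evaluate()


def host_profile(conns):
    """Per-source-host features: connection count, distinct (dst, port)
    targets, and the fraction of half-open (SYN-only) attempts."""
    by_src = {}
    for c in conns:
        by_src.setdefault(c.src, []).append(c)
    return {src: {"conns": len(cs),
                  "ports": len({(c.dst, c.dport) for c in cs}),
                  "syn_only": sum(c.syn_only for c in cs) / len(cs)}
            for src, cs in by_src.items()}


def fit_baseline(benign_conns):
    """Mean and population std-dev of each feature over known-benign hosts."""
    profiles = list(host_profile(benign_conns).values())
    return {k: (mean(p[k] for p in profiles), pstdev(p[k] for p in profiles))
            for k in FEATURES}


def anomaly_score(profile, baseline, floor=1e-6):
    """Largest absolute z-score across features; floor avoids division by zero."""
    return max(abs(profile[k] - m) / max(s, floor) for k, (m, s) in baseline.items())


def classify_hosts(conns, baseline, threshold=3.0):
    """Map each source host to (colour, score): red above threshold, else blue."""
    verdicts = {}
    for src, p in host_profile(conns).items():
        z = anomaly_score(p, baseline)
        verdicts[src] = (RED if z > threshold else BLUE, round(z, 2))
    return verdicts


def colour_connections(conns, verdicts):
    """Per-connection hue for the visualization: inherit the source host's verdict."""
    return [(c.src, c.dst, c.dport, verdicts[c.src][0]) for c in conns]


def evaluate(conns, verdicts):
    """Confusion counts plus F1 and false-positive rate against the labels."""
    flagged = [verdicts[c.src][0] == RED for c in conns]
    attack = [c.label == "attack" for c in conns]
    tp = sum(f and a for f, a in zip(flagged, attack))
    fp = sum(f and not a for f, a in zip(flagged, attack))
    fn = sum(a and not f for f, a in zip(flagged, attack))
    tn = len(conns) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "f1": f1, "fpr": fpr}


def conns_from(src, targets, syn_only_idx=(), label="normal"):
    """Build constructed records from a list of (dst, port) targets."""
    return [Conn(src, d, p, i in syn_only_idx, label) for i, (d, p) in enumerate(targets)]


# Constructed data: hypothetical 10.0.0.0/24 LAN, TEST-NET-2 addresses for
# external servers. TRAIN is a known-benign window used to fit the baseline.
DNS, WEB, MAIL = ("10.0.0.1", 53), ("198.51.100.10", 443), ("198.51.100.20", 993)
WEB2 = ("198.51.100.11", 80)
TRAIN = (conns_from("10.0.0.2", [DNS, WEB, WEB, DNS])
         + conns_from("10.0.0.3", [WEB, WEB, WEB, DNS, DNS, WEB2], syn_only_idx=(5,))
         + conns_from("10.0.0.4", [WEB, DNS, WEB])
         + conns_from("10.0.0.6", [WEB, DNS, MAIL, WEB, MAIL], syn_only_idx=(2,)))
# WINDOW is the live window under analysis: two ordinary hosts, one flaky host
# with several half-open attempts, and a port scan of 10.0.0.5 from 10.0.0.9.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443,
              445, 993, 995, 1433, 3306, 3389, 5432, 8080, 8443, 8888]
WINDOW = (conns_from("10.0.0.2", [DNS, WEB, WEB, DNS, WEB])
          + conns_from("10.0.0.3", [WEB, DNS, WEB2, WEB], syn_only_idx=(2,))
          + conns_from("10.0.0.7", [WEB, DNS, WEB, WEB, DNS], syn_only_idx=(0, 3))
          + conns_from("10.0.0.9", [("10.0.0.5", p) for p in SCAN_PORTS],
                       syn_only_idx=range(len(SCAN_PORTS)), label="attack"))


def run_demo(threshold=3.0):
    """Fit on TRAIN, classify WINDOW; return (verdicts, coloured connections, metrics)."""
    verdicts = classify_hosts(WINDOW, fit_baseline(TRAIN), threshold)
    return verdicts, colour_connections(WINDOW, verdicts), evaluate(WINDOW, verdicts)


if __name__ == "__main__":
    verdicts, coloured, metrics = run_demo()
    for src, (hue, z) in sorted(verdicts.items()):
        print(f"{src:10} {hue:4} z={z}")
    print(metrics)
```

Running it colours the scanner's 20 connections red (its distinct-target count sits 35 standard deviations above the benign baseline) and the two ordinary hosts blue, but the flaky host 10.0.0.7 is also flagged because 40% of its attempts were half-open, giving five false positives and a false-positive rate of 5/14 alongside an F1 of about 0.89. That is why the abstract reports both numbers: on an operational network the threshold, the feature set and the size of the benign training window all trade recall against noise, and a detector tuned only for F1 can still bury the analyst in red connections.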