Visualisation of Virus Attack in Email Network

The pictures illustrate an email virus attack recorded on November 10, 2004. The virus was identified as W32.Mydoom.AI@mm, a mass-mailing worm that spreads by emailing itself to the addresses it finds in the infected machine's address book. An infected computer acts as a fake email server and sends virus emails to others.

We define a two-mode email transaction network that contains both user nodes and server nodes; more precisely, it contains both the client side (sender and receiver) and the server side of each email transaction. A normal email transaction network within a one-hour period of our data set can be represented as in Figure 1. Here, red nodes represent servers and yellow nodes represent clients. To distinguish the sending and receiving processes, green and blue edges display them, respectively. The red node in the center represents the main email server in the data set. Figure 2 is a visualization of the email network from 9am-10am, November 10, 2004, when the virus attacked the network. It is easy to see that something extraordinary is happening, as the email traffic increased tremendously. Although the sudden increase in email traffic can also be seen by checking the log file, the same information is far more insightful when displayed as a visualization.


Figure 1


We can further visualize a temporal email propagation network; Figure 3 shows an example. For each one-hour window, a layout of the two-mode email network is drawn on a plate, showing the traffic of that period; the plates are then stacked together as a time-series network. Edges between plates are also added to highlight the propagation of the email virus. This example clearly demonstrates the power of visualization combined with proper analysis methods.
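The following Python script is an added example, not code from the original study, showing the data preparation behind both the per-hour two-mode network and the stacked temporal plates described above. It assumes a constructed log format (`<timestamp> <SEND|RECV> <client> <server>`), builds one client/server network per hour, flags an hour whose traffic is far above the median of the other hours, lists server nodes that first appear in a given hour (an infected client acting as its own mail server shows up this way), and derives the inter-plate edges (a client that received mail in one hour and sent mail in the next). The log lines, host names and the spike factor are all constructed assumptions.

```python
"""Per-hour two-mode email network with a traffic-spike check and
inter-plate propagation edges.  Added example; log format, host names and
thresholds are assumptions, not the original study's data."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (assumed format): "<ISO timestamp> <SEND|RECV> <client> <server>"
# SEND = client hands a message to a server (green edge in the text's figures)
# RECV = server delivers a message to a client (blue edge)
# Hour 09 contains a constructed outbreak: "dave" sends through its own host.
SAMPLE_LOG = """\
2004-11-10T07:05 SEND alice mail.main
2004-11-10T07:06 RECV bob mail.main
2004-11-10T07:30 SEND carol mail.main
2004-11-10T08:10 SEND carol mail.main
2004-11-10T08:12 RECV dave mail.main
2004-11-10T08:40 SEND bob mail.main
2004-11-10T09:01 SEND dave smtp.dave-pc
2004-11-10T09:01 SEND dave smtp.dave-pc
2004-11-10T09:02 SEND dave smtp.dave-pc
2004-11-10T09:02 SEND dave smtp.dave-pc
2004-11-10T09:03 SEND dave smtp.dave-pc
2004-11-10T09:03 SEND dave smtp.dave-pc
2004-11-10T09:04 SEND dave smtp.dave-pc
2004-11-10T09:04 SEND dave smtp.dave-pc
2004-11-10T09:05 RECV alice mail.main
2004-11-10T09:05 RECV bob mail.main
2004-11-10T09:06 RECV carol mail.main
2004-11-10T09:06 RECV erin mail.main
2004-11-10T09:07 SEND alice mail.main
2004-11-10T09:08 RECV frank mail.main
"""


def parse_log(text):
    """Parse log lines into (hour, direction, client, server) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, client, server = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        records.append((hour, direction, client, server))
    return records


def build_hourly_networks(records):
    """One two-mode network (one 'plate') per hour: client nodes, server nodes, edges."""
    nets = {}
    for hour, direction, client, server in records:
        net = nets.setdefault(hour, {"clients": set(), "servers": set(), "edges": []})
        net["clients"].add(client)
        net["servers"].add(server)
        # Edge stored as (direction, source, target): SEND client->server, RECV server->client
        src, dst = (client, server) if direction == "SEND" else (server, client)
        net["edges"].append((direction, src, dst))
    return nets


def hourly_volume(nets):
    """Number of transactions (edges) per hour."""
    return {hour: len(net["edges"]) for hour, net in nets.items()}


def flag_spikes(volumes, factor=3.0):
    """Hours whose edge count exceeds factor x the median of all other hours."""
    flagged = []
    for hour, count in volumes.items():
        others = [c for h, c in volumes.items() if h != hour]
        if others and count > factor * median(others):
            flagged.append(hour)
    return sorted(flagged)


def top_senders(net, n=3):
    """Clients with the most SEND edges in one plate (mass-mailer fan-out)."""
    counts = Counter(src for d, src, _ in net["edges"] if d == "SEND")
    return counts.most_common(n)


def new_server_nodes(nets):
    """Server nodes first seen in an hour after the first one."""
    seen, result = set(), {}
    for hour in sorted(nets):
        fresh = nets[hour]["servers"] - seen
        if seen and fresh:
            result[hour] = fresh
        seen |= nets[hour]["servers"]
    return result


def propagation_edges(nets):
    """Inter-plate edges: clients that received mail in hour h and sent in h+1."""
    edges = []
    for hour in sorted(nets):
        nxt = hour + timedelta(hours=1)
        if nxt not in nets:
            continue
        received = {dst for d, _, dst in nets[hour]["edges"] if d == "RECV"}
        sent = {src for d, src, _ in nets[nxt]["edges"] if d == "SEND"}
        for client in sorted(received & sent):
            edges.append((hour, client, nxt))
    return edges


if __name__ == "__main__":
    nets = build_hourly_networks(parse_log(SAMPLE_LOG))
    for hour in flag_spikes(hourly_volume(nets)):
        print(f"{hour:%Y-%m-%d %H:00} spike: {len(nets[hour]['edges'])} edges,"
              f" top senders {top_senders(nets[hour])}")
    print("servers first seen:", new_server_nodes(nets))
    print("propagation edges:", propagation_edges(nets))
```

Each plate's node and edge sets can be handed to any graph layout tool to draw the stacked figure; the propagation edges are what connect consecutive plates. In the constructed data the 9am hour is flagged, `smtp.dave-pc` appears as a server node for the first time, and the inter-plate chain runs bob (7am) and dave (8am) into the following hours.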