Find Malware Trends

Explore patterns of malware propagation by visualising the relation between C&C servers and the hosts and ISPs they are linked to.

This demo illustrates the power of KeyLines when visualising complex cyber-security data. The chart, time bar and side controls allow exploration of the data and discovery of both broad trends and precise details of the infection of particular machines and their immediate environments.

The data, taken from https://www.abuse.ch/, records infections of machines by eight identified malware families. The dataset covers a five-year period and can be filtered to show only the machines that were still active at the end of that period, the end of December 2015.

When one or more malware families are selected, the chart shows every infection attributed to them, and a colour-coded trend line shows the relative infection rate for each family. Tooltips on the histogram bars and trend lines give the total number of infected machines.

The servers acting as 'Command and Control' ('C&C') machines for a set of botnets are coloured pale blue.

Each C&C machine is linked to an ISP and to one or more hosts that act as the contact point(s) for its botnets. ISPs are shown with a flag indicating their geographic location.

The chart therefore gives insight into how C&C machines communicate with their botnets, and into the geography of infection.

There are two obvious dense clusters in the chart. One is a set of C&C machines associated with a German ISP (AS24940), the other a set associated with a French one (AS16276). A concentration of C&C servers at a single provider is a possible indication that abuse on that network is poorly managed.

Another significant node is the C&C machine 195.16.127.102, drawn larger because of the number of hosts associated with it. This Russian machine has eight compromised hosts, each with a *.hotmail.ru address, through which it communicates with its bots.
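The aggregates the demo visualises (the per-family monthly histogram, the end-of-period filter, node scaling by number of contact hosts, and the dense per-ASN clusters) are straightforward to compute from records shaped like the abuse.ch feed. The Python below is an added example, not code from the demo or from KeyLines; the CSV rows in it are constructed to mirror the shape of the feed (RFC 5737 documentation IPs and private-use ASNs, not real C&C infrastructure), and the field names, node types and the `size` attribute are this example's own conventions rather than the demo's.

```python
"""Build a C&C / host / ISP graph from abuse.ch-style records and compute
the aggregates a chart like the one in the demo needs.

Added example. The records below are constructed and use documentation
address space; they are not real abuse.ch entries.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample feed (not real data). Columns are assumed for this
# example: first_seen,last_seen,cc_ip,hostname,asn,country,malware
SAMPLE_CSV = """\
first_seen,last_seen,cc_ip,hostname,asn,country,malware
2015-10-03,2015-12-30,192.0.2.10,cnc-a.example.net,AS64496,DE,Dridex
2015-10-12,2015-11-20,192.0.2.11,cnc-b.example.net,AS64496,DE,Dridex
2015-11-02,2015-12-31,192.0.2.12,cnc-c.example.net,AS64496,DE,Zeus
2015-11-05,2015-12-31,198.51.100.7,drop1.example.org,AS64497,FR,Zeus
2015-11-05,2015-12-31,198.51.100.7,drop2.example.org,AS64497,FR,Zeus
2015-12-01,2015-12-31,198.51.100.7,drop3.example.org,AS64497,FR,Zeus
2015-12-10,2015-12-31,203.0.113.5,bot.example.com,AS64498,RU,Tinba
2015-09-15,2015-10-01,203.0.113.6,old.example.com,AS64498,RU,Tinba
"""


def parse_records(text):
    """Parse the CSV text into dicts, converting the two date columns."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["last_seen"] = date.fromisoformat(row["last_seen"])
        records.append(row)
    return records


def active_at(records, when_iso):
    """The end-of-period filter: records whose activity window covers the date."""
    when = date.fromisoformat(when_iso)
    return [r for r in records if r["first_seen"] <= when <= r["last_seen"]]


def monthly_trend(records, families):
    """Infections per month for up to three selected families (the histogram data)."""
    if not 1 <= len(families) <= 3:
        raise ValueError("select between one and three malware families")
    trend = {f: Counter() for f in families}
    for r in records:
        if r["malware"] in trend:
            trend[r["malware"]][r["first_seen"].strftime("%Y-%m")] += 1
    return trend


def build_graph(records):
    """Nodes for C&C servers, ISPs and contact hosts; links C&C->ISP and C&C->host.

    A C&C node's `size` is its number of distinct contact hosts, which is what
    drives the visual scaling of a node like the one discussed above.
    """
    nodes, links = {}, {}
    hosts_per_cc = defaultdict(set)
    for r in records:
        cc, isp, host = "cc:" + r["cc_ip"], "isp:" + r["asn"], "host:" + r["hostname"]
        nodes.setdefault(cc, {"type": "cc", "label": r["cc_ip"], "malware": set()})
        nodes[cc]["malware"].add(r["malware"])
        nodes.setdefault(isp, {"type": "isp", "label": r["asn"], "country": r["country"]})
        nodes.setdefault(host, {"type": "host", "label": r["hostname"]})
        hosts_per_cc[cc].add(host)
        links[(cc, isp)] = "hosted-at"
        links[(cc, host)] = "contacts"
    for cc, hosts in hosts_per_cc.items():
        nodes[cc]["size"] = len(hosts)
    return nodes, links


def largest_cc(nodes):
    """Id of the C&C node with the most contact hosts."""
    return max((v["size"], k) for k, v in nodes.items() if v["type"] == "cc")[1]


def asn_clusters(records, min_servers=2):
    """Distinct C&C servers per ASN, keeping only ASNs dense enough to stand out."""
    servers = defaultdict(set)
    for r in records:
        servers[r["asn"]].add(r["cc_ip"])
    return {asn: len(ips) for asn, ips in servers.items() if len(ips) >= min_servers}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    print("active at end of 2015:", len(active_at(recs, "2015-12-31")))
    print("trend:", monthly_trend(recs, ["Dridex", "Zeus"]))
    nodes, links = build_graph(recs)
    print("largest C&C:", largest_cc(nodes), "nodes:", len(nodes), "links:", len(links))
    print("dense ASNs:", asn_clusters(recs))
```

The graph is kept as plain dicts keyed by a typed id (`cc:`, `isp:`, `host:`) so that the same IP or hostname appearing in several records collapses to one node; converting that structure into whatever node/link format a charting library expects is a separate, mechanical step. Note that `asn_clusters` counts distinct C&C addresses, not records, so a single server with many hosts (198.51.100.7 above) is large in the graph but does not by itself make its ASN a cluster.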