Network Traffic Anomaly Detection Dashboard

Introduction

With the rapid expansion of embedded systems and Internet of Things (IoT) environments, network security has become a critical challenge. Embedded devices deployed in industrial control systems, smart infrastructure, and cyber-physical systems often operate under strict resource constraints, making traditional security mechanisms difficult to implement. As a result, anomaly detection techniques that analyze network traffic behavior have emerged as an effective approach for identifying malicious activities.

This project presents a Network Traffic Anomaly Detection Dashboard developed using Dashtera, a no-code business intelligence and visualization platform. The dashboard provides an interactive, multi-level analytical view of network traffic data, enabling the comparison of normal and anomalous behavior across traffic volume, timing characteristics, protocol usage, IP communication patterns, and frequency-domain features.

The objective of this dashboard is to support exploratory data analysis and interpretability for anomaly detection by transforming raw network traffic features into meaningful visual patterns. The analysis is structured across three dashboard pages, each focusing on a different analytical perspective: traffic behavior, protocol and addressing characteristics, and anomaly-specific signal insights.

Dataset

The analysis is based on the Network Traffic Anomaly Detection Dataset, publicly available on Kaggle. The dataset was generated to simulate real-world network traffic scenarios in embedded and IoT-based systems, incorporating both benign and malicious behavior. 

The dataset is specifically designed to support supervised anomaly detection research and has been used in the development of deep learning models such as the Adaptive Differential Evolution Weighted Deep Belief Network (ADE-WDBN). It combines traditional traffic-level features with frequency-domain attributes extracted using the Wavelet Transform (WT) method, enabling both temporal and spectral analysis of network behavior. 

Key Features 

The dataset contains the following categories of features: 

  • Traffic Volume and Timing 
    • Packet Size (bytes) 
    • Inter-Arrival Time between packets 
    • Packet Count within a 5-second window 
    • Mean Packet Size 
  • Protocol and Network Attributes 
    • Protocol Type (TCP, UDP, ICMP) 
    • Source IP Address 
    • Destination IP Address 
    • Source Port Ranges 
    • Destination Ports 
  • TCP Control Information 
    • TCP Flags (SYN, FIN, SYN-ACK) 
  • Frequency-Domain Features 
    • Spectral Entropy (derived via Wavelet Transform) 
    • Frequency Band Energy (derived via Wavelet Transform) 
  • Target Variable 
    • Label:
      • 0 → Normal Traffic
      • 1 → Anomalous (Malicious) Traffic

Dataset Overview 

  • Total Records: 1,000 
  • Normal Traffic: 900 records 
  • Anomalous Traffic: 100 records 
  • Application Domains: IoT networks, embedded systems, industrial control systems, critical infrastructure 

The dataset’s combination of packet-level, protocol-level, and frequency-domain features makes it well-suited for anomaly detection and behavior-based security analysis. 

Dashtera

Dashtera is a cloud-based, no-code analytics platform designed to support the visual exploration and analysis of complex datasets. The platform enables users to construct interactive dashboards without programming, allowing for efficient examination of multidimensional data through line plots, bar charts, maps, regressions, and statistical summaries. Its interface allows data to be filtered, compared, and inspected from multiple perspectives, which makes it suitable for exploratory data analysis tasks. 

Key Features 

  • Integration with multiple data sources, including CSV files, APIs, and external repositories. 
  • Support for a wide range of visualization types, such as line charts, bar charts, Pareto charts, and geographic maps. 
  • Interactive drill-down capabilities for detailed examination of specific data segments. 
  • Dynamic filtering that enables focused analysis based on selected criteria. 
  • Built-in options for sharing dashboards to facilitate collaborative research and analysis. 

Dashtera’s flexibility makes it particularly suitable for exploratory data analysis and predictive insight presentation in healthcare and insurance domains. 

Dashboard

Traffic Volume & Timing Analysis 

The first dashboard focuses on traffic-level characteristics, providing foundational insight into how anomalous network behavior differs from normal traffic in terms of packet size, timing, and transmission intensity.

Box plots of packet size versus label reveal that anomalous traffic exhibits a wider dispersion and higher variability compared to normal traffic. This suggests that malicious activity often involves irregular packet lengths, which may result from scanning, probing, or malformed packet generation. Line charts plotting packet size over record indices, used as a sequential reference rather than a true time series, further illustrate this behavior. Normal traffic shows relatively stable trends, whereas anomalous traffic introduces sudden spikes and fluctuations, indicating burst-like transmission patterns. 

A similar pattern is observed in the inter-arrival time analysis. Box plots demonstrate greater spread for anomalous traffic, and line charts show abrupt changes in packet timing. Such irregular timing behavior is characteristic of attack scenarios such as denial-of-service attempts or automated probing, where packets are transmitted at inconsistent intervals. 

The packet count within a 5-second window provides insight into short-term traffic intensity. The box plot indicates that anomalous traffic tends to generate higher packet counts over short intervals. Histograms further confirm that anomalous records contribute disproportionately to the higher end of the distribution, while normal traffic remains more uniformly distributed. This reinforces the idea that abnormal traffic often manifests as bursts of activity. 
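
The two timing features discussed above can be derived from packet timestamps as follows. This is an added example, not code from the dataset or from Dashtera; the trailing-window definition of the packet count, the function names, and both sample captures are assumptions constructed for illustration.

```python
from collections import deque
from statistics import quantiles

WINDOW_S = 5.0  # window length from the dataset description


def timing_features(timestamps):
    """Return (inter_arrival_times, packet_counts) for ascending timestamps in seconds.

    packet_counts[i] is the number of packets in the trailing window
    (t_i - WINDOW_S, t_i]; the trailing-window choice is an assumption.
    """
    window, gaps, counts, prev = deque(), [], [], None
    for t in timestamps:
        if prev is not None:
            if t < prev:
                raise ValueError("timestamps must be sorted")
            gaps.append(t - prev)
        prev = t
        window.append(t)
        while window[0] <= t - WINDOW_S:  # drop packets that left the window
            window.popleft()
        counts.append(len(window))
    return gaps, counts


def iqr(values):
    """Interquartile range, i.e. the height of the box in a box plot."""
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    return q3 - q1


# Constructed captures (seconds). STEADY: one packet every 0.5 s.
STEADY = [i * 0.5 for i in range(40)]
# BURSTY: 2 s beacons with a 10-packet burst at 10 ms spacing in the middle.
BURSTY = ([0.0, 2.0, 4.0, 6.0, 8.0, 10.0]
          + [10.0 + 0.01 * k for k in range(1, 11)]
          + [12.1, 14.1, 16.1, 18.1, 20.1])


def summarize(timestamps):
    """Spread of inter-arrival time and peak 5-second packet count."""
    gaps, counts = timing_features(timestamps)
    return {"iat_iqr": iqr(gaps), "max_count_5s": max(counts)}


if __name__ == "__main__":
    print("steady", summarize(STEADY))
    print("bursty", summarize(BURSTY))
```

The steady capture has zero inter-arrival spread, while the bursty one shows both a wide interquartile range and a higher peak packet count, the same two effects the box plots display.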

Although the mean packet size feature remains zero across all records and does not contribute discriminative power, its inclusion in the dashboard serves to document feature behavior and justify its limited analytical relevance. 

A pie chart illustrating label distribution confirms the dataset composition, with 100 anomalous records and 900 normal records. Finally, the scatter plot of packet size versus inter-arrival time does not reveal a strong linear relationship. However, the absence of a clear pattern is itself informative, indicating that anomalous behavior arises from complex, non-linear interactions rather than simple pairwise correlations. 

Protocol, Port & IP Analysis

The second dashboard examines protocol-level and addressing behavior, which is essential for understanding how anomalies manifest across different layers of the network stack. 

Grouped bar charts comparing protocol type (TCP, UDP, ICMP) against traffic labels show that anomalous traffic is present across all three protocols. ICMP traffic exhibits a slightly higher proportion of anomalies, which aligns with its common use in reconnaissance, echo flooding, and network scanning attacks. Pie charts further illustrate the relative distribution of protocol usage in the dataset. 

A consolidated grouped bar chart comparing protocol types across normal and anomalous traffic confirms that malicious behavior is not restricted to a single protocol, reinforcing the need for protocol-agnostic detection strategies. 

Source IP analysis reveals that anomalies are distributed across multiple devices rather than originating from a single source. Records associated with IP addresses 192.168.1.2, 192.168.1.3, and other devices all contribute to anomalous traffic. This suggests that behavior-based analysis is more effective than static IP filtering. 

Source port range analysis indicates that anomalies occur more frequently in user-defined ports compared to dynamic ports. User ports are often exploited for unauthorized services or covert communication channels, making this feature particularly relevant for anomaly detection. 

Destination IP and destination port analyses further highlight that anomalous traffic frequently targets commonly used service ports such as 53 (DNS), 80 (HTTP), and 443 (HTTPS). These ports are typically open in most networks, making them attractive targets for malicious activities.

Anomaly Insights

The third dashboard offers in-depth anomaly-focused insights by combining real-time indicators, frequency-domain features, and multidimensional visualizations. 

Vertical gauge charts display the most recent record’s packet size, inter-arrival time, and packet count, offering an operational snapshot that could be extended to real-time monitoring scenarios. 

Box plots of spectral entropy and frequency band energy reveal that anomalous traffic exhibits higher variability and dispersion in the frequency domain. Elevated spectral entropy indicates increased randomness and unpredictability, while higher frequency band energy suggests abnormal signal intensity. These characteristics are consistent with malicious traffic that disrupts normal communication patterns. 
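
To make the two frequency-domain features concrete, the following added example computes per-band wavelet energy and a normalized spectral entropy for a sequence of packet sizes. It is not the dataset authors' code: the page does not state which wavelet or entropy formula was used, so the Haar wavelet, the Shannon entropy over detail-band energy shares, the function names, and both sample sequences are assumptions.

```python
import math


def haar_bands(signal):
    """Full Haar DWT: returns [detail_1 (finest), ..., detail_k, final_approx]."""
    n = len(signal)
    if n < 4 or n & (n - 1):
        raise ValueError("length must be a power of two, at least 4")
    root2, approx, bands = math.sqrt(2.0), list(signal), []
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        bands.append([(a - b) / root2 for a, b in pairs])  # detail band
        approx = [(a + b) / root2 for a, b in pairs]       # input to next level
    return bands + [approx]


def band_energies(signal):
    """Frequency band energy: sum of squared coefficients per wavelet band."""
    return [sum(c * c for c in band) for band in haar_bands(signal)]


def spectral_entropy(signal):
    """Shannon entropy of the detail-band energy shares, scaled to 0..1."""
    mean = sum(signal) / len(signal)
    # After centring, the final approximation band carries no energy, so drop it.
    details = band_energies([x - mean for x in signal])[:-1]
    total = sum(details)
    if total == 0:
        return 0.0  # constant signal has no spectral content
    shares = [e / total for e in details if e > 0]
    return sum(-p * math.log2(p) for p in shares) / math.log2(len(details))


# Constructed packet-size sequences (bytes), 16 packets each.
STEADY = [512, 520] * 8
BURSTY = [512, 520, 64, 1500, 512, 1400, 1480, 60,
          520, 512, 1500, 1500, 64, 64, 512, 1200]

if __name__ == "__main__":
    for name, seq in (("steady", STEADY), ("bursty", BURSTY)):
        energies = [round(e) for e in band_energies(seq)]
        print(name, energies, round(spectral_entropy(seq), 3))
```

The steady sequence concentrates all of its energy in one band and scores an entropy of 0, whereas the irregular sequence spreads energy across bands and scores close to 0.7.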

The scatter plot of spectral entropy versus frequency band energy shows partial clustering, indicating that these features jointly contribute to distinguishing anomalous traffic from normal behavior. 

Parallel coordinates charts for protocol type, source IP, and destination IP enable multi-feature inspection of individual records. These visualizations reveal that anomalies often correspond to uncommon combinations of protocol usage, IP addresses, and TCP flag states. 

Protocol encoding is represented using mutually exclusive binary indicators: 

TCP     UDP     ICMP    Meaning
TRUE    FALSE   FALSE   TCP packet
FALSE   TRUE    FALSE   UDP packet
FALSE   FALSE   TRUE    ICMP packet

This encoding improves interpretability and ensures clear protocol identification in multi-dimensional analysis. 

Discussion

The dashboard analysis demonstrates that anomalous network traffic cannot be characterized by a single feature or threshold. Instead, malicious behavior emerges through irregularity across multiple dimensions, including packet size variation, timing instability, burst intensity, protocol misuse, and increased frequency-domain randomness. 

Traffic-level features provide early indicators of abnormal behavior, while protocol, port, and IP analysis adds contextual understanding. Frequency-domain features further strengthen anomaly detection by capturing signal-level irregularities that are not visible in time-domain analysis alone. 

The findings support the suitability of this dataset for advanced anomaly detection models and highlight the importance of multi-feature, behavior-based analysis in embedded system security. 

Conclusion

This project presents a comprehensive Network Traffic Anomaly Detection Dashboard developed using Dashtera. Through interactive visual analytics, the dashboard enables systematic comparison of normal and anomalous network behavior across traffic volume, protocol usage, addressing patterns, and frequency-domain characteristics. 

The analysis confirms that anomalous traffic is characterized by increased variability, burst behavior, protocol diversity, and higher spectral entropy rather than simple linear deviations. The dashboard provides a strong foundation for future work involving machine learning–based intrusion detection, real-time monitoring, and predictive security analytics. 

Future extensions may include integrating anomaly scores, deploying live data streams, or evaluating deep learning models using the same feature set. Overall, the dashboard demonstrates the effectiveness of visual analytics in supporting network security research for embedded and IoT environments. 
