User Behavior Map: Visual Exploration for Cyber Security Session Data

User behavior analysis is complex and especially crucial in the cyber security domain. Understanding dynamic and multi-variate user behavior are challenging. Traditional sequential and timeline based method cannot easily address the complexity of temporal and relational features of user behaviors. We propose a map-based visual metaphor and create an interactive map for encoding user behaviors. It enables analysts to explore and identify user behavior patterns and helps them to understand why some behaviors are regarded as anomalous. We experiment with a real dataset containing multiple user sessions, consisting of sequences of diverse types of actions. In the behavior map, we encode an action as a city and user sessions as trajectories going through the cities. The position of the cities is determined by the sequential and temporal relationship of actions. Spatial and temporal patterns on the map reflect behavior patterns in the action space. In the case study, we illustrate how we explore relationships between actions, identify patterns of the typical session and detect anomaly behaviors.