Analytical Interface

The main part of the Granef toolkit is the graphical environment, which is available by default at http://127.0.0.1:8000. This environment provides the user with the necessary functions to analyze the data loaded in the graph database.

The main part of the Granef interface is a graph visualization, where individual nodes are distinguished by color according to their type (see the following figure). When multiple nodes are clustered into one, the resulting node is colored with all contained types in proportion to their share. A detailed database schema can be found at https://granef.csirt.muni.cz/#database.

Database schema

Initial settings

On the home page, you can go to the Preferences and define default layout and style settings for new visualizations. In addition, it is possible to define new tags and colors that can be used to mark selected nodes. The following video shows how these Preferences can be set up.

When editing the Preferences, keep in mind that if the analytical module is destroyed (the remove attribute of the granef script), these settings will be deleted too.

Visualizations management

The Granef visualization allows you to use multiple visualizations (workspaces) that can be annotated, saved, duplicated, or deleted. It is possible to simply switch between the different visualizations to maintain different results and views of the analyzed data. The following video shows how to create and maintain the visualization during the analysis.

Analytical queries

Queries about data stored in the database or current visualization can be made using the Search child window. On the top switch, it is possible to choose whether to query the currently loaded data (unavailable if the visualization does not contain data) or use the analysis API (i.e., query the database).

In the case of Search in visualization, you can search nodes in the current graph by assigned tags, colors, or node type. In addition, it is possible to search for nodes by their Betweenness centrality or Page rank (both according to a specified value). The found nodes are then marked as selected.
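To illustrate what a betweenness-centrality search at a specified value surfaces, the following added example (not Granef's own code) computes betweenness with Brandes' algorithm over a small constructed host graph and returns the nodes at or above a threshold. The sample addresses, the function names, and the use of unnormalized scores on an undirected graph are assumptions; the scaling Granef applies to its values is not described on this page.

```python
from collections import deque

# Constructed sample of host-to-host edges (documentation-range addresses,
# not data from Granef). 198.51.100.5 is the only link between two groups.
EDGES = [
    ("192.0.2.10", "192.0.2.11"), ("192.0.2.10", "192.0.2.12"),
    ("192.0.2.11", "192.0.2.12"), ("192.0.2.12", "198.51.100.5"),
    ("198.51.100.5", "203.0.113.20"), ("203.0.113.20", "203.0.113.21"),
    ("203.0.113.20", "203.0.113.22"), ("203.0.113.21", "203.0.113.22"),
]

def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def betweenness(adj):
    """Brandes' algorithm: unweighted, undirected, unnormalized scores."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        # BFS from s, counting shortest paths (sigma) and predecessors.
        dist, sigma = {s: 0}, dict.fromkeys(adj, 0)
        sigma[s] = 1
        preds = {v: [] for v in adj}
        order, queue = [], deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        # Walk back from the farthest nodes, accumulating dependencies.
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: c / 2 for v, c in score.items()}  # each pair was counted twice

def select_by_betweenness(adj, minimum):
    scores = betweenness(adj)
    return {v: scores[v] for v in scores if scores[v] >= minimum}
```

In this sample a threshold of 9 selects only the bridging host, while lowering it to 8 also selects the two hosts adjacent to the bridge.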

In the case of Search in analysis API, it is possible to submit queries directly to the API serving as an interface to the database. The user can specify if the result should be clustered (which is helpful, especially for larger amounts of data) as a single node or divided by time windows (only for Connection nodes). In addition, it is possible to select whether the new data should be added to or replace existing data. To query the database, it is possible to use predefined API functions or write a custom query in DQL. In the case of predefined functions, it is only necessary to define the required input forms, and it is not necessary to know how to write correct queries for the graph database.

Graph visualization control

The visualization is designed to be controlled mainly with the mouse, with only a few keyboard shortcuts. The following functions can be used to manage the visualization:

  • mouse hover above the node – show node details (may be disabled in the Control menu);
  • left click on a node – node selection;
  • double left click on a node – show node details;
  • holding the left button down on a node – move the node in the visualization (turns off physics when the node is moved);
  • holding the left button down on empty space – move the view of the visualization;
  • right click – show context menu;
  • left shift + holding the left button down or clicking on a node – selection of nodes;
  • mouse wheel – zoom in and out.

Control menu

To manipulate the visualized graph, use the Control menu, which provides functions for manipulating and adjusting the visualization. This menu is divided into the following nine categories:

Menu items

  1. View manipulation contains Fit view and Zoom in/out buttons to adjust the view of the graph.
  2. Node locks provide two modes for locking node positions. The global one locks the node position on the canvas regardless of further modifications in the graph. Graph-aware locking continuously recalculates and adjusts the position of the locked node due to further graph changes caused by user interaction.
  3. Node hiding allows hiding the nodes to unclutter the view and show them again.
  4. Graph actions section contains the node removal feature, invert selection, and tag and color assignment, which show the related child windows where users can set one or more tags or colors on nodes. The last two options show details about selected nodes and determine whether node info is displayed automatically when the mouse hovers.
  5. Clustering actions allow the user to apply four graph clustering operations to aggregate selected nodes and to unfold clustered (aggregated) nodes: clustering the outliers (nodes with the node degree 1), manual clustering of selected nodes, automated clustering of all nodes, and clustering of selected edges. The last button performs the cluster unfolding.
  6. Export and Save tools allow users to export the current graph as a serialized visualization in a JSON format or an image, or save the current analytical case, including the visualization state (i.e., definitions of nodes and edges, characteristics of the current view and data necessary for cluster manipulation).
  7. Timeline controls display the Timeline child window showing the number of connections (y-axis) over time (x-axis).
  8. Selection mode allows changing the mode between rectangular and lasso (freehand).
  9. Other actions display the Search child window, open the Preferences child window, and allow updating the visualization description.

Preferences child window

A child window that allows you to customize visualization properties. Specifically, the following properties can be set:

  • Layout – Selection and setting of a used graph layout (see description of available layouts at Cytoscape.js documentation).
  • Stylesheet – Selection of the information displayed in the visualization.
  • Timeline Clustering – Definition of time window duration for timeline clustering.
  • Tags – Definition of tags that can be used in the current visualization.
  • Colors – Definition of node colors that can be used in the current visualization.

Selection detail

A child window that displays information about selected nodes. If only one node is selected or hovered, it shows its attributes. If multiple nodes are selected, the window contains five tabs:

  • Types – Summary of node types in the selection and clusters.
  • Statistics – Overview of the data using various chart visualizations.
  • Data – Tables with information about nodes and their attributes.
  • Timeline (optional) – Timeline visualization of Connection nodes, shown when the selection (or cluster) contains them.
  • Flow (optional) – Communication visualization, shown when the selection (or cluster) contains Connection and Host nodes.

Context menu

The context menu appears when you click the right mouse button. The option to select all nodes is displayed if you click on a blank area. The following menu with various functions will be displayed when clicking on a node or clicking anywhere (if any nodes are selected):

Context menu

  1. Select all – Select all nodes visible in the graph visualization.
  2. Select neighbours – Select neighboring nodes of the selection according to their type.
  3. Open clusters – Open selected cluster.
  4. Fetch all attributes – Fetch all attributes of selected nodes from the database.
  5. Fetch neighbours – Fetch neighboring nodes of the selection according to their type. The menu lets you decide whether to show the data individually, as a single node (cluster), or use timeline clustering.