Time series (stacked); line colors follow “Colors”
Drop anomaly index (line) + IP drop heatmap (squares)
Global traffic heatmap (country aggregate, cached)
ML scatter
How to read this plot
Axes (Projection) — PCA: first two principal components of standardized log-features (traffic shape). Similar points often move together across time.
t-SNE: nonlinear 2D embedding that preserves local neighborhoods; good for spotting clusters, but distances between far-apart regions are not strictly meaningful.
Bytes vs Conns (log): raw log1p totals in the selected time window; X ≈ volume, Y ≈ connection churn.
Risk (0–100) — rescaled anomaly score within the current window only. IsolationForest / LOF flag IPs whose feature vector is unusual vs peers; Z-score uses Euclidean norm of standardized features. Higher = more unusual, not proof of abuse.
Density layer — 2D kernel-style contour of where most IPs fall; outliers sit in sparser regions. Toggle off to reduce clutter.
Colors — Stable per IP: fixed hue per address (read stacks/legends). Traffic: blue (low) → red (high) by log-scaled bytes in the window among shown rows. Suspicion: green (low risk) → red (high risk); matches the numeric risk score.
Click table row — highlights one IP in both charts (others fade).
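The Z-score variant of the Risk item above, as an added example (not the dashboard's own code): log1p features are standardized, the Euclidean norm of each IP's vector is the raw score, and the result is rescaled to 0–100 within the window. Assumptions: the features are only bytes and connection totals, the rescaling is min-max, and the names `WINDOW`, `standardize` and `risk_scores` plus all sample values are constructed for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed sample window: per-IP (bytes, connections) totals.
# Addresses are documentation ranges; the numbers are made up.
WINDOW = {
    "192.0.2.10": (120_000, 40),
    "192.0.2.11": (95_000, 35),
    "192.0.2.12": (150_000, 55),
    "192.0.2.13": (110_000, 38),
    "198.51.100.7": (9_000_000, 4_200),  # far more volume and churn than its peers
    "203.0.113.5": (130_000, 44),
}

def standardize(column):
    """Z-score one feature column; a constant column maps to all zeros."""
    mu, sigma = mean(column), pstdev(column)
    return [0.0 if sigma == 0 else (v - mu) / sigma for v in column]

def risk_scores(window):
    """Return {ip: risk in 0..100} for one time window (Z-score method)."""
    ips = list(window)
    if not ips:
        return {}
    # log1p compresses heavy-tailed totals before standardizing each feature
    cols = [standardize([math.log1p(window[ip][i]) for ip in ips]) for i in range(2)]
    # Raw score: Euclidean norm of each IP's standardized feature vector
    raw = [math.hypot(cols[0][k], cols[1][k]) for k in range(len(ips))]
    lo, hi = min(raw), max(raw)
    if hi == lo:  # single IP or identical peers: nothing stands out
        return {ip: 0.0 for ip in ips}
    # Assumed rescaling: min-max over this window only
    return {ip: 100.0 * (r - lo) / (hi - lo) for ip, r in zip(ips, raw)}

if __name__ == "__main__":
    ranked = sorted(risk_scores(WINDOW).items(), key=lambda kv: -kv[1])
    for ip, score in ranked:
        print(f"{ip:15s} {score:6.1f}")
```

Because the rescaling is relative to the window, removing the heavy IP from `WINDOW` still leaves some other address at 100, which is why a high score means "most unusual among the rows shown" rather than proof of abuse.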