# Technical Data Extraction: Network Flow Analysis Chart
## 1. Image Metadata & Classification
* **Type:** Line Graph (Time-series)
* **Scale:** Semi-logarithmic (Y-axis is logarithmic, X-axis is linear)
* **Language:** English
* **Subject:** Network traffic monitoring, specifically comparing "Benign" traffic vs. "DoS" (Denial of Service) attack flows over time.
## 2. Component Isolation
### A. Header / Legend
* **Location:** Top-center [approx. x=400-600, y=top]
* **Legend Items:**
    * **Green Line:** Labelled "Benign"
    * **Red Line:** Labelled "DoS"
### B. Axis Configuration
* **Y-Axis (Vertical):**
    * **Title:** Number of Flows
    * **Scale:** Logarithmic ($10^0$ to $10^6$)
    * **Major Markers:** $10^0$ (1), $10^1$ (10), $10^2$ (100), $10^3$ (1,000), $10^4$ (10,000), $10^5$ (100,000), $10^6$ (1,000,000).
* **X-Axis (Horizontal):**
    * **Title:** Time in minutes
    * **Scale:** Linear (0 to 800)
    * **Major Markers:** 0, 100, 200, 300, 400, 500, 600, 700, 800.
    * **Note:** Labels are rotated at approximately a 45-degree angle.
## 3. Data Series Analysis & Trends
### Series 1: Benign (Green Line)
* **Visual Trend:** This series exhibits a "noisy" but relatively stable horizontal trend for the majority of the duration, followed by a sharp terminal decline.
* **Data Points & Behavior:**
    * **0 - 500 minutes:** The flow count fluctuates rapidly between approximately $10^3$ and $5 \times 10^3$. It maintains a baseline of roughly 2,000–3,000 flows.
    * **500 - 530 minutes:** A slight downward trend begins.
    * **530 - 560 minutes:** A precipitous drop occurs, with the flow count falling from $\sim 10^3$ to nearly $10^0$ (1 flow).
    * **End Point:** The data terminates around the 560-minute mark.
### Series 2: DoS (Red Line)
* **Visual Trend:** This series is characterized by "pulse" or "burst" behavior. It remains at zero (off the bottom of the log scale) for most of the time, with two distinct, high-intensity spikes.
* **Data Points & Behavior:**
    * **Interval 1 (approx. 95 - 145 mins):** A sudden vertical rise to a flat plateau at exactly $2 \times 10^3$ flows. It maintains this constant rate for ~50 minutes before dropping vertically back to zero.
    * **Interval 2 (approx. 310 - 325 mins):** A second, more intense spike. It peaks sharply at approximately $1.5 \times 10^4$ (15,000) flows before settling into a brief plateau around $7 \times 10^3$ and then dropping back to zero.
    * **Other Intervals:** No DoS flows are recorded outside of these two specific windows.
## 4. Summary Table of Key Events
| Time (Approx. Min) | Event Type | Flow Count (Approx.) | Description |
| :--- | :--- | :--- | :--- |
| 0 - 530 | Baseline | $10^3 - 5 \times 10^3$ | Continuous Benign traffic activity. |
| 95 - 145 | DoS Attack 1 | $2 \times 10^3$ | Sustained, flat-top burst of DoS flows. |
| 310 - 325 | DoS Attack 2 | $1.5 \times 10^4$ | High-intensity peak, significantly exceeding benign traffic levels. |
| 530 - 560 | Termination | $10^3 \rightarrow 10^0$ | Rapid cessation of all network activity. |
## 5. Technical Observations
* **Attack Magnitude:** The second DoS attack (at minute 310) is the highest point on the graph, an order of magnitude above the average benign traffic.
* **Data Termination:** The graph ends abruptly at ~560 minutes, despite the X-axis extending to 800. This suggests the capture session ended or the system went offline at that point.