Cyber security visualization is a multi-discipline research field. Visualization techniques have injected new vitality into traditional analysis methods for cyber security. However, most existing studies focus on the visual expression and overlook the visual support for the data analysis process. This paper presents a top-down model for anomaly detection on network traffic time-series data drawing from the experience of cyber security analysts. A prototype system is designed based on this model, and it includes four collaborative views with direct and rich interactions. A number of experiments, including port scanning and DDoS attacking, are carried out to demonstrate that this system can support network traffic time-series analysis on overview to detail, point to area and past to future process flows.