Publication


Featured research published by Daniel M. Best.


visualization for computer security | 2010

Real-time visualization of network behaviors for situational awareness

Daniel M. Best; Shawn J. Bohn; Douglas V. Love; Adam S. Wynne; William A. Pike

Plentiful, complex, and dynamic data make understanding the state of an enterprise network difficult. Although visualization can help analysts understand baseline behaviors in network traffic and identify off-normal events, visual analysis systems often do not scale well to operational data volumes (in the hundreds of millions to billions of transactions per day) nor to analysis of emergent trends in real-time data. We present a system that combines multiple, complementary visualization techniques coupled with in-stream analytics, behavioral modeling of network actors, and a high-throughput processing platform called MeDICi. This system provides situational understanding of real-time network activity to help analysts take proactive response steps. We have developed these techniques using requirements gathered from the government users for which the tools are being developed. By linking multiple visualization tools to a streaming analytic pipeline, and designing each tool to support a particular kind of analysis (from high-level awareness to detailed investigation), analysts can understand the behavior of a network across multiple levels of abstraction.


visual analytics science and technology | 2008

The Scalable Reasoning System: Lightweight visualization for distributed analytics

William A. Pike; Joe Bruce; Bob Baddeley; Daniel M. Best; Lyndsey Franklin; Richard May; Douglas M. Rice; Rick Riensche; Katarina Younkin

A central challenge in visual analytics is the creation of accessible, widely distributable analysis applications that bring the benefits of visual discovery to as broad a user base as possible. Moreover, to support the role of visualization in the knowledge creation process, it is advantageous to allow users to describe the reasoning strategies they employ while interacting with analytic environments. We introduce an application suite called the scalable reasoning system (SRS), which provides Web-based and mobile interfaces for visual analysis. The service-oriented analytic framework that underlies SRS provides a platform for deploying pervasive visual analytic environments across an enterprise. SRS represents a “lightweight” approach to visual analytics whereby thin client analytic applications can be rapidly deployed in a platform-agnostic fashion. Client applications support multiple coordinated views while giving analysts the ability to record evidence, assumptions, hypotheses and other reasoning artifacts. We describe the capabilities of SRS in the context of a real-world deployment at a regional law enforcement organization.


visualization for computer security | 2015

Ocelot: user-centered design of a decision support visualization for network quarantine

Dustin Arendt; Russ Burtner; Daniel M. Best; Nathan Bos; John Gersh; Christine D. Piatko; Celeste Lyn Paul

Most cyber security research is focused on detecting network intrusions or anomalies through the use of automated methods, exploratory visual analytics systems, or real-time monitoring using dynamic visual representations. However, there has been minimal investigation of effective decision support systems for cyber analysts. This paper describes the user-centered design and development of a decision support visualization for active network defense. Ocelot helps the cyber analyst assess threats to a network and quarantine affected computers from the healthy parts of a network. The described web-based, functional visualization prototype integrates and visualizes multiple data sources through the use of a hybrid space partitioning tree and node link diagram. We describe our design process for requirements gathering and design feedback which included expert interviews, iterative design, and a user study.


Information Visualization | 2009

The scalable reasoning system: lightweight visualization for distributed analytics

William A. Pike; Joe Bruce; Bob Baddeley; Daniel M. Best; Lyndsey Franklin; Richard May; Douglas M. Rice; Rick Riensche; Katarina Younkin

A central challenge in visual analytics is the creation of accessible, widely distributable analysis applications that bring the benefits of visual discovery to as broad a user base as possible. Moreover, to support the role of visualization in the knowledge creation process, it is advantageous to allow users to describe the reasoning strategies they employ while interacting with analytic environments. We introduce an application suite called the scalable reasoning system (SRS), which provides web-based and mobile interfaces for visual analysis. The service-oriented analytic framework that underlies SRS provides a platform for deploying pervasive visual analytic environments across an enterprise. SRS represents a ‘lightweight’ approach to visual analytics whereby thin client analytic applications can be rapidly deployed in a platform-agnostic fashion. Client applications support multiple coordinated views while giving analysts the ability to record evidence, assumptions, hypotheses and other reasoning artifacts. We describe the capabilities of SRS in the context of a real-world deployment at a regional law enforcement organization.


international conference on augmented cognition | 2013

Gamification for measuring cyber security situational awareness

Glenn A. Fink; Daniel M. Best; David O. Manz; Viatcheslav Popovsky; Barbara Endicott-Popovsky

Cyber defense competitions arising from U.S. service academy exercises offer a platform for collecting data that can inform research that ranges from characterizing the ideal cyber warrior to describing behaviors during certain challenging cyber defense situations. This knowledge could lead to better preparation of cyber defenders in both military and civilian settings. This paper describes how one regional competition, the PRCCDC, a participant in the national CCDC program, conducted proof of concept experimentation to collect data during the annual competition for later analysis. The intent is to create an ongoing research agenda that expands on this current work and incorporates augmented cognition and gamification methods for measuring cybersecurity situational awareness under the stress of cyber attack.


collaboration technologies and systems | 2010

Towards efficient collaboration in cyber security

Peter Sy Hui; Joseph R. Bruce; Glenn A. Fink; Michelle L. Gregory; Daniel M. Best; Liam R. McGrath; Alex Endert

Cyber security analysts in different geographical and organizational domains are often largely tasked with similar duties, albeit with domain-specific variations. These analysts necessarily perform much of the same work independently, for instance, analyzing the same list of security bulletins released by largely the same set of software vendors. As such, communication and collaboration between such analysts would be mutually beneficial to the analysts involved, potentially reducing redundancy and offering the opportunity to preemptively alert each other to high-severity security alerts in a more timely fashion. However, several barriers to practical and efficient collaboration exist, and consequently, no such framework exists to support these efforts. In this paper, we discuss the inherent difficulties which make efficient collaboration between cyber security analysts a difficult goal to achieve. We discuss preliminary ideas and concepts towards a collaborative cyber-security framework currently under development, whose goal is to facilitate analyst collaboration across these boundaries. While still in its early stages, we describe work-in-progress towards achieving this goal, including motivation, functionality, concepts, and a high-level description of the proposed system architecture.


Computers & Geosciences | 2010

GWVis: A tool for comparative ground-water data visualization

Daniel M. Best; Robert R. Lewis

The Ground-Water Visualization application (GWVis) presents ground-water data visually in order to educate the public on ground-water issues. It is also intended for presentations to government and other funding agencies. GWVis works with ground-water level elevation data collected or modeled over a given time span, together with a matching fixed underlying terrain. GWVis was developed using the Python programming language in conjunction with associated extension packages and application program interfaces such as OpenGL™ to improve performance and allow us fine control of attributes of the model such as lighting, material properties, transformations, and interpolation. There are currently several systems available for visualizing ground-water data. We classify these into two categories: research-oriented models and static presentation-based models. While both of them have their strengths, we find the former overly complex and non-intuitive and the latter not engaging and presenting problems showing multiple data dimensions. GWVis bridges the gap between static and research based visualizations by providing an intuitive, interactive design that allows participants to view the model from different perspectives, infer information about simulations, and view a comparison of two datasets. By incorporating scientific data in an environment that can be easily understood, GWVis allows that information to be presented to a large audience base.


ieee symposium on large data analysis and visualization | 2011

Atypical behavior identification in large-scale network traffic

Daniel M. Best; Ryan P. Hafen; Bryan K. Olsen; William A. Pike

Cyber analysts are faced with the daunting challenge of identifying exploits and threats within potentially billions of daily records of network traffic. Enterprise-wide cyber traffic involves hundreds of millions of distinct IP addresses and results in data sets ranging from terabytes to petabytes of raw data. Creating behavioral models and identifying trends based on those models requires data intensive architectures and techniques that can scale as data volume increases. Analysts need scalable visualization methods that foster interactive exploration of data and enable identification of behavioral anomalies. Developers must carefully consider application design, storage, processing, and display to provide usability and interactivity with large-scale data. We present an application that highlights atypical behavior in enterprise network flow records. This is accomplished by utilizing data intensive architectures to store the data, aggregation techniques to optimize data access, statistical techniques to characterize behavior, and a visual analytic environment to render the behavioral trends, highlight atypical activity, and allow for exploration.


visualization for computer security | 2016

CyberPetri at CDX 2016: Real-time network situation awareness

Dustin Arendt; Daniel M. Best; Russ Burtner; Celeste Lyn Paul

CyberPetri is a novel visualization technique that provides a flexible map of the network based on available characteristics, such as IP address, operating system, or service. Previous work introduced CyberPetri as a visualization feature in Ocelot, a network defense tool that helped security analysts understand and respond to an active defense scenario. In this paper we present a case study in which we use CyberPetri to support real-time situation awareness during the 2016 Cyber Defense Exercise.


ieee international conference on technologies for homeland security | 2008

From Desktop to Field: Deploying Visual Incident Analysis for Law Enforcement

Bob Baddeley; Katarina Younkin; Rick Riensche; Daniel M. Best; William A. Pike; Richard May

We present a prototype mobile application environment for law enforcement users to assist them in daily operations. This system supports the collection of real-time observations and allows users to quickly share their findings with team members. Mobile tools for law enforcement introduce safety and other operational constraints that must be considered in developing appropriate user interfaces. Our environment attempts to address these challenges and provide tools to increase information sharing among officers and expedite form-filling and evidence collection. Moreover, real-time location tracking and mapping enables mobile users to view the locations of team members and to push data (such as field-collected images, video, or text) to them.

Collaboration


Top Co-Authors

William A. Pike (Pacific Northwest National Laboratory)

Joseph R. Bruce (Pacific Northwest National Laboratory)

Bob Baddeley (Pacific Northwest National Laboratory)

Glenn A. Fink (Pacific Northwest National Laboratory)

Katarina Younkin (Pacific Northwest National Laboratory)

Lyndsey Franklin (Pacific Northwest National Laboratory)

Richard May (Pacific Northwest National Laboratory)

Rick Riensche (Pacific Northwest National Laboratory)

Scott T. Dowson (Pacific Northwest National Laboratory)

Alex Endert (Pacific Northwest National Laboratory)