Glenn A. Fink

Analytic provenance: process+interaction+insight

Visual analytics is the science of analytical reasoning facilitated by interactive visual interfaces. One key aspect that separates visual analytics from other related fields (InfoVis, SciVis, HCI) is the focus on analytical reasoning. While the final products generated at from an analytical process are of great value, research has shown that the processes of the analysis themselves are just as important if not more so. These processes not only contain information on individual insights discovered, but also how the users arrive at these insights. This area of research that focuses on understanding a users reasoning process through the study of their interactions with a visualization is called Analytic Provenance, and has demonstrated great potential in becoming a foundation of the science of visual analytics. The goal of this workshop is to provide a forum for researchers and practitioners from academia, national labs, and industry to share methods for capturing, storing, and reusing user interactions and insights. We aim to develop a research agenda for how to better study analytic provenance and utilize the results in assisting users in solving real world problems.

A multi-phase network situational awareness cognitive task analysis

The goal of our project is to create a set of next-generation cyber situational-awareness capabilities with applications to other domains in the long term. The objective is to improve the decision-making process to enable decision makers to choose better actions. To this end, we put extensive effort into making certain that we had feedback from network analysts and managers and understand what their genuine needs are. This article discusses the cognitive task-analysis methodology that we followed to acquire feedback from the analysts. This article also provides the details we acquired from the analysts on their processes, goals, concerns, the data and metadata that they analyze. Finally, we describe the generation of a novel task-flow diagram representing the activities of the target user base.

Ant-Based Cyber Security

We describe a swarming-agent-based, mixed initiative approach to infrastructure defense where teams of humans and software agents defend cooperating organizations in tandem by sharing insights and solutions without violating proprietary boundaries. The system places human administrators at the appropriate level: where they provide system guidance while lower-level agents carry out tasks humans are unable to perform quickly enough to mitigatetodays security threats. Cooperative Infrastructure Defense, or CID, uses our ant-based approach to enable dialogue between humans and agents to foster a collaborative problem solving environment, to increase human situational awareness and to influence using visualization and shared control. We discuss theoretical implementation characteristics along with results from recent proof-of-concept implementations.

Root polar layout of Internet address data for security administration

This paper introduces an adaptation of polar coordinates called root polar plotting that we have developed for our network pixel map, a computer security visualization capable of representing tens of thousands of hosts at a time. Root polar coordinates overcome two important problems of normal polar coordinates: plot density distortion and severe occlusion near the origin. We discuss several approaches we took while investigating this problem and provide empirical data from experiments we conducted comparing root polar coordinates against both normal polar and Cartesian coordinates. In any application where a polar plot would be useful but distortion of the data must be avoided, or where it is important to avoid some markers from being occluded by others, root polar coordinates may be useful. Our approach provides: (1) a novel adaptation of polar coordinates that overcomes plotting distortion; (2) a means of plotting network data in near real-time without complex layout optimization; (3) an algorithm that reduces occlusion of plotted points while maintaining consistent placement; and (4) an empirical comparison of Cartesian vs. polar plots.

Security and privacy grand challenges for the Internet of Things

The growth of the Internet of Things (IoT) is driven by market pressures, and while security is being considered, the relationship between the unintended consequences of billions of such devices connecting to the Internet cannot be described with existing mathematical methods. The possibilities for unintended surveillance through lifestyle analysis, unauthorized access to information, and new attack vectors will continue to increase by 2020, when up to 50 billion devices may be connected. This paper discusses various kinds of vulnerabilities that can be expected to arise, and presents a research agenda for mitigating the worst of the impacts. We hope to draw research attention to the potential dangers of IoT so that many of these problems can be avoided.

Gamification for measuring cyber security situational awareness

Cyber defense competitions arising from U.S. service academy exercises, offer a platform for collecting data that can inform research that ranges from characterizing the ideal cyber warrior to describing behaviors during certain challenging cyber defense situations. This knowledge could lead to better preparation of cyber defenders in both military and civilian settings. This paper describes how one regional competition, the PRCCDC, a participant in the national CCDC program, conducted proof of concept experimentation to collect data during the annual competition for later analysis. The intent is to create an ongoing research agenda that expands on this current work and incorporates augmented cognition and gamification methods for measuring cybersecurity situational awareness under the stress of cyber attack.

Bio-inspired cyber security for smart grid deployments

Smart Grid technologies are transforming the electric power system in ways that will significantly impact electric distribution systems and result in greater efficiency. However, the increased scale of the grid and the new types of information it will transmit introduce security risks that cannot be addressed by traditional, centralized security techniques. We propose a scalable approach inspired by the complex-adaptive control systems of social insects, such as ants and bees. These systems emerge from inter-agent communication and the collective application of simple rules. The Digital Ants framework is a bio-inspired framework that uses lightweight, mobile agents. The agents communicate using digital pheromones which enable the agents to alert each other of possible cyber security issues. All communication and coordination is both localized and decentralized thereby allowing the framework to scale across the large numbers of devices that will exist in the Smart Grid. Furthermore, being lightweight makes the agents suitable for implementation on devices with limited computational resources. This paper will provide a brief overview of the Digital Ants framework and then present results from testbed-based demonstrations that show how Digital Ants can identify a cyber security attack scenario against smart meter deployments.

Professional analysts using a large, high-resolution display

Professional cyber analysts were observed as they attempted to solve the VAST 2009 Traffic Mini Challenge using basic visualization tools and a large, high-resolution display. We discuss some of the lessons we learned about how analysts actually work and potential roles for visualization and large, high-resolution displays.

Using swarming agents for scalable security in large network environments

The difficulty of securing computer infrastructures increases as they grow in size and complexity. Network-based security solutions such as IDS and firewalls cannot scale because of exponentially increasing computational costs inherent in detecting the rapidly growing number of threat signatures. Host-based solutions like virus scanners and IDS suffer similar issues that are compounded when enterprises try to monitor them in a centralized manner. Swarm-based autonomous agent systems like digital ants and artificial immune systems can provide a scalable security solution for large network environments. The digital ants approach offers a biologically inspired design where each ant in the virtual colony can detect atoms of evidence that may help identify a possible threat. By assembling the atomic evidences from different ant types the colony may detect the threat. This decentralized approach can require, on average, fewer computational resources than traditional centralized solutions; however there are limits to its scalability. This paper describes how dividing a large infrastructure into smaller, managed enclaves allows the digital ant framework to effectively operate in larger environments. Experimental results will show that using smaller enclaves allows for more consistent distribution of agents and results in faster response times.

Situational Awareness as a Measure of Performance in Cyber Security Collaborative Work

Cyber defense competitions arising from U.S. service academy exercises offer a platform for collecting data that can inform research that ranges from characterizing the ideal cyber warrior to describing behaviors during certain challenging cyber defense situations. This knowledge in turn could lead to better preparation of cyber defenders in both military and civilian settings. We conducted proof-of-concept experimentation to collect data during the Pacific-rim Regional Collegiate Cyber Defense Competition (PRCCDC) and analyzed it to study the behavior of cyber defenders. We propose that situational awareness predicts performance of cyber security professionals, and in this paper we focus on our collection and analysis of competition data to determine whether it supports our hypothesis. In addition to normal cyber data, we collected situational awareness and workload data and compared it against the performance of cyber defenders as indicated by their competition score. We conclude that there is a weak correlation between our measure of situational awareness and performance. We hope to refine and exploit this correlation in further studies.