Interactive Visualizations for Cyber-Mission Awareness. ARO MURI on Cyber Situation Awareness, Year One Review Meeting. Tobias Höllerer, Four Eyes Laboratory (Imaging, Interaction, and Innovative Interfaces), Computer Science Department, Media Arts & Technology Program.
Motivation
1. Up-to-date views of the available cyber-assets
2. A comprehensive analysis of the dependencies between cyber-missions and cyber-assets
3. An accurate understanding of the impact of cyber-attacks
4. Actionable cyber-attack forecasts
5. A semantically rich, easy-to-grasp view of the cyber-mission status
Approach: Scalable Visualization and Interaction
Effective information and knowledge presentation by tailoring interfaces to the user's information needs, context, and cognitive state.
- User models (e.g. war fighters, network security officers, command center personnel)
- Display and interaction platforms (mobile interfaces, desktop, immersive situation rooms)
Our integrative framework and the data structures we share (from data modeling and acquisition, through extraction and abstraction, to analysis and presentation) enable such dynamic tailoring, and let users interactively explore the information landscape.
Access To Data
- Lawrence Berkeley National Lab (LBL) logs: ~4,000 users, ~12,000 internal hosts, Gbps/10Gbps links. Ground truth (at least partial) is available, as are topology and historical DNS.
- UCSB network logs and trouble tickets: network logging facilities set up with Engineering Computing Infrastructure at UCSB; NetFlow from switches in the 3 main engineering buildings; correlation with CS support trouble tickets.
User/Task Analysis
Main user types: network security officers at different levels; command center and mission planning personnel.
Network security officers: most likely a standard desktop computer and display, but they might switch to a mobile interface in extraordinary situations. Cybaware visualizations need to be easily shared and networked. Officers need to maintain an overview of the mission timeline, including assets and their use, as well as all incoming information, potential threats, their impact, and possible countermeasures.
Mission planners and some officers may work in the situation room, where we assume high-end display and interaction hardware to be available.
Platform Evaluation
- Mobile Platform
- Desktop / Networked Collaboration
- Immersive Situation Room (UCSB AlloSphere)
Ebb: context-aware timelines (mobile platform)
Desktop / Networked Collaboration: Networked Graph Views. WIGIs: Web-based Interactive Graph Interfaces (demo).
Cybaware NSR
NSR (Network Simulation Realm) is an immersive 3D visualization tool for cybersecurity situational awareness: a framework for defining and importing network topologies, registering relevant data sets, and rendering a space containing these entities in a situation room or on a desktop PC. (Architecture diagram: Network Topologies and Datasets feed the Space, which is rendered on a Desktop PC or in the AlloSphere.)
A key element of our framework is a plug-in based architecture allowing users to build and deploy any number of custom visualization agents into the space. These plug-in agents can annotate and augment the network entities in the space in order to provide real-time analysis, feedback, or suggestions to the user.
Plugin Example: Visualizing Game Theoretic Problems
Goal: visualize information about game theoretic problems to aid the decision making process; this will enable interactive what-if analyses of attack scenarios. Here a game means a sequence of moves (the game may be incomplete). First step: visualize data from game trees.
Game Trees
Example: the Tic-Tac-Toe game tree.
- Root: the empty game.
- Second level of the tree (games with 1 move): X's turn, 9 possible X moves, so 9 children per game (if the game isn't over).
- Next level: O's turn, 8 possible moves, so 8 children per game (if the game isn't over).
- Leaves: games that are done (X wins, O wins, or draw).
Visualizing Game Trees via Treemaps
Treemap: an area-efficient representation of a tree, usually on a 2D surface. In the game tree, nodes correspond to games and leaves are completed games.
Corresponding treemap construction:
- Start with an initial region for the root node.
- Divide each region horizontally, one sub-region per game resulting from X's next move (X0 ... X8).
- Divide each of those regions vertically, one sub-region per game resulting from O's next move (O1 ... O8).
- Continue dividing for further moves.
- Once a region corresponds to a completed game (a tree leaf), color the region and stop dividing: X wins (blue), O wins (orange), draw (black).
The final look of the entire treemap results after coloring.
Resulting Treemap
Treemap for the complete Tic-Tac-Toe game tree (9 moves max, ~250k leaves). A second view shows the regions corresponding to X's first move highlighted (X can play moves 0 to 8 at this point in the game). We are interested in the sub-regions of the treemap that correspond to the available moves: this lets us see the possible set of outcomes corresponding to a certain move.
GameTreemap plugin/app (OpenGL)
Allows the user to test Tic-Tac-Toe moves with the treemap visualization. The display shows the game board and data alongside three treemaps:
- The treemap for the entire game, with the region corresponding to the current set of moves highlighted.
- The region of the treemap corresponding to the current game, with the current player's available moves highlighted; the currently selected move is drawn with a thicker line.
- The region of the treemap corresponding to the game if the current player plays the selected move, with the sub-regions for the next player's possible moves highlighted; this helps identify imminent threats.
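The treemap construction and the per-move what-if view described above, as an added worked example in Python. This is not code from the Cybaware/NSR project or the GameTreemap plugin; it reproduces the layout rule (alternate the split direction on X and O moves, stop and color at finished games) without any rendering. The orientation chosen here (X moves split a region into side-by-side strips, O moves into stacked bands) is an assumption, as is the unit square used as the root region; the function names are mine.

```python
from functools import lru_cache
from typing import Dict, Iterator, List, Sequence, Tuple

Board = Tuple[str, ...]                      # 9 cells, row-major: 'X', 'O' or '.'
Rect = Tuple[float, float, float, float]     # x, y, width, height inside the unit square

EMPTY: Board = ('.',) * 9
ROOT: Rect = (0.0, 0.0, 1.0, 1.0)            # assumed root region
LINES = ((0, 1, 2), (3, 4, 5), (6, 7, 8),
         (0, 3, 6), (1, 4, 7), (2, 5, 8),
         (0, 4, 8), (2, 4, 6))


def winner(board: Board) -> str:
    """'X' or 'O' if that player has three in a row, else ''."""
    for a, b, c in LINES:
        if board[a] != '.' and board[a] == board[b] == board[c]:
            return board[a]
    return ''


def outcome(board: Board) -> str:
    """'X', 'O' or 'draw' for a finished game (a tree leaf); '' while play continues."""
    w = winner(board)
    if w:
        return w
    return 'draw' if '.' not in board else ''


def legal_moves(board: Board) -> List[int]:
    return [i for i, c in enumerate(board) if c == '.']


def play(board: Board, move: int, player: str) -> Board:
    b = list(board)
    b[move] = player
    return tuple(b)


def other(player: str) -> str:
    return 'O' if player == 'X' else 'X'


def split(rect: Rect, k: int, n: int, player: str) -> Rect:
    """Sub-region k of n: X's moves divide the region into side-by-side strips,
    O's moves into stacked bands (assumed orientation of the slide's horizontal/vertical rule)."""
    x, y, w, h = rect
    if player == 'X':
        return (x + w * k / n, y, w / n, h)
    return (x, y + h * k / n, w, h / n)


def leaf_regions(board: Board = EMPTY, player: str = 'X',
                 rect: Rect = ROOT) -> Iterator[Tuple[Board, str, Rect]]:
    """Walk the full game tree and yield (board, outcome, rect) for every finished game,
    i.e. every colored region of the treemap. ~255k leaves for Tic-Tac-Toe."""
    result = outcome(board)
    if result:
        yield board, result, rect
        return
    moves = legal_moves(board)
    for k, m in enumerate(moves):
        yield from leaf_regions(play(board, m, player), other(player),
                                split(rect, k, len(moves), player))


@lru_cache(maxsize=None)
def outcome_counts(board: Board = EMPTY, player: str = 'X') -> Tuple[int, int, int]:
    """(X wins, O wins, draws) over all games reachable from this position.
    Memoised on the position: every occurrence of a position has an identical subtree."""
    result = outcome(board)
    if result:
        return (int(result == 'X'), int(result == 'O'), int(result == 'draw'))
    totals = [0, 0, 0]
    for m in legal_moves(board):
        for i, v in enumerate(outcome_counts(play(board, m, player), other(player))):
            totals[i] += v
    return (totals[0], totals[1], totals[2])


def region_for(moves: Sequence[int]) -> Rect:
    """Treemap rectangle of the game reached by a move sequence (the highlighted region)."""
    board, player, rect = EMPTY, 'X', ROOT
    for m in moves:
        legal = legal_moves(board)
        if outcome(board) or m not in legal:
            raise ValueError(f"illegal move {m} in {list(moves)}")
        rect = split(rect, legal.index(m), len(legal), player)
        board, player = play(board, m, player), other(player)
    return rect


def move_outcomes(moves: Sequence[int]) -> Dict[int, Tuple[int, int, int]]:
    """What-if view: for each move available now, the (X, O, draw) counts in its sub-region."""
    board, player = EMPTY, 'X'
    for m in moves:
        board, player = play(board, m, player), other(player)
    return {m: outcome_counts(play(board, m, player), other(player))
            for m in legal_moves(board)}


if __name__ == '__main__':
    print('whole tree (X, O, draw):', outcome_counts())
    print('region for X at cell 0:', region_for([0]))
    for m, counts in sorted(move_outcomes([4, 0]).items()):
        print(f'X plays {m}: X/O/draw = {counts}')
```

`leaf_regions` is what a renderer would iterate over to paint the colored leaves; `region_for` gives the rectangle to outline for the current game, and `move_outcomes` the per-move breakdown that the third treemap on the slide conveys by highlighting sub-regions. Because `outcome_counts` is memoised on the board position, the what-if counts are instant even though the tree itself has roughly 550k nodes.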
Demo in AlloSphere, 3:30pm today
Conclusions
- Scalable Information Presentation: networked graphs and information browsing; mission control in immersive situation rooms; preparatory work on mobile platforms.
- Interfaces will scale with data: UCSB network logs and trouble tickets; Lawrence Berkeley National Lab (LBL) logs.
- Support for Interactive Situational Awareness: resources overview; adversary alertness; what-if scenarios.