Designing STAR: A Cyber Dashboard Prototype

Sean McKenna
University of Utah & MIT Lincoln Laboratory
Salt Lake City, UT | [email protected]

Keywords

Visualization, cybersecurity, storytelling, interaction, treemap

1. INTRODUCTION

A central challenge for a strong cyber defense is the appropriate communication of cyber information. There are many key stakeholders that make decisions and convey information up to different levels of authority, and this information may not always be in sync. Additionally, cyber analysts know and often utilize technical jargon to pass along information, and these analysts can spend significant time and effort building their own visualizations manually, such as network summaries, patterns, and recent attacks. To aid communication, we have developed a working prototype of a cyber dashboard which visualizes a simplified view of a network, particularly the key external players which are extracted from both IDS alerts and reports from a traffic analyst. This prototype is one step towards enabling analysts to simplify and encode information into a visualization that can help tell the story of a cyber attack or a network’s current defense status.

2. DESIGN PROCESS

To build the novel cyber dashboard presented in Figure 1, we conducted a user-centered design process. A prevalent challenge in the field of cybersecurity is access to end users [3, 4]. We involved various stakeholders through interviews and informal evaluations, and we strived to keep our design grounded to users through personas. Our design process was largely based off of a design activity framework [2], which characterizes design into different activities: understand, ideate, make and deploy, with evaluation throughout. We started off the design process by conducting a literature review, an existing tool analysis, and a series of interviews with over a dozen different stakeholders. Through this understand activity, we were able to generate specific user needs, tool requirements, and a broad range of different design opportunities for the dashboard. After identifying key design opportunities, we proceeded to ideate, where different design ideas were tested and evaluated against these criteria in order to pinpoint the most impactful visualization idea. Lastly, we concluded the project in the make activity where we crafted several design mockups and implemented them as a fully interactive prototype with real data. This project is still ongoing, so it has not been deployed yet.

3. DESIGN ARTIFACTS

We created several design artifacts which influenced the design of our prototype, specifically personas and scenarios. The use of personas for cybersecurity visualization design was originally showcased by Stoll et al. [4]. We established four kinds of personas for the communication of cyber information: cyber analyst, network operations center (NOC) manager, director of IT, and a CEO. For each persona shown in Figure 2, we identified their high-level goal, general knowledge, focus for cyber SA, and key questions for cyber SA. These key questions were influenced largely by the work of Paul and Whitley [3]. Scenarios enabled us to design a cyber dashboard prototype for the purpose of crafting stories. For communication of analysts and NOC managers, we focused the dashboard to tell the stories of these scenarios through different visualizations. We identified three types of scenarios: daily status of operations, report of an attack, and trend analysis from detection of correlated events. In these scenarios, variations can still occur: computer maintenance or security patches; machines with critical vulnerabilities; attackers that downloaded network information; or correlation to similar attacks. We could not address all these scenarios with our dashboard, so we narrowed our focus to specific kinds of data: IDS alerts and reports from an analyst.

4. STAR: A CYBER DASHBOARD

The visualization prototype we designed is the storytelling treemap for alerts and reports (STAR) dashboard, as shown in Figure 1. STAR contains several linked views, and the main view is a squarified treemap [1] of external countries and cities or states which are geolocated IP addresses from IDS alerts and reports. This treemap has been simplified and aesthetically altered with white-space, and we represent each city or state with a hexagon icon to symbolize this abstraction. The STAR dashboard is a web-based tool built with many component linked views, with dynamic bar charts on the priority level and categorization of alerts, and the main treemap view has a dynamic color scheme based on the selected bar. Additionally, we have several static views at the top, such as the date and time last updated, daily summary, a legend, and a temporal heatmap of alerts per hour. The most-recent report summary is shown in the bottom-right, and a panel also contains a list of all reports, linked to highlight the cities of interest in the main view.
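An added example (not code from the STAR prototype) of how the data behind the main view can be derived: it groups constructed, already-geolocated alerts by country and city and computes a squarified treemap layout [1] at both levels. The alert fields and function names are assumptions, and the white-space and hexagon styling described above is omitted.

```javascript
// Constructed sample: alerts already geolocated (hypothetical fields, not STAR's schema).
const alerts = [["US", "Utah"], ["US", "Utah"], ["US", "Ohio"], ["FR", "Paris"],
  ["FR", "Paris"], ["FR", "Paris"], ["FR", "Lyon"], ["BR", "Recife"]]
  .map(([country, city]) => ({ country, city }));
const sum = (xs) => xs.reduce((s, v) => s + v, 0);

// Group alerts into the country -> city hierarchy, sized by alert count.
function buildHierarchy(alerts) {
  const tree = new Map();
  for (const { country, city } of alerts) {
    const cities = tree.get(country) || tree.set(country, new Map()).get(country);
    cities.set(city, (cities.get(city) || 0) + 1);
  }
  return [...tree].map(([name, cities]) => ({
    name, value: sum([...cities.values()]),
    children: [...cities].map(([name, value]) => ({ name, value })),
  }));
}

// Worst aspect ratio in a row of areas laid along a side of length `side`.
function worst(areas, side) {
  const s2 = sum(areas) ** 2, w2 = side * side;
  return Math.max((w2 * Math.max(...areas)) / s2, s2 / (w2 * Math.min(...areas)));
}

// Squarified layout: grow each row while its worst aspect ratio does not get worse.
function squarify(items, x, y, w, h) {
  const scale = (w * h) / sum(items.map((i) => i.value));
  const area = (row) => row.map((i) => i.value * scale);
  const todo = [...items].sort((a, b) => b.value - a.value), rects = [];
  while (todo.length) {
    const side = Math.min(w, h), row = [todo.shift()];
    while (todo.length && worst(area([...row, todo[0]]), side) <= worst(area(row), side))
      row.push(todo.shift());
    const areas = area(row), thick = sum(areas) / side; // row thickness
    let off = 0;
    row.forEach((item, k) => {
      const len = areas[k] / thick;
      rects.push(w >= h ? { ...item, x, y: y + off, w: thick, h: len }
                        : { ...item, x: x + off, y, w: len, h: thick });
      off += len;
    });
    if (w >= h) { x += thick; w -= thick; } else { y += thick; h -= thick; }
  }
  return rects;
}
// Two-level treemap: countries first, then cities inside each country rectangle.
const layoutTreemap = (alerts, w, h) => squarify(buildHierarchy(alerts), 0, 0, w, h)
  .map((c) => ({ ...c, children: squarify(c.children, c.x, c.y, c.w, c.h) }));
```

Each returned rectangle keeps its `name` and `value`, so a renderer can color it from whichever alert attribute is selected.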

Poster Presentation VizSec ’14, November 10 2014, Paris, France.

5. CONCLUSIONS AND FUTURE WORK

We have introduced a prototype of the STAR dashboard, designed to convey a summary of cyber information at a glance and through interaction. For future work, we are currently exploring a geospatial algorithm to create a spatially-influenced treemap [5], and we will also refactor the prototype to work with live, streaming data. As this is still a prototype, we have not yet deployed the tool, so it will need to be evaluated and tested with end users to evaluate its utility, particularly for storytelling.

Figure 1: We present our cyber visualization, or the STAR dashboard, an interactive web prototype with linked views that enable the use of simple stories by conveying both IDS alert data on top of analyst-created reports, connected through the use of external entities, both countries and cities, in the main treemap view.

[Figure 2, text recovered from the figure: four persona panels arranged from Decisions to Information. Each panel lists Goals, Knowledge (Operations, Cyber), Cyber SA (Attention, Temporal Window), and Key Questions.]

• CEO (decision-making). Goals: Coordinate personnel and operations. Key Questions: How can we maintain ongoing operations? What could happen if a critical system is impacted? What are the most critical systems at risk of attack? What cyber resources will be needed in the future?
• Director of IT (decision-making). Goals: Maintain cyber situational awareness. Key Questions: Does this attack matter? How serious is the attack? What do I do about the attack? Are there any negative effects? What did the bad guys do/take? Is it a good day on the network? How is my network different from last week?
• NOC Manager (information-synthesis). Goals: Communicate impact on operations. Key Questions: Does this attack matter? How serious is the attack? What do I do about the attack? Are there any negative effects? How successful was the attack? What did the bad guys do? What did the bad guys take?
• Cyber Analyst (information-gathering). Goals: Identify anomalous network behavior. Key Questions: What does my network look like? What happened on the network last night? What’s different? Is something bad happening? How was my network attacked? Who is attacking my network? Does this attack matter? What did the bad guys do?

Figure 2: Four key personas identified through our design process: cyber analyst, network operations center manager, director of IT, and a CEO.

6. ACKNOWLEDGMENTS

The author would like to thank Diane Staheli for guidance throughout the project, as well as our interviewees: Martine Kalke, Matt Leahy, Rick Larkin, Maureen Hunter, Raul Harnasch, Tamara Yu, David O’Gwynn, Scott Macdonald, Bill Young, Roop Ganguly, Chris Degni. This work is sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the author and are not necessarily endorsed by the United States Government.

7. REFERENCES

[1] M. Bruls, K. Huizing, and J. J. Van Wijk. Squarified treemaps. Springer, 2000.
[2] S. McKenna, D. Mazur, J. Agutter, and M. Meyer. Design activity framework for visualization design. Visualization and Computer Graphics, IEEE Transactions on, 2014.
[3] C. L. Paul and K. Whitley. A taxonomy of cyber awareness questions for the user-centered design of cyber situation awareness. In Human Aspects of Information Security, Privacy, and Trust, pages 145–154. Springer, 2013.
[4] J. Stoll, D. McColgin, M. Gregory, V. Crow, and W. K. Edwards. Adapting personas for use in security visualization design. In VizSEC 2007, pages 39–52. Springer, 2008.
[5] J. Wood and J. Dykes. Spatially ordered treemaps. Visualization and Computer Graphics, IEEE Transactions on, 14(6):1348–1355, 2008.
