Cybersecurity experts team up on ResearchGate to make threats in cyberspace easier to see

A collaboration that started on the network means analysts may soon be able to travel through cyberspace like outer space and see attacks with the naked eye.

Tim Bass and Richard Zuech found each other on ResearchGate. Bass is an independent cybersecurity consultant who rose to prominence advising the US military on cybersecurity issues in the 1990s. After seeing he’d read his work on the network, Zuech reached out to him for feedback. Soon after, the two teamed up to create a tool that shows cyberspace in 3D like a videogame, a potential gamechanger for cyber-defense.

The idea for the project originated when Bass was working as a military consultant. It occurred to him that objects in cyberspace could be tracked just as objects in airspace and outer space are. But it wasn’t until he met Zuech that he started building an application to make it happen. Zuech, who is pursuing a PhD in computer science at Florida Atlantic University, had cited Bass’s earlier work. “One day I got an alert from ResearchGate that Tim Bass had read my survey paper,” he said. “To me, Tim was really a legend. I’d found his research so thought-provoking that I messaged him. He wrote back, and we started chatting. The next thing I knew, we were collaborating.”

Bass, who had retired nearly a decade before, still used ResearchGate to follow the newest developments in cybersecurity research. The conversation with Zuech motivated him to pick his own research back up. “Rich inspired me to come out of retirement and turn these ideas into reality,” he said. “If it wasn’t for those notifications and his encouragement, I may never have done any of this work.”

As they progress, Bass and Zuech post updates to their ResearchGate project, a feature scientists use to follow ongoing research as it unfolds. “I find ResearchGate fascinating, because now you can really do what scientists are supposed to do: see people’s work easily,” said Bass. “You just have a really high signal to noise ratio.”

For more information and updates, visit Bass's project on ResearchGate.

The project Bass and Zuech are working on will help cybersecurity experts get a better sense of their surroundings in cyberspace. Humans are inherently attuned to potential threats around them, be it a rustle in the bushes or a car approaching an intersection. That’s why the researchers are working on a way to visualize cyber activity in three dimensions, helping security experts use situational awareness to better recognize attacks.

Users of the tool Bass and Zuech have built enter a world of color-coded dots that float in the dark like stars. In the prototype, the dots represent traffic to a website or server. Green and blue dots are regular website users, logged in or out respectively. Yellow dots are harmless bots, perhaps a search engine indexing the site. Red dots indicate a potential threat, a bot or user behaving suspiciously. Suspicious behavior could be anything from visiting restricted parts of a site to a huge number of failed login attempts.

Zooming through the visualization is a little like a playing a video game, and intentionally so. “Typically, defenders monitoring for attacks are looking at a bunch of logfiles, lines of text that report activity,” explains Zuech. “It’s really kind of boring to look at a logfile,” says Bass. “With a visualization, you can collaborate with someone on the other side of the world in the same cognitive space. You see things you wouldn’t otherwise see. And it’s more fun—analysts will actually pay more attention and want to spend more time on cyber security.” In testing, both Bass and Zuech found malicious activity, like bots disguised as mobile users clandestinely indexing a site, that might not have stood out using traditional techniques.

Prototype shown with and without space scene graphics. Initial experiments suggest these added graphics make the application more appealing, but may also distract analysts. Courtesy of Tim Bass.

Bass and Zuech rely on human eyes and brains to recognize attacks because it would be easy for hackers to fool a program that detected them automatically. If intruders know what will trigger an alert, they can do so intentionally to create a diversion, and distract from other malicious activity. That’s why it’s important to get all the activity on a server, not just identified threats, in front of a human analyst, says Bass: “We need humans in the loop to identify new, unexpected patterns.”

The researchers hope that one day, visualizations like theirs will be used by everyone from military analysts to corporate cybersecurity teams. “A lot of cybersecurity research has focused on the backend—writing better algorithms for AI, aggregation, clustering—but I consider the human element to be the most important,” says Bass. “As cyberspace grows faster than our ability to protect it, we need to find ways to make the most of that human cognitive ability.”