Abstract

Interactive Data Visualizations (IDV) can be useful for cybersecurity subject matter experts (CSMEs) while they are exploring new data or investigating familiar datasets for anomalies, correlating events, etc. For an IDV to be useful to a CSME, interaction with that visualization should be simple and intuitive (free of additional mental tasks) and the visualization’s layout must map to a CSME’s understanding. While CSMEs may learn to interpret visualizations created by others, they should be encouraged to visualize their datasets in ways that best reflect their own ways of thinking. Developing their own visual schemes makes optimal use of both the data analysis tools and human visual cognition. In this article, we focus on a currently available interactive stereoscopically perceivable multidimensional data visualization solution, as such tools could provide CSMEs with better perception of their data compared to interpreting IDV on flat media (whether visualized as 2D or 3D structures).
JDST., vol. 4, no. 3, p37-p52, 2021
https://doi.org/10.46713/jdst.004.03
www.jdst.eu, e-ISSN 2534-9813
Research Article
Corresponding Author: E-mail: jdst@coda.ee
Interactive Stereoscopically Perceivable
Multidimensional Data Visualizations for
Cybersecurity
Kaur Kullman a, Don Engel a
a University of Maryland, Baltimore County, 1000 Hilltop Circle, Baltimore, MD 21250, US
https://csst.umbc.edu
ARTICLE INFO
RECEIVED: 09 Oct 2021
REVISED: 10 Nov 2021
ACCEPTED: 30 Nov 2021
ONLINE: 12 Dec 2021
KEYWORDS
Stereoscopically Perceivable, Immersive, Data
Visualization, Interactive Data Visualization,
Cybersecurity, Virtual Reality, Augmented Reality, Mixed
Reality, Interactive Stereoscopically Perceivable
Multidimensional Data Visualization
Creative Commons BY-NC-SA 4.0
K. Kullman and D. Engel, JDST, vol.4, no.3, pp. 37-52, 2021
I. OVERVIEW
As commercially available virtual [1], augmented [2] and mixed reality [3] (VR, AR,
MR; collectively “xR”) devices have become significantly more performant over the
last decade, there has been a commensurate growth in interest in using these tools
for three-dimensional data visualizations. Most of this interest has been in
(geo)spatial data visualization [4] [5] [6], i.e., the visualization of imaginary,
proposed, or real physical environments with overlaid textual information [6] [7].
Researchers and practitioners have focused less on how to represent non-
(geo)spatial data using stereoscopically perceivable multidimensional data
visualizations (SPMDV).
As with all other types of interactive data visualizations (IDV), interactive SPMDV
(ISPMDV) should be created with or by subject matter experts (SMEs) in order to
ensure that these creations will indeed serve their intended audience well [8]. To
enable cybersecurity SMEs (CSMEs) to create useful stereoscopically perceivable
IDVs (SPIDVs), these CSMEs need (at least):
1) An easy-to-follow method identifying what to visualize.
2) Easy-to-configure tools for creating the visualizations proposed in (1).
3) Tools which enable ingesting data from its source (e.g., SIEM, log
correlation) into the visualization created in (2).
Although (2) and (3) may be combined into one tool, the objectives of (2) and
(3) are distinct; (2) focuses on data visualization (in an xR headset), while (3) deals
with “translating” ingested data from its source to a preferred format that would
be suitable for (2).
In this paper we will give an overview of such a method and combined tool.
II. WHAT TO VISUALIZE AND HOW
ISPMDV can be considered an “add-on” to SPMDV, which in turn derives from
multidimensional data visualizations (MDV). While MDV on flat screens is a well-
researched topic [9] [10] [11] [12], SPMDV has received broader public attention
only gradually during the past ten years [13] [14] [5] [15], with the emergence of
VR and MR headsets that are good enough to have enabled researchers [16] [17]
[18] and practitioners [19] [20] [21] to explore their capabilities for data
visualization.
Being fundamentally spatial in nature, geospatial data visualization [4] and
graphs [19] have relatively straightforward implementations in SPMDV. Given that
cybersecurity data is not intrinsically spatial, then for which CSME tasks would
SPMDV visualizations be useful? Or rather, what kind of SPMDVs and ISPMDVs
would best suit the CSME tasks, and how might these be designed? CSMEs rely on
large datasets, so it stands to reason that the full use of a third dimension afforded
by xR will be useful in making more data visually discernable without relying on
cluttering cues like shading, occlusion, and perspective (as is needed for MDV on
flat screens). Model Mapping Method for Cybersecurity (M4C) [8] is one method
that can be used to design SPMDV while enabling the CSMEs to serve as both the
designers and consumers of their own visualizations. In M4C, visualizations of
networked entities (e.g., computers) are positioned according to their logical (but
not necessarily their physical) topology, with the resulting 3D structure(s) matching
a CSME’s understanding of a network’s expected topology. While other methods
exist [22] [23], the essence of M4C is to extract the understanding of a dataset that
CSMEs use for their tasks. That extracted understanding is then used to create
an SPMDV or ISPMDV that enables these CSMEs to further explore their dataset
in ways that are aligned with their internalized understanding of it.
It is important to note that these visualizations cannot be created independently
of the CSMEs who would be using these visualizations for their tasks. An ISPMDV
may look like a fancy scene pulled from science fiction to third parties, but it must
be useful for its users; otherwise, these visualizations are not worth the cost of
electricity that is needed to power the equipment that is running them. For
verifying effectiveness, metrics established for the evaluation of ISPMDV should be
used [24].
To explain the idea of creating data-specific 3D layouts further, let’s take a
simplistic computer network topology and lay it out onto a three-dimensional data-
shape based on the IP addresses that are used by the entities in that network.
Figure 1. Networked entities arranged in a cube shape based on their functional topology;
respective configuration of such data-shape shown on the right (from [25]).
A demo (mock-up) dataset consisting of an imaginary credit union’s corporate
and branch networks’ traffic (and its logical topology) is distributed with Virtual Data
Explorer (VDE) [26]. We will discuss VDE in more detail in the next section, but for
now, we focus on how a CSME would define a 3D layout of a dataset using VDE.
The left side of Figure 1 depicts a simplified version of the three-dimensional
structure of that imaginary credit union’s branch network (data-shape), with the
reddish spheres marking entities on the network. On the right side of Figure 1 is the
snippet from the configuration file which VDE uses to map ingested data (in this
case, observed and filtered network traffic) to spatial structures. From this vantage
point, we can use the common XYZ axes to describe the Figure 1 data-shape, but it
doesn’t make much sense to stick with the XYZ thinking in complex constellations.
In the configuration example on the right of Figure 1:
1) the red letters Y and Z refer to the spatial positions of entities in that group
in the data-shape, respectively, on the Y and Z axes,
2) the red X refers to the sequential position (on the X axis inside that group
(Y)) of an entity with a matching IP address,
3) the yellow As refer to group numbers (in this example, matching the
second octet of an entity’s IP address) and
4) the yellow Xs refer to the last octets of the IP addresses.
Note that the “networks” descriptor in the configuration (line 358) contains two
variables, “group” and “entity”. Subgroup members are mapped to the “entity”
part of it (the last octet of the IP address in this case, yellow or red X), while the
“group” number (line 315) refers to both the branch number (lines 317, 327, 336,
etc.) and the second octet of an entity’s IP address template (line 358).
Determining which subgroup contains a given entity, and determining which
parameter(s) serve as the basis for this decision, is completely up to the CSME
author of the visualization. This grouping is up to their perception, based on their
understanding of the dataset. In this example case, these are the business functions
of involved devices and their groups.
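The mapping described above, from an observed IP address to a position in a data-shape, can be sketched in JavaScript. This is an added example, not VDE code and not VDE's configuration format: the layout schema, the subgroup names and networks, and the functions parseIPv4, compileTemplate and placeEntities are assumptions made for illustration, as is ordering entities on the X axis by their last octet.

```javascript
// Added example. The layout schema below is hypothetical and is not VDE's
// configuration format; all names and addresses are constructed sample data.
const branchLayout = {
  group: 8, // branch number, which is also the second octet of its addresses
  subgroups: [
    { name: "Workstations: Backoffice", y: 0, z: 0, networks: ["10.{group}.10.{entity}"] },
    { name: "Workstations: Front office", y: 0, z: 1, networks: ["10.{group}.11.{entity}"] },
    { name: "Servers", y: 1, z: 0, networks: ["10.{group}.20.{entity}"] },
    { name: "Network devices", y: 1, z: 1, networks: ["10.{group}.254.{entity}"] },
  ],
};

// Parse a dotted-quad IPv4 string into four integers; null if malformed.
function parseIPv4(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : -1));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// Compile "10.{group}.10.{entity}" into a matcher: octets -> entity number or null.
function compileTemplate(template, group) {
  const fields = template.split(".");
  if (fields.length !== 4) throw new Error("template needs four octets: " + template);
  return (octets) => {
    let entity = null;
    for (let i = 0; i < 4; i++) {
      if (fields[i] === "{group}") {
        if (octets[i] !== group) return null;
      } else if (fields[i] === "{entity}") {
        entity = octets[i];
      } else if (Number(fields[i]) !== octets[i]) {
        return null;
      }
    }
    return entity;
  };
}

// Assign each observed address to a subgroup (which fixes Y and Z) and give it
// a sequential X inside that subgroup. Addresses that match no template,
// including malformed ones, are returned separately as "unknown".
function placeEntities(layout, observedIps) {
  const buckets = layout.subgroups.map((sg) => ({
    sg,
    matchers: sg.networks.map((t) => compileTemplate(t, layout.group)),
    members: [],
  }));
  const unknown = [];
  for (const ip of new Set(observedIps)) { // de-duplicate repeated observations
    const octets = parseIPv4(ip);
    let placedIn = null;
    if (octets) {
      for (const b of buckets) {
        const entity = b.matchers.map((m) => m(octets)).find((e) => e !== null);
        if (entity !== undefined) {
          b.members.push({ ip, entity });
          placedIn = b;
          break;
        }
      }
    }
    if (!placedIn) unknown.push(ip);
  }
  const placed = {};
  for (const b of buckets) {
    b.members.sort((a, c) => a.entity - c.entity); // order by last octet
    b.members.forEach((m, x) => {
      placed[m.ip] = { subgroup: b.sg.name, x, y: b.sg.y, z: b.sg.z };
    });
  }
  return { placed, unknown };
}

// Constructed observations: one duplicate, one address from another branch,
// one external address and one malformed string.
const observed = [
  "10.8.10.23", "10.8.10.5", "10.8.20.2", "10.8.11.40", "10.8.10.5",
  "10.9.10.5", "203.0.113.77", "10.8.10.999",
];
const placement = placeEntities(branchLayout, observed);
console.log(JSON.stringify(placement, null, 2));
```

Addresses that fall outside every template are the ones an analyst would expect to see in a separate group of unknown IPs rather than inside the branch's data-shape.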
Such data-shapes representing groups of entities can then be positioned into
constellations according to the CSME’s understanding of the dataset that is being
visualized. For example, the prerequisite knowledge needed from a CSME to create
such a constellation containing a set of proposed data-shapes for depicting a
computer network’s functional topology would be to:
a) Understand the principles of how a computer network functions; specifically,
how such a network is set up in the environment that the author of this visualization
(the CSME) needs to understand.
b) Understand the logical grouping of networked entities and their topology,
but also the goals of networked entities and stakeholders (e.g., corporate, employees,
external {friendly, neutral, malicious} actors, etc.).
c) Understand the expected behavior of the above actors and how it might
be reflected in network data.
d) Know what indicators to look for, how to validate the findings, and how to act on that
combined knowledge.
Please refer to [8] for further information on how to design such data-shapes
with CSMEs for CSMEs.
III. ISPMDV EXAMPLES
Although there are use cases for SPMDVs without user interaction, the
implementation of even simple interactions can significantly accelerate a user’s
familiarization with visualized data. More importantly, the ability for the user to
interact, select, and alter the selection of visualized (or augmented) data via queries
greatly enhances the CSME’s ability to learn to interpret the visualization.
It has been shown that first-time users tend to intuitively reach out to the data
representations, as if to verify the existence of these artificial objects hanging in
front of them [27]. Haptic feedback (using controllers), auditory cues, and realistic
shaders further enhance users’ immersion in an ISPMDV environment.
To create and customize ISPMDVs for CSMEs with CSMEs, Virtual Data Explorer
(VDE) software was created with US Army Research Lab support [27]. VDE has three
components:
1) A backend, which interprets the configurations of your network topology
(json) and maps the ingested data according to that config into groups (of
groups (of groups (of groups))) of entities.
2) A browser plugin, which helps in feeding the data from a Moloch, SIEM or
custom log correlation tool as appropriate (say, after running a query), via
a WebSocket to the VDE backend.
3) A headset (Magic Leap, Oculus, MS Mixed Reality, HTC Vive, HoloLens 2),
which gets the set of groups from the backend and positions these for the
viewer according to the selected layout configuration (json).
Unity 3D is used to create the software responsible for the ISPMDV in the
headsets, C# is used for the backend, and JavaScript is used for the browser plugin.
Due to the medium on which you are reading this paper being flat (a screen or
a physical piece of paper), it is impossible to convey here the “spatialness” of
ISPMDV with figures. The next-best option to observing ISPMDV examples directly
in xR are first-person videos of users interacting with an ISPMDV; for these, please
visit coda.ee/JDST. Below are a few screenshots from video captures of VR and MR
sessions, where the user either explores or interacts with an ISPMDV.
A. NATO CCDCOE CDX Locked Shields
To test the utility of ISPMDV when encoding non-spatial data, networked
entities that were found to be present in NATO CCDCOE Locked Shields Cyber
Defence eXercise (LS) [28] network traffic were spatially positioned as semi-
transparent spheres, according to the entities’ positions in that (Blue Team’s) network’s
functional topology, and, more importantly, the entities’ affiliation with logical groups
present in LS networks. Logical groups could be distinguished by their members’
functionality (e.g., SCADA components), purpose (e.g., DMZ servers), risk exposure,
operating system, etc. (see Figure 2). This resulted in custom 3D data-shapes that
were combined into a constellation (a VDE layout) representing a larger whole of
the LS network(s). Constellations shown in Figures 3-5 depict LS network traffic with
VDE (in VR or MR), while Figures 6 and 7 use a slightly more primitive approach with
OpenGraphiti (in VR).
LS traffic was chosen for testing purposes due to the complexity of its network
and because the first author, having been involved with LS since 2010, has a deep
understanding of that network’s topology and its components’ expected behavior.
Network topology (positions of groups of groups of groups of nodes), displayed
as spheres and cubes, is overlaid with network traffic, visualized as lines (edges)
rendered as connecting the nodes that were observed to have initiated or received
network connections (sessions) during a time window. Which edges are visible,
their opacity, and their coloring depend on the results of the underlying query that
was executed once the user defined the time window and other query parameters
(e.g. ASN, IP range, ports used, and amount of data transferred).
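How a query over observed sessions could be turned into the set of visible edges is sketched below in JavaScript. This is an added example, not VDE code: the session record fields, the query fields (from, to, ports, range, minBytes), the log-scaled opacity rule and the functions inCidr and selectEdges are assumptions made for illustration; the red and green colors follow the selected and default edge colors described in the figure captions.

```javascript
// Added example. Record fields, query fields and the opacity rule are
// assumptions for illustration; they are not VDE's data model.
const sessions = [ // constructed sample data
  { ts: "2021-04-14T09:00:05Z", src: "10.8.10.5", dst: "10.8.20.2", dport: 445, bytes: 120000 },
  { ts: "2021-04-14T09:01:10Z", src: "10.8.10.5", dst: "10.8.20.2", dport: 445, bytes: 80000 },
  { ts: "2021-04-14T09:02:00Z", src: "10.8.10.23", dst: "203.0.113.77", dport: 443, bytes: 5000000 },
  { ts: "2021-04-14T09:03:30Z", src: "10.8.11.40", dst: "10.8.20.2", dport: 80, bytes: 900 },
  { ts: "2021-04-14T10:30:00Z", src: "10.8.10.23", dst: "203.0.113.77", dport: 443, bytes: 700 },
];

// Dotted quad to unsigned integer (inputs here are already well-formed).
const ipToInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);

// True if ip lies inside cidr, e.g. inCidr("10.8.10.5", "10.8.0.0/16").
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits)); // number of addresses in the block
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

// Reduce session records to one edge per (src, dst) pair that satisfies the
// query, then derive how each edge would be drawn.
function selectEdges(records, query, selected = new Set()) {
  const from = Date.parse(query.from);
  const to = Date.parse(query.to);
  const byPair = new Map();
  for (const s of records) {
    const t = Date.parse(s.ts);
    if (!(t >= from && t < to)) continue; // outside the time window (or bad timestamp)
    if (query.ports && !query.ports.includes(s.dport)) continue;
    if (query.range && !inCidr(s.src, query.range) && !inCidr(s.dst, query.range)) continue;
    const key = s.src + ">" + s.dst;
    const e = byPair.get(key) || { src: s.src, dst: s.dst, sessions: 0, bytes: 0 };
    e.sessions += 1;
    e.bytes += s.bytes;
    byPair.set(key, e);
  }
  // The volume threshold applies to the aggregated edge, not to single sessions.
  const kept = [...byPair.values()].filter((e) => e.bytes >= (query.minBytes || 0));
  // Log scale keeps low-volume edges visible next to bulk transfers.
  const maxLog = Math.max(...kept.map((e) => Math.log10(e.bytes + 1)), 1);
  return kept.map((e) => ({
    ...e,
    opacity: Math.max(0.15, Math.round((Math.log10(e.bytes + 1) / maxLog) * 100) / 100),
    color: selected.has(e.src) || selected.has(e.dst) ? "red" : "green",
  }));
}

const query = {
  from: "2021-04-14T09:00:00Z",
  to: "2021-04-14T10:00:00Z",
  range: "10.8.0.0/16",
  minBytes: 1000,
};
const edges = selectEdges(sessions, query, new Set(["203.0.113.77"]));
console.log(edges);
```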
Figure 2: VR view of Locked Shields 18 Partner Run, focus on 11th Blue Team’s networks
(refer to config example, from line 313 onward, in Figure 1): subnets’ labels are visible
above the blades (“Blue Team 11 Firewalls,” “Threod drone ground station,” etc.), which
contain groups of entities (“OSX in INT network,” “Services in INT network,” etc.), which, in
turn, contain spheres representing individual entities (IP addresses) of that group.
Figure 3: VR view of Locked Shields 18 Partner Run network topology and network traffic
using VDE, displaying an overall view of the meta-shape: a data-shape consisting of
multiple data-shapes. Red edges represent selected connections between Blue Team 3
device and Red Team nodes. A detailed description of this layout can be found in [21].
Figure 4: VR view of Locked Shields 18 Partner Run network topology and network traffic
using VDE, shown from the other side of the meta-shape, where the data-shape consisting
of unknown entities is in the foreground (lower side of this screenshot), while Blue Teams’
networks are positioned farther away (on the upper side of this screenshot). Some edges
and entities have been selected and are rendered red instead of the default green [21].
Two distinct datasets are combined in such an ISPMDV: a logical topology of the
entities that are expected to be active in the network (i.e., the positions of nodes
representing those entities) and the observed network traffic.
Feedback from analysts on the ISPMDV shown in Figures 2-4 is covered in [27].
Overall, the impressions of stereoscopically perceivable 3D data visualizations were
highly favorable, with multiple participants acknowledging that such 3D
visualizations of network topology could assist in their understanding of the
networks they use daily. Study participants expressed a wish to integrate such
visualization capabilities in their workflow. Videos of VR and MR sessions with VDE,
as well as some prior conference presentations featuring that tool, are available at
coda.ee/JDST.
Figure 5: MR view of Locked Shields 18 Partner Run network topology and network traffic
using VDE. A user’s index finger is selecting a Blue Team’s network [21].
Figure 6: VR view of Locked Shields 16 network topology and traffic using VDE. Notice the
slightly different constellation layout compared to Figures 2 - 5 [29].
Figure 7: VR view of Locked Shields 16 network topology and traffic using OpenGraphiti.
Blue Teams’ networks are aligned onto “blades” consisting of subnets, while nodes are
positioned on a line sequentially, according to their last octet.
Figure 8: VR view of Locked Shields 16 network topology and traffic using OpenGraphiti.
Such layouts are simple to create from network traffic and are useful for initial exploration
of a dataset’s topology (after or together with graphs), but are too messy for spotting
more subtle anomalies.
B. VDE Demo Dataset
The lack of a public dataset containing the traffic of a computer network with
sufficiently complex topology motivated the creation of a mock-up dataset of an
imaginary credit union (CU) to showcase a possible network topology ISPMDV,
which was then modeled in VDE. This mock-up CU dataset features a financial
institution with operations on multiple continents and countries, with multiple
branches in each of those, where the branches have standardized, but distinctly
populated, internal networks.
Figures 9-14 are screenshots from a VDE v2 VR session, exploring the ISPMDV
of the mock-up CU dataset. Video of this exploration was presented at MAVRIC
2020 [25]; a VDE v2 demo build is available to experience it in VR [26], and VDE is
also included in the NASA MRET open source toolset [6].
In this ISPMDV, subnets of branch networks are grouped into cubes (see internals
of that data-shape in Figure 11) which are then stacked vertically based on the
organizational group to which that branch belongs (e.g., country, continent). The
vertical branch groups are then positioned on a circle (Figure 10), with groups
containing public services facing the center of the circle. In the center of the
ISPMDV are three other groups:
a) known entities (corporate net, partners, etc.),
b) known threats (IP addresses from threat feeds, prior compromises, etc.),
c) unknown IPs.
Figure 9: VDE VR sessions of exploring an imaginary CU network’s ISPMDV, arranged as a
constellation of data-shapes representing the functional topology of that network,
overlaid with network traffic.
Figure 10: When the user moves the viewpoint closer to one of the data-shapes
representing a CU branch network, the outer (cube) shell disappears, while labels of
internal groups are activated. Labels of nodes (transparent cubes) are activated only once
the user is close enough and are kept facing the user for readability.
Figure 11: Although subgroup outer shells disappear once the user is close enough (to
reduce visual clutter and let the user focus on individual entities / nodes), subgroups’
labels (e.g., “Workstations: Backoffice”) are kept visible above those, and groups’ labels
(e.g., “Branch 8 front office”) are activated based on the direction of the user’s gaze.
Figure 12: The user can select nodes either (1) from afar, with a pointer or (2) by touching
them with their virtual index finger (rendered based on inputs from a VR controller). The
selected node’s name (in this case, the IP address) is displayed next to the VR hand. The
node’s incoming and outgoing edges are kept visible while other edges are disabled.
Figure 13: Edges (representing an observed network session) are highlighted when
touched, with the corresponding source and destination nodes’ names appearing above
the user’s hand. A single line of text is attached to the hand, avoiding the clutter which a
head-up display would have caused. User studies have shown this to be an intuitive
feature of the interface.
Figure 14: The user can grab a node and move it around, to better perceive the location
of the targets and sources of its connections (i.e., terminal points of the edges are easier
to spot this way).
The demo build of VDE containing the ISPMDV shown in Figures 9-14 could be
used for further studies of user interaction. Together with the VDE server
component, VDE can be used to visualize data ingested from SIEM, log correlation,
or other data sources’ APIs. Please feel free to reach out to the authors to discuss
academic research collaboration.
VI. CONCLUSIONS
While SPMDVs for intrinsically spatial data have received substantial publicity, the
creation, presentation, and usability research of SPMDVs and ISPMDVs designed to
show non-spatial data has attracted less attention. In this paper, we explored three
distinct ISPMDV examples, all rendered with VDE, with each being used to visualize
computer network traffic and topology.
We encourage cybersecurity professionals and researchers to use emerging
technologies (e.g., xR HMDs) to explore novel ways for visualizing datasets relevant
to their problems and tasks. The examples provided in this paper are just modest
illustrations of what is already possible with existing tools (see [26] [16] [20] [19]
[6] and others) and should be used for inspiration.
Appropriate methods (e.g., [8], [24]) should be used when creating ISPMDVs to
ensure the utility of the resulting visualization for the CSMEs who would be using
them.
ACKNOWLEDGEMENTS
The authors thank Alexander Kott, Jennifer A. Cowley, Lee C. Trossbach, Matthew
C. Ryan, Jaan Priisalu, and Olaf Manuel Maennel for their ideas and guidance. This
research was partly supported by the Army Research Laboratory under Cooperative
Agreement Number W911NF-17-2-0083 and in conjunction with the CCDC
Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance,
and Reconnaissance (C5ISR) Center.
REFERENCES
[1]
Unity Technologies, "Definition of: Virtual Reality (VR)," [Online]. Available:
https://unity3d.com/what-is-xr-glossary#paragraph70. [Accessed 2021].
[2]
Unity Technologies, "Definition of: Augmented Reality (AR)," [Online].
Available: https://unity3d.com/what-is-xr-glossary#paragraph12. [Accessed
2021].
[3]
Unity Technologies, "Definition of: Mixed Reality (MR)," [Online]. Available:
https://unity3d.com/what-is-xr-glossary#paragraph42. [Accessed 2021].
[4]
S. Skolnik, "Using Virtual Reality to Visualize Disasters, Climate, and Extreme
Weather Impacts Shayna Skolnik," in MAVRIC, College Park, 2020.
[5]
C. Hurter, Image-Based Visualization: Interactive Multidimensional Data
Exploration, N. Elmqvist and D. Ebert, Eds., Morgan & Claypool, 2016.
[6]
National Aeronautics and Space Administration, "Collaborative Mixed-Reality
Engineering Tool (MRET)," [Online]. Available:
https://techport.nasa.gov/view/95677. [Accessed 2021].
[7]
A. Kabil, T. Duval and N. Cuppens, "Alert Characterization by Non-expert Users
in a Cybersecurity Virtual Environment: A Usability Study," in International
Conference on Augmented Reality, Virtual Reality and Computer Graphics,
Lecture Notes in Computer Science, 2020.
[8]
K. Kullman, L. Buchanan, A. Komlodi and D. Engel, "Mental Model Mapping
Method for Cybersecurity," in 22nd International Conference On Human-
Computer Interaction, Copenhagen, 2020.
[9]
C. Ware and G. Franck, "Evaluating Stereo and Motion Cues for Visualizing
Information Nets in Three Dimensions," ACM Transactions on Graphics, vol.
15, no. 2, pp. 121-140, 4 1996.
[10]
J.-P. van Riel and B. Irwin, "InetVis, a Visual Tool for Network Telescope Traffic
Analysis," in AFRIGRAPH 2006, Cape Town, 2006.
[11]
R. Marty, Applied Security Visualization, 2008.
[12]
T. Munzner, Visualization Analysis & Design, A K Peters/CRC Press, 2014, p.
428.
[13]
H. S. Smallman, M. St. John, H. M. Oonk and M. B. Cowen, "Information
availability in 2D and 3D displays," IEEE Computer Graphics and Applications,
vol. 21, no. 5, pp. 51-57, 2001.
[14]
M. Teräs and S. Raghunathan, "Big Data Visualisation in Immersive Virtual
Reality Environments: Embodied Phenomenological Perspectives to
Interaction," ICTACT Journal on Soft Computing, vol. 05, no. 04, pp. 1009-
1015, 2015.
[15]
A. Kabil, T. Duval, N. Cuppens, G. L. Comte, Y. Halgand and C. Ponchel, "Why
should we use 3D Collaborative Virtual Environments for Cyber Security?," in
IEEE Fourth VR International Workshop on Collaborative Virtual
Environments, Reutlingen, 2018.
[16]
M. Cordeil, A. Cunningham, B. Bach, C. Hurter, B. H. Thomas, K. Marriott and
T. Dwyer, "IATK: An Immersive Analytics Toolkit," in IEEE Conference on
Virtual Reality and 3D User Interfaces (VR), Osaka, 2019.
[17]
A. Batch, A. Cunningham, M. Cordeil, N. Elmqvist, T. Dwyer, B. H. Thomas and
K. Marriott, "There Is No Spoon: Evaluating Performance, Space Use, and
Presence with Expert Domain Users in Immersive Analytics," IEEE
Transactions on Visualization and Computer Graphics, vol. 26, no. 1, pp. 536
- 546, 2020.
[18]
S. Beitzel, J. Dykstra, P. Toliver and J. Youzwak, "Exploring 3D Cybersecurity
Visualization with the Microsoft HoloLens," in International Conference on
Applied Human Factors and Ergonomics, 2017.
[19]
T. Reuille, S. Hawthorne, A. Hay, S. Matsusaki and C. Ye, "OpenDNS Data
Visualization Framework," 2015. [Online]. Available:
http://www.opengraphiti.com/.
[20]
3Data, "Advanced Analytics for SecOps," 3Data, [Online]. Available:
https://3data.io/solutions-cybersecurity/. [Accessed 01 2021].
[21]
M. Ryan, K. Kullman and L. Trossbach, "VR/MR Supporting the Future of
Defensive Cyber Operations," in NATO Computer Aided Analysis, Exercise,
Experimentation Forum, Paris, 2019.
[22]
Y. Seong, J. Nuamah and S. Yi, "Guidelines for Cybersecurity Visualization
Design," in IDEAS 2020, Seoul, South Korea, 2020.
[23]
C. Zhong, A. Alnusair, B. Sayger, A. Troxell and J. Yao, "AOH-Map: A Mind
Mapping System for Supporting Collaborative Cyber Security Analysis," in
2019 IEEE Conference on Cognitive and Computational Aspects of Situation
Management (CogSIMA), Las Vegas, 2019.
[24]
D. J. Clark and B. P. Turnbull, "Experiment Design for Complex Immersive
Visualisation," in Conference: Military Communications and Information
Systems Conference (MilCIS) 2020, Canberra, 2020.
[25]
K. Kullman, "Creating Useful 3D Data Visualizations for Cybersecurity," in
MAVRIC, College Park, MD, 2020.
[26]
K. Kullman, "Virtual Data Explorer," Cognitive Data OÜ, [Online]. Available:
https://coda.ee/getvde.
[27]
K. Kullman, N. B. Asher and C. Sample, "Operator Impressions of 3D
Visualizations for Cybersecurity Analysts," in ECCWS 2019 18th European
Conference on Cyber Warfare and Security, Coimbra, 2019.
[28]
The NATO Cooperative Cyber Defence Centre of Excellence, "Locked Shields
Cyber Defence eXercise," [Online]. Available:
https://ccdcoe.org/exercises/locked-shields/.
[29]
K. Kullman, J. Cowley and N. Ben-Asher, "Enhancing Cyber Defense Situational
Awareness Using 3D Visualizations," in 13th International Conference on
Cyber Warfare and Security, Washington, DC, 2018.
... The author also interviewed Kaur Kullman, a noted expert in VR visualisations of cybersecurity data from University of Maryland. Kullman's research (see Figure 04) shows the viability of using interactive 3D environments to visualise complex cybersecurity information (Kullman and Engel, 2022). Kullman explained the current state-of-the-art, potential hardware issues, and the physical limitations of human test subjects. ...
... This research builds on recent work which demonstrates the need for effective visualisations of Cybersecurity data (Kullman and Engel, 2022). While 3D visualisations of complex data are not new (Berkel and Bos, 1999), the price of hardware has fallen and the speed of software has improved to such a degree that this research shows that it is finally feasible to use VR in the workplace to explore complex data sets. ...
... Screenshot of 3D interactive data(Kullman and Engel, 2022) BY-NC-SA 4.0. ...
Preprint
Full-text available
A prototype Metaverse experience was created in which users could explore hierarchical cybersecurity data. A small group of participants were surveyed on their attitudes to the Metaverse. They then completed a short series of tasks in the environment. Questions were asked to assess if they were suffering from Cybersickness. After completing further tasks, their attitudes were surveyed regarding future uses of the metaverse in the organisation. A second cohort of participants attended an online seminar. They completed a survey about their attitudes to the Metaverse. They then watched a short video of the Metaverse experience. Afterwards, they answered questions related to their attitudes towards future uses of the metaverse in the organisation. The results of these questionnaires were assessed to see whether participants were receptive to the idea of working with data inside the Metaverse in the future.
... The 3D visualizations should closely match the mental models of the individual end users and therefore not be developed independent of them (Kullman & Engel, 2022). To optimize the 3D visualizations for the analytical environment (e.g., malware analysis, network analysis, threat analysis) of the specific user, Kullman and colleagues (2020) suggest using semi-structured interviews to map the context-specific mental models of the analysts. ...
... As XR has been shown to enable domain scientists in other fields to develop a better underestanding of their data [7], we seek to use XR to support GEOS users. Our implementation is in NASA's open source toolkit for XR, the Mixed Reality Exploration Toolkit (MRET) [8], because MRET has a track record in supporting the modular development of tailored visualizations for other application domains [9]. ...
Conference Paper
Full-text available
Our work explores the use of extended reality (XR) to improve scientific discovery with numerical weather/climate models that inform Earth science digital twins, specifically the NASA Goddard Earth Observing System (GEOS) global atmospheric model. The overall project is named the Vi-sualization And Lagrangian dynamics Immersive eXtended Reality Toolkit (VALIXR), which has two main areas of focus: (1) enhancing the understanding of and interaction with model output data through advanced visualizations in the XR environment, and (2) the integration of Lagrangian dynamics into the GEOS model, which allows a natural, feature-specific analysis of Earth science phenomena as opposed to traditional, fixed-point Eulerian dynamics. Here, we report initial work on these focus areas.
... Microsoft HoloLens 2 (Microsoft, Redmond, DC) has become the most common MR headset to be used for various research studies, fielded by enterprises and governments for Interactive Stereoscopically Perceivable Multidimensional Data Visualizations (ISPMDV; see Kullman and Engel, 2022b for an introduction), where it's mostly used for either geospatial or natively spatial datasets. For the purposes of this study, HoloLens 2 was chosen for its capabilities, ease of software development, and existing compatibility with VDE. ...
Article
Background: Cyber defense decision-making during cyber threat situations is based on human-to-human communication aiming to establish a shared cyber situational awareness. Previous studies suggested that communication inefficiencies were among the biggest problems facing security operation center teams. There is a need for tools that allow for more efficient communication of cyber threat information between individuals both in education and during cyber threat situations. Methods: In the present study, we compared how the visual representation of network topology and traffic in 3D mixed reality vs. 2D affected team performance in a sample of cyber cadets (N = 22) cooperating in dyads. Performance outcomes included network topology recognition, cyber situational awareness, confidence in judgements, experienced communication demands, observed verbal communication, and forced choice decision-making. The study utilized network data from the NATO CCDCOE 2022 Locked Shields cyber defense exercise. Results: We found that participants using the 3D mixed reality visualization had better cyber situational awareness than participants in the 2D group. The 3D mixed reality group was generally more confident in their judgments except when performing worse than the 2D group on the topology recognition task (which favored the 2D condition). Participants in the 3D mixed reality group experienced less communication demands, and performed more verbal communication aimed at establishing a shared mental model and less communications discussing task resolution. Better communication was associated with better cyber situational awareness. There were no differences in decision-making between the groups. This could be due to cohort effects such as formal training or the modest sample size. Conclusion: This is the first study comparing the effect of 3D mixed reality and 2D visualizations of network topology on dyadic cyber team communication and cyber situational awareness. Using 3D mixed reality visualizations resulted in better cyber situational awareness and team communication. The experiment should be repeated in a larger and more diverse sample to determine its potential effect on decision-making.
... VDE enables a user to stereoscopically perceive a spatial layout of a dataset in a VR or MR environment (e.g., the topology of a computer network), while the resulting visualization can be augmented with additional data, like TCP/UDP/ICMP session counts between network nodes [16]. VDE allows its users to customize visualization layouts via two complementary text configuration files that are parsed by the VDE Server and the VDE Client. ...
Chapter
Cybersecurity practitioners face the challenge of monitoring complex and large datasets. These could be visualized as time-varying node-link graphs, but would still have complex topologies and very high rates of change in the attributes of their links (representing network activity). It is natural, then, that the needs of the cybersecurity domain have driven many innovations in 2D visualization and related computer-assisted decision making. Here, we discuss the lessons learned while implementing user interactions for Virtual Data Explorer (VDE), a novel system for immersive visualization (both in Mixed and Virtual Reality) of complex time-varying graphs. VDE can be used with any dataset to render its topological layout and overlay that with time-varying graph; VDE was inspired by the needs of cybersecurity professionals engaged in computer network defense (CND). Immersive data visualization using VDE enables intuitive semantic zooming, where the semantic zoom levels are determined by the spatial position of the headset, the spatial position of handheld controllers, and user interactions (UIa) with those controllers. This spatially driven semantic zooming is quite different from most other network visualizations which have been attempted with time-varying graphs of the sort needed for CND, presenting a broad design space to be evaluated for overall user experience (UX) optimization. In this paper, we discuss these design choices, as informed by CND experts, with a particular focus on network topology abstraction with graph visualization, semantic zooming on increasing levels of network detail, and semantic zooming to show increasing levels of detail with textual labels.
Book
The main goal of the field of augmented cognition is to research and develop adaptive systems capable of extending the information management capacity of individuals through computing technologies. Augmented cognition research and development is therefore focused on accelerating the production of novel concepts in human-system integration and includes the study of methods for addressing cognitive bottlenecks (e.g., limitations in attention, memory, learning, comprehension, visualization abilities, and decision making) via technologies that assess the user’s cognitive status in real time. A computational interaction employing such novel system concepts monitors the state of the user, through behavioral, psychophysiological, and neurophysiological data acquired from the user in real time, and then adapts or augments the computational interface to significantly improve their performance on the task at hand. The International Conference on Augmented Cognition (AC), an affiliated conference of the HCI International (HCII) conference, arrived at its 16th edition and encouraged papers from academics, researchers, industry, and professionals, on a broad range of theoretical and applied issues related to augmented cognition and its applications. The field of augmented cognition has matured over the years to solve enduring issues such as portable, wearable neurosensing technologies and data fusion strategies in operational environments. These innovations coupled with better understanding of brain and behavior, improved measures of brain state change, and improved artificial intelligence algorithms have helped expand the augmented cognition focus areas to rehabilitation, brain-computer interfaces, and training and education. The burgeoning field of human-machine interfaces such as drones and autonomous agents are also benefitting from augmented cognition research. 
This volume of the HCII 2022 proceedings is dedicated to this year’s edition of the AC conference and focuses on topics related to understanding human cognition and behavior, brain activity measurement and electroencephalography, human and machine learning, and augmented cognition in extended reality. Papers of this one volume are included for publication after a minimum of two single-blind reviews from the members of the AC Program Board or, in some cases, from members of the Program Boards of other affiliated conferences. We would like to thank all of them for their invaluable contribution, support, and efforts.
Conference Paper
Experimentation focused on assessing the value of complex visualisation approaches when compared with alternative methods for data analysis is challenging. The interaction between participant prior knowledge and experience, a diverse range of experimental or real-world data sets and a dynamic interaction with the display system presents challenges when seeking timely, affordable and statistically relevant results. This paper outlines a hybrid approach proposed for experimentation with complex interactive data analysis tools. The approach involves a structured survey completed after free engagement with the software platform by expert participants. The survey captures objective and subjective data points relating to the experience with the goal of making an assessment of the software performance supported by statistically significant experimental results. This work is particularly applicable to field of network analysis for cyber security and also military cyber operations and intelligence data analysis.
Conference Paper
Cyber security visualization designers can benefit from human factors engineering concepts and principles to resolve key human factors challenges in visual interface design. We survey human factors concepts and principles that have been applied in the past decade of human factors research. We highlight these concepts and relate them to cybersecurity visualization design. We provide guidelines to help cybersecurity visualization designers address some human factors challenges in the context of interface design. We use ecological interface design approach to present human factors-based principles of interface design for visualization. Cyber security visualization designers will benefit from human factors engineering concepts and principles to resolve key human factors challenges in visual interface design.
Conference Paper
US Army C5ISR Center Cyber Security Service Provider (CSSP) is a 24/7 Defensive Cyber Operations (DCO) organization that defends US Department of Defense and US Army networks from hostile cyber activity, as well as develops technologies and capabilities for use by DCO operators within the DoD. In recent years, C5ISR Center CSSP has been researching various advanced data visualization concepts and strategies to enhance the speed and efficiency of cybersecurity analysts' workflow. To achieve these goals, Virtual and Mixed Reality (VR/MR) tools have been employed to investigate whether these mediums would enable useful remote collaboration of DCO operators and whether stereoscopically perceivable 3D data visualizations would enable DCO operators to gain improved hindsight into their datasets. We'll be giving an overview of the capabilities being developed as aligned to our research and operational requirements, our expected outcomes of using VR/MR in training and operational cyber environments and our planned path to accomplish these goals.
Conference Paper
Cybersecurity analysts ingest and process significant amounts of data from diverse sources in order to acquire network situation awareness. Visualizations can enhance the efficiency of analysts' workflow by providing contextual information, various sets of cybersecurity related data, information regarding alerts, among others. However, textual displays and 2D visualizations have limited capabilities in displaying complex, dynamic and multidimensional information. There have been many attempts to visualize data in 3D, while being displayed on 2D displays, but success has been limited. We propose that customized, stereoscopically perceivable 3D visualizations aligned with analysts' internal representations of network topology, may enhance their capability to understand their networks' state in ways that 2D displays cannot afford. These 3D visualizations may also provide a path for users who are trained and comfortable with textual and 2D representations of data to assess visualization methods that may be suitably aligned to implicit knowledge of their networks. Thus, the premise of custom data-visualizations forms the foundation for this study. Herein, we report on findings from a comparative, qualitative, within-subjects usability analysis between 2D and 3D representations of the same network traffic dataset. Study participants (analysts) provided information on: 1.) ability to create an initial understanding of the network, 2.) ease of finding task-relevant information in the representation, and 3.) overall usability. Results indicated that interviewees indicated a preference for 3D visualizations over the 2D alternatives and we discuss possible explanations for this preference.
Conference Paper
The human visual system is generally more adept at inferring meaning from graphical objects and natural scene elements than reading alphanumeric characters. Graphical objects like charts and graphs in cybersecurity dashboards often lack the requisite numbers of features to depict behaviors of complex network data. For example, bar charts afford few features to encode a panoply of parameters in network data. Furthermore, dashboard visualizations seldom support the transition of human work from situation awareness building to requisite responses during intrusion detection events. This research effort aims to identify how graphical objects (also referred to as data-shapes) depicted in Virtual Reality tools, developed in accordance with an analyst’s mental model of an intrusion detection event, can enhance analyst’s situation awareness. We demonstrate the proposed approach using Locked Shields 16 CDX network traffic. Implications of this study and future case study are discussed.
Conference Paper
We describe the novel use of the Microsoft HoloLens to assist human operators with computer network operations tasks. We created three applications to explore how the HoloLens may aid cybersecurity practitioners. First, we developed a 3D network visualizer that displays network topologies in varying levels of detail, ranging from a global perspective down to specific properties of individual nodes. The user navigates through the topology views using hand gestures while responding to simulated alarm conditions on specific nodes. Second, we developed an application that simulates a “capture the flag” exercise. Third, we developed an application to test network connectivity. We discuss the benefits, challenges, and lessons learned from developing mixed-reality applications for computer network operations. We also discuss ideas for further development in this area.
Article
Immersive analytics turns the very space surrounding the user into a canvas for data analysis, supporting human cognitive abilities in myriad ways. We present the results of a design study, contextual inquiry, and longitudinal evaluation involving professional economists using a Virtual Reality (VR) system for multidimensional visualization to explore actual economic data. Results from our preregistered evaluation highlight the varied use of space depending on context (exploration vs. presentation), the organization of space to support work, and the impact of immersion on navigation and orientation in the 3D analysis space.
Book
Our society has entered a data-driven era, one in which not only are enormous amounts of data being generated daily but there are also growing expectations placed on the analysis of this data. Some data have become simply too large to be displayed and some have too short a lifespan to be handled properly with classical visualization or analysis methods. In order to address these issues, this book explores the potential solutions where we not only visualize data, but also allow users to be able to interact with it. Therefore, this book will focus on two main topics: large dataset visualization and interaction. Graphic cards and their image processing power can leverage large data visualization but they can also be of great interest to support interaction. Therefore, this book will show how to take advantage of graphic card computation power with techniques called GPGPUs (general-purpose computing on graphics processing units). As specific examples, this book details GPGPU usages to produce fast enough visualization to be interactive with improved brushing techniques, fast animations between different data representations, and view simplifications (i.e. static and dynamic bundling techniques). Since data storage and memory limitation is less and less of an issue, we will also present techniques to reduce computation time by using memory as a new tool to solve computationally challenging problems. We will investigate innovative data processing techniques: while classical algorithms are expressed in data space (e.g. computation on geographic locations), we will express them in graphic space (e.g., raster map like a screen composed of pixels). This consists of two steps: (1) a data representation is built using straightforward visualization techniques; and (2) the resulting image undergoes purely graphical transformations using image processing techniques. This type of technique is called image-based visualization.
The goal of this book is to explore new computing techniques using image-based techniques to provide efficient visualizations and user interfaces for the exploration of large datasets. This book concentrates on the areas of information visualization, visual analytics, computer graphics, and human-computer interaction. This book opens up a whole field of study, including the scientific validation of these techniques, their limitations, and their generalizations to different types of datasets.