BubbleNet: A Cyber Security Dashboard for Visualizing Patterns

Sean McKenna (1,2), Diane Staheli (2), Cody Fulcher (2), Miriah Meyer (1)
1 University of Utah
2 MIT Lincoln Laboratory

The Lincoln Laboratory portion of this work is sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government.


what was leaked?

“spoiled brat” “minimally talented”


Challenges in Cyber Security

• for analysts
  • large amounts of data
  • requires human interpretation to prevent attacks
  • attacks are robust and ever-changing

• for visualization practitioners
  • analysts can distrust visualization
  • hard to compete with speed: “current main bottleneck is the hard drive read times”
  • limited access to both users and data

BubbleNet Dashboard

• conducted a design study
  • problem characterization
  • data and task abstraction
  • dashboard design

• focus on the design process
  • design methods
  • user evaluation
  • deployment

Cyber Security Visualization Tools

• most cyber security research has focused on novel representations [Foresti ‘06, Taylor ‘09, Paul ’13, Fowler ‘14, Fischer ‘14]
• usability and tool effectiveness have been scarcely studied
• very few discussions about tool deployment
• no end-to-end design study

Problem Characterization

• cyber security incidents can result in negative outcomes
  • information disclosure
  • theft
  • denial of service

• to prevent these, analysts find anomalies in data streams
• dashboards are a vital component of data presentation: “pictures are great when going up to management because you have 60 seconds to make your case”

Data and Task Abstraction

• network record: metadata associated with the communication between two computers
• pattern: collection of network records that represent some recurring or abnormal behavior
• analysts must both discover & present these patterns
• identification and comparison can be supported by aggregation
  • e.g. collecting records by location on the internet

Dataset

• intrusion detection system (IDS) data
  • captures alerts – these are our records
  • rules triggered and may hint at potential incidents
  • requires a priori knowledge

• aggregation of alerts
  • by location: country
  • by time: day and hour
  • store amount of alerts and averages
  • keep links back to original data
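The two slides above (the record/pattern abstraction and the alert aggregation) describe one data structure: IDS alert records rolled up by country and by day/hour, with counts and averages stored per bucket and links kept back to the raw records so a selection can be drilled into. The following Python is an added example written for this page, not BubbleNet's own code: the alert records, the placeholder country labels, the RFC 5737 documentation addresses, the rule names and the "twice the country's hourly average" threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One IDS alert record: which rule fired, when, and the remote side's location."""
    alert_id: int
    ts: datetime
    src_ip: str
    dst_ip: str
    country: str  # geolocation of the remote address (placeholder labels below)
    rule: str


# Bucket key: (country, ISO day, hour of day)
BucketKey = Tuple[str, str, int]


def _burst(start_id: int, country: str, day: str, hour: int, n: int, rule: str) -> List[Alert]:
    """Build n constructed alerts that all fall in one (country, day, hour) bucket."""
    base = datetime.fromisoformat(f"{day}T{hour:02d}:00:00")
    return [
        Alert(start_id + i, base.replace(minute=(i * 7) % 60),
              f"203.0.113.{10 + i}", "192.0.2.25", country, rule)
        for i in range(n)
    ]


# Constructed sample data (not real traffic): two remote locations over two days,
# with one conspicuous late-evening burst from Country-B.
SAMPLE_ALERTS: List[Alert] = (
    _burst(1, "Country-A", "2015-03-02", 9, 3, "SCAN port sweep")
    + _burst(4, "Country-A", "2015-03-02", 10, 2, "SCAN port sweep")
    + _burst(6, "Country-A", "2015-03-03", 9, 1, "POLICY unusual user agent")
    + _burst(7, "Country-B", "2015-03-02", 9, 1, "SCAN port sweep")
    + _burst(8, "Country-B", "2015-03-02", 10, 1, "SCAN port sweep")
    + _burst(9, "Country-B", "2015-03-02", 22, 10, "WEB attempted path traversal")
)


def aggregate(alerts: List[Alert]) -> Dict[BucketKey, dict]:
    """Group alerts by (country, day, hour). Each bucket stores the alert count,
    the rules involved, and the ids of the underlying records, so a dashboard
    selection can always drill back to the original data."""
    buckets: Dict[BucketKey, dict] = {}
    for a in alerts:
        key: BucketKey = (a.country, a.ts.date().isoformat(), a.ts.hour)
        b = buckets.setdefault(key, {"count": 0, "alert_ids": [], "rules": set()})
        b["count"] += 1
        b["alert_ids"].append(a.alert_id)
        b["rules"].add(a.rule)
    return buckets


def country_totals(buckets: Dict[BucketKey, dict]) -> Dict[str, dict]:
    """Per country: total alerts, number of active hour buckets, and the mean
    alerts per active bucket (the stored 'averages' the slide refers to)."""
    totals: Dict[str, dict] = defaultdict(lambda: {"alerts": 0, "buckets": 0})
    for (country, _day, _hour), b in buckets.items():
        totals[country]["alerts"] += b["count"]
        totals[country]["buckets"] += 1
    for t in totals.values():
        t["avg_per_bucket"] = t["alerts"] / t["buckets"]
    return dict(totals)


def abnormal_buckets(buckets: Dict[BucketKey, dict], factor: float = 2.0) -> List[BucketKey]:
    """Flag hour buckets whose count is at least `factor` times that country's
    mean: a simple version of the 'abnormal behavior' pattern. The factor is an
    assumption for this example, not a threshold from the paper."""
    totals = country_totals(buckets)
    return sorted(key for key, b in buckets.items()
                  if b["count"] >= factor * totals[key[0]]["avg_per_bucket"])


if __name__ == "__main__":
    bk = aggregate(SAMPLE_ALERTS)
    for country, t in country_totals(bk).items():
        print(f"{country}: {t['alerts']} alerts over {t['buckets']} active hours, "
              f"avg {t['avg_per_bucket']:.1f}/hour")
    for key in abnormal_buckets(bk):
        print("abnormal bucket", key, "-> alert ids", bk[key]["alert_ids"])
```

Keeping the raw alert ids inside every bucket is what makes the aggregate trustworthy to an analyst: a bubble or heatmap cell that looks abnormal can be opened straight into the records behind it rather than taken on faith.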

BubbleNet Dashboard

• location view
• temporal views
• attribute bullet charts
• record details
• selection overview

Finding Patterns in BubbleNet

[video]

Design Process

[Figure: design process timeline, 2013 to 2015, with rows users, data, methods. Collaborating organizations: software company, research organization, university info. security, operational organization. Methods shown: qualitative coding, personas, idea matrix, heuristics. Label: channel. Quote on the slide: “evolving relationship between producers and consumers of visualization” [Wood, Beecham, Dykes 2014]]

Personas

• identified different potential users
  • flow of information and decisions
• selected a subset to focus the design
  • analysts and managers
• simplified requirements
• consistent terminology

[McKenna et al. 2015]

Design Process

for more on these design methods: [McKenna et al. 2015]

[Figure: design process timeline, 2013 to 2015, with rows users, data, methods, tools. Organizations: software company, research organization, university info. security, operational organization. Methods: qualitative coding, personas, idea matrix, heuristics, data sketches. Tools: a) prototype I]

Data Sketches

• data-driven sketches, test our abstractions [Lloyd & Dykes 2011]
• feedback from analyst
• provided project focus:
  • initial impressions
  • confusing encodings
  • encodings of interest

[McKenna et al. 2015]

[Figure: design process timeline, 2013 to 2015, with rows users, data, methods, tools. Organizations: software company, research organization, university info. security, operational organization. Methods: qualitative coding, personas, idea matrix, heuristics, data sketches, usability study. Tools: a) prototype I, b) prototype II, c) BubbleNet dashboard]

Evaluation

• user study
  • 5 analysts, 4 managers
  • 1-hour long, training + scenarios

• system usability scale (SUS) [Sauro 2011]
  • 10 questions on usability
  • yields score out of 100
  • standardized across many user interfaces
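As an added illustration of how a SUS questionnaire turns into the score-out-of-100 the slides report, here is the standard SUS scoring rule (Brooke's original scheme: odd items contribute answer minus 1, even items contribute 5 minus answer, sum scaled by 2.5) in Python. This is example code written for this page, not the study's instrument or data; the answer sheets below are constructed.

```python
from typing import List, Sequence


def sus_score(responses: Sequence[int]) -> float:
    """Score one completed SUS questionnaire: ten Likert answers in questionnaire
    order, 1 = strongly disagree .. 5 = strongly agree.
    Odd-numbered items are positively worded and contribute (answer - 1);
    even-numbered items are negatively worded and contribute (5 - answer).
    The contributions sum to 0..40, which is scaled by 2.5 to a 0..100 score."""
    if len(responses) != 10 or any(not 1 <= r <= 5 for r in responses):
        raise ValueError("SUS needs exactly ten answers, each in 1..5")
    total = sum((r - 1) if i % 2 == 1 else (5 - r)
                for i, r in enumerate(responses, start=1))
    return total * 2.5


def mean_sus(all_responses: Sequence[Sequence[int]]) -> float:
    """Average the per-participant scores into one score for the system."""
    scores = [sus_score(r) for r in all_responses]
    return sum(scores) / len(scores)


# Constructed answer sheets for illustration (not the study's actual responses).
SAMPLE_RESPONSES: List[List[int]] = [
    [4, 2, 5, 1, 4, 2, 4, 2, 5, 1],  # mostly positive -> 85.0
    [3, 3, 3, 3, 3, 3, 3, 3, 3, 3],  # neutral throughout -> 50.0
    [5, 1, 5, 1, 5, 1, 5, 1, 5, 1],  # best possible -> 100.0
]

if __name__ == "__main__":
    for sheet in SAMPLE_RESPONSES:
        print(sheet, "->", sus_score(sheet))
    print("mean SUS:", round(mean_sus(SAMPLE_RESPONSES), 1))
```

Note that a sheet answered "3" throughout lands at exactly 50, so the per-user scores on the next slide are only meaningful relative to that neutral midpoint and to the published SUS norms, not as percentages.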


Evaluation

BubbleNet’s score: 75 / 100

[Chart: System Usability Score by User, score axis 0 to 100; users A1–A5 (Analysts) and M1–M4 (Managers). Values printed on the chart: 72.5, 80, 85, 80, 90, 80, 77.5, 65, 68, 42.5]

Evaluation

• system usability scale
  • validates general principles and interaction paradigms
  • limited to usability

• think-aloud session + qualitative coding
  • pulled out key successes of the project
  • e.g. temporal pattern detection, focus on patterns, interaction feedback

Evaluation

“I keep getting drawn to the heatmap and these darker areas, because they certainly stand out”

“the majority of what we are looking for is patterns and this just makes patterns which is faster”

“it’s very responsive and dynamic; the fact that it changes as I narrow [in] is the best”

“I could write a splunk query to do this, but this is easier”

[Figure: design process timeline, 2013 to 2015, with rows users, data, methods, tools, deployment. Organizations: software company, research organization, university info. security, operational organization. Methods: qualitative coding, personas, idea matrix, heuristics, data sketches, usability study. Tools: a) prototype I, b) prototype II, c) BubbleNet dashboard]

Reflections

• needs of cyber security analysts and managers are unique and challenging to accommodate simultaneously
• winnowing and casting of user roles occurred later in the design process
• task of presentation involves two or more parties, so there were users beyond just a data analyst to consider


to find out more…
http://mckennapsean.com/projects/bubble-net
[email protected]

acknowledgements: Jonzy, Dan Bowden, Tamara Denning, staff members at MIT Lincoln Laboratory, and the Visualization Design Lab

