Data Information, Resource Discovery,
Information Taxonomy for
Presentation, Selection, and Design
Visualisation for Defensive Information Warfare
Syndicates 2 and 5
Peter Clark, Rashaad Jones, Mark Nixon, Martin Taylor
Presented 11 March 2003
The Pennsylvania State University
Nittany Lion Inn
State College, PA
6th Network of Experts Workshop: Information Visualization Needs for Intelligence and Counter-terror
Topics
• Challenges of I/W Intelligence Visualisation
• Dimensions of I/W Intelligence Information
• Applying the HAT Report Taxonomies
• Evaluation/Assessment Issues
• Areas of Research
Syndicates 2, 5 Presentation: Visualisation for Defensive Information Warfare, March 10, 2003
Challenges of I/W Intelligence (1)
• Good COP, bad COP
– A Common Operating Picture (COP) for I/W depends on the presentee’s (human perceiver’s)
• purpose
• role
• cognitive style
• COPs and more COPs* for defensive I/W are distinguished by different
– Ways of indexing visualised I/W information elements
– Levels of granularity in I/W information
– Modes of information access (data, timing, etc.)
* in this Keystone State
Challenges of I/W Intelligence (2)
• COPs for defensive I/W are distinguished by different
– Ways of indexing visualised I/W information elements
• Labels, e.g., “Köln-Bonn”
• Descriptors, e.g., “Clear flight ceiling”
• Locations, e.g., geo-spatial co-ordinates
– Granularity and dimensionality of I/W information
• Continuous (analogue, scalar, vector)
• Discrete (categorical, symbolic, linguistic, tabular)
– Modes of information access (data, timing, etc.)
• Imposed by the information (e.g., real-time, signal-based)
• Chosen (e.g., by variation in perspective, attribute, etc.)
• Static vs. streamed
Challenges of I/W Intelligence (3)
• COPs for distributed defensive I/W operations
– Information presented is appropriate to the role
• Owner – interest is in system cost, schedule, performance
• Operator – interest is in security of intelligence products
• System Administrator – interest is in system effectiveness at
– alerting him/her to signatures of imminent I/W attacks
– monitoring anomalous message traffic
– searching and exploring message packet interrelationships
– Fidelity follows purpose
• Summaries or details “right-sized” to the role
– “Objectness” depends on user control
• Affords the constructed presentation its intuitiveness
Challenges of I/W Intelligence (4)
• Collaboration and teamwork for distributed defensive I/W operations require that
– Role-distinguished displays discourage interference
– Distributed operators visualise each other’s behavior
– The existence and progress of an attack be identified
• Phased detection involving many “pairs of eyes”
– Security of system, communications and team-member information be maintained
Dimensions of I/W Intelligence (1)
• Tempo of I/W operations
– Not restricted or paced by the rate at which physical objects of conventional warfare can be invented and manufactured
– An accelerated “arms race”
– Implementing and publishing countermeasures taxes the adversary’s main resource
• Creativity with respect to new, unprecedented attacks
– NB: countermeasures could well play into an adversary’s hand by establishing new vulnerabilities
Dimensions of I/W Intelligence (2)
• Identification of system risk is the raison d’être for any of the data acquired in I/W operations
• Dimensions of I/W information used for determining anomalous vs. baseline behavior
– IP address (source, destination)
– Time
– Port #
– Protocol (IP, TCP, UDP, etc.)
– URL
– Sequence #
– Flag
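The slide lists the dimensions along which anomalous behavior is judged against a baseline but does not show the mechanism. The following is an added example, not code from the slides or from the HAT report: it learns a baseline from a window of flow records assumed to be attack-free and then scores later records on the port/protocol, URL, time and source-to-port fan-out dimensions. The line format, the hosts, the one-minute sweep window and the fan-out factor are all constructed assumptions for illustration.

```python
"""Baseline-vs-anomaly scoring along the dimensions listed above.

Added example, not code from the original slides.  The record format,
the 'attack-free' baseline window, the thresholds and all hosts are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str            # "TCP", "UDP", ...
    dport: Optional[int]  # None for protocols without ports
    flags: str            # TCP flag letters, "" if none
    url: Optional[str]    # HTTP request path, if one was observed


def parse(line: str) -> Flow:
    """Constructed line format: ts src dst proto dport flags url ('-' = absent)."""
    ts, src, dst, proto, dport, flags, url = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto,
                None if dport == "-" else int(dport),
                "" if flags == "-" else flags,
                None if url == "-" else url)


class Baseline:
    """What 'normal' looks like, learned from a window believed attack-free."""

    def __init__(self, flows: List[Flow]):
        self.services = {(f.dst, f.dport, f.proto) for f in flows if f.dport is not None}
        self.urls = {f.url for f in flows if f.url}
        hours = [f.ts.hour for f in flows]
        self.hours = range(min(hours), max(hours) + 1)   # observed activity window
        fanout = defaultdict(set)                         # src -> distinct dst ports
        for f in flows:
            if f.dport is not None:
                fanout[f.src].add(f.dport)
        self.max_fanout = max((len(p) for p in fanout.values()), default=0)


def detect(baseline: Baseline, flows: List[Flow],
           window: timedelta = timedelta(minutes=1),
           fanout_factor: int = 3) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) for every flow that departs from the baseline
    on at least one dimension; each reason is tagged with its dimension."""
    limit = fanout_factor * max(baseline.max_fanout, 1)
    recent = defaultdict(list)            # src -> [(ts, dport)] inside window
    findings = []
    for f in flows:
        reasons = []
        if f.dport is not None and (f.dst, f.dport, f.proto) not in baseline.services:
            reasons.append(f"port/protocol: {f.proto}/{f.dport} on {f.dst} not in baseline")
        if f.url and f.url not in baseline.urls:
            reasons.append(f"url: {f.url} never seen in baseline")
        if f.ts.hour not in baseline.hours:
            reasons.append(f"time: hour {f.ts.hour:02d} outside baseline activity")
        if f.dport is not None:
            recent[f.src] = [(t, p) for t, p in recent[f.src] if f.ts - t <= window]
            recent[f.src].append((f.ts, f.dport))
            distinct = len({p for _, p in recent[f.src]})
            if distinct > limit:
                reasons.append(f"port sweep: {f.src} hit {distinct} distinct ports within {window}")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed sample data (not captured traffic).
BASELINE_LINES = """\
2003-03-10T09:05:00 192.0.2.10 10.0.0.5 TCP 443 S -
2003-03-10T09:05:01 192.0.2.10 10.0.0.5 TCP 80 S /index.html
2003-03-10T10:12:00 192.0.2.11 10.0.0.2 UDP 53 - -
2003-03-10T10:12:01 192.0.2.11 10.0.0.5 TCP 80 S /login
2003-03-10T14:30:00 192.0.2.12 10.0.0.5 TCP 80 S /index.html
2003-03-10T16:45:00 192.0.2.11 10.0.0.2 UDP 53 - -
""".splitlines()

OBSERVED_LINES = """\
2003-03-11T03:02:00 192.0.2.13 10.0.0.5 TCP 80 S /index.html
2003-03-11T09:30:00 192.0.2.10 10.0.0.5 TCP 443 S -
2003-03-11T11:00:00 203.0.113.9 10.0.0.5 TCP 21 S -
2003-03-11T11:00:01 203.0.113.9 10.0.0.5 TCP 22 S -
2003-03-11T11:00:02 203.0.113.9 10.0.0.5 TCP 23 S -
2003-03-11T11:00:03 203.0.113.9 10.0.0.5 TCP 25 S -
2003-03-11T11:00:04 203.0.113.9 10.0.0.5 TCP 80 S -
2003-03-11T11:00:05 203.0.113.9 10.0.0.5 TCP 110 S -
2003-03-11T11:00:06 203.0.113.9 10.0.0.5 TCP 143 S -
2003-03-11T11:00:07 203.0.113.9 10.0.0.5 TCP 443 S -
2003-03-11T13:10:00 192.0.2.12 10.0.0.5 TCP 80 S /admin/config
""".splitlines()


def run_example() -> List[Tuple[Flow, List[str]]]:
    base = Baseline([parse(line) for line in BASELINE_LINES])
    return detect(base, [parse(line) for line in OBSERVED_LINES])


if __name__ == "__main__":
    for flow, reasons in run_example():
        print(flow.ts.isoformat(), flow.src, "->", flow.dst, "|", "; ".join(reasons))
```

Two points of the slide show up in the output. First, one record can be anomalous on several dimensions at once (the sweep's seventh probe is both an unknown service and a fan-out excess), which is why each reason carries its dimension tag for the display to index on. Second, a small baseline makes the time dimension brittle: the hour check is expressed as an observed range rather than a set of seen hours precisely because a few days of "normal" traffic do not visit every hour, and a practitioner would widen that window before trusting time-based alerts.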
Some HAT Report Concepts (1)
• The dataspace inside the computer
– Represents some aspect of the world the human seeks to understand and influence
• Display “engines” inside the computer
– Enable human visualisation of this aspect of the world by accessing and presenting dataspace content
• The IST-05 (VisTG) Reference Model
– Exhibits a reciprocal relationship between
• The human’s understanding and the dataspace in the computer, and
• The human’s visualisation and the engines in the computer that operate on the dataspace
Some HAT Report Concepts (2)
• The effectiveness of visualisation systems depends on how well they
– accommodate human cognitive and task performance limitations
– engage and enable human cognitive, sensory and motor capacities
• Human purposes: the four modes of perception
– Controlling/Monitoring – basic “situation awareness”
– Alerting – change detection of “primed for” events
– Searching – for the necessary but unknown detail
– Exploring – for context development, future response
The HAT Report Taxonomies (1)
• A six-dimensional taxonomy of data types
– Data acquisition
• When are the data acquired, relative to when the display is needed?
– Data sources
• Is there a single source or more than one independent source of data?
– Data choice
• Can the user choose the data to be acquired (i.e., can the user redeploy the sensors)?
– Data identification
• How are the individual data elements identified, by location or by label?
– Data values
• What kinds of values can the data have, analogue or categorical?
– Data inter-relations
• How does one data element relate conceptually to others? Does the value of one affect the meaning of the other?
The HAT Report Taxonomies (2)
• A four-dimensional taxonomy of data displays
– Display timing
• Static versus dynamic?
– Data selection for display
• User-directed versus algorithmically selected?
– Data placement
• Located versus labelled?
– Data values
• Analogue versus categorical?
Key HAT Report Findings (1)
• Perceptual modes in defensive I/W operations
– Alerting is the primary mode
• Known (components of) earlier attacks
• Anomalous behavior – relative to standards on message protocols
• Technologically easy to “prime for” many such alerts – NB: a real attack may be a subtle one among many simultaneously alerted
– Exploring is the key to averting future attacks
• Understanding vulnerabilities and risks afforded by external accessibility
• Determining “normal” network user behavior
– priming for alerts
– planning alternative detection, “baiting” schemes
– Searching supports determination of the meaning, source and malevolence of a detected attack in progress
– Monitoring/Controlling enter into the surreptitious
• tracking of intruders and their resource accesses
• change of resource accesses and performance so as to frustrate the attacker
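The slide names two things an alerting display is primed for, components of earlier attacks and behavior that violates message-protocol standards, and warns that the real attack may be one subtle alert among many. The following added example (not code from the slides or the HAT report) primes both kinds of alert over packet records and then aggregates them per source so that the display ranks by worst single alert rather than by alert volume. The packets, the two "signatures", their severities and the host addresses are constructed; the flag combinations are ones a conforming TCP sender does not emit, which is the sense in which they are anomalous relative to the protocol standard.

```python
"""Alerting primed on known-attack components and protocol-standard
anomalies, then ranked so a single subtle hit is not buried under a
flood of noisy ones.  Added example, not from the slides; signatures,
hosts and packets are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters: S A F R P U
    payload: str


class Alert(NamedTuple):
    src: str
    session: Tuple[str, int, str, int]   # packets are related into sessions by 4-tuple
    reason: str
    severity: int


# "Known components of earlier attacks": name -> (pattern, severity).
# Constructed for the example, not real detection content.
SIGNATURES: Dict[str, Tuple[str, int]] = {
    "traversal":  ("../../", 6),
    "cmd-inject": (";cat /etc/", 8),
}


def flag_anomaly(flags: str) -> Optional[str]:
    """TCP flag combinations a conforming sender does not emit."""
    s = set(flags)
    if not s:
        return "null flags"
    if {"S", "F"} <= s:
        return "SYN+FIN"
    if {"F", "P", "U"} <= s and "A" not in s:
        return "xmas (FIN+PSH+URG without ACK)"
    return None


def prime_alerts(packets: List[Packet]) -> List[Alert]:
    """One pass over the stream; every primed condition raises its own alert."""
    out: List[Alert] = []
    for p in packets:
        sess = (p.src, p.sport, p.dst, p.dport)
        anomaly = flag_anomaly(p.flags)
        if anomaly:
            out.append(Alert(p.src, sess, f"protocol anomaly: {anomaly}", 1))
        for name, (pattern, sev) in SIGNATURES.items():
            if pattern in p.payload:
                out.append(Alert(p.src, sess, f"signature {name}", sev))
    return out


def rank_sources(alerts: List[Alert]) -> List[Tuple[str, int, int, List[str]]]:
    """(src, worst severity, alert count, distinct reasons), worst first.
    Volume only breaks ties, so a noisy scanner cannot outrank one quiet hit."""
    by_src: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    ranked = [(src, max(a.severity for a in al), len(al), sorted({a.reason for a in al}))
              for src, al in by_src.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2]))
    return ranked


def sample_packets() -> List[Packet]:
    """Constructed traffic: a noisy sweep, normal browsing, one subtle attack."""
    pkts = []
    for i in range(40):   # null / xmas probes across 40 ports -> 40 severity-1 alerts
        pkts.append(Packet("198.51.100.7", 40000 + i, "10.0.0.5", 1 + i,
                           "" if i % 2 == 0 else "FPU", ""))
    for i in range(3):    # ordinary requests, no alert
        pkts.append(Packet("192.0.2.10", 51000 + i, "10.0.0.5", 80, "PA",
                           "GET /index.html HTTP/1.0\r\n"))
    pkts.append(Packet("192.0.2.44", 52001, "10.0.0.5", 80, "PA",   # one quiet hit
                       "GET /static/../../etc/shadow HTTP/1.0\r\n"))
    return pkts


def run_example() -> List[Tuple[str, int, int, List[str]]]:
    return rank_sources(prime_alerts(sample_packets()))


if __name__ == "__main__":
    for src, worst, count, reasons in run_example():
        print(f"{src:14} worst={worst} alerts={count} {reasons}")
```

Sorting the same list by count instead of by worst severity would put the scanner's 40 alerts at the top and leave the single traversal attempt at the bottom of the page, which is exactly the failure the slide warns about. The session 4-tuple is carried on each alert so the searching mode can pull up every packet of the offending session afterwards.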
Key HAT Report Findings (2)
• Taxonomic classification of defensive I/W data types
– Data acquisition – streamed, real-time
– Data sources – multi-source, from redundant router tables, etc.
– Data choice – chosen through selection of messaging attributes
– Data identification – labelled
– Data values – categorical
– Data inter-relations – strong constructional inter-relationships between message components (packets, messages, sessions)
• Taxonomic classification of defensive I/W displays
– Display timing
• dynamic in support of real-time alerting, searching or monitoring/controlling
• static in exploring potential future attacks and current vulnerabilities
– Data selection for display is user-directed – attacks can exploit many dimensions of message traffic
– Data placement is located in 2D or 3D displays, labelled in tables
– Data values are categorical in displays
Evaluation/Assessment Issues
• Software-less demonstrations
– Develop mock-ups of defensive I/W visualisations distinguished by purpose, role, cognitive style
• Characterise data types and displays according to the HAT taxonomies
• Effectiveness estimates require
– Scenario acquisition for performance measures
• Streamed I/W data require time-to-detection tests
• A variety and number of I/W threat scenarios sufficient for valid performance measures
– Correctness criteria for performance measures
• Risks are ranked qualitatively to some extent
• Scoring weights on different risks are nonetheless required
Areas of Research
• Exploration vs. search for I/W visualisations
– Key to anticipating unprecedented attacks
• Countermeasures to offensive I/W
– Tracking, identifying and disabling perpetrators
• Theoretical foundations of distributed system security might be revisited
– Locus of unauthorized access attacks (i.e., attacks other than denials-of-service)
• System vs. users (problem solvers)
– Problem-centric vs. system-centric authorization
• May ease access control by forcing the adversary to follow the problem solver (team) from system to system (2nd-order user content security)