Data Information, Resource Discovery, Information Taxonomy for Presentation, Selection, and Design
Visualisation for Defensive Information Warfare
Syndicates 2 and 5
Peter Clark, Rashaad Jones, Mark Nixon, Martin Taylor
Presented 11 March 2003
The Pennsylvania State University, Nittany Lion Inn, State College, PA
6th Network of Experts Workshop: Information Visualization Needs for Intelligence and Counter-terror

Topics
• Challenges of I/W Intelligence Visualisation
• Dimensions of I/W Intelligence Information
• Applying the HAT Report Taxonomies
• Evaluation/Assessment Issues
• Areas of Research

Syndicates 2, 5 Presentation: Visualisation for Defensive Information Warfare, March 10, 2003

Challenges of I/W Intelligence (1)
• Good COP, bad COP
  – A Common Operating Picture (COP) for I/W depends on the presentee's (human perceiver's)
    • purpose
    • role
    • cognitive style
• COPs and more COPs* for defensive I/W are distinguished by different
  – Ways of indexing visualised I/W information elements
  – Levels of granularity in I/W information
  – Modes of information access (data, timing, etc.)
* in this Keystone State

Challenges of I/W Intelligence (2)
• COPs for defensive I/W are distinguished by different
  – Ways of indexing visualised I/W information elements
    • Labels, e.g., "Köln-Bonn"
    • Descriptors, e.g., "Clear flight ceiling"
    • Locations, e.g., geo-spatial co-ordinates
  – Granularity and dimensionality of I/W information
    • Continuous (analogue, scalar, vector)
    • Discrete (categorial, symbolic, linguistic, tabular)
  – Modes of information access (data, timing, etc.)
    • Imposed by the information (e.g., real-time, signal-based)
    • Chosen (e.g., by variation in perspective, attribute, etc.)
    • Static vs. streamed

Challenges of I/W Intelligence (3)
• COPs for distributed defensive I/W operations
  – Information presented is appropriate to the role
    • Owner – interest is system cost, schedule, performance
    • Operator – interest is in security of intelligence products
    • System Administrator – interest is in system effectiveness at
      – alerting him/her to signatures of imminent I/W attacks
      – monitoring anomalous message traffic
      – searching and exploring message packet interrelationships
  – Fidelity follows purpose
    • Summaries or details "right-sized" to the role
  – "Objectness" depends on user control
    • Affords the constructed presentation its intuitiveness

Challenges of I/W Intelligence (4)
• Collaboration and teamwork for distributed defensive I/W operations requires that
  – Role-distinguished displays discourage interference
  – Distributed operators visualise each other's behavior
  – Existence and progress of an attack be identified
    • Phased detection involving many "pairs of eyes"
  – Security of system, communications and team-member information be maintained

Dimensions of I/W Intelligence (1)
• Tempo of I/W operations
  – Not restricted or paced by the rate at which physical objects of conventional warfare can be invented and manufactured
  – An accelerated "arms race"
  – Implementing and publishing countermeasures taxes the adversary's main resource
    • Creativity with respect to new, unprecedented attacks
  – NB Countermeasures could well play into an adversary's hand by establishing new vulnerabilities

Dimensions of I/W Intelligence (2)
• Identification of system risk is the raison d'être for any of the data acquired in I/W operations
• Dimensions of I/W information used for determining anomalous vs. baseline behavior
  – IP address (source, destination)
  – Time
  – Port #
  – Protocol (IP, TCP, UDP, etc.)
  – URL
  – Sequence #
  – Flag

Some HAT Report Concepts (1)
• The dataspace inside the computer
  – Represents some aspect of the world the human seeks to understand and influence
• Display "engines" inside the computer
  – Enable human visualisation of this aspect of the world by accessing and presenting dataspace content
• The IST-05 (VisTG) Reference Model
  – Exhibits a reciprocal relationship between
    • The human's understanding and the dataspace in the computer, and
    • The human's visualisation and the engines in the computer that operate on the dataspace

Some HAT Report Concepts (2)
• The effectiveness of visualisation systems depends on how well they
  – accommodate human cognitive and task performance limitations
  – engage and enable human cognitive, sensory and motor capacities
• Human purposes: the four modes of perception
  – Controlling/Monitoring – Basic "situation awareness"
  – Alerting – Change detection of "primed for" events
  – Searching – For the necessary but unknown detail
  – Exploring – For context development, future response

The HAT Report Taxonomies (1)
• A six-dimensional taxonomy of data types
  – Data acquisition
    • when are the data acquired, relative to when the display is needed?
  – Data sources
    • is there a single source or more than one independent source of data?
  – Data choice
    • can the user choose the data to be acquired (i.e., can the user redeploy the sensors)?
  – Data identification
    • how are the individual data elements identified, by location or by label?
  – Data values
    • what kinds of values can the data have, analogue or categorical?
  – Data inter-relations
    • how does one data element relate conceptually to others? Does the value of one affect the meaning of the other?

The HAT Report Taxonomies (2)
• A four-dimensional taxonomy of data displays
  – Display timing
    • static versus dynamic?
  – Data selection for display
    • user-directed versus algorithmically selected?
  – Data placement
    • located versus labelled?
  – Data values
    • analogue versus categoric?

Key HAT Report Findings (1)
• Perceptual modes in defensive I/W operations
  – Alerting is the primary mode
    • Known (components of) earlier attacks
    • Anomalous behavior – relative to standards on message protocols
    • Technologically easy to "prime for" many such alerts
      – NB a real attack may be a subtle one among many simultaneously alerted
  – Exploring is the key to averting future attacks
    • understanding vulnerabilities and risks afforded by external accessibility
    • determining "normal" network user behavior
      – priming for alerts
      – planning alternative detection, "baiting" schemes
  – Searching supports determination of the meaning, source and malevolence of a detected attack in progress
  – Monitoring/Controlling enter into the surreptitious
    • tracking of intruders and their resource accesses
    • change of resource accesses and performance so as to frustrate the attacker

Key HAT Report Findings (2)
• Taxonomic classification of defensive I/W data types
  – Data acquisition – streamed, real-time
  – Data sources – multi-source, from redundant router tables, etc.
  – Data choice – chosen through selection of messaging attributes
  – Data identification – labelled
  – Data values – values are categorical
  – Data inter-relations – strong constructional inter-relationships between message components (packets, messages, sessions)
• Taxonomic classification of defensive I/W displays
  – Display timing
    • dynamic in support of real-time alerting, searching or monitoring/controlling
    • static in exploring potential future attacks and current vulnerabilities
  – Data selection for display is user-directed – attacks can exploit many dimensions of message traffic
  – Data placement is located in 2D or 3D displays, labelled in tables
  – Data values are categorical in displays

Evaluation/Assessment Issues
• Software-less demonstrations
  – Develop mock-ups of defensive I/W visualisations distinguished by purpose, role, cognitive style
    • Characterise data types and displays according to the HAT taxonomies
• Effectiveness estimates require
  – Scenario acquisition for performance measures
    • Streamed I/W data require time-to-detection tests
    • Variety and number of I/W threat scenarios required for valid performance measures
  – Correctness criteria for performance measures
    • Risks are ranked qualitatively to some extent
    • Scoring weights on different risks are nonetheless required

Areas of Research
• Exploration vs. Search for I/W visualisations
  – Key to anticipating unprecedented attacks
• Countermeasures to offensive I/W
  – Tracking, identifying and disabling perpetrators
• Theoretical foundations of distributed system security might be revisited
  – Locus of unauthorized access attacks (i.e., attacks other than denials-of-service)
    • System vs. Users (Problem Solvers)
      – Problem-centric vs. system-centric authorization
        • May ease access control by forcing the adversary to follow the problem solver (team) from system to system (2nd order user content security)
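The deck's "Dimensions of I/W Intelligence (2)" slide names the message-traffic dimensions (IP address, time, port #, protocol, URL, sequence #, flag) used to separate anomalous from baseline behavior, and the "Key HAT Report Findings (1)" slide pairs exploring (learning "normal" behavior, priming for alerts) with alerting, warning that a real attack may be a subtle one among many simultaneous alerts. The following is an added example, not code from the presentation or its authors: it learns a baseline from a constructed "known good" capture, raises one categorical alert reason per anomalous dimension, and ranks alerts with assumed weights so that a protocol-standard violation from a familiar host is not buried under a burst of "new source" alerts. The Record fields, the weights, the illegal-flag set and all traffic are constructed for illustration.

```python
"""Explore-then-alert over the message-traffic dimensions named in the deck.

Added example: Record fields follow the slide's dimension list; the weights,
the training capture and the live stream are constructed, not from the deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    time: int    # hour of day (0-23) at which the message was seen
    src: str     # source IP address
    dst: str     # destination IP address
    port: int    # destination port #
    proto: str   # "TCP", "UDP", ...
    url: str     # requested URL, "" when the record carries none
    seq: int     # TCP sequence number, 0 for non-TCP
    flags: str   # TCP flag letters, e.g. "S", "PA"; "" for non-TCP


# Flag combinations the TCP standard never produces in legitimate traffic:
# SYN+FIN, SYN+RST and no flags at all ("null").
ILLEGAL_TCP_FLAGS = {"SF", "SR", ""}

# Assumed scoring weights: a violation of the protocol standard outranks mere
# novelty, so one subtle alert survives a flood of "unknown source" alerts.
WEIGHTS = {"illegal_flags": 5, "unknown_service": 3, "seq_replay": 3,
           "unknown_url": 2, "off_hours": 2, "unknown_source": 1}


class Baseline:
    """Exploring mode: learn 'normal' behaviour from a trusted capture."""

    def __init__(self, records):
        self.sources = {r.src for r in records}
        self.services = {(r.dst, r.port, r.proto) for r in records}
        self.urls = {r.url for r in records if r.url}
        self.active_hours = {r.time for r in records}


@dataclass
class Alert:
    score: int
    reasons: list
    record: Record


def reasons_for(rec, base, last_seq):
    """Alerting mode: one categorical reason per anomalous dimension."""
    reasons = []
    key = (rec.src, rec.dst, rec.port, rec.proto)
    if rec.proto == "TCP":
        if rec.flags in ILLEGAL_TCP_FLAGS:
            reasons.append("illegal_flags")
        # Sequence number that fails to advance within the same session.
        if key in last_seq and rec.seq <= last_seq[key]:
            reasons.append("seq_replay")
        last_seq[key] = max(rec.seq, last_seq.get(key, 0))
    if (rec.dst, rec.port, rec.proto) not in base.services:
        reasons.append("unknown_service")
    if rec.url and rec.url not in base.urls:
        reasons.append("unknown_url")
    if rec.time not in base.active_hours:
        reasons.append("off_hours")
    if rec.src not in base.sources:
        reasons.append("unknown_source")
    return reasons


def rank_alerts(records, base):
    """Score every record in stream order; return non-zero alerts, highest first."""
    last_seq, alerts = {}, []
    for rec in records:
        reasons = reasons_for(rec, base, last_seq)
        score = sum(WEIGHTS[r] for r in reasons)
        if score:
            alerts.append(Alert(score, reasons, rec))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed "known good" capture: internal hosts 10.0.0.1-8 browsing the web
# server 10.0.1.5 and resolving names via 10.0.1.2 during office hours.
TRAINING = [Record(h, f"10.0.0.{i}", "10.0.1.5", 80, "TCP", url, 100 * i + h, "PA")
            for h in range(8, 18) for i in range(1, 9) for url in ("/", "/login")]
TRAINING += [Record(h, f"10.0.0.{i}", "10.0.1.2", 53, "UDP", "", 0, "")
             for h in range(8, 18) for i in range(1, 9)]

# Constructed live stream: ten unfamiliar sources (noise), one source probing
# three unfamiliar ports, a sequence replay from a known host, and one subtle
# record from a known host to a known service whose only oddity is SYN+FIN.
NOISE = [Record(10, f"203.0.113.{i}", "10.0.1.5", 80, "TCP", "", 1000 + i, "S")
         for i in range(1, 11)]
PROBES = [Record(10, "203.0.113.50", "10.0.1.5", p, "TCP", "", 2000 + p, "S")
          for p in (22, 23, 3389)]
SUBTLE = Record(10, "10.0.0.7", "10.0.1.5", 80, "TCP", "", 3000, "SF")
REPLAY = [Record(11, "10.0.0.4", "10.0.1.5", 80, "TCP", "/login", 5000, "PA"),
          Record(11, "10.0.0.4", "10.0.1.5", 80, "TCP", "/login", 4990, "PA")]
LIVE = NOISE[:5] + PROBES + [SUBTLE] + NOISE[5:] + REPLAY


if __name__ == "__main__":
    for a in rank_alerts(LIVE, Baseline(TRAINING)):
        r = a.record
        print(f"{a.score:2d}  {r.src:>14} -> {r.dst}:{r.port:<5} "
              f"{(r.flags or r.proto):4} {', '.join(a.reasons)}")
```

Run stand-alone, the script lists fifteen alerts; the SYN+FIN record from 10.0.0.7 sits at the top with a single reason even though it is only one of sixteen records that arrived together, while the ten "unknown source" records fall to the bottom. In the deck's terms, the Baseline class is the exploring product that primes the alerts, and the weight table is the qualitative risk ranking the evaluation slide says an effectiveness measure still needs.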