StateChartVis team

Visual detection of rare events using statechart

VAST 2009 Challenge
Challenge 1: Badge and Network Traffic

Authors and Affiliations:

Dan Mircea Suciu, “Babes-Bolyai” University, Cluj-Napoca [PRIMARY Contact]

Romain Vuillemot, Institut National des Sciences Appliquées de Lyon, France

Marian Scuturici, Institut National des Sciences Appliquées de Lyon, France

Tools

For our demonstration we used a visual tool called ActiveCASE, built for the modeling, analysis and design of active objects' behaviour using statecharts. The first version of the ActiveCASE tool is described at http://www.cs.ubbcluj.ro/~studia-i/2001-2/index.php

Recent versions of ActiveCASE can generate statecharts from data flows and help debug object-oriented concurrent applications through real-time simulation of active objects' behaviour.

 

The main components of statecharts are:

- state: a particular period of time during which an object or a person satisfies some conditions or has a specific behaviour

- event: a particular action which triggers a transition from one state to another. It takes 0 time.

 

We present a particular way of generating states, events and transitions from data flows.

 

Video

http://www.youtube.com/watch?v=INBcMfBdabs

 

Step 1: Data analysis

 

For each employee we consider the following set of events and states, based on data stored in

Employee Events:

- prox-in-building: occurs when an employee uses his/her badge to enter the building

- prox-in-classified: occurs when an employee uses his/her badge to enter the restricted area

- prox-out-classified: occurs when an employee uses his/her badge to exit from the restricted area

- computer usage: occurs when an employee's computer is sending/receiving data

 

Employee States:

- InOffice: the period of time after

  o the employee badges into the building, or

  o the employee was registered as leaving the restricted areas, or

  o the employee's computer is sending or receiving data,

  and before any other event;

- InRestrictedArea: the period after the employee badges into the restricted area and before any other event;

 

Step 2: Data preparation

 

The initial data files were imported into database tables (MS SQL Server 2005):

- EmployeeData (from employeeData.csv)

- IPLog (from IPLog3.5.csv)

- ProxLog (from proxLog.csv)

 

 

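-- Build one chronological data flow: EmployeeID,DayNumber,DayName,Time,Event
Select
      cast(ID as nvarchar(10)) + ',' +
      cast(day(DateTime) as nvarchar(2)) + ',' +
      Datename(weekday, DateTime) + ',' +
      -- hour:minute; minutes are zero-padded so that 6:05 is not written as 6:5
      cast(Datepart(hh, DateTime) as nvarchar(2)) + ':' +
      right('0' + cast(Datepart(mi, DateTime) as nvarchar(2)), 2) + ',' +
      Event
FROM
(
      -- badge events, with the badge record type used as the event name
      Select ID, DateTime, Type as Event from ProxLog
      Union
      -- network records, attributed to the employee who owns the source IP
      select EmployeeID, AccessTime, 'use-computer'
      from EmployeeData
      inner join IPLog on IPLog.SourceIP = EmployeeData.IP
) ALL_EVENTS
order by DateTime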

 

The above SQL query was used to obtain a data flow containing all 4 events in chronological order. Below is a small fragment of the result:

 

 

EmployeeID,DayNumber,DayName,Time,Event
. . . . . . . . . . . . . . . . . . . .
12,2,Wednesday,20:26,use-computer
31,2,Wednesday,20:27,use-computer
12,2,Wednesday,20:33,use-computer
12,2,Wednesday,20:39,prox-in-classified
12,2,Wednesday,20:58,prox-out-classified
12,2,Wednesday,20:59,use-computer
17,3,Thursday,6:36,prox-in-building
17,3,Thursday,6:42,use-computer
17,3,Thursday,6:48,use-computer
. . . . . . . . . . . . . . . . . . . .

 

 

Step 3: Extracting statecharts from data flow

 

3.1. Our approach

At this step all state changes are computed for all employees and for the entire month.

a) Generate one statechart for each employee. The name of the statechart is the ID of the employee. The label of each transition contains the name of the event which triggered the transition and the number of its occurrences.

 

We can see in the result that, for the employee with ID = 8, the transition between the InRestrictedArea state and the InOffice state, triggered by the prox-in-classified event, occurs 65 times.

 

 

 

b) Consolidate all state machines into one. The statecharts corresponding to all 60 employees are unified by searching for similar states and transitions. Everything is inserted in a special ConnectorState. For similar transitions, the numbers of occurrences are summed. Rare events (transitions) are displayed darker than the others.

 

 

           

c) Visualize only rare transitions. During this phase only transitions having a number of occurrences < 50 are displayed (50 is a parameter that could be changed). All frequently triggered transitions are hidden. The cursor tooltip shows, for each transition, the statechart where the transition occurred and the number of occurrences (between brackets).
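Steps a) to c) as runnable logic, in an added example that is not part of the original submission and is not ActiveCASE code: it builds per-employee transition counts from the data-flow format of Step 2, sums them, and keeps the transitions below the occurrence threshold together with who triggered them and when. The `Start` state, the function names and the sample rows are constructed for illustration; the sample is run with a threshold of 2 because it is far smaller than a month of challenge data.

```python
import csv
from collections import Counter, defaultdict

# State entered after each event, following the page's state definitions.
TARGET = {"prox-in-building": "InOffice", "prox-out-classified": "InOffice",
          "use-computer": "InOffice", "prox-in-classified": "InRestrictedArea"}
START = "Start"  # assumed initial state; the page does not name one

# Constructed data flow (EmployeeID,DayNumber,DayName,Time,Event), not challenge data.
SAMPLE = """\
12,2,Wednesday,8:01,prox-in-building
12,2,Wednesday,8:05,use-computer
31,2,Wednesday,8:10,prox-in-building
31,2,Wednesday,8:20,use-computer
12,2,Wednesday,9:10,prox-in-classified
12,2,Wednesday,9:40,prox-out-classified
12,2,Wednesday,9:45,use-computer
31,2,Wednesday,10:00,prox-in-classified
31,2,Wednesday,10:12,use-computer
31,2,Wednesday,10:30,prox-out-classified
12,2,Wednesday,14:00,prox-in-classified
12,2,Wednesday,14:20,prox-out-classified
"""

def per_employee_charts(rows):
    """Step a: count (source, event, target) transitions per employee."""
    state, charts, seen = defaultdict(lambda: START), defaultdict(Counter), defaultdict(list)
    for emp, day, _name, time, event in rows:
        edge = (state[emp], event, TARGET[event])
        charts[emp][edge] += 1
        seen[edge].append((emp, int(day), time))  # kept for time filtering
        state[emp] = TARGET[event]
    return charts, seen

def consolidate(charts):
    """Step b: sum the occurrences of identical transitions over all employees."""
    total = Counter()
    for chart in charts.values():
        total.update(chart)
    return total

def rare_transitions(text, threshold=50):
    """Step c: transitions seen fewer than `threshold` times, with who and when."""
    charts, seen = per_employee_charts(csv.reader(text.splitlines()))
    total = consolidate(charts)
    return {edge: (n, seen[edge]) for edge, n in total.items() if n < threshold}

if __name__ == "__main__":
    for (src, event, dst), (n, when) in rare_transitions(SAMPLE, threshold=2).items():
        print(f"{src} --{event}--> {dst} [{n}] {when}")
```

In the constructed sample the two rare transitions both belong to employee 31: computer traffic while the state is InRestrictedArea, and the badge-out that follows from a state that is no longer InRestrictedArea.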

 

d) Focus on unusual transitions:

Use time filtering to observe the period of time when rare transitions occurred:

 

 

e) Detect patterns by studying the statecharts that result after applying time filters

 

f) Launch hypothesis: