Entry Name:  "Middlesex-CALME-MC2"

VAST 2013 Challenge
Mini-Challenge 2: Situation Awareness Display Design

 

 

Team Members:

Sharmin (Tinni) Choudhury, Middlesex University, t.choudhury@mdx.ac.uk PRIMARY

Neesha Kodagoda, Middlesex University, n.kodagoda@mdx.ac.uk

Ashley Wheat, Middlesex University, a.wheat@mdx.ac.uk

Puja Varsani, Middlesex University, p.varsani@mdx.ac.uk

William Wong, Middlesex University, w.wong@mdx.ac.uk

Simon Attfield, Middlesex University, s.attfield@mdx.ac.uk

Glenford Mapp, Middlesex University, g.mapp@mdx.ac.uk

Louis Slabbert, Middlesex University, l.slabbert@mdx.ac.uk

Mahdi Aiash, Middlesex University, m.aiash@mdx.ac.uk

Chris Rooney, Middlesex University, c.rooney@mdx.ac.uk

 



Student Team:  NO

 

Software Used:

Adobe Creative Suite

 

May we post your submission in the Visual Analytics Benchmark Repository after VAST Challenge 2013 is complete? YES

 

 

Video:

Video URL

 

High-Resolution Image:

Image

 

Storyboards:

Storyboard

 

Description of Your Design:

The foundation of Middlesex University's Cyber Analysis & Monitoring Environment (CALME), shown in Figure 1, was laid through a series of discussions and interviews with cyber security experts to identify what an effective cyber situation awareness display needs to provide. We learnt that situation awareness has both a reactive and a pro-active element. The network operations manager needs information in order to react appropriately when a cyber security incident occurs, but must also be pro-active about security measures, which involves not only having plans in place for responding to incidents but also keeping the network in optimal condition. To this end we developed CALME as a fully integrated display with twelve sub-views that together help the network operations manager be both pro-active and reactive in their cyber security measures.

Figure 1: CALME Integrated Interface

 

For the CALME interface, we assume that, if built, it would have appropriate analytical modules to power the UI. We also assume the existence of a knowledge base holding sufficient historical data from which baselines and norms can be established for quantities such as the number of connections and the network load.

 

CALME's integrated sub-views are:

 

1.      Concern Level Assessment (CLA) View - The concern level assessment, or CLA, is an aggregated indicator developed by Middlesex University. It is based on heuristics developed through interviews with experts and takes into account all available variables, such as the number of connections and machine health as reported by Microsoft Operations Manager, to give a suggested concern level for individual assets as well as for the network infrastructure.

2.      The CLA Tree-Map View – a second use of the CLA within CALME: machines are laid out according to their CLA level in a geo-based tree map divided into regions, with the top left-hand corner roughly corresponding to North America and the bottom right-hand corner to Australia and New Zealand.

 

Figure 2: CALME CLA Views

 

3.      The Timeline View - gives a history of what has been happening on the network over the last 24 hours and displays predictions of the network state for the six hours to come. It is envisioned that the timeline can also be used as a temporal control for the whole integrated view.

 

Figure 3: Timeline View

4.      The Critical Issues View - under normal circumstances this view simply displays a clock, but in the event of a critical issue the issue is pinned to the screen as a highlight.

 

5.      The Asset Load View – this view displays the overall load on assets, including CPU usage, number of connections and memory usage. It is envisioned that, when fully implemented, this view will support a drill-down that lets the network operator pin-point the individual machines experiencing high load.

Figure 4: Asset Load View

6.      The Security View – this view uses an EKG (electrocardiogram) style visualisation to monitor security logs such as IDS and firewall logs. It also monitors administrative logins, logins of accounts with high security clearance and access to sensitive information, and shows when sensitive information is accessed.

Figure 5: Security View

7.      The Patch Monitoring View – this view shows the status of machines with respect to software patches; unpatched machines are potentially more vulnerable than fully patched ones. This view is primarily there to ensure the network remains well maintained.

Figure 6: Patch Monitoring View

8.      The Network Diagram View – this view shows network infrastructure such as routers and switches in an approximate geo-based layout, but without a geo-map backing the network visualisation.

Figure 7: Network View

9.      The Event Timeline View - shows events from the past 12 hours and events due in the next 12 hours, including any events active at the current point in time. Events can be scheduled events such as maintenance, or alerts from outside the organisation such as storm warnings.

 

10.  The External Monitoring View – this view shows any events and alerts related to supplier and/or consumer access to the Big Enterprise facilities.

 

Figure 8: Event Timeline & External Monitoring

11.  Asset View – this gives a one-glance overview of the state of the machines connected to the network. The machines are divided into the subclasses workstations, mobile devices and servers, with mobile devices and servers further subdivided to paint a clearer picture. Assets in the blue portion of each bar are turned on and reporting; assets in the grey portion are not reporting and are either turned off or lacking network connection.

Figure 9: Asset View

 

12.   Geo-Map View - gives the geo-location of all the assets. The map can be altered by pinching a parameter shown by default on one of the views surrounding the central map and dropping it onto the map. Because of this, the view can be seen as embodying all six elements of cyber situation awareness.

Figure 10: Geo-Map View

Together, these views should give the network operations manager enough information to be both pro-active and reactive. However, it is acknowledged that some views are better suited to one mode than the other. For example, the Timeline View's six-hour forecast can be used to plan for issues before they arise. Similarly, the Patch Monitoring View supports pro-active planning, while the Asset and Asset Load views serve purely reactive activities. The Security View, on the other hand, serves both: it shows probing attacks on the IDS and firewalls as well as attempted unauthorised logins, which allows pro-active planning through monitoring of attack patterns and user behaviour, and it also highlights, as it does in Figure 5, attacks or breaches currently underway. In Figure 5 the Security View highlights a sustained level of high connectivity, which indicates a possible denial of service attack; it remains a possibility rather than a verdict, since a scheduled event on the Event Timeline View or a legitimate surge of consumer access on the External Monitoring View can produce the same signature. CALME's main purpose, however, is to keep network operations managers calmly supplied with information.
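To make the two analytical pieces of the design concrete, the CLA aggregation described in sub-view 1 (with the baseline-from-history assumption stated earlier) and the "sustained high connectivity" pattern the Security View highlights in Figure 5, the following is an added worked example. It is not the Middlesex team's code: the weights, the 6-sigma and 5-patch saturation points, the band thresholds, the health-state mapping and every telemetry value are assumptions made here for illustration.

```python
"""Illustrative concern-level and sustained-connectivity logic in the spirit of
CALME's CLA and Security views. Added example, not the Middlesex team's code:
weights, thresholds, health states and all telemetry below are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: ten "normal" hourly connection counts per asset. In
# CALME this would come from the assumed historical knowledge base.
BASELINE_CONNECTIONS = {
    "ws-017": [12, 15, 11, 14, 13, 16, 12, 15, 14, 13],           # mean 13.5, sd 1.5
    "web-01": [410, 430, 410, 390, 410, 420, 410, 400, 410, 410],  # mean 410, sd 10
}

# Assumed mapping of an Operations-Manager-style health state to a 0..1 score.
HEALTH_SCORE = {"healthy": 0.0, "warning": 0.5, "critical": 1.0}


@dataclass
class AssetSample:
    asset: str
    connections: int        # current connection count
    health: str             # "healthy" | "warning" | "critical"
    missing_patches: int    # outstanding patches (Patch Monitoring view)
    reporting: bool         # False = grey in the Asset view: off or disconnected


def baseline_stats(history):
    """Mean and population standard deviation of a baseline series. The
    deviation is floored at 1.0 so a flat baseline cannot divide by zero."""
    return mean(history), max(pstdev(history), 1.0)


def zscore(value, history):
    """How many baseline standard deviations `value` sits from the norm."""
    mu, sd = baseline_stats(history)
    return (value - mu) / sd


def concern_level(sample, history):
    """Aggregate a 0..1 concern score for one asset from its deviation from
    the connection baseline (saturating at 6 sigma), its health state and its
    patch backlog (saturating at 5 patches). The 0.5/0.3/0.2 weights are
    illustrative; a deployed CLA would calibrate them against expert judgement."""
    if not sample.reporting:
        return 0.6  # silence is itself a concern: the asset may be down or cut off
    deviation = min(abs(zscore(sample.connections, history)) / 6.0, 1.0)
    patch_debt = min(sample.missing_patches / 5.0, 1.0)
    score = 0.5 * deviation + 0.3 * HEALTH_SCORE[sample.health] + 0.2 * patch_debt
    return round(score, 3)


def concern_band(score):
    """Map a score to the three bands the CLA views would colour (thresholds assumed)."""
    if score >= 0.7:
        return "high"
    if score >= 0.4:
        return "elevated"
    return "low"


def network_concern(scores):
    """Roll asset scores up to an infrastructure-wide level. The worst asset sets
    the floor; if half or more of the assets are at least elevated the network
    is reported high even when no single asset is, because that pattern points
    at a network-wide problem rather than one sick machine."""
    if not scores:
        return "low"
    if 2 * sum(s >= 0.4 for s in scores) >= len(scores):
        return "high"
    return concern_band(max(scores))


def sustained_high_connectivity(series, history, sigma=3.0, windows=3):
    """Detect the Figure 5 pattern: connection counts staying above
    baseline + sigma * sd for `windows` consecutive intervals. A single spike
    does not qualify. Returns the index at which the sustained run begins, or
    None when there is no such run."""
    mu, sd = baseline_stats(history)
    threshold = mu + sigma * sd
    run = 0
    for i, value in enumerate(series):
        run = run + 1 if value > threshold else 0
        if run >= windows:
            return i - windows + 1
    return None


if __name__ == "__main__":
    # Constructed snapshot: a quiet workstation, a web server under a possible
    # denial of service, and a database server that has stopped reporting.
    samples = [
        AssetSample("ws-017", 14, "healthy", 0, True),
        AssetSample("web-01", 520, "warning", 2, True),
        AssetSample("db-02", 0, "healthy", 1, False),
    ]
    scores = [concern_level(s, BASELINE_CONNECTIONS.get(s.asset, [0])) for s in samples]
    for s, sc in zip(samples, scores):
        print(f"{s.asset:8s} score={sc:.3f} band={concern_band(sc)}")
    print("network:", network_concern(scores))
    # Constructed recent hours for web-01: one spike, then a sustained plateau.
    web01_last_hours = [415, 470, 445, 600, 650, 640, 420]
    print("sustained high connectivity starts at index:",
          sustained_high_connectivity(web01_last_hours, BASELINE_CONNECTIONS["web-01"]))
```

The two pieces illustrate the design's division of labour: concern_level and network_concern feed the CLA and CLA Tree-Map views (one score per asset, one roll-up for the infrastructure), while sustained_high_connectivity is the kind of test behind the Security View's highlight, and its "consecutive windows" requirement is what separates the sustained plateau of Figure 5 from an isolated spike that the EKG trace would also show.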