Entry Name: UKON dynamite

VAST Challenge 2016

Mini-Challenge 1

Team Members:
Wolfgang Jentner, University of Konstanz, wolfgang.jentner@uni-konstanz.de, PRIMARY
Mennatallah El-Assady, University of Konstanz, mennatallah.el-assady@uni-konstanz.de
Dominik Sacha, University of Konstanz, dominik.sacha@uni-konstanz.de
Dominik Jäckle, University of Konstanz, dominik.jaeckle@uni-konstanz.de
Florian Stoffel, University of Konstanz, florian.stoffel@uni-konstanz.de

Student Team: yes (graduate students)

Tools Used:
Inkscape
Microsoft PowerPoint
TechSmith Camtasia

Approximately how many hours were spent working on this submission in total?
approx. 50 hours

Description

We present dynamite, a Dynamic Monitoring Interface for Task Ensembles. dynamite adopts a multi-level, task-driven approach to support event surveillance and time-critical decision making for large premises, e.g. casinos or holiday resorts. The system integrates with a complex stream processing engine that processes various heterogeneous streams using task-based aggregates. These task stream ensembles are processed in three temporal dimensions to support investigators in examining or responding to threats: (1) automatically highlighting current stream anomalies (present - monitoring), (2) taking previously captured data streams and analysis sessions into account to provide the investigator with information and stream recommendations (past - information gathering support), and (3) predicting relevant upcoming events and scenarios (future - decision support).

Figure 1: dynamite on an investigator's workspace with three high-resolution displays.

Core Concepts

dynamite is motivated by the following main ideas. With a potentially large number of data streams available, the biggest issue is making sense of all the available information. A natural way to tackle this problem is to aggregate the streams, thus reducing the amount of information to an almost arbitrarily low level. Different tasks, such as VIP routing or fraud detection and investigation, require different kinds of data and aggregation levels. dynamite presents the investigator with three coordinated views that enable drilling down into the stream aggregates, revealing more detailed information while preserving the context of higher-level aggregates. This supports the investigator in monitoring the current situation, selecting task-dependent stream ensemble information, and requesting details on demand. Task definitions are stored in the task repository and can be maintained manually. The stream processing engine automatically analyzes the entire stream repository to identify correlating streams based on inter-dependent anomalies and complements the task definition with further (unbiased) information.

Figure 2: The overall model of dynamite. It contains three levels of detail (stream overview, task view, and detail view) and connects to a data repository and a monitoring and prediction engine. In addition, the mobile-sandboxes provide an easy way for investigators to collaborate during an investigation as well as to effectively communicate findings to supervisors or other personnel.


The analyst workspace is divided to provide three different scopes: a high-level stream overview, a task view, and a detailed view.

Stream Overview

The stream overview provides insights into the current situation by showing a highly aggregated view of the available data streams with connections to current events on premises. To visualize data streams, we utilize a novel visualization technique called HexaFlow. HexaFlow visualizations are based on bins on the data streams, which are visually depicted by hexagons. Each time frame, represented by a bin, is plotted next to the previous time frame, which keeps the stream metaphor intact. The triangle-shaped free space between neighboring hexagons is used to indicate alert levels referring to the directly adjacent hexagons. For the alert levels "warning" and "serious", the triangles are filled with yellow and red, respectively. If the stream does not contain any alerting data, the triangle has no fill, which appears black in our examples. In case of alerts, the inner space of the hexagons can also be used by the data streams: for video streams, stills from the video can be shown in the hexagon, and dangerous weather conditions could be indicated by corresponding iconic displays.

Figure 3: Stream overview using HexaFlow visualizations.
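
The HexaFlow encoding described above can be sketched in a few lines. This is an added example, not the authors' implementation: the event format (events that already carry an alert level), the bin width, the rule that a triangle takes the more severe level of its two adjacent hexagons, and the pointy-top hexagon layout are all assumptions made for illustration.

```python
import math

LEVELS = {"none": 0, "warning": 1, "serious": 2}
FILL = {"none": "black", "warning": "yellow", "serious": "red"}  # colours from the text

# Constructed sample stream: (seconds since start, alert level of the event).
EVENTS = [(3, "none"), (14, "none"), (27, "warning"), (31, "none"),
          (44, "serious"), (47, "warning"), (58, "none")]

def bin_levels(events, bin_seconds, n_bins):
    """One alert level per time frame (bin): the most severe event inside it."""
    levels = ["none"] * n_bins
    for t, level in events:
        i = int(t // bin_seconds)
        if 0 <= i < n_bins and LEVELS[level] > LEVELS[levels[i]]:
            levels[i] = level
    return levels

def triangle_levels(levels):
    """Assumed rule: a gap triangle shows the more severe of its two neighbours."""
    return [max(a, b, key=LEVELS.get) for a, b in zip(levels, levels[1:])]

def hexagon_points(cx, cy, r):
    """Corner list of a pointy-top hexagon (SVG y axis points down)."""
    corners = [(cx + r * math.cos(math.radians(a)), cy + r * math.sin(math.radians(a)))
               for a in range(30, 390, 60)]
    return " ".join(f"{x:.1f},{y:.1f}" for x, y in corners)

def render_svg(levels, r=20):
    """Row of hexagons (one per bin) plus the upper gap triangles between them."""
    w, cy = math.sqrt(3) * r, 1.5 * r          # hexagon width, row centre line
    parts = [f'<polygon points="{hexagon_points(w * (i + 0.5), cy, r)}" '
             f'fill="grey" stroke="white"/>' for i in range(len(levels))]
    for i, level in enumerate(triangle_levels(levels)):
        x0 = w * (i + 0.5)                      # top corner of the left hexagon
        pts = (f"{x0:.1f},{cy - r:.1f} {x0 + w:.1f},{cy - r:.1f} "
               f"{x0 + w / 2:.1f},{cy - r / 2:.1f}")
        parts.append(f'<polygon points="{pts}" fill="{FILL[level]}"/>')
    return (f'<svg xmlns="http://www.w3.org/2000/svg" '
            f'width="{w * len(levels):.0f}" height="{3 * r}">' + "".join(parts) + "</svg>")

if __name__ == "__main__":
    print(render_svg(bin_levels(EVENTS, bin_seconds=10, n_bins=6)))
```

Redirecting the output to a `.svg` file gives a six-bin strip in which the triangles on either side of an alerting hexagon are filled.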

Task View

This view visualizes task-dependent streams in more detail once a task has been selected. Task definitions can be chosen within the Stream Overview or in the taskbar on the left-hand side of the Task View. This lets the investigator efficiently switch between parallel tasks. Streams can be investigated in more detail by reordering, expand/fold operations, and time frame/event selections. Different stream detail visualizations are shown within the hexagons or underneath the selected streams/time frames. Note that the temporally consistent alignment makes it possible to identify stream dependencies and potential root causes. For example, in Figure 4 we can see that the person tracking stream starts revealing critical events when the face recognition identifies a suspect in camera 1. Subsequently, more detailed information about the suspect and the person tracking is shown in the Detail View.

Figure 4: The task view of the Credit Card Fraud investigation task. It contains data from video streams, information about the casino tokens, as well as face detection and person tracking information.

Detail View

Figure 5: The detail view.

Collaboration

To allow analysts to work collaboratively in the dynamite environment, we introduce mobile-sandboxes as an extension of the three-level workplace concept. Each mobile-sandbox, e.g. a smartphone or tablet, can be loaded with the current state of the investigation, noteworthy snippets of data streams, or other important parts of the data. Analysts can use these devices to come together, exchange thoughts, and reason with the backing of data and parts of their very own workspace in a collaborative environment. Furthermore, each mobile-sandbox is capable of generating short, static reports that can be transferred to any other sandbox or to security personnel to exchange thoughts or facts from the data (streams).