time durations of suspected attacks, the nodes involved, and their corresponding
uncertainty values.
An annotation mechanism is provided in the time histogram view. Users may at
any time record an annotation which is represented as a semi-transparent rectangle
on top of the time histogram. Text may be added or edited as needed. Also, users
may input the IDs of nodes of importance to the annotation. When a user mouses
over an annotation which contains node IDs, the nodes are then highlighted in the
time histogram view. Viewing suspicious nodes across time can inform users as to
which time ranges may be worth investigating next. The color of the annotation can
represent either different users or an analyst-defined tagging scheme.
7.4.2 Uncertainty Versus No-Uncertainty Case Study
To explore the utility of uncertainty views and interactions, we describe the analysis
process of a Sybil attack dataset both with and without the uncertainty views and
interactions.
While SybilVis is designed to work with general network connectivity data, we
make use of datasets from a simulation system for Sybil attacks. Additionally, the use
of simulation data provides both ground truth and the ability to specify variables to
vary the complexity of the data. Variables of the simulation datasets include network
size, number of attacking nodes, attack durations, and number of attacks. For this
case study, we used a dataset that includes five attacking nodes in three attacks across
10,000 timesteps.
For a given attack duration, it is not common for all malicious nodes to be active
at the same time. In fact, some malicious nodes may only be active for less than
5% of an attack duration, making them difficult to detect without iterative analysis.
Therefore, the uncertainty views and interactions presented are designed to help
capture and aggregate multiple uncertain findings into a comprehensive final result.
Suspicious time ranges are found by observing sudden drops and rises in node
activity. These fluctuations may indicate the ending or beginning of an attack range.
This process of segmenting and analyzing time ranges in the dataset is repeated
throughout the analysis process. Once a time range is selected, it is necessary to
determine if an attack has occurred, and if so, which nodes were involved. This is
done by selecting outliers in the scatterplot view, and looking for tightly connected
subgraphs in the node-link view. For a more in-depth discussion on this analysis
process, see [7].
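The segmentation and subgraph check described above, as an added example that is not part of the original text or of SybilVis. The event format (timestep, node, node), the bin width, the ratio threshold and all function names are assumptions, and the candidate nodes are passed in by hand in place of a scatterplot selection.

```python
def histogram(events, bin_width, n_bins):
    """Count connectivity events (t, node_a, node_b) per time bin."""
    hist = [0] * n_bins
    for t, _a, _b in events:
        hist[min(t // bin_width, n_bins - 1)] += 1
    return hist

def segments(hist, bin_width, ratio=3.0):
    """Cut the timeline wherever activity rises or drops by >= ratio.
    The ratio threshold is an assumed tuning value, not from the text."""
    cuts = [0]
    for i in range(1, len(hist)):
        lo, hi = sorted((hist[i - 1] + 1, hist[i] + 1))  # +1 avoids divide-by-zero
        if hi / lo >= ratio:
            cuts.append(i)
    cuts.append(len(hist))
    return [(a * bin_width, b * bin_width) for a, b in zip(cuts, cuts[1:])]

def density(events, nodes, start, end):
    """Fraction of possible links among `nodes` observed in [start, end)."""
    nodes = set(nodes)
    seen = {frozenset((a, b)) for t, a, b in events
            if start <= t < end and a != b and a in nodes and b in nodes}
    possible = len(nodes) * (len(nodes) - 1) // 2
    return len(seen) / possible if possible else 0.0

# Constructed sample: sparse background traffic over 100 timesteps, plus
# nodes 1, 2, 3 linking to each other during timesteps 40-59.
LINKS = [(1, 2), (2, 3), (1, 3)]
EVENTS = [(t, 10 + t % 7, 20 + (t * 3) % 7) for t in range(0, 100, 5)]
EVENTS += [(t, *LINKS[t % 3]) for t in range(40, 60)]

if __name__ == "__main__":
    # Print each candidate time range with the density of the candidate nodes.
    for start, end in segments(histogram(EVENTS, 10, 10), 10):
        print(start, end, density(EVENTS, {1, 2, 3}, start, end))
```

A density near 1 for the candidate nodes inside a segment corresponds to the tightly connected subgraph an analyst looks for in the node-link view; a density near 0 corresponds to outliers that do not form one.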
In the first suspicious time range, the outliers in the scatterplot view do not show
up as tightly connected subgraphs in the node-link view. With uncertainty views and
interactions, these nodes and time range can have their corresponding uncertainty
values reduced, shown by green in the node-link views in Fig. 7.3a.
Without uncertainty techniques, this result must be either remembered or committed
to some external source. Similarly, in the second suspicious time range, several
outliers in the scatterplot view do form a tightly connected subgraph in the node-link
 