Furthermore, we observe that it is useful to integrate uncertainty both into the overview visualization (the time histogram, in our case) and the detail views (scatterplot and node-link). Uncertainty in the overview visualization helps guide the analyst in selecting suspicious time-ranges for investigation, provides a summary of analysis thus far, and reduces repeated analyses. Uncertainty in the detail views directs the analyst's attention to nodes previously determined to be exhibiting likely malicious activity.
Additionally, uncertainty in the detail views can influence selections in the visualizations. For example, when selecting a loosely-defined cluster of nodes in the scatterplot view for closer examination, if there is a dark-red node (meaning it was previously determined as suspicious) near the edge of the cluster, it will likely be selected as well. It is possible that, in some cases, an analyst would want to examine nodes independent of previous decisions. In this case, analysts could simply disable the uncertainty indicators in the detail views and preserve them in the overview. However, based on our experience with analysts (below), the awareness of previous decisions on a node is crucial for ongoing security analysis.
Our approach is influenced in part by feedback from network security experts who have consistently mentioned a need to be able to raise the "threat" level of a node/machine in order to effectively track it over time and make final decisions when necessary. Threat, in this sense, is essentially the uncertainty in distinguishing a true attack from a false positive. Hence, in our system, uncertainty regarding attack time ranges and malicious nodes can be easily specified and integrated into the visualizations.
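A minimal model of the two mechanisms described above (analyst uncertainty summarised per histogram bin in the overview, and a scatterplot selection that pulls in previously flagged nodes near the cluster edge unless the indicators are disabled), written here as an added Python example; it is not the paper's own code, and the data model, the 0..1 threat scale, the per-bin maximum and the margin value are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """A host in the scatterplot; x/y are constructed feature coordinates."""
    name: str
    x: float
    y: float
    threat: float = 0.0  # analyst-assigned: 0 = unreviewed/benign, 1 = confirmed malicious (assumed scale)


@dataclass
class TimeRange:
    """An annotated time range in the overview histogram (units are bin-relative ticks)."""
    start: int
    end: int            # exclusive
    uncertainty: float  # analyst's belief that the range holds attack activity
    note: str = ""


def raise_threat(node: Node, level: float) -> Node:
    """Analysts only ever raise a node's threat level; clamp to the 0..1 scale."""
    node.threat = max(node.threat, min(1.0, max(0.0, level)))
    return node


def histogram_uncertainty(ranges, bin_width: int, n_bins: int):
    """Overview summary: per bin, the highest uncertainty of any annotated range overlapping it.
    Bins left at 0.0 have not been reviewed yet, which is what steers the analyst away from repeat work."""
    bins = [0.0] * n_bins
    for r in ranges:
        first = max(0, r.start // bin_width)
        last = min((r.end - 1) // bin_width, n_bins - 1)
        for b in range(first, last + 1):
            bins[b] = max(bins[b], r.uncertainty)
    return bins


def select_cluster(nodes, x0, y0, x1, y1, margin=0.0, threshold=0.7, use_uncertainty=True):
    """Rectangle selection in the scatterplot. With uncertainty indicators on, a previously
    flagged (dark-red) node just outside the rectangle, within `margin`, is selected too;
    with them off, only the geometric selection applies."""
    picked = []
    for n in nodes:
        inside = x0 <= n.x <= x1 and y0 <= n.y <= y1
        near = (x0 - margin) <= n.x <= (x1 + margin) and (y0 - margin) <= n.y <= (y1 + margin)
        if inside or (use_uncertainty and near and n.threat >= threshold):
            picked.append(n.name)
    return picked
```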
To conclude, we integrate analytic uncertainty into a visualization in order to assist security analysts in identifying the time range and nodes involved in coordinated attacks. Additionally, analysis progress is documented via the annotations and time uncertainty values, which can assist in reducing repeated analyses. A case study is presented that demonstrates how integrating analytic uncertainty can inform analysis in both the overview and detail views. For future work, we will explore use of standard automatic detection methods as input to the uncertainty views. Also, we will explore ways to scale the node-link view, which is the current bottleneck for scalability in this approach. Finally, we will investigate the effectiveness of similar uncertainty management methods in other security analysis application areas, such as the VAST Challenge datasets.