10 research outputs found

    User-centric Visualization of Data Provenance

    The need to understand and track files (and inherently, data) in cloud computing systems is in high demand. Over the past years, the use of logs and data representation using graphs have become the main method for tracking and relating information to the cloud users. While it is still in use, tracking and relating information with ‘Data Provenance’ (i.e. series of chronicles and the derivation history of data on meta-data) is the new trend for cloud users. However, there is still much room for improving representation of data activities in cloud systems for end-users. In this thesis, we propose “UVisP (User-centric Visualization of Data Provenance with Gestalt)”, a novel user-centric visualization technique for data provenance. This technique aims to facilitate the missing link between data movements in cloud computing environments and the end-users’ uncertain queries over their files’ security and life cycle within cloud systems. The proof of concept for the UVisP technique integrates D3 (an open-source visualization API) with Gestalts’ theory of perception to provide a range of user-centric visualizations. UVisP allows users to transform and visualize provenance (logs) with implicit prior knowledge of ‘Gestalts’ theory of perception.’ We presented the initial development of the UVisP technique and our results show that the integration of Gestalt and the existence of ‘perceptual key(s)’ in provenance visualization allows end-users to enhance their visualizing capabilities, extract useful knowledge and understand the visualizations better. This technique also enables end-users to develop certain methods and preferences when sighting different visualizations. For example, having the prior knowledge of Gestalt’s theory of perception and integrated with the types of visualizations offers the user-centric experience when using different visualizations. We also present significant future work that will help profile new user-centric visualizations for cloud users

    UVisP: User-centric visualization of data provenance with gestalt principles

    The need to understand and track files (and inherently, data) in cloud computing systems is in high demand. Over the past years, the use of logs and data representation using graphs have become the main method for tracking and relating information to the cloud users. While being used, tracking related information with 'data provenance' (i.e. series of chronicles and the derivation history of data on metadata) is the new trend for cloud users. However, there is still much room for improving data activity representation in cloud systems for end-users. We propose 'User-centric Visualization of data provenance with Gestalt (UVisP)', a novel user-centric visualization technique for data provenance. This technique aims to facilitate the missing link between data movements in cloud computing environments and the end-users' uncertain queries over their files' security and life cycle within cloud systems. The proof of concept for the UVisP technique integrates an open-source visualization API with Gestalt's theory of perception to provide a range of user-centric provenance visualizations. UVisP allows users to transform and visualize provenance (logs) with implicit prior knowledge of 'Gestalt's theory of perception.' We presented the initial development of the UVisP technique and our results show that the integration of Gestalt and 'perceptual key(s)' in provenance visualization allows end-users to enhance their visualizing capabilities, to extract useful knowledge and understand the visualizations better.

    Security visualization intelligence model for law enforcement investigations

    Data analytic methods and techniques have proven crucial in aiding law enforcement investigations and day-to-day operations. However, the rise of cyber-attacks across transnational jurisdictions creates a challenge to share information across law enforcement agencies. Malware, Bitcoin and social media datasets are some examples. Security visualization is a solution to facilitate information sharing across jurisdictions comfortably in enhancing investigations without revealing the underlying sensitive raw data, therefore reducing the time spent on analysing and processing such large datasets. In this paper we introduce the "Security Visualization Intelligence (SVInt) framework", a visualization intelligence model for investigations and situation awareness deployed for the international law enforcement domain. We provide an effective user-centric visual method of analysing, sharing and exchanging complex datasets using visualization to aid law enforcement investigations. Attribution and evidence preservation without revealing the underlying raw data is the primary goal for SVInt. The SVInt framework provides visualizations of Bitcoin transaction relationships and threat map visualization showing top malware threats using geo-locations. It also provides expendable visualization features for future investigation demands. Finally, we provide possible future work within the law enforcement security visualization domain.

    Visualizing the New Zealand Cyber Security Challenge for Attack Behaviors

    Datasets are important for security analytics and mitigation processes in cyber security research and investigations. "Cyber security challenge (CSC)" events provide the means to collect datasets. The New Zealand National cyber security challenge event is designed to promote cyber security education, awareness and equally as important, collect datasets for research purposes. In this paper, we present the: (1) Importance of cyber security challenge events, (2) Highlight the importance of collecting datasets, and (3) present a user-centric security visualization model of attack behaviors. User-centric features with the theoretical concept of Data Provenance as a Security Visualization Service (DPaaSVS) reused to display attacks commencing at the reconnaissance stage through to compromising a defending team machine and exploiting the systems. DPaaSVS creates the ability for users to interact and observe correlations between cyber-attacks. Finally we provide future work on Security Visualization with Augmented Reality capabilities to enhance and improve user interactions with the security visualization platform

    Cyber security visualization effectiveness

    No full text
    Security visualization utilises predefined data attributes and translates them into visual nodes to form images for the purpose of communicating critical security information to targeted audiences. It is commonly used for two reasons: exploring and reporting purposes thus, sharing insights on suspected security events. However, the challenge of selecting the best visualization out of two or more visualization samples, regardless of existing limitations such as screen dimensions and visual complexities, required users to utilise certain measurement criteria. These criteria urge security visualization researchers, developers and users (viewers) to ask themselves the following two questions: What makes a security visualization effective? How do we measure visualization effectiveness in the context of investigating, analysing, understanding and reporting cyber security incidents? This thesis explores a range of effectiveness measurement techniques for web and mobile platforms. We investigated existing effectiveness methods for the design, implementation and user observation phases in security visualizations. Consequently, we identified effectiveness criteria and metrics in applications include visual clarity, visibility, distortion rates and user cognitive response (viewing) times. With the goal of aiding decision making in cyber security operations, we provided a distinctive security visualization paradigm of a full-scale effectiveness measurement (SvEm framework) approach for both theoretical and user-centric visualization techniques. Our framework facilitates effectiveness through our SvEm algorithm thus, providing various interactive three-dimensional (3D) visualization applications to enhance both single and multi-user collaboration. 
The SvEm framework involves several key components: (1) web/mobile display dimensions and resolution, (2) security incident entities, (3) user cognitive activators and alerts, (4) working memory load, (5) threat scoring system and (6) the colour usage management. To evaluate effectiveness in our framework, we developed several use cases: (1) VisualProgger - a real-time security visualization analytic application (web and mobile platforms), (2) a security visualization with augmented reality and (3) a security visualization for intelligence tracking and monitoring. In addition, we developed and documented a new security visualization guideline (a SCeeVis pre-standard) as part of the SvEm framework to aid with the design, implementation and observation environments. This pre-standard further allowed us to develop our SCeeVis colour chaining standard and a new cognition and working memory (SvEm-CWML) instruction set to enhance the user’s cognition and perception process for security visualizations. As a result, our visualization application outputs effectiveness measurement by capturing and increasing the user's attention span through the process of reducing cognitive load, while increasing the viewer’s memory efficiency. Thus, users have a high potential to gain security insights from a given visualization. Our evaluation shows that, viewers perform better with the existence of prior knowledge of security events and if they operate in a comfortable visual environment. It has also indicated that circular visualization designs attracted and maintained the viewer’s attention. Finally, these discoveries have revealed new research directions for future work relating to effectiveness measurement in security visualization

    Visualization and Data Provenance Trends in Decision Support for Cybersecurity

    No full text
    The vast amount of data collected daily from logging mechanisms on web and mobile applications lack effective analytic approaches to provide insights for cybersecurity. Current analytical time taken to identify zero-day attacks and respond with a patch or detection mechanism is unmeasurable. This is a current challenge and struggle for cybersecurity researchers. User- and data provenance-centric approaches are the growing trend in aiding defensive and offensive decisions on cyber-attacks. In this chapter we introduce (1) our Security Visualization Standard (SCeeL-VisT); (2) the Security Visualization Effectiveness Measurement (SvEm) Theory; (3) the concept of Data Provenance as a Security Visualization Service (DPaaSVS); and (4) highlight growing trends of using data provenance methodologies and security visualization methods to aid data analytics and decision support for cyber security. Security visualization showing provenance from a spectrum of data samples on an attack helps researchers to reconstruct the attack from source to destination. This helps identify possible attack patterns and behaviors which results in the creation of effective detection mechanisms and cyber-attacks

    Security visualization for cloud computing: an overview

    No full text

    A full-scale security visualization effectiveness measurement and presentation approach

    No full text
    What makes a security visualization effective? How do we measure visualization effectiveness in the context of investigating, analyzing, understanding and reporting cyber security incidents? Identifying and understanding cyber-attacks are critical for decision making - not just at the technical level, but also the management and policy-making levels. Our research studied both questions and extends our Security Visualization Effectiveness Measurement (SvEm) framework by providing a full-scale effectiveness approach for both theoretical and user-centric visualization techniques. Our framework facilitates effectiveness through interactive three-dimensional visualization to enhance both single and multi-user collaboration. We investigated effectiveness metrics including (1) visual clarity, (2) visibility, (3) distortion rates and (4) user response (viewing) times. The SvEm framework key components are: (1) mobile display dimension and resolution factor, (2) security incident entities, (3) user cognition activators and alerts, (4) threat scoring system, (5) working memory load and (6) color usage management. To evaluate our full-scale security visualization effectiveness framework, we developed VisualProgger - a real-time security visualization application (web and mobile) visualizing data provenance changes in SvEm use cases. Finally, the SvEm visualizations aim to gain the users' attention span by ensuring a consistency in the viewer's cognitive load, while increasing the viewer's working memory load. In return, users have high potential to gain security insights in security visualization. Our evaluation shows that viewers perform better with prior knowledge (working memory load) of security events and that circular visualization designs attract and maintain the viewer's attention span. These discoveries revealed research directions for future work relating to measurement of security visualization effectiveness.

    Returning control of data to users with a personal information crunch - a position paper

    No full text
    With the data universe expanding to uncontrollable limits, we are losing control of our personal information. From online purchases to movie streaming, we are giving vendors more and more information, such that our privacy is at stake. Hackers and third-parties can gain access to this information, putting us at risk to a number of attacks. The current model where every online vendor has personal information, such as name, addresses and date of birth should be reconsidered. A user needs to have full or at least more control over their personal data, and who has access to it. This paper presents alternatives to vendors having all of a user's personal information and raises many concerns about the current state of play. A simple model is proposed where personal information is stored on the user's mobile device, and requested by vendors when needed. Information can then be given in either a private or trusted manner, and encrypted responses can be cached by a relay service. Vendors should only use the data inflight, and never store personal information. This provides the user with data provenance and access control, while providing the vendor with accountability and enhanced security.