MS Defense: Real-time Cybersecurity Situation Awareness Through a User-Centered Network Security Visualization
One of the most common problems among cybersecurity defenders is a lack of network visibility, which leads to decreased situation awareness and overlooked indicators of compromise. This presents an opportunity to apply information visualization in the field of cybersecurity. Prior research has applied visual analytics to computer network defense, producing visualizations for a variety of security use cases. However, many of these visualizations do not consider user needs and requirements, or they require predetermined user knowledge about the network before the visuals can be created, leading to low adoption in practice. With this in mind, I took a bottom-up, user-centered approach, using interviews and scenario-based evaluations to design, develop, and evaluate a network security visualization tool called Riverside. I elicited its technical feature requirements through interviews with network and security professionals.
I designed a visualization that balances a comprehensive view of an environment with details-on-demand. Riverside's key contribution is a data-driven, dynamic view of a network's security state over time, meant to supplement an analyst's real-time situation awareness of their network. Riverside automatically graphs the network and partitions internal from external components to visualize potential attack vectors across the entire environment. This research supports the need to further incorporate users into the cybersecurity visualization development lifecycle. I call attention to key requirements for creating effective cybersecurity visualizations and to specific use cases where visualizations can be leveraged to augment operational cybersecurity capabilities.
Dr. Niklas Elmqvist
Dr. Michel Cukier
Dr. Leo Zhicheng Liu