2012
DOI: 10.1007/s13218-012-0179-2

Sol: An Agent-Based Framework for Cyber Situation Awareness

Abstract: In this article, we describe how we augment human perception and cognition through Sol, an agent-based framework for distributed sensemaking. We describe how our visualization approach, based on IHMC's OZ flight display, has been leveraged and extended in our development of the Flow Capacitor, an analyst display for maintaining cyber situation awareness, and in the Parallel Coordinates 3D Observatory (PC3O or Observatory), a generalization of the Flow Capacitor that provides capabilities for developing and exp…

Cited by 25 publications (20 citation statements)
References 26 publications (33 reference statements)
“…The authors specifically call out a key challenge: "the difficulty in finding the flight performances model for network analysis. Whereas the primary task of the pilot is to fly effectively within the known parameters of a fixed aerodynamic model, the job of the NOC analyst is to understand emerging threats accurately against the moving target of a network that is constantly changing" (Bradshaw et al, 2012). The approach taken in this paper could be characterized in exactly that manner: how does an organization find its appropriate cyber performance model?…”
Section: Manual and Automated Analysis For Situational Awareness
Citation type: mentioning
confidence: 99%
“…6 In addition, Sol was designed to support continuous knowledge preservation by collaborative logging of cases and workflows by analysts and software agents. 5,7 The framework manages a large logical pool of event data that is shared by many analysts and software agents. All actors can collaboratively explore, filter, and annotate the data within the constraints established by KAoS, a semantic policy framework that governs data use.…”
Section: Network Observatory Overview
Citation type: mentioning
confidence: 99%
“…The emphasis of our own work on sensemaking is to put questions about the role and benefits of computer interaction with people front and center. 10 In light of the current emphasis on validation using multiple methods within the sensemaking literature, the question for the system designer becomes not only, "How can we help analysts know whether their hypotheses are correct?" but also, "How can we, to the greatest possible degree, use visualization, automation, and collaboration tools to help them expose their hypotheses to the light of experience and inquiry, in order to evaluate and refine them as thoroughly as possible?"…”
Section: A Sensemaking Strategy For Moving-target Defense
Citation type: mentioning
confidence: 99%
“…10 This communication must be bidirectional: the structure of the visualization communicates to the analyst the structure and processing performed by the machines (software agents in the system), while at the same time the user interactions with the visualization are used to direct and modify the activity of the software agents. For example, software agents that classify incoming NetFlow data into classes such as "normal," "communications to whitelisted sources," and "communications from blacklisted sources" may be visualized as a flow between a source and three sinks.…”
Section: What Would a Moving-target System Look Like?
Citation type: mentioning
confidence: 99%