ConstellationBuilder — Cyberthreat Analytics Platform

Role: Project Leader & Design Lead
Team: 4 Researchers, 4 Designers, 3 Supervising Professors
Project Duration: 2 Months (May-July 2020)

Project Overview

In the summer of 2020, I led my team to create a cybersecurity analytics tool to address the IEEE VAST 2020 Mini-Challenge 3. The after developing its data, multiple iterations, heuristic evaluations, and critiques, proposed the Visual Analytics platform called ConstellationBuilder. The tool leverages artificial intelligence to aid technically inexperienced analysts in tracking cyber threats and assemble highly skilled white hats to address them. This project received the only Best Paper Award for the mini-challenge.

VAST Challenge 2020 Award: Award for Effectively Transforming Task Decomposition into Conceptual Design

VAST Challenge 2020: Mini-Challenge 3

The goal of the annual IEEE Visual Analytics Science and Technology (VAST) Challenge is to advance the field of visual analytics through competition.

The Problem

A group of “white hat” hackers have accidentally caused a global internet outage. The organization — Center for Global Cyber Strategy (CGCS), which tracks white hat activities, has tasked researchers to develop a new robust analytics system to address future outages. The designs must have a High-level situation awareness of issues. ii. They should have the ability to assemble a team from across the white hat community to respond to new events. iii. Incorporates machine learning as much as possible.

This is a summary of the challenge brief. You can read the full prompt here.

Solution — ConstellationBuilder

ConstellationBuilder is an interactive visualization system to support high-level situation awareness of cybersecurity events and the fast assembly of response teams. It allows visual analytics experts and non-experts in machine learning to quickly and effectively analyze cybersecurity reports and events. The systems provide an evaluative mechanism to select the best response team based on their achievements and familiarity with the issue. The system’s flexibility makes it easy to extend and integrate with any other monitoring and investigation tasks in the future.

Figure 1. Three views of the Interface

Design Process

Our design mantra was ‘Divide and Conquer,’ Each team member contributed significantly at one point in the design. This was an all virtual design process with a team member from about five different timezones. Tasks were assigned to individual members and were later synthesized as a group. The team was divided into two — The Design and the Research team— after the initial research phase. I tried to participate in all meetings on both sides as the Design Lead to give have a first-hand contribution to the research synthesis.

My Role

As the Project Lead and Design Team Lead, I was involved to some degree in most activities throughout the project process, but there were certain elements that I took the lead on.

Key responsibility
→ Defined the design and collaborative process and assigned project tasks
→ Conducted three rounds of literature review
→ Served as the intermediary between the research and design team
→ Conducted unstructured interviews with two cybersecurity expert
→ Led design team by leading virtual brainstorming and critique sessions
→ Defined the overall flows, UI pattern, and over UX for the final solution
→ Unified the final visual design to be consistent with the design systems

Research

Literature Review

After every team member was tasked to conduct the secondary research, the team meet three times over two weeks (2–3hours) to review and refine the secondary review conducted individually by each member. We planned to understand the following questions:

1. What are some common cyber threats that cause global internet outages?
2. Review historical data on past cyber threats across the global
3. Understand how white-hat groups operate on a local and global scale
4. How situation awareness is leveraged in software and cybersecurity.
5. Get some initial sense on cyber threat tracking tools.

Interviews

We conducted two interviews in parallel with the secondary research. The goal was to get a broad understanding of the project brief, the problem space(internet outages, white hat groups, cyber threats e.t.c).

Participant 1 — CISO with 8years of experience. We did a systematic review of the prompt after the interview to get his thoughts on it.

Participant 2—Cybersecurity Ph.D. has designed several visual analytics tools for the police in West Lafayette.

‘You could look into DDOS, which is probably one of the most invasive attacks a system can be attacked with. ‘

‘The systems needs to address multiple issues at a time and alert the users

Peer product review

Anomaly detection in cybersecurity data (Cambridge Intelligence)

Some team members spent the time reviewing other high-level applications we could take inspiration from and see the gaps within their products. They reviewed products from the industry, academia, and past submissions into the IEEE SecVis. Some key learnings were

• Most of the analytics dashboards didn’t have team building feature (which made our problem unique with great opportunity)
• We realized artificial intelligence and machine learning were still in their early stages, so we had to take a strategic approach when implementing them in ours.
• “Cyber threat intelligence is densely connected.” This illustrated how the systems have to be connected in various parts of the system. Each movement in the data affects. another
• Visual analytics still needed high-level product thinking to make it usable in day-to-day activities. This meant our choice of design had to be user-friendly and simple to navigate.