Network Activity Viewer
The first approach we took for helping users assess the situation at hand, and consequently make informed decisions, rests on the visualization of events on the network that are often hidden from end-users. As opposed to creating “agents” or “critiques” that monitor the network, attempt to detect “abnormal” events, and inform users, we decided to expose underlying activities so that users can better perceive the underlying mechanisms and activities on the network and consequently better understand the implications of their actions. To this end, we used the Vavoom visualization engine for the Java virtual machine, which uses a custom classloader to dynamically rewrite Java bytecode at load-time, instrumenting the class files with low-level event notifications. These event notifications were then routed to an extensible event service, YANCEES, which filtered these events, providing a high-level notification channel to a network activity visualizer component. The architecture is shown in Figure 1.
Figure 1: YANCEES and Vavoom integration
YANCEES was used to handle all communication between system components, including between the Vavoom JVM itself and the visualization displays. In addition to the visualization displays designed as part of the initial Vavoom implementation, we created specialized displays customized to security needs, particularly focused on web browsing as our initial scenario. The focus of the proof-of-concept was the question: can we visualize network activity as part of Web browsing, so that users could become aware of the ways in which aspects of their activity might be tracked while visiting web sites? By tracking the bytecode patterns, this prototype monitored network activity, maintaining a view of active connections and indicating when they were read or written, opened or closed.
Figure 2 shows the visualizations of various connections that were established when members of our group connected to the Department of Justice (DoJ) website. When the users visited the website, they expected that the target site would be the only site to which they would be connecting. However, as shown in the highlighted bar, the DoJ site also established a connection to the site of the Department of Homeland Security. This connection is not evident to users during a normal visit to the targeted site, but our visualization showed such "hidden" connections to them. This visualization would help them further assess the risks and security associated with their browsing behavior.
Figure 2: Event visualization of Department of Justice website
This particular prototype was used only for demonstrations and internal activities; its function was not to be the basis of user trials, but rather to demonstrate the fundamental principle, and provide a test-bed for experimenting with implementation ideas. Although this was a very preliminary demonstration, the application was able to show its potential to uncover aspects of network activity otherwise hidden, such as the use of off-site images and “web bugs” to maintain records of web site visitor activity. By making visible the pattern of network activity that leads to a particular page rendering, this system could begin to help people understand the consequences of their actions. More than the specific application or the particular design of the visual tools, this was the initial goal.
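
The event filtering described above, folding low-level open/read/write/close notifications into a per-connection view and highlighting hosts other than the visited site, can be sketched as follows. This is an added example, not code from Vavoom, YANCEES or the prototype; the event tuple format, the host names and the two-label `site_of` rule are assumptions made for illustration.

```python
# Constructed low-level events, shaped like what instrumented socket classes
# might emit (assumed format): (connection id, operation, host or byte count).
SAMPLE_EVENTS = [
    (1, "open", "www.visited.example"),
    (1, "write", 412),
    (1, "read", 18230),
    (2, "open", "images.visited.example"),
    (2, "read", 5120),
    (3, "open", "stats.other.example"),   # third-party host the user never typed
    (3, "write", 388),
    (3, "read", 43),
    (2, "close", None),
    (4, "read", 10),                      # event for a connection never seen opening
]


def site_of(host):
    """Crude site key: last two DNS labels. Assumption for this example;
    a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize(events, visited_host):
    """Fold low-level events into one high-level record per connection."""
    conns = {}
    for cid, op, arg in events:
        if op == "open":
            conns[cid] = {"host": arg, "state": "open", "read": 0, "written": 0,
                          "off_site": site_of(arg) != site_of(visited_host)}
        elif cid not in conns:
            continue  # read/write/close with no matching open: nothing to update
        elif op == "read":
            conns[cid]["read"] += arg
        elif op == "write":
            conns[cid]["written"] += arg
        elif op == "close":
            conns[cid]["state"] = "closed"
    return conns


def hidden_connections(conns):
    """Hosts contacted during the visit that belong to a different site."""
    return sorted({c["host"] for c in conns.values() if c["off_site"]})


if __name__ == "__main__":
    view = summarize(SAMPLE_EVENTS, "www.visited.example")
    for cid, c in view.items():
        mark = "!" if c["off_site"] else " "
        print(f"{mark} #{cid} {c['host']:<26} {c['state']:<6} "
              f"read={c['read']} written={c['written']}")
    print("off-site hosts:", hidden_connections(view))
```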
