Attack Navigator Map: Analysis results dashboard

The Attack Navigator Map tool unites a large part of the TREsPASS tool chain (model creation, attack tree creation, analysis, visualisation) in one user interface. The analysis results visualisation dashboard is the last step in the tool chain, and appears as a separate view on top of the regular ANM user interface. It gathers all the results of the analysis (and of the other intermediate tools), makes them available for download, and visualises them as attack trees. In addition, the dashboard offers alternative visualisations that are derived from the attack tree. Where needed it also displays visualisations that are specific to the output format of individual tools, for instance the Attack Cloud visualisation and the tree map view.

Integrated and stand-alone

The TREsPASS visualisations are developed as single, loosely coupled components, entirely independent of one another. By avoiding interdependence we ensure complete modularity, which in turn allows us to use the components as building blocks for applications like the ANM analysis results dashboard, with the option to easily replace a component with a compatible alternative if needed.

At the same time it is entirely possible to take a single visualisation component and, with only a thin layer of application logic around it, package and distribute it as a stand-alone (desktop) application.

How it works

The JavaScript framework used is React, where components take required or optional inputs (very similar to function arguments in programming) called "props" (short for properties). The input data must be provided in a certain format, which can be a common format shared among similar visualisation types (attack trees, for instance) or one specific to the output of an individual analysis tool (for instance ATEvaluator). Best practice is to build components that contain only a minimum of logic themselves. The task of parsing and preparing the input data is therefore handed over to the host application, whose responsibility it is to provide the component with the right data.

All of the preparation and pre-processing routines are outsourced to an external library and are available as reusable utility functions. The trespass.js library has submodules for working with the TREsPASS socio-technical model format, the different "flavours" of attack trees, and the output formats of the analysis tools that are part of the TREsPASS family of tools.

Visualisation explorations of analysis tools

Most of the analysis tools provide outcomes comparable to a 'top 10', but each does so in a slightly different way. The outcomes of these tools are visualised with small charts on the left and, on the right, the subset of the attack tree to which the analysis was applied; the two are always linked to each other. This makes it easy for a user to find the most vulnerable attack traces.

ATAnalyzer presents the attack traces with the highest utility for an attacker. In this example a user hovers over the trace with the highest utility (utility=1000, cost=600).
ATEvaluator calculates Pareto-efficient solutions for the attack tree. Hovering over the Pareto frontier highlights the involved attack traces in the subset of the attack tree on the right.
ATCalc displays the likelihood of attack over time, as well as which leaves become more probable at a certain point in time. The two small graphs on the left and the subset of the attack tree on the right interact with each other, so that a user can quickly explore the results of the analysis tool.
Detail of the two parts of the visualisation of the ATCalc results. Each time step can be explored; the graph beneath it visualises which leaf nodes are involved.
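To show what the "top 10" charts and the linked subtree are computed from, here is an added example (not code from the ANM, trespass.js or any TREsPASS analysis tool) that enumerates the attack traces of a small AND/OR tree, ranks them by attacker utility in the manner of ATAnalyzer, and selects a cost-versus-probability Pareto frontier in the manner of ATEvaluator. The tree, its leaf costs and probabilities, and the utility formula are constructed assumptions for illustration.

```javascript
// Constructed attack tree (assumption, not ANM data): OR nodes offer alternatives,
// AND nodes require all of their children; leaves carry attacker cost and success probability.
const tree = {
  id: 'steal-data', type: 'or', children: [
    { id: 'remote', type: 'and', children: [
      { id: 'phish-creds', cost: 200, prob: 0.6 },
      { id: 'exfil-vpn', cost: 400, prob: 0.9 },
    ]},
    { id: 'physical', type: 'and', children: [
      { id: 'tailgate', cost: 100, prob: 0.5 },
      { id: 'copy-disk', cost: 300, prob: 0.4 },
    ]},
    { id: 'insider', cost: 900, prob: 0.95 },
    { id: 'lost-laptop', cost: 700, prob: 0.5 },
  ],
};

// An attack trace is a set of leaves that together satisfy the root: an OR node
// yields the union of its children's traces, an AND node their cross product.
function traces(node) {
  if (!node.children) return [[node]];
  const parts = node.children.map(traces);
  if (node.type === 'or') return parts.flat();
  return parts.reduce((acc, p) => acc.flatMap(a => p.map(b => a.concat(b))), [[]]);
}

// Score each trace the way the dashboard's charts need it: one number per trace plus the
// leaf ids to highlight in the subtree. Cost is additive, success probability multiplicative;
// the utility formula (gain * probability - cost) is an assumption, not ATAnalyzer's definition.
function scoreTraces(root, gain) {
  return traces(root).map(leaves => {
    const cost = leaves.reduce((s, l) => s + l.cost, 0);
    const prob = leaves.reduce((p, l) => p * l.prob, 1);
    return { leaves: leaves.map(l => l.id), cost, prob, utility: gain * prob - cost };
  });
}

// ATAnalyzer-style ranking: the n traces with the highest utility for the attacker.
function topByUtility(root, gain, n) {
  return scoreTraces(root, gain).sort((a, b) => b.utility - a.utility).slice(0, n);
}

// ATEvaluator-style frontier: drop any trace that another trace beats on cost without
// losing on probability (or vice versa); what remains is the Pareto-efficient set.
function paretoFrontier(scored) {
  return scored.filter(t => !scored.some(o => o !== t &&
    o.cost <= t.cost && o.prob >= t.prob && (o.cost < t.cost || o.prob > t.prob)));
}
console.log(topByUtility(tree, 2000, 3).map(t => `${t.leaves.join('+')}: ${t.utility}`));
```

Hovering a bar or frontier point in the dashboard corresponds to taking one entry's `leaves` array and highlighting exactly those nodes in the tree on the right.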


Visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.


Watch the visualisation dashboard in action on Vimeo

Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map.
Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. Colours indicate similar actions; grey actions are unique.


Circular visualisation of an attack tree generated from a map that was built in the Attack Navigator Map. The list on the right is ordered by label frequency (how many times the same label appears in the tree).


Attack Tree component visualiser

The Attack Tree component visualiser visualises attack trees from XML files, including countermeasures (green). It automatically detects which flavour of attack tree it is given (for instance, ADTool outputs a different style of attack tree XML than TreeMaker). The user can zoom in and out to inspect details, and switch the view from the tree layout to the circular one. It can also visualise similarity between nodes.

Try out the Attack Tree component visualiser

Download example XML file to load in visualiser

InterActor


From our extensive contact with security practitioners, in a long series of LEGO engagements and evaluations, we sketched out the beginnings of a potential digital prototype. After nearly 300 people had used the LEGO method with great success on a wide range of contrasting cases, it was clear to us that there was also a need for an extension to the method, in which data can be captured during and after the co-creation process that had closely involved stakeholders of all types and kinds. The InterActor prototype is designed to extend the physical modelling process, so that stakeholders may continue to work on these problems together by creating shareable digital models of their tangible LEGO models, ensuring that the resulting insights are not lost.


InterActor has been conceived as a way of extending and facilitating the co-construction process. It is intended to be used during and after workshops, in face-to-face sessions, and work can also be shared remotely via its web-based architecture. Users are given starting points from which they can shape the model so that it is relevant to their own practice (using a spreadsheet view of their data).

This can include practitioners modelling their own roles within an organisation, managing and accounting for how an issue is being tracked within the workforce. Doing this requires a narrative that can be jointly developed with teams and stakeholders involved in a risk scenario, and InterActor is also designed to suit this purpose.


The overall aim of the prototype is to assist the security practitioner in finding and mapping the communities of practice that surround controls. It provides a more refined and integrated view of how control strengths in specific areas are supported by (and are also based on) the specific values and perspectives of actors, in groups and as individuals.


The digital tool operates in such a way that the techniques can be applied in depth or with a light touch, depending on the level and amount of data that is encoded in the prototype. In the security domain there are no tools comparable to the LEGO analogue tool kit and the InterActor prototype produced by TREsPASS, which work in combination to visualise socio-technical patterns and inform our view of risk.

The first version of the prototype can be accessed online: InterActor-Creative Securities/RHUL

The second version of the prototype following user feedback can be found here


Cloud Environment & Actor Visualiser (CEAV)

The Cloud Environment & Actor Visualiser (CEAV) visualises a cloud environment, including infrastructure such as physical servers and virtual machines as well as cloud actors. The environment is depicted over time with a focus on the roles the administrators have on parts of the infrastructure. As cloud environments typically have a large number of components, the view abstracts/summarises unchanging parts visually, allowing the user to focus on the changing elements over a given time interval. The time interval of interest can be selected from a timeline that indicates changes in an overview of the available date range.

Representing the overall cloud environment including its actors leaves no room for an explicit representation of time as a spatial dimension. Therefore, in this prototype, snapshots of the system state (with the changes during a selected time interval highlighted) are shown together with a timeline that both summarises the times of change and serves to select the time interval for which changes are shown.

Figure 1 shows the initial view of CEAV for data from a real medium-level private cloud (for protection, the data is anonymised; a cloud administrator would instead see the user and infrastructure names with which he is familiar). This more complicated view shows on the left-hand side the various cloud actors (represented by their user ids in the cloud), and on the right-hand side a depiction of the parts making up the cloud infrastructure. Both parts are connected by role links that show what level of access control the actors on the left have over which part of the cloud infrastructure on the right. The infrastructure parts form a hierarchy through parent-child relationships (as given by the cloud management backend, here VMware vCenter), which is essentially used to group infrastructure of similar types. Additionally there are many other typed relations between the elements, e.g. the containment relationship between virtual machines and physical hosts, which is the relation used by the TiCoVis prototype.

Figure 1: Changes of the cloud environment over time. The upper part shows the cloud actors to the left, the cloud infrastructure parts to the right, while connecting both parts by showing the access roles the actors have on the infrastructure. A timeline below shows where changes occur (red for changes in the infrastructure, blue for access role changes), allowing the selection of a time interval for which the changes are summarised and highlighted above.

These relationships can be highlighted and named when selecting individual elements (see Figure 2).

Figure 2: tooltips and highlighting for more detailed information.

This structural representation of the cloud environment is accompanied by a timeline below that shows the full range of observations available, again marking where changes occurred (red marks a change in the infrastructure, blue a change in actors and/or roles).

As the structure here is more complex to represent and there is typically a large number of cloud infrastructure elements, the representation focuses on the changes occurring in the time interval selected in the timeline. Here red signifies vanishing relationships and green newly introduced relationships in the graph. To keep the representation visually readable despite the large number of elements, abstraction is employed to summarise similar elements into nodes marked 'Unchanging', together with a counter of the summarised nodes (on this particular level; each of them potentially represents a much larger number of lower-level elements).
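The change classification and the 'Unchanging' abstraction just described, as an added example (not CEAV's own code): a constructed log of role grants and revocations is replayed to the two ends of a selected interval, each actor-to-infrastructure role link is classified as vanished (red), new (green) or unchanging, and the unchanging links are collapsed per infrastructure group into one counter. The log format, field names and group labels are assumptions for illustration.

```javascript
// Constructed event log (assumption, not CEAV data): each entry grants or revokes a role
// at time t (days); 'group' is the infrastructure level the target belongs to.
const events = [
  { t: 1, op: 'grant',  actor: 'u1', role: 'Admin',    target: 'host-a', group: 'hosts' },
  { t: 1, op: 'grant',  actor: 'u2', role: 'ReadOnly', target: 'host-b', group: 'hosts' },
  { t: 2, op: 'grant',  actor: 'u2', role: 'ReadOnly', target: 'vm-1',   group: 'vms' },
  { t: 5, op: 'revoke', actor: 'u2', role: 'ReadOnly', target: 'vm-1',   group: 'vms' },
  { t: 5, op: 'grant',  actor: 'u3', role: 'Admin',    target: 'vm-1',   group: 'vms' },
  { t: 8, op: 'grant',  actor: 'u1', role: 'Admin',    target: 'vm-2',   group: 'vms' },
];

// A role link is identified by who has which role on what.
const key = e => `${e.actor}|${e.role}|${e.target}`;

// Replay the log up to and including time t to get the active role links (the
// actor -> infrastructure edges drawn between the two halves of the view).
function snapshot(log, t) {
  const active = new Map();
  for (const e of log.filter(e => e.t <= t).sort((a, b) => a.t - b.t)) {
    if (e.op === 'grant') active.set(key(e), e); else active.delete(key(e));
  }
  return active;
}

// Diff the snapshots at the interval ends: 'vanished' would be drawn red, 'added' green.
// Links present at both ends are not drawn individually but summarised into one
// 'Unchanging' node per infrastructure group, carrying the number of links it stands for.
function diffInterval(log, from, to) {
  const before = snapshot(log, from), after = snapshot(log, to);
  const vanished = [...before.keys()].filter(k => !after.has(k));
  const added = [...after.keys()].filter(k => !before.has(k));
  const unchanging = {};
  for (const e of before.values()) {
    if (after.has(key(e))) unchanging[e.group] = (unchanging[e.group] || 0) + 1;
  }
  return { vanished, added, unchanging };
}

// Timeline markers: the distinct times at which any role link changed.
function changeTimes(log) {
  return [...new Set(log.map(e => e.t))].sort((a, b) => a - b);
}
console.log(changeTimes(events), diffInterval(events, 3, 6));
```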

Figure 3 shows the selection of a smaller time interval around the time at which the role change occurred. Hovering over the role connection shows details of the role type and of the specific user and infrastructure element involved.

Figure 3: selection of a smaller time interval around the role change shows the correspondingly different set of environment changes in the main graph.

The prototype can be found online at TREsPASS CEAV.


Time-Containment Visualiser (TiCoVis)

The Time-Containment Visualiser (TiCoVis) creates an 'alluvial' view of a selected 'container-content' relation, e.g. between physical servers and virtual machines, over time. In an alluvial diagram, time is an integral part of the visualisation, and the 'flow' of contained elements between containers over time is directly visible because it is laid out spatially. Zooming and panning allow seeing the big picture over time as well as the details of specific time intervals.

In this prototype the focus is on just one specific containment-like relation between two types of instances, here the placement of virtual machines on physical hosts; this makes it possible to show time explicitly as one dimension of the representation. Still, the large number of elements and change events requires steps to visually summarise, and to focus on changes rather than on unchanging elements.

Figure 1: The alluvial flow of virtual machines contained by physical hosts over time.

Figure 1 shows the entry screen of TiCoVis with the representation of data from a live medium-level private cloud (for protection, the data is suitably anonymised; a cloud administrator would of course instead see the host names with which he is familiar).

The different horizontal bands represent physical host machines over time; the width of a band indicates the number of virtual machines deployed on that host. Rectangles represent a host at a specific point in time at which a change occurred for this host. Flows are coloured with a gradient in order to further clarify visually where changes are occurring.

Time is represented on the horizontal axis. The upper part shows the main information for the time interval selected in the timeline at the bottom. The timeline summarises the available data as a fixed full interval, placing red markings for all change events and so giving a direct indication of where and when changes occurred.

Hovering over flows or host rectangles will dim all flows except the ones connected to this flow/host and show information of the involved virtual machines and related changes in a tooltip (see Figure 2).

Figure 2: highlighting selections while hovering and tooltips for detailed data.

Zooming and panning are enabled on both the data area and the timeline for easy selection of arbitrary time intervals, allowing time intervals dense with changes to be resolved (see Figure 3 for a detail).

Figure 3: zooming and panning is possible for the selection of time intervals.

Still, some time intervals contain so many changes to the system that marking each change with a rectangle would lead to an overload. For these time intervals, the entries are summarised into special summarisation nodes (double the width of normal nodes, with a slightly darker colour and a pattern indicating how many events are summarised within). This can for example be seen in Figure 1 on the lower right-hand side. Zooming into this time regime gradually unfolds the contained nodes (shown in Figure 4).

Figure 4: unfolding summarisation nodes while zooming.

The prototype can be found online at TREsPASS TiCoVis.