Seeing the cyber battlefield: Why 3D visuals are critical to cybersecurity

Seeing the cyber battlefield: Why 3D visuals are critical to cybersecurity
By Lee Trossbach
Mar 18, 2020
You cannot stop the enemy that you cannot see. Interactive 3D visualizations are enabling cybersecurity analysts to model their cyber domain and dynamically shape data in accordance with mission parameters—turning dense datasets into noticeable patterns in the hunt for malicious activity. 
Military missions involve intense planning. Maps, organizational charts, and analytics all factor into intelligence preparation. From rehearsal to execution, teams learn every mountain and river of the terrain they must navigate. 

The same deep knowledge is essential to cybersecurity missions. But, instead of scaling mountains, the landscape is made of networks, user devices, and a wide variety of applications, services, and protocols. And it is constantly changing. 

How can the military see the challenges ahead when the enemy is comprised of pixels and code? Spreadsheets, textual lists, and text-focused applications take too much time to review and interpret. Meanwhile, malicious actors can cause serious harm in just a few keystrokes—moving quickly and hiding easily in the noise. 

For a cybersecurity mission to succeed, the road ahead must be just as tangible as the landscapes of a traditional battlefield. This is where 3D visualization comes in.  

Transforming data into virtual terrain

In cybersecurity, visualization is a critical element of data analysis and awareness. A good visualization provides at-a-glance situational awareness of a network's defense posture. 

In our work alongside the U.S. Army Combat Capabilities Development Command (CCDC) Army Research Laboratory (ARL) and the CCDC Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance and Reconnaissance (C5ISR) Center, we have discovered the powerful impact of 3D visualization tools and techniques in military defense efforts. These advances allow new ways of exploring and interacting with data to improve understanding.
Go to ICF

Vids: A new dynamic and interactive tool for 3D visualization in cybersecurity 

Vids is a 3D visualization tool that’s rapidly approaching a production release. It takes raw text data and projects it into a 3D space. Within this space, users can move, compare, manipulate, and interact with the data. Running on top of the Unity game engine, Vids seamlessly allows user interaction while visualizing a large amount of data.

Intended as a tool to support both security analysts and researchers, Vids is highly flexible; users can configure it to process multiple data types. Once parsed, the data are processed into an appropriate node-edge graph and displayed, as defined by the user. Within the visualization, users can pivot through multiple graph layouts and find information hidden in the data. This provides a visual aid for known tactics, and also offers a hands-on visual analysis for hunting adversaries amongst ever-elusive unknowns.

Vids is under active development by ICF and our partners. A version 1.0 release to the cyber defense community is expected soon, alongside supporting technical papers.

Given the different terrain, new visualizations and methods are needed to facilitate cybersecurity situational understanding. Visualization for awareness can be used by cybersecurity analysts and decision-makers to assess trends and patterns in large volumes of network traffic information—potentially faster than any other form of information media. Network traffic and organization visualization thus offer the ability to understand a rapidly evolving and complex environment. 

Building upon emerging technologies

In the near future, emerging technologies like virtual reality (VR), augmented reality (AR), and mixed reality (MR) will become the norm. These technologies create a fundamental shift in the way data are currently visualized. In the context of intelligence preparation, VR and AR can allow decision-makers to process larger volumes of information far faster than traditional methods. 

Rather than looking at a paper map, commanders can place themselves in a virtual representation of the battlefield. Or, they can navigate a virtualized representation of communication networks instead of reviewing an analog diagram. Commanders and their supporting staff elements—who may be located anywhere in the world—can collaborate in the same VR space or experience the same AR representation collaboratively. In this way, cybersecurity analysts and their respective peers can work together in tailored VR environments whereby their interfaces and data visualizations are not reduced and locked into small rectangles (i.e., monitors) on their desk. 

To explore these virtual environments, new tools are needed to translate network data into 3D visualizations, enable interactivity, and integrate into an analyst’s workflow. 

For example, the Vids software (referenced above) leverages off-the-shelf modern game development technology using the Unity development platform—enabling faster development than a ground-up solution. The platform also allows for compatibility through targeted builds for different operating systems, including Windows and Linux. Vids is a tool that works on a computer supported by a traditional 2D monitor, but is intended for future VR/AR technologies. Analysts today are testing the tool and plan to integrate it into their workflows. And when future technologies are common and readily available, analysts will have an established precedent and a degree of familiarity.

These tools and concepts sound futuristic now, but they continue to progress rapidly towards field-ready applications. Once in the hands of cybersecurity experts, the U.S. military will be able to plan and execute cyber missions faster than ever before.

What the U.S. Army CCDC C5ISR wants to learn

For now, our work with the U.S. Army approaches 3D visualization with one goal: to provide a modern, highly flexible, and functional research and development platform relevant to network security and awareness. Its primary intent focuses on research purposes. 

The programs allow testing of multiple visualizations simultaneously with prospective users. Results from user evaluations are then used as feedback for new development or refinement of network security visualizations. 

Once this research and evaluation phase is complete, the program may move into active use through collaboration with CCDC C5ISR Center. It can operate as a visualization analysis tool for cybersecurity analysts across workstations and large screens, or as a training tool to interact with and understand data. 

The future of cybersecurity analysis

Future development includes the following new and expanded features—all aimed at reaching the goal of wider flexibility and functionality:

  • Expanded options for input data sources. Compatibility with a number of different data sources is desired beyond the current local Comma-separated values (CSV) reading capability. JavaScript Object Notation (JSON) reading is a likely next step, along with remote operations such as reading a remote file.
  • Expanded abilities for the user to interact with data sources and perform transparent configuration. Data sources will be reread, and the graph will be dynamically reconfigured to accommodate changes since the last reading and rendering.
  • Novel layouts based on new algorithms or user feedback as to the most helpful data views.
  • New styles for nodes and edges to allow maximum options for data visualization.
  • Expanded interaction options, including node and edge-to-graph translation. This feature would allow data contained within an individual node or edge to be shown and interacted with graphically rather than through text. For example, a timeline graph could show activity over time for two connecting partners. 
  • Work toward future integration with the CCDC C5ISR Center Virtual Reality Data Analysis Environment (VRDAE).  This collaborative environment has already integrated a 3D visualization model (Virtual Data Explorer) by Mr. Kaur Kullman from the CCDC ARL Open Campus program. So, Vids is primed for future integration thanks to this existing collaboration. 

Faced with ever-increasing data volumes, new solutions are needed to ensure situational understanding. Visualizations are one way to enable cybersecurity professionals to process and—most importantly—understand a larger volume of data. 

By using a modern game development platform, projects like the collaboration between ICF, U.S. Army CCDC ARL, and CCDC C5ISR Center allow streamlined development, strong compatibility across systems, and enhanced 3D, VR, and AR display options. It is a first step to bridge the gap between network and security visualizations as they currently exist and the future—where visualizations act as a ubiquitous and crucial aid to operations in cyberspace.


Meet the author
  1. Lee Trossbach, Senior Director, Cybersecurity Systems Engineer

Subscribe to get our latest insights