Originally published on Feb 5, 2014 on YouTube, this video shows a dataset graphically with various colors that represent different entity types as follows:

  • Blue: Domain
  • Yellow: IP address
  • Green: AS number

The edges between the nodes in the graph represent different connection types:

  • Domain to IP: A certain domain is mapped to a certain IP
  • IP to ASN: A certain IP belongs to a certain ASN
  • Domain to Domain: Related domain or Co-occurrences

This is a nice example of the type of visualization needed for cyberspace situational awareness. Each node in the graph is an object in the object-base. The user should be able to filter and drill down as required.

For example, if using augmented reality (AR) tools, the user should be able to visualize the network as a graph of objects connected at the network layer (not necessarily at the physical layer). This means when one object (a client process on a computer) establishes a connection with another object (a server, for example), the colors of both objects change and become nodes in a graph where the connection is represented as an edge.

Then, the user can “travel” though the network using hand gestures and drill down and view what is going on any object they have access rights to view. For example, they could filter the view to an application view of the objects, if necessary. If the client (for example a state actor) had successfully gained access to an object, the user could open the object and then view an augmented graphical representation of the file system of that object. For example, if the object was capable of showing changes to the file system (foe example using iNotify tools on a Linux server), the graph could illustrate changes to the file system in real time.

This is the kind of visualization needed to realize cyberspace situational awareness.