Building Cyberspace Situation Graphs with the JDL – A Level 0 to Level 2 Sensor Fusion Idea by Tim Bass

Building Cyberspace Situation Graphs with the JDL
A Level 0 to Level 2 Sensor Fusion Idea

Brief Thought Paper by Tim Bass
19 September 2016

DOI: 10.13140/RG.2.2.17456.35843/3

As readers know, I’m in the process of surveying hundreds of papers that address cyberspace situational awareness (CSA). My thoughts so far are that many researchers have been doing a great job of “going down deeply into the weeds” (perhaps too quickly) before the community agrees on a more comprehensive high level model for visualizing cyberspace situations.

For example, it appears to me, based on my survey, that researchers have been focused on threat detection and attack graphs without a deeper understanding of a clear way to represent, model and visualize cyberspace objects, cyberspace situations and cyberspace events (the core building blocks of cyberspace situational awareness). My intuition tells me that one basic problem is how to create dynamic graphs (visualizations) that represent situations in cyberspace from raw sensor data, following the JDL (Level 0, Level 1, Level 2 sensor fusion, etc.), and then filtering and processing these graphs with the capability to easily visualize cyberspace situation graphs as required (automated graph matching of real-time graphs with historical graphs, per the JDL multi-sensor data fusion / situation awareness model I applied to cyberspace in 1999 and 2000, would also be required).

One idea that has come to mind after reading so many research papers this year is to build a working prototype and real-time visualization of “cyber situations” using a single “busy server” at first, like the tech forums I manage at The high level idea would be to construct graphs in near real time of events as they occur; for example, a node would appear on the screen when someone attempts to connect to the server, and then the graphical node would change color if they successfully connected, then logged in, etc. Also, when someone (or some process) “opened a file” there would be a line (action to open file) and a new node (file) appearing, etc.
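The prototype idea described above, as an added example that is not code from the paper: it folds a constructed event stream into a graph whose client nodes change state and colour as a session progresses, then filters the graph by session state. The event names, tuple layout, colours and the `build_graph` / `filter_graph` helpers are assumptions made for illustration.

```python
# Constructed sample events: (timestamp, event type, actor, target).
# The field layout and event names are assumptions made for this example.
EVENTS = [
    (1, "connect_attempt", "198.51.100.7", "server"),
    (2, "connect_attempt", "203.0.113.9", "server"),
    (3, "connect_ok", "198.51.100.7", "server"),
    (4, "login_ok", "198.51.100.7", "server"),
    (5, "file_open", "198.51.100.7", "/var/www/forum/index.php"),
]

# Session states per event type; the colours are an assumed rendering choice.
STATES = {"connect_attempt": ("attempted", "grey"),
          "connect_ok": ("connected", "yellow"),
          "login_ok": ("logged_in", "green")}
RANK = {"attempted": 0, "connected": 1, "logged_in": 2}


def build_graph(events):
    """Fold raw events into object nodes and relation edges."""
    nodes, edges = {"server": {"kind": "host"}}, []
    for ts, etype, actor, target in sorted(events):
        client = nodes.setdefault(
            actor, {"kind": "client", "state": "attempted", "colour": "grey"})
        if etype in STATES:
            state, colour = STATES[etype]
            # Never downgrade a client that has already progressed further.
            if RANK[state] > RANK[client["state"]]:
                client.update(state=state, colour=colour)
            if not any(e[:3] == (actor, "connects_to", target) for e in edges):
                edges.append((actor, "connects_to", target, ts))
        elif etype == "file_open":
            nodes.setdefault(target, {"kind": "file"})
            edges.append((actor, "opens", target, ts))
    return nodes, edges


def filter_graph(nodes, edges, min_state):
    """Keep clients at or beyond min_state plus everything they touch."""
    keep = {n for n, a in nodes.items()
            if a["kind"] == "client" and RANK[a["state"]] >= RANK[min_state]}
    kept_edges = [e for e in edges if e[0] in keep]
    keep |= {e[2] for e in kept_edges}
    return {n: nodes[n] for n in keep}, kept_edges


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    print(filter_graph(*graph, min_state="logged_in"))
```

Filtering on `logged_in` drops the client that only attempted a connection and leaves the authenticated client, the server and the file it opened.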

Therefore, what seems to be required is a tremendous amount of research work in creating a graphical, object-oriented ontology of these core cyber-objects and situations. There also need to be simple and easy basic situations to visualize, and filter the visualizations, at many levels. My thoughts are that the high level CSA approach should be to have the basic building blocks in place before processing “big data”. I have read and seen a lot of research on “big data” in my literature survey. What is missing, in my current view, is a fundamental lack of definition and clarity of the basic building blocks to build cyber situation graphs and the core capability for cyber operations to be able to filter the graphs, at many levels, point-and-click, to make human visualizations and “what if” situational analysis easier.

I have recently started discussing this idea and “way forward” on ResearchGate with Richard Zuech, who wrote a very good survey paper, Intrusion Detection and Big Heterogeneous Data: A Survey by Zuech et al.

Also, I would like to thank Robert Meyer for our Facebook chat sessions where Rob strongly recommended I focus on graph theory as I get my feet wet again in this exciting technology area.

Papers surveyed that helped motivate me toward these thoughts and this summary working paper / research proposal may be found at my Cyberspace Event Processing Blog.
