Cyberspace Situation Graphs - A Brief Overview
Cyberspace Situation Graphs - A Brief Overview

T. Bass, Cyberspace Situation Graphs – A Brief Overview, Presentation, 26 September 2016, DOI: 10.13140/RG.2.2.16014.56643/8

Abstract of Presentation

“Cyberspace Situational Awareness may be achieved over time by the application of the JDL model for multisensor data fusion [1] to build Cyberspace Situation Graphs. Critical to a Cyberspace Situation Graph is the creation and management of the Cyber-Object Base. Cyberspace Situation Graphs can be viewed, processed, filtered, stored, and matched all in the context of applying graph theory to Cyberspace Situational Awareness as outlined in Intrusion Detection Systems and Multisensor Data Fusion (Bass 2000) [2].”

Keywords: cyberspace situational awareness, cyberspace situation graph, cyberspace object base (cyber object base), cyberspace situation base (cyber situation base), cyber-object, parent cyber-object, child cyber-object, device cyber-clone

A Few Issues in Cyberspace SA (CSA)

  • Cybersecurity has historically been based on access controls, file system integrity checking and other controls.
  • Computer systems were not designed to create cyberspace situational awareness, so creating a simple cyberspace situation graph for routine CSA is a fairly difficult task.
  • Computer systems need to support CSA by creating and updating objects “the object base” based on events in real time.


Cyberspace Situational Awareness may be achieved over time by the application of the JDL model for multisensor data fusion to build Cyberspace Situation Graphs.

Cyberspace Situation Graphs are simply graphical representations of the relationships between objects in cyberspace as simply illustrated in the previous slides where we use graphs to visualize the process of (1) attempted connection to object, (2) successful connection to object, (3) open file on object, (3) write file on object.

  • Required: Cyber systems must support an event-driven cyber-object base which is updated based real-time events.
  • Tradition log file analysis, “adapters” and other “bolt-on technologies” are not an efficient way to manage cyber object-bases.
  • Future computer operating systems and platforms should be designed to support cyber object base management in real-time if we are to efficiently achieve CSA.

Copyright by Tim Bass 2016. The Concepts “Cyber-Object Base” and “Cyberspace Situation Graphs” and other “first use terms” are Copyright by Tim Bass 2016. All Right Reserved. Use of these terms are granted for public use provided proper citation credit is given in the document (in accordance with normal academic standards). The right-to-use in commercial products and patents is not granted. All Commercial Rights Reserved by Tim Bass

[1] D. Hall and J. Llinas, “An Introduction to Multisensor Data Fusion”, Proceedings of the IEEE, Vol. 85, No. 1, January 1997
[2] T. Bass, “Intrusion detection systems and multisensor data fusion”, Communications of the ACM 43 (4), 99-105, 2000
[3] Joint Publication 3-12 (R) “Cyberspace Operations”, 05 February 2013
[4] N. A. Giacobe, “Application of the JDL Data Fusion Process Model for Cyber Security”, Proc. of SPIE – The International Society for Optical Engineering, April 2010
[5] E. P. Blasch, and S. Plano, “JDL level 5 fusion model: user refinement issues and applications in group tracking.”, Proc. of SPIE, Vol. 4729, 270-279 (2002).

Download full text of draft presentation (version 0.87) in PDF format here.


  1. Updated to version 0.88 to add a copyright statement and grant the right for academic and research use (with proper references and citations) of this work.

Comments are closed.