A Full-Scale Security Visualization Effectiveness Measurement and Presentation Approach
Abstract—What makes a security visualization effective? How do we measure visualization effectiveness in the context of investigating, analyzing, understanding and reporting cyber security incidents? Identifying and understanding cyber-attacks are critical for decision making – not just at the technical level, but also the management and policy-making levels. Our research studied both questions, and extends our Security Visualization Effectiveness Measurement (SvEm) framework by providing a full-scale effectiveness approach for both theoretical and user-centric visualization techniques. Our framework facilitates effectiveness through interactive three-dimensional visualization to enhance both single and multi-user collaboration. We investigated effectiveness metrics including (1) visual clarity, (2) visibility, (3) distortion rates and (4) user response (viewing) times.

The SvEm framework key components are: (1) mobile display dimension and resolution factor, (2) security incident entities, (3) user cognition activators and alerts, (4) threat scoring system, (5) working memory load and (6) color usage management. To evaluate our full-scale security visualization effectiveness framework, we developed VisualProgger - a real-time security visualization application (web and mobile) visualizing data provenance changes in SvEm use cases.

Finally, the SvEm visualizations aim to gain the users’ attention span by ensuring a consistency in the viewer’s cognitive load, while increasing the viewer’s working memory load. In return, users have high potential to gain security insights in security visualization. Our evaluation shows that viewers perform better with prior knowledge (working memory load) of security events and that circular visualization designs attract and maintain the viewer’s attention span. These discoveries revealed research directions for future work relating to measurement of security visualization effectiveness.

Index Terms - Security visualization; Effectiveness measurement; Cyber-attacks; Cyber security; Mobile security; Network security; Web application security; Cognitive load; Attention span.

I. INTRODUCTION

Security visualizations are useful tools for gaining insights into security events but how effective are they? Do they improve cognition and decision making in time-critical security events, or do they slow the analysts down? This research presents a framework for measuring the effectiveness and presentation of security visualizations. Our primary focus is improving the SvEm framework [11] by providing a full-scale security visualization effectiveness measurement approach across an entire visualization experience. We assume that users are already competent when interacting and collaborating with security visualizations. We address data processing performance, visual clarity and user interactive enhancement features for a better user experience. To measure effectiveness of security visualizations, we require extensive assessments of both Web and mobile platforms, and their respective user response reaction times.

The moment a user comes into contact with a given security visualization, we are interested in understanding how the visualizations captured the user’s attention within minimal time, and measure their ‘attention span’. As such, we focus on observing the user’s cognitive load and working memory load efficiency. Visualization effectiveness is optimized when cognitive load decreases while working memory load increases.

II. BACKGROUND AND SCOPE

In most scientific, framework and user interface research, increasing ‘effectiveness’ translates to the goal of improving productivity by reducing time spent to gain tangible results. In this paper, our framework defines ‘effectiveness’ in security visualization as an entire full-scale security approach which maximizes user interaction and efficiently delivers tangible insights (information) to the targeted audience with the use of visualization.

In this paper, we measure effectiveness across the entire security visualization process, including both graphical representation and user interaction. We also take the view that security visualization supplements data analytics and automated processes in transforming raw security/‘cyber-attack’ event data into useful analysis. Security visualizations connect and present security incidents to users by providing interactive [14] visual experiences. Interactivity captures the user’s interest to take further necessary steps into collaborating and understanding cyber-attack landscapes. Visualization also facilitates the ability to process large data volumes and present trends and patterns visually. However, presentation and performance challenges exist. Hence the core purpose of this paper is ‘effectiveness measurement’ in security visualization. Our research provides a link between user cognitive knowledge and the security visualization effectiveness measurement framework (SvEm) [11]. Our security visualization effectiveness ap-
Fig. 2: Error Sensitivity Design

ideal user rating would fall in ‘Region A’ (Figure. 3) [30] whereby performance reading is high while mental effort is low. This also means the user’s working memory load is high. User studies have provided means for cognitive load measurement [17], particularly mental effort and performance assessment techniques which address visualization efficiency.

Fig. 3: Mental Effort Efficiency Reading [30]

Insight-based evaluation [40],[34],[35] by InfoVis has elevated the use of insights as an evaluation measure for technologies. ‘Insight’ [40] is defined as gaining accurate and deep understanding of something, i.e. a unit of discovery. It is often not achieved by predefined tasks or procedure but with higher probability a by-product of exploring without an initial goal or destination. Moreover, ‘sensemaking’ [32] plays a major role in gaining insights although the model (Information -> Scheme -> Insight -> Product) includes insight as a component. It enhances the entire experience of gaining and understanding insight.

Summarizing all related research, we see that effectiveness measurement in visualization covers not only technologies but users as well. With all key areas mentioned in this section, we now have a clear understanding of existing work around effective measurement methodologies in visualization. However, our framework focuses specifically on security visualization with the aim of assessing effectiveness measurement with regards to the urgency of security incident information presented.

IV. SVEM FRAMEWORK DESIGN

In order to implement a framework whereby security visualization effectiveness can be assessed, measured and evaluated, framework designs are a very critical stage of the whole development cycle. Therefore, in this section we present our framework design. Our effectiveness measurement (SvEm) components in security visualization are: (1) mobile display dimensions, (2) security incident entities, (3) user cognition activators and alerts, (4) threat scoring system, (5) working memory load, and (6) color usage management. These components are discussed in the following subsections.

A. System Backend Design Architecture

The SvEm security visualization framework server-side (backend) infrastructure is designed to accommodate both static and real-time visualization scenarios. It handles all data analytic processes occurring within the database, collectors and parser environment. Our system architecture includes the following components: Windows Progger (Logging Tool), Redis, MongoDB, Nodejs and WebGL. Windows Progger (a Windows version of Linux Progger [21]) is an internal system/kernel level provenance logging tool currently being developed with an emphasis on providing security within computer and cloud systems. Redis¹ [2] facilitates our cache/database link between Windows Progger and MongoDB. All data are stored permanently in MongoDB [3], while Nodejs [39] and WebGL [5],[31] facilitate the client-side frontend security visualization framework.

¹ Redis is an open source (BSD Licensed) in-memory data structure store, used as a database, cache and message broker.

The server-side architecture is designed to handle data processes while managing data storage. Preprocessed data are engineered based on the visualization scenario. For example, a real-time logging of a computer’s kernel system for provenance purposes is visualized to show and keep track of file creation, modification and deletion. In addition, data are standardised to meet the effectiveness assessment of the security visualizations in web and mobile platforms. Both web and mobile requirements enabled the need to provide efficient data querying, processing, parsing, rendering and scaling tasks for a security visualization. Figure. 4 shows the basic tools and libraries required to host the SvEm security visualization server-side backend.

While there are many application features to consider when designing a framework, other key features include security, data processing performance and visualization presentation clarity. These are the main concerns for our framework.

B. Security Visualization Technical Aspects

Mobile dimensions contribute to visualization designs. For example, the limitations in an iPhone 6s Plus - 1920 x 1080 pixels display, with a height of 122mm and width of 68mm as shown in Figure. 5 - indicate that our visualization designs have to set design controls. These controls include the amount
Fig. 4: SvEm Backend Design and Architecture

providing the ‘source’ of cyber-attack since most destinations are considered the victim. Despite our attribution visualization design, data collected in real case scenarios are not able to show a full-scale attribution visualization. We therefore provide predictive analytics with patterns that are able to connect dots between key identifiers of the attack for attribution at an abstract level through visualization.

2) Provenance Visualization Design: Another core design feature in this framework is effectively representing provenance from the large volume of data collected. Large volumes of data are transformed into visualization for mobile platforms, posing scalability and display space limitations. This framework utilizes attribution and provenance design with abstracts of data to alert and notify users of security events. Provenance is crucial for security experts and end-users to be aware of. Figure. 6 provides the provenance visualization design with ‘time’, ‘attack type’ and ‘source of attack’ information. This circular design targets the user’s attention span with prime focus on information presented and reduces the number of clicks/tabs to acquire further information.
Fig. 7: Helix (Spiral) Visualization Design

attention on a particular file, pattern, or group of interest with common behavior/colors, cognitively he/she perceives and builds a visual content that he/she could easily understand.

The sphere visualization design leverages the Gestalt law of Closure, where everything is perceived as being part of a whole, therefore a closed complete visualization approach. Figure. 8 shows the content of a system visualized and also highlights the technique of providing a clear simple visualization that can be scaled to fit any mobile platform display. Regardless of how many files or processes are required to be visualized, the sphere approach provides visualization where all parts are the sum of a whole.

Our grid visualization design provides a layered visual approach where new files are either visually displayed on top or in front of the grid visualization view. This design attracts the viewer’s attention to the new files/processes of interest presented. Maintaining the viewer’s attention keeps them focused while providing other alert mechanisms to relate information across to the viewer. Figure. 9 shows a sample grid design visualization with multiple layers of files and processes.

Additionally, we provide a ‘circular-layered’ design as shown in Figure. 10 which addresses multiple attributes and categorization of different files and processes. Effectiveness in this case is shown by traversing through the layers, allowing viewers to see and understand how different file systems function. The use of a layered visual approach connects various levels of information hierarchy, connecting information relationships together.

4) Threat Scoring Components: Another effective component of our SvEm framework is identifying threats and visualizing them. Our threat scoring design (Figure. 11) covers anomaly, malware and customized detection mechanisms. Datasets are filtered through test/training & ground-truth data [10] and known threat signature databases. The anomaly detection utilizes an existing algorithm which will be discussed later in our evaluation and validation section. Our ground-truth dataset consists of known pre-identified threats, user-input logs and known threat patterns & behavior schema. This provides a better controlling and monitoring environment.

C. Security Incident Entities, Relationships and Landscapes

1) Entities: Entities (En), Relationships (EnR) and Security Landscapes (SL) are core effective components of our framework. Entities refer to the following: threat actors, malicious payloads, infected IP addresses and more. These entities are the point of interest for how the SvEm effectiveness measurement theory works. Identifying these entities through visualization within the minimal time required affects the performance of our framework.

2) Entity Relationships: Entity Relationships, also known as links, are vital for our framework. The EnR functions are to connect entities together. These links also activate user-cognitive functionalities which allow a user to perceive hidden information and potential security insights.

3) Security Incident Landscapes: Security Landscapes (SL) provide the incident scope and environment for users (viewers) to control their imaginations around a certain security incident. A familiar SL helps a user to establish a conceptual boundary which enables him/her to confront a visualization with confidence.

D. Security Visualization Color Standard

It is critical to standardize the use of colors in security visualization. Large volumes of data with potentially interesting entities require simplified security visualization to enhance rapid information processing. For example, using the colors ‘red’ and ‘orange’ in the same visual space automatically creates confusion for users, therefore adding complication to the entire visualization experience. Our standardized selection
of colors as shown in Figure. 12 are: ‘red, yellow, green, blue, purple and orange’. These colors are categorized into two categories, primary and secondary groups. Our primary color choices for security visualization are red, yellow, green, and blue. The secondary group are purple and orange. These additional colors are specifically for law enforcement security visualization with concepts matching Interpol’s color-coded Notice system [1],[18]. For example, orange is only used to show illegal trafficking contents and it is regarded as an independent visualization type.

Fig. 8: Sphere Visualization Design

The color standard addresses simplicity, familiarity and the establishment of a comfortable environment with prior knowledge. From a developer’s point of view, understanding colors and matching them to security event attributes in visualization is important. This triggers the need for color management to avoid the issue of colors overlapping in representing security incidents, which can contribute to visualization misinterpretation.

E. Cognitive Requirements for Security Visualization

Information processing is a natural human role which technology cannot control. However, there are methods applied as forms of control while processing information in a given security visualization. The establishment of these controls aims at minimizing cognitive bias [13], which often leads to perception distortion, inaccurate judgement and illogical interpretations.
Fig. 10: Locky Ransomware Mobile Visualization Design

Fig. 11: Threat Scoring Mechanism Design (diagram labels: Training / Ground-Truth Dataset, Signature Database, Threat Scoring System, Anomaly Detection Mechanism, Malware Detection Mechanism, Customized Detection)

Therefore a critical design component of our SvEm framework is the establishment of cognitive psychological features in security visualization. This allows setting up requirements and tasks that users (viewers) need in order for the whole visualization experience to be effective. The requirements are: (1) cognitive load, (2) working memory load and (3) user cognition activators. In addition, psychological tasks involve: (1) attention process, (2) pre-attentive (pre-attention) process, and (3) mental (memory) effort.

From the security visualization application stand-point, cognitive ‘activators’ and ‘alert’ features are designed to create the link between viewers and the visualization presented. We refer to these activators as ‘Semi-permanent Hold’ and ‘Permanent Hold.’ Section V and the Evaluation (Section VI) section further discuss how cognition plays an important role in this framework.

Fig. 12: Security Visualization Color Standard. Legend entries:
Malicious Content: payload, event (file, process, etc.)
Suspicious Content: payload, event (file, process, etc.)
Normal Content: data traffic
Intelligence Content: tracking files, tagged files, etc.
Trafficking Content: drug trafficking, etc.
Fraud Content: currencies, account details, etc.

$$\mathrm{SvEm} = \frac{(w \ast h)/S_{vf} \ast d_n}{C_l \ast t_{me} \ast n_{clicks}} > 50\%\ (\text{Distortion}) \tag{1}$$

(SvEm) Theory for Time ($t_{svem}$) Assessment

$$\mathrm{SvEm} = \frac{(C_l \ast t_{me})}{n_{clicks} \ast S_{vf}/d_n} \le 0.25\ \text{sec(s)}\ (\text{Time}) \tag{2}$$

Where:
$w \ast h$ : Mobile Display Area (dimensions)
$S_{vf}$ : Security Visual Nodes (e.g. Infected-IP, Timestamps, etc.)
$d_n$ : n-dimensional view of security visualization
$C_l$ : Cognitive Load (Identifiable Attributes (Quantity) - Prior Knowledge)
$t_{me}$ : Memory efficiency (Effort based on Working memory - Time-base)
$n_{clicks}$ : Number of clicks on Visualization

Our SvEm theory is derived with respect to ‘distortion rate’ and ‘time’. Although the distortion pivot rate is 50%, our overall assessments are measured against a ‘high’ or ‘low’ rating to make our assessment more realistic. Factors affecting our SvEm-distortion rate are: (1) phone dimensions and resolution, (2) user knowledge and (3) the number of clicks users execute.

SvEm-time is measured against a constant: 0.25 seconds [27] - known in science and psychology research as the least minimal cognitive time required for a human to process and understand information through human perception. Thus, our overall assessments are calculated as an average and rated against many other samples.

Application performance, data processing and management techniques are implemented to enhance the final distortion and time outputs. Data representation in our application visual space is managed in order to balance hardware processing capabilities and visualization complexities.
Cognitive load ($C_l$) and working memory load ($t_{me}$) are calculated using past theorems and user studies. Our SvEm algorithm inherits existing methods and utilizes them.

B. Data Process Flow

A contributor to making our SvEm framework effective is the ability to process and manage data from our database right through to our WebGL front-end visualization. Figure. 13 presents the data flow diagram with the core component of the back-end infrastructure. Utilizing Progger, Redis, and MongoDB enables proper data flow management. High volumes of security data are pushed to the security visualization front-end with high consideration of the mobile platform used, i.e. accounting for the hardware processing power, display dimensions and resolution capabilities. This allows our ‘analysis-scripts’ to scale data accordingly for better and clearer visualization with a less complex appearance.

Based on the understanding of the data analyzed, we provide several use cases as part of our implementation and testing of our framework. A video demo of the use cases is compiled and can be viewed in the link provided: SvEm Security Visualization Use case demo.

C. Use-case 1: A Collaborative Real-time Security Visualization Application

A provenance log visualizer, VisualProgger, was built by our team to visualize provenance logs generated by Progger [21]. VisualProgger is a real-time user-centric security visualization application which facilitates visualization effectiveness through clarity, performance and the use of cognitive activators. Important security information was identified through data analytic processes with visual animations and relevant alert methods.

1) VisualProgger Features: VisualProgger provides distinctive effective security features for both real-time and static visualization as observed in a red-blue (attack - defend) team cyber challenge [10]. In a real-time visualization scenario, we created an alert system technique to capture our targeted users (viewers) with a goal to increase their attention span. We refer to this technique as ‘SvEm:cognitive-activators’:

1) ‘Semi-permanent Hold’ activator: An animated feature (shown in Figure. 14) allowing a critical (suspicious) file of interest to be pushed out from the normal visual pattern and behavior for at least 3 seconds to capture the viewer’s attention.
2) ‘Permanent Hold’ activator: A permanent colored file indicator, marking out a malicious (suspicious) file. Red or yellow is used, depending on how critical the file is.
3) ‘Critical-File Detected’ activator: This is an alert identifier to gain the viewer’s attention.
4) ‘Sound alert’ activator: An additional alert identifier to gain the viewer’s attention, particularly for color-blind people.

These SvEm:cognitive-activators are primarily used to identify and display critical security files and malicious attributes. Files and attributes within the data visualized are transformed into several security visualization representation types to provide knowledge, awareness and aid decision making.

D. Use-case 2: Locky Ransomware Visualization

The Locky Ransomware security visualization seen in Figure. 15 uses the ‘circular-layered’ design purposely to contain and maintain the user’s concentration entirely on the visualization provided. Our circular design allows mobile platforms to accommodate the data used by building visual layers on top of each other to represent classifications of libraries, processes and files within the infected system/kernel. The ability to visually see how Locky Ransomware traverses through the system in a reconnaissance step of attack to identify files (.docx, .png, .jpeg, .xlsx, etc.) before encrypting them gives the user a clear understanding of how the Ransomware works. Encrypted files are then highlighted in red to indicate that the file has been encrypted.

Encrypted files (critical files) are marked red, which allows viewers to select (mouse-over, click, etc.) them for further analysis (See Figure. 16). With these visualization effectiveness features, users are attracted and motivated to investigate while interacting with the visualization for a longer time span.

E. Use-case 3: Effective Interactions with Augmented Reality Visualization

An Augmented Reality (AR) experience for users in security visualization activates a whole new realm of experience for users. It increases the viewer’s attention span to security
Fig. 17: Augmented Reality Visualization Frontend Design
Fig. 15: A Visualization of Locky Ransomware Encrypting Files

In Figure. 17 various colored spheres representing different attack attributes are utilized to show and observe how cyber-attacks are executed in a real-time simulated cyber challenge environment. The interactive AR visualization enables users to interact with and understand the types of attacks which are executed by the red teams.
tation, (2) Back-end to Front-end data transfer performance, and (3) SvEm:cognitive-activators presentation assessment. Visualization clarity and representation testing were executed during the application development stages. These include designing predefined data nodes based on the security visualization (SCeeVis) standard. For example, the use of WebGL with a 3-dimensional visualization presentation enables a new interactive visual view for the user’s experience to process more information. The application design has allowed large volumes of data to be processed and presented in our security visualization front-end.
D. Cognitive Load Assessment

Past research in psychology has invested heavily in user studies and theoretical proofs [7],[8] that helped in understanding cognitive loads in users. From a less psychological approach, we performed a cognitive and working memory load method with the concept of linking the user’s perception with their cognition process to understand relationships between perception, cognition and the SvEm framework. These are executed when the user’s mind has the ability to perceive and apprehend objects (e.g. security visual nodes) through interactive security visualization. Thus, the process allows users to think of key words relevant to the security visual nodes presented and so enhances their perception process, which relates back to past/previous visualization experiences. This process is executed as a result of having a high working memory load/capacity in the security incident presented.

expected results. This enabled us to verify our threat detection scoring system performance. A normal action will be scored 10-80, whereas an anomaly behavior will be scored with a negative value. Likewise, suspicious files in the systems are also scanned against a stored signature-based database. Figure. 22 visually illustrates normal versus abnormal behaviors and malicious records. In addition, scanning files within the system and having a pre-configured log history helps identify known file paths. Therefore if a known or suspected file appears in another location, this file is automatically flagged with a yellow or red color. We evaluated our threat scoring system performance against the ground truth datasets, and several anomaly algorithms and malicious signatures are used as filters. Our scoring system utilizes Progger (Logging mechanism) to flag out anomalies and malicious files. Hence, ‘files of interest’ are visually represented in the following color codes: malicious (red in color), suspicious (yellow in color), intelligence tracking (blue in color) and normal legitimate data (green in color).
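
The scoring and color-coding rules described above, as an added JavaScript example that is not VisualProgger or Progger code. The event fields, hashes and sample events are constructed, and the rules marked ASSUMPTION fill in choices the paper leaves open: which of yellow or red a relocated file receives, what color an anomaly score alone maps to, and how a non-negative score outside 10-80 is treated.

```javascript
// Added example, not VisualProgger code. Field names, the sample events and
// the rules marked ASSUMPTION are constructed for illustration.

// Color codes as listed in the paper for 'files of interest'.
const COLOR = Object.freeze({
  malicious: 'red',
  suspicious: 'yellow',
  intelligence: 'blue',
  normal: 'green',
});

// The paper scores a normal action 10-80 and an anomaly with a negative value.
const NORMAL_MIN = 10;
const NORMAL_MAX = 80;

class ThreatColorizer {
  // signatures: Set of content hashes held in the signature database.
  // tracked:    Set of hashes tagged for intelligence tracking.
  constructor(signatures, tracked) {
    this.signatures = signatures;
    this.tracked = tracked;
    // Log history: hash -> { path, label } of the first sighting.
    this.history = new Map();
  }

  classify(event) {
    const verdict = this.decide(event);
    // Record the first sighting only, so later relocations compare against it.
    if (!this.history.has(event.hash)) {
      this.history.set(event.hash, { path: event.path, label: verdict.label });
    }
    return { file: event.path, ...verdict, color: COLOR[verdict.label] };
  }

  decide(event) {
    if (this.signatures.has(event.hash)) {
      return { label: 'malicious', reason: 'signature match' };
    }
    const seen = this.history.get(event.hash);
    if (seen && seen.path !== event.path) {
      // Paper: a known or suspected file in another location is flagged
      // yellow or red. ASSUMPTION: red when the earlier sighting was already
      // flagged, yellow when it was clean.
      const wasFlagged = seen.label === 'suspicious' || seen.label === 'malicious';
      return {
        label: wasFlagged ? 'malicious' : 'suspicious',
        reason: `known file moved from ${seen.path}`,
      };
    }
    if (event.score < 0) {
      // ASSUMPTION: an anomaly score on its own maps to yellow.
      return { label: 'suspicious', reason: 'anomaly score' };
    }
    if (this.tracked.has(event.hash)) {
      return { label: 'intelligence', reason: 'tagged for tracking' };
    }
    if (event.score >= NORMAL_MIN && event.score <= NORMAL_MAX) {
      return { label: 'normal', reason: 'score in normal band' };
    }
    // ASSUMPTION: the paper does not say how 0-9 or >80 is treated; fail closed.
    return { label: 'suspicious', reason: 'score outside normal band' };
  }
}

// Constructed provenance events (hashes are placeholders, not real indicators).
const SAMPLE_EVENTS = [
  { path: 'C:\\Users\\a\\report.docx', hash: 'h-report', score: 42 },
  { path: 'C:\\Temp\\report.docx', hash: 'h-report', score: 40 },
  { path: 'C:\\Users\\a\\invoice.exe', hash: 'h-known-bad', score: 55 },
  { path: 'C:\\Users\\a\\notes.txt', hash: 'h-notes', score: -3 },
  { path: 'C:\\Temp\\notes.txt', hash: 'h-notes', score: 30 },
  { path: 'C:\\Cases\\tagged.pdf', hash: 'h-tagged', score: 20 },
  { path: 'C:\\Users\\a\\odd.bin', hash: 'h-odd', score: 95 },
];

// Classify the constructed events in order, sharing one log history.
function colorizeSample() {
  const c = new ThreatColorizer(new Set(['h-known-bad']), new Set(['h-tagged']));
  return SAMPLE_EVENTS.map((e) => c.classify(e));
}

for (const r of colorizeSample()) {
  console.log(`${r.color.padEnd(6)} ${r.file}  (${r.reason})`);
}
```

The second and fifth events show why the log history matters: the same hash is scored as normal in both places, and only the change of path raises the flag.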
[Chart: SvEm-WML Observation Set.1. x-axis: Security Visual Nodes Identifier; y-axis: Time in Seconds. Series: Memory Efficiency (t_me) and Cognitive Load (Cl), each with a linear trend line. Trend-line labels shown on the chart: y = 8.7046x + 22.429 (R² = 0.7462) and y = 7.5668x + 13.235 (R² = 0.9099).]
different domains (health, finance education, etc.) - carrying out further analysis on how users interact and respond.

ACKNOWLEDGMENT

The authors wish to thank Mark A. Will, Cameron Brown, Meena Mungro, the members of Cyber Security Researchers of Waikato (CROW Lab) and the contributions of our interns [Isaiah Wong, Jia Cheng Yip, Wen Liang Goh, Xin Li Yuan] from Nanyang Polytechnic, Singapore. This project is supported by STRATUS (Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud) (https://stratus.org.nz), a science investment project funded by the New Zealand Ministry of Business, Innovation and Employment (MBIE). This work was also supported in part by the New Zealand and Pacific Scholarship Programme (NZAid).

REFERENCES

[1] M. Anderson. Policing the world: Interpol and the politics of international police co-operation. Clarendon Press Oxford, 1989.
[2] J. L. Carlson. Redis in Action. Manning Publications Co., Greenwich, CT, USA, 2013.
[3] K. Chodorow. MongoDB: The Definitive Guide: Powerful and Scalable Data Storage. O’Reilly Media, Inc., 2013.
[4] H. Choo and S. Franconeri. Enumeration of small collections violates webers law. Psychonomic bulletin & review, 21(1):93–99, 2014.
[5] J. Congote, A. Segura, L. Kabongo, A. Moreno, J. Posada, and O. Ruiz. Interactive visualization of volumetric data with webgl in real-time. In Proceedings of the 16th International Conference on 3D Web Technology, pages 137–146. ACM, 2011.
[6] EOOD and M. Angelov. 20 Impressive Examples for Learning WebGL with Three.js, Nov. 2017.
[7] C. Firestone and B. J. Scholl. Enhanced visual awareness for morality and pajamas? perception vs. memory in top-down effects. Cognition, 136:409–416, 2015.
[8] C. Firestone and B. J. Scholl. Cognition does not affect perception: Evaluating the evidence for "top-down" effects. Behavioral and brain sciences, 39, 2016.
[9] Y.-H. Fua, M. O. Ward, and E. A. Rundensteiner. Hierarchical parallel coordinates for exploration of large datasets. In Proceedings of the conference on Visualization’99: celebrating ten years, pages 43–50. IEEE Computer Society Press, 1999.
[10] J. Garae, R. K. Ko, J. Kho, S. Suwadi, M. A. Will, and M. Apperley. Visualizing the new zealand cyber security challenge for attack behaviors. In Trustcom/BigDataSE/ICESS, 2017 IEEE, pages 1123–1130. IEEE, 2017.
[11] J. Garae and R. K. L. Ko. Visualization and Data Provenance Trends in Decision Support for Cybersecurity, pages 243–270. Springer International Publishing, Cham, 2017.
[12] L. Harrison, F. Yang, S. Franconeri, and R. Chang. Ranking visualizations of correlation using weber’s law. IEEE transactions on visualization and computer graphics, 20(12):1943–1952, 2014.
[13] M. G. Haselton, D. Nettle, and D. R. Murray. The evolution of cognitive bias. The handbook of evolutionary psychology, 2005.
[14] J. Heer, F. B. Viégas, and M. Wattenberg. Voyagers and voyeurs: supporting asynchronous collaborative information visualization. In Proceedings of the SIGCHI conference on Human factors in computing systems, pages 1029–1038. ACM, 2007.
[15] V. A. C. Henmon. The time of perception as a measure of differences in sensations. Number 8. Science Press, 1906.
[16] R. V. Hogg and A. T. Craig. Introduction to mathematical statistics (5th edition). Upper Saddle River, New Jersey: Prentice Hall, 1995.
[17] W. Huang, P. Eades, and S.-H. Hong. Measuring effectiveness of graph visualizations: A cognitive load perspective. Information Visualization, 8(3):139–152, 2009.
[18] J. J. Imhoff and S. P. Cutler. Interpol: Extending law enforcement’s reach around the world. FBI L. Enforcement Bull., 67:10, 1998.
[19] A. Inselberg and B. Dimsdale. Parallel coordinates for visualizing multi-dimensional geometry. In Computer Graphics 1987, pages 25–44. Springer, 1987.
[20] M. Kay and J. Heer. Beyond weber’s law: A second look at ranking visualizations of correlation. IEEE transactions on visualization and computer graphics, 22(1):469–478, 2016.
[21] R. K. Ko and M. A. Will. Progger: an efficient, tamper-evident kernel-space logger for cloud data provenance tracking. In Cloud Computing (CLOUD), 2014 IEEE 7th International Conference on, pages 881–889. IEEE, 2014.
[22] A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srivastava. A comparative study of anomaly detection schemes in network intrusion detection. In Proceedings of the 2003 SIAM International Conference on Data Mining, pages 25–36. SIAM, 2003.
[23] K. Leung and C. Leckie. Unsupervised anomaly detection in network intrusion detection using clusters. In Proceedings of the Twenty-eighth Australasian conference on Computer Science-Volume 38, pages 333–342. Australian Computer Society, Inc., 2005.
[24] Y. K. Leung and M. D. Apperley. E3: Towards the metrication of graphical presentation techniques for large data sets. In International Conference on Human-Computer Interaction, pages 125–140. Springer, 1993.
[25] Y. Liao and V. R. Vemuri. Use of k-nearest neighbor classifier for intrusion detection. Computers & security, 21(5):439–448, 2002.
[26] P. E. McKight and J. Najab. Kruskal-wallis test. Corsini Encyclopedia of Psychology, 2010.
[27] T. Okoshi, J. Ramos, H. Nozaki, J. Nakazawa, A. K. Dey, and H. Tokuda. Attelia: Reducing user’s cognitive load due to interruptive notifications on smart phones. In Pervasive Computing and Communications (PerCom), 2015 IEEE International Conference on, pages 96–104. IEEE, 2015.
[28] T. Olsson, E. Lagerstam, T. Kärkkäinen, and K. Väänänen-Vainio-Mattila. Expected user experience of mobile augmented reality services: a user study in the context of shopping centres. Personal and ubiquitous computing, 17(2):287–304, 2013.
[29] Ö. Öztürk and D. A. Wolfe. An improved ranked set two-sample mann-whitney-wilcoxon test. Canadian Journal of Statistics, 28(1):123–135, 2000.
[30] F. Paas, J. E. Tuovinen, H. Tabbers, and P. W. Van Gerven. Cognitive load measurement as a means to advance cognitive load theory. Educational psychologist, 38(1):63–71, 2003.
[31] T. Parisi. WebGL: up and running. O’Reilly Media, Inc., 2012.
[32] P. Pirolli and S. Card. The sensemaking process and leverage points for analyst technology as identified through cognitive task analysis. In Proceedings of international conference on intelligence analysis, volume 5, pages 2–4, 2005.
[33] R. A. Rensink and G. Baldridge. The perception of correlation in scatterplots. In Computer Graphics Forum, volume 29, pages 1203–1210. Wiley Online Library, 2010.
[34] P. Saraiya, C. North, and K. Duca. An insight-based methodology for evaluating bioinformatics visualizations. IEEE transactions on visualization and computer graphics, 11(4):443–456, 2005.
[35] P. Saraiya, C. North, V. Lam, and K. A. Duca. An insight-based longitudinal study of visual analytics. IEEE Transactions on Visualization and Computer Graphics, 12(6):1511–1522, 2006.
[36] E. W. Weisstein. Bonferroni correction. 2004.
[37] M. Wertheimer. A brief introduction to gestalt, identifying key theories and principles. Psychol Forsch, 4:301–350, 1923.
[38] D. A. Wheeler and G. N. Larsen. Techniques for cyber attack attribution. Technical report, INSTITUTE FOR DEFENSE ANALYSES ALEXANDRIA VA, 2003.
[39] J. R. Wilson and J. Carter. Node.js the right way: Practical, server-side javascript that scales. Pragmatic Bookshelf, 2013.
[40] J. S. Yi, Y.-a. Kang, J. T. Stasko, and J. A. Jacko. Understanding and characterizing insights: how do people gain insights using information visualization? In Proceedings of the 2008 Workshop on BEyond time and errors: novel evaLuation methods for Information Visualization, page 4. ACM, 2008.
[41] F. Zhou, H. B.-L. Duh, and M. Billinghurst. Trends in augmented reality tracking, interaction and display: A review of ten years of ismar. In Proceedings of the 7th IEEE/ACM International Symposium on Mixed and Augmented Reality, pages 193–202. IEEE Computer Society, 2008.