1 Introduction

Cyberattacks, in all their many forms, can threaten the underpinnings of society. Antivirus software is a type of security technology that functions in an invisible world (i.e., the background) to analyze operations, discover anomalies, and eliminate the related viruses. Visualization of security technology [1] enables intuitive understanding of virus-induced anomalies by rendering virus-peculiar behavior recognizable to humans. A typical example is the NIRVANA-Kai system developed by the National Institute of Information and Communications Technology [2] to monitor cybersecurity. The visualizations can also be used for education and training of non-specialists. However, relatively few studies have been reported on visualization, haptization, and other conversions of security technology into forms accessible to sensory perception.

Here we describe the development and investigation of a system that represents DDoS activity intuitively through a haptic display, using IP address analysis [3] with network security running in the background and assuming an attack on the Web.

2 Equipment Used

The SensAble PHANToM Omni haptic presentation device (hereafter, Omni) shown in Fig. 1 was used in this study. The system control computer had a 3.40 GHz Intel Core i7-2600 CPU and 4 GB of RAM, with Windows 7 Professional as the OS. An Imada DPS-5 digital force gauge was used as a torque meter to measure the actual force presented by the Omni. Microsoft Visual C++ 2008 was used as the development environment. OpenHaptics was used as the library for control of the Omni, and WinPcap for packet capture.

Fig. 1. PHANToM Omni.

3 System Overview

The system performs the four steps of (1) packet capture, (2) analysis, (3) drawing, and (4) haptic presentation. It automatically performs packet capture on startup, searches each packet for the IP address and time to live (TTL), and displays images for the packets on the screen. Finally, it presents the reaction to the user. The user operates the Omni to touch the virtual objects on the screen and senses the traffic amount as a response on the hand. IP packets ordinarily reach their destination after passing through fewer than 30 routers, but some have unusually long TTL values. Many of those are generated by special software, and the long TTL value may indicate occurrence of an anomalous communication. Yamada et al. have described a method of detecting malicious communications from their TTL values [3], and in our proposed system, we apply it to packet analysis for detection of malicious communication.

4 Force Threshold Measurement Experiment [13]

4.1 Method

Various studies relating to the difference necessary to distinguish between two presented forces, such as the elucidation by Weinstein and Weber [4, 5] on the relation between reference force and rate of change, have been reported, but the relation for a force-sensing haptic device such as that of the present study has remained unclear.

We therefore investigate the level of recognizable difference in this study, in which the force values are expressed in terms of the Omni “force levels” of 0.0 to 1.0, with 1.0 as the maximum force that can be presented by Omni and 0.0 as the level when no force is presented. The maximum force presented by the Omni is given as 3.0 kg·m/s² (3.0 N), and a force level of 1.0 thus represents a force of about 3.0 N.

In operating Omni, the participant grasps the Omni stylus (i.e., the pen part) and uses it to compare the size of the forces in the left and right halves of the virtual space on the screen shown in Fig. 2. The reference stimulus is displayed on one side and the comparison stimulus (4 types) on the other, in random combinations. The comparison stimulus force level is presented in increments of 0.2 in the range 0.0 to 0.8 and the reference stimulus is the center value 0.4. The participant compares the left and right force sizes and chooses between the three choices of “both about the same”, “stronger on the left”, and “stronger on the right”, and the results are analyzed [6].

Fig. 2. Force threshold measurement screen.

4.2 Results

Table 1 shows the experimental results for 14 male participants aged 18 to 21, with \( a \) as the reference stimulus and \( x_{i} \) as the comparison stimulus. Figure 3 shows these results in terms of maximum likelihood, and Table 2 shows the obtained parameter values.

Table 1. Force threshold measurement results.

Fig. 3. Result of maximum likelihood method.

Table 2. Force threshold parameters.

Figure 3 shows a graphical representation of the results with the data points plotted along the horizontal axis for the presented comparison stimulus and along the vertical axis for the probability distribution (determination ratio), and thus the determination probabilities for the parameter values.

As this shows, nearly all the participants recognized a difference in force size in all cases except where the reference stimulus in Table 1 was presented on both sides. The analysis results indicate the determination criterion c was 0.056, and thus that a difference of 0.2 between two stimuli is sufficient for good discrimination between them, so we used increments of 0.2 in the constructed system and related the resulting values to the differences in traffic amount for their recognition.

5 System Prototype

5.1 Calculation of Traffic Volume

The system prototype presents a reaction force corresponding to the results of the IP packet analysis and traffic amount, with the packet amount calculated as follows.

We measure the total outflow n (bytes) of the traffic each minute and calculate the mean traffic amount in that minute. We first investigate the IP address recorded in the IP header of the arriving packet. If this address has already been recorded, then we add the packet length in the IP header to the packet buffer of that IP address. If not, then we record this new IP address and initialize the packet buffer with the packet length. This operation is repeated for 1 min. At the end of 1 min, we add the previous packet buffer mean multiplied by the number of data n and the newest packet buffer, divide by n + 1, and take the result as the new average. We next divide the newest packet buffer by the average and change the presented force by the resulting value. The calculation algorithm is as follows.

\( S_{n} \): sum from 0 to n; \( \bar{x}_{n} \): mean from 0 to n; \( \bar{x}_{n + 1} \): mean from 0 to n + 1.

$$ \begin{aligned} S_{n} & = \sum\limits_{0}^{n} {x_{i} } \\ \bar{x}_{n} & = \frac{{S_{n} }}{n} = \frac{{\sum\limits_{0}^{n} {x_{i} } }}{n} \\ \bar{x}_{n + 1} & = \frac{{S_{n + 1} }}{n + 1} = \frac{{\sum\limits_{0}^{n} {x_{i} + x_{n + 1} } }}{n + 1} = \frac{{n \times \bar{x}_{n} + x_{n + 1} }}{n + 1} \\ \end{aligned} $$

5.2 Traffic Display System

The operating screen in the prototype system is as shown in Fig. 4, with the personal computer that controls the system being represented at the center and lines representing LANs extending radially from the computer with the IP address of each nearby. The blue triangular pyramid is the pointer, which is moved freely by the user. In this figure, the system is performing automatic packet capture.

Fig. 4. Prototype system operating screen. (Color figure online)

The traffic amount on each line can be sensed by the user as a force by touching the line with the Omni stylus while depressing the stylus button. The line color changes from blue through yellow to red with increasing traffic volume, thus reflecting the emotional color meaning [7] in a manner analogous to temperature change. The system shows the line of a packet with 30 or more hops in red, as an anomalous packet. The relation between the assessed traffic amount, the line color, and the force level is shown in Table 3.

Table 3. Traffic assessment, line color, and force level.

The system algorithm flow begins with packet capture, followed by reading of the IP address, packet length, and TTL from the IP header and then by determination of whether that IP address has already been recorded from the dataset holding recorded IP addresses, total traffic amounts, and hop numbers. If it has, then that packet length is added to the total traffic amount, and if it has not, then a new dataset is constructed, the IP address is recorded, and the packet length is added to the total traffic amount. The hop number is next calculated from the TTL value and if it exceeds 30, then 1 is added to the hop number in the dataset. This is repeated, and at 1 min, the top 6 cases of total traffic amount are displayed in descending order. If the hop number of the dataset is 1 or more, then the hop number of 30 or more in Table 3 is applied. The dataset is written to the text file as a log and then initialized. The process is repeated thereafter.
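An added example, not the authors' code (the paper's Visual C++ source is not on the page): the per-minute accounting described in Sects. 5.1 and 5.2, written in C over raw IPv4 headers. Assumptions: the hop count is estimated as the nearest common initial TTL (32, 64, 128, 255) minus the observed TTL, one running mean is kept per source address across minutes, and every name and both sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HOSTS 64
#define TOP_N 6       /* page: the top 6 addresses are drawn each minute */
#define HOP_LIMIT 30  /* page: 30 or more hops is shown as anomalous */
typedef struct {
    uint32_t src;           /* source address, host byte order */
    uint64_t bytes;         /* "packet buffer": IP total length summed this minute */
    unsigned long_hops, n;  /* long-hop packets this minute; minutes folded into mean */
    double mean;            /* assumption: one running mean kept per source address */
} host_rec;
typedef struct { uint32_t src; uint64_t bytes; double ratio; int anomalous; } report;
typedef struct { host_rec hosts[MAX_HOSTS]; size_t count; } monitor;

/* Sect. 5.1 recurrence: mean_{n+1} = (n * mean_n + x_{n+1}) / (n + 1). */
double update_mean(double mean, unsigned n, double x) { return (n * mean + x) / (n + 1.0); }

/* Assumption: the sender started from the nearest common initial TTL at or above ttl. */
int hops_from_ttl(uint8_t ttl) {
    int initial = ttl <= 32 ? 32 : ttl <= 64 ? 64 : ttl <= 128 ? 128 : 255;
    return initial - ttl;
}

/* ip points at the IPv4 header. Returns 0, or -1 if malformed or the table is full. */
int add_packet(monitor *m, const uint8_t *ip, size_t len) {
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    uint32_t ihl = (ip[0] & 0x0fu) * 4u, total = ((uint32_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl) return -1;
    uint32_t src = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
                   ((uint32_t)ip[14] << 8) | ip[15];
    size_t i = 0;
    while (i < m->count && m->hosts[i].src != src) i++;
    if (i == m->count) {                       /* first packet from this address */
        if (i == MAX_HOSTS) return -1;
        m->hosts[m->count++] = (host_rec){.src = src};
    }
    m->hosts[i].bytes += total;
    if (hops_from_ttl(ip[8]) >= HOP_LIMIT) m->hosts[i].long_hops++;
    return 0;
}

static int by_bytes_desc(const void *a, const void *b) {
    uint64_t x = ((const report *)a)->bytes, y = ((const report *)b)->bytes;
    return (x < y) - (x > y);
}

/* Ends the minute: updates each mean, writes up to TOP_N reports, resets counters. */
size_t close_minute(monitor *m, report *out) {
    report all[MAX_HOSTS];
    for (size_t i = 0; i < m->count; i++) {
        host_rec *h = &m->hosts[i];
        h->mean = update_mean(h->mean, h->n++, (double)h->bytes);
        all[i] = (report){h->src, h->bytes, (double)h->bytes / h->mean, h->long_hops > 0};
        h->bytes = 0; h->long_hops = 0;
    }
    qsort(all, m->count, sizeof all[0], by_bytes_desc);
    size_t k = m->count < TOP_N ? m->count : TOP_N;
    memcpy(out, all, k * sizeof all[0]);
    return k;
}

/* Constructed headers (not captured traffic): total length 1500, TTL 52 and TTL 33. */
const uint8_t PKT_A[20] = {0x45, 0, 0x05, 0xdc, 0, 0, 0, 0, 52, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 99};
const uint8_t PKT_B[20] = {0x45, 0, 0x05, 0xdc, 0, 0, 0, 0, 33, 6, 0, 0, 198, 51, 100, 7, 192, 0, 2, 99};
int main(void) {
    static monitor m; report top[TOP_N];
    add_packet(&m, PKT_A, 20); add_packet(&m, PKT_B, 20); add_packet(&m, PKT_B, 20);
    for (size_t i = 0, k = close_minute(&m, top); i < k; i++)
        printf("%08lx bytes=%llu ratio=%.2f long_hops=%d\n", (unsigned long)top[i].src,
               (unsigned long long)top[i].bytes, top[i].ratio, top[i].anomalous);
    return 0;
}
```

With spoofed source addresses a fixed-size table fills quickly and `add_packet` then returns -1, so a deployment would need eviction or an overflow bucket to keep counting.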

In the next step, the system displays the traffic amounts on a two-dimensional day–time plane as shown in Fig. 5, with the colors in the figure changing with the traffic amount as shown in Table 3. This change to an algorithm with a two-dimensional day–time display facilitates the detection of anomalous behavior by comparison with the most recent traffic amount.

Fig. 5. Day–time plane.

5.3 Improvement and Attendant Modification

Figure 6 shows the improved version of the system operation screen. In this improved version, the computer is again located in the center of the screen, but blocks are used to show the traffic amount at given times. The blue cone is the pointer moved by the user. The IP address is shown near the trailing edge of the block.

Fig. 6. Improved system operation screen.

In this way, each block provides a summary of the traffic amount for a given time and enables comparison with the previous and subsequent times, and the user can feel the force of a given block by touching it with the stylus. The block stacking for each day enables comparison of the time on a given day with the same time on the previous two days.

The use of blocks instead of lines to present the haptic sensation posed a new problem that required resolution before adoption of the improved version. If the force was presented instantaneously when the stylus touched the block, then in many cases the force was sufficient to cause immediate recoil from the block and disappearance of the presented force, resulting in an instantly vanishing force sensation.

To resolve this problem, we modified the force presentation so that it is weak near the block surface, increases with proximity to the block center, and reaches full strength for that block near its center. For maximum ease of use, we investigated the optimum proportion of the block for this force change, by measuring the threshold relative to the block proportion.

In this measurement, we had the participant grasp the Omni stylus and use it to touch two blocks in a virtual space, and compared block proportions containing the force change. Figure 7 shows the program execution screen in this experiment. The reference stimulus was presented in the block on one side. In the other block, four comparison stimuli and five reference stimuli were presented at random. In the change portion, changes in presented force ratio of 1/4, 1/3, 1/2, 2/3, and 3/4 between the block surface and the maximum value were compared. The value 1/2 was taken as the reference stimulus and the others were taken as comparison stimuli. Figure 8 shows the relation between the block and the change portion. We first confirmed that differences in the comparison targets could be perceived and then had each participant compare the left and right changes and select one of the two-choice responses: “the left change is sharper” or “the right change is sharper”. The participants were three men aged 18 to 21, with 5 iterations for each participant.

Fig. 7. Screen for execution of the change portion measurement program.

Fig. 8. Relation between block and change portion.

5.4 Results of Change Portion Threshold Measurement

Table 4 shows the measurement results, in terms of the number of answers given. As in Sect. 4.2, \( a \) is the reference stimulus and \( x_{i} \) is the comparison stimulus. Figure 9 shows the maximum likelihood derived from these results, with the horizontal axis representing the stimulus strength and the vertical axis representing the number of correct answers.

Table 4. Results of determination of proportion threshold in change portion.

Fig. 9. Result of maximum likelihood method.

The reference stimulus was 1/2 and the point of subjective equality (PSE) was 0.55, thus showing only a slight error in the PSE relative to the reference stimulus. The range of stimuli deemed equivalent to the PSE was 0.41 to 0.69. Stimuli outside this range will therefore be deemed nonequivalent.

5.5 Optimum Decision by Analytic Hierarchy Process (AHP)

The results of this experiment indicate that a difference of 0.2 or more is sufficient for recognition of the difference in the change portion. To select the optimum value, we therefore performed pairwise comparison of differences increasing or decreasing in increments of 0.2 centered on the reference stimulus of 1/2 and thus comprising 0.3, 0.5, and 0.7, with decision by AHP.

Although AHP is generally used for ambiguous decisions, it is also used for decisions on human sensation amount and haptic sensation [8,9,10], which are considered mainly as ranking of determinations, and it was applied in this experiment in the same light. Two blocks were presented, and the stimuli were compared pairwise. Each participant then responded to the question of which was easier to use and to what degree on a scale of 1 to 9.

The participants were three men (A, B, and C) aged 18 to 21, and the results shown in Table 4 were obtained. Determination was made by AHP based on the criterion index (CI). A determination is used if the CI is 0.1 or less, or for practical operation, 0.15 or less. We accordingly concluded that the changes can be ranked for each difference of 0.2, and here regarded the application of a value of 0.2 or more as appropriate for ranking sensation amount and decided to perform the design with 0.5 as the difference. Table 5 shows the results.

Table 5. Results of optimum decision by AHP.

5.6 Conversion of Force Level

5.6.1 Investigation of Presented Frictional Force

To date, the presented stimuli in experiments have been considered mainly as frictional forces, which might be regarded as not representative of the normal force. The PHANToM operating sensation and observations during the experiment, however, provide experiential evidence of close mutuality between the sensation of force pushing down on the plane of virtual space and the sensation of frictional resistance. In contrast, the experiments to date have indicated that a difference existed between the value settings on the PHANToM when treated as a coefficient of friction and the coefficient of friction actually presented by the PHANToM.

No description relating to this difference is given in the control program OpenHaptics™ toolkit v3.0 reference documents, and there is no detailed specification of parameters of the friction sensation presentation other than that “0 represents no presentation and 1 is the maximum value that can be presented by the machine.” To clarify the relation between these set values and the values actually presented, we therefore investigated the coefficient of friction values in the actual presentation by the PHANToM.

5.6.2 Experimental Method

As shown schematically in Fig. 10, we immobilized part of the PHANToM arm, to simulate the PHANToM operation by the participant, by suspending a weight from its stylus and connecting it to a force gauge with kite string (No. 8). The force gauge was used to pull the stylus at a constant speed, thus reproducing the participant’s experimental operation of the PHANToM and the resulting frictional force sensation of the participant, as well as to measure the frictional force. The suspended weight itself was 0.2 kg and the total weight including the 0.029 kg of the material used to immobilize the arm and the 0.042 kg of the stylus component on the arm was 0.271 kg.

Fig. 10. Configuration in force level conversion experiment.

To determine the relation between the value setting on the PHANToM (the “setting”) and the frictional force obtained from the force gauge measurement, we measured the normal force of the weight with the configuration shown in Fig. 10 and calculated the coefficient of friction from that value.

The measurements were made with settings for 0.0 to 1.0 in increments of 0.1 on the PHANToM, with reference to the PHANToM specification of the definition in the Sensable OpenHaptics™ API Reference Manual of 0 as the setting with no force presented and 1 as the maximum possible force presentation of the machine.

The measurement was performed 12 times at each setting but the maximum and minimum obtained values were excluded as possible measurement errors, and the results of 10 measurements for each setting were therefore used in the calculation. It was also considered that the minimum measured value of 0.0 might not be correct at the minimum setting at which no force is presented, and that measurement for 1.0, involving the maximum force that can be presented by the PHANToM, might lead to system breakage.

In the calculation from these measurement results, we applied the formula

$$ \text{frictional}\;\text{force} = \text{coefficient}\;\text{of}\;\text{friction} \times \text{normal}\;\text{force}, $$

to investigate the actual values handled by the haptic device.

5.6.3 Experimental Results

The measurement results are shown in Table 6 and graphically in Fig. 11. As noted above, the setting values are those that can be entered on the PHANToM, and the measurement results are the mean values of the measurements with the force gauge excluding the maximum and minimum measured values, and the coefficient of friction was calculated from the resulting values and the suspended weight.

Table 6. Frictional forces presented by the PHANToM.

Fig. 11. Relation between settings and coefficients of friction.

These results show that the relation between the settings and the coefficients of friction is not linear, and we therefore applied approximation (Fig. 12).

Fig. 12. Measurement results and quadratic approximation.

Comparison of the approximation and the measurement results shows that the approximation curve fits within the range of measurement error, and thus that the approximation is correct. The equation obtained by the approximation is

$$ {\text{M}} = 0.042{\text{p}}^{2} + 0.0045{\text{p}} + 0.0236, \tag{1} $$

where M represents the value of the coefficient of friction actually presented and p represents the values of 0.0 to 1.0 with the setting entries on the PHANToM. With the experiment described above performed using the parameter \( {\text{F}}^{{\prime }} \) defined as the product of p and 7.9, the maximum value that can be presented by the PHANToM DeskTop, the relation \( {\text{p}} = {\text{F}}^{{\prime }} /7.9 \) can therefore be applied to use the actually presented coefficient of friction as the variable.

5.6.4 Investigation

These experimental results show the relation between frictional sensation in the presentation by the PHANToM DeskTop and the setting in the application. Applying Eq. (1) to the experimental results therefore enables investigation of the human sensation induced with the haptic device using values closer to the actual values. It is difficult for humans to recognize changes in frictional sensation with stimulus increments of 0.4 N or less, which by Eq. (1) corresponds to an actual coefficient of friction of about 0.23. Observations during the experiment showed that the force (normal force) applied by the humans pushing on the surface to perceive a frictional sensation using the haptic device was about 1.5 N. This is near the pen pressure generally applied by healthy individuals, and thus indicates that no large difference from pen pressure occurs even when pressing on a virtual space. Taken together, the results showed that a change of 0.3 N or more is necessary for sensing a change in the frictional force presented by the haptic device.

5.6.5 Application to the Proposed System

To facilitate the use of various haptic devices, we converted the presented force to newtons (N) in the MKS unit system, a common unit system. In the experimental method for this purpose, the device [11] was installed in the configuration shown schematically in Fig. 10, force changes were applied in increments of 0.1 from 0 to 1.0 by the Omni control program variable with 12 measurement repetitions, and the mean value was calculated from the measurement results exclusive of the maximum and the minimum.

The experimental results are shown in Fig. 13. In the third-order approximation, the error remained within 5%, suggesting that the haptic force presented by the Omni indirect drive is nonlinear due to displacements generated by the drive, and thus follows a characteristic curve resembling a third-order approximation.

Fig. 13. Relation between force and force level.

6 System Specification

We applied these experimental results to redefine the system specification. As modified thereby, the system performs packet capture automatically after start-up, writes the top 6 cases of IP addresses having the largest traffic amount in 1 min in the order of descending traffic amount, and draws blocks colored in correspondence with those amounts. When the user touches a block with the pointer, it presents the force corresponding to that traffic amount. The process is then repeated. The relation between the traffic amount and the presented force is determined by comparison with the average from the time of system start-up and the size of the divergence, as in the Nakajima et al. method of network anomaly detection [12]. Table 7 shows the relation between the traffic amount, block color, and force level after modification of the prototype system.

Table 7. Traffic amount, color, and force level relation.

The modifications of the prototype system are essentially as follows.

  • Blocks are used instead of lines to present force.

  • A new block is added once every 1 min instead of renewing the force represented by each line every 10 s.

With a block used to present the haptic sensation, in touching it, the pointer would become partially or wholly invisible to the user if the block were completely impenetrable. We therefore instead used semi-impenetrable blocks to make the pointer portion behind the block visible as shown in Fig. 14 and thus facilitate understanding of its location by the user.

Fig. 14. Before and after penetrability modification.

With the maximum force level of 1.0, which is the maximum possible on Omni, operation could not be performed and it was therefore excluded. A slight force presentation was used for the minimum value, since a minimum value of 0.0 would represent an empty space in which no force can be applied.

A basic reason for use of Omni in this system is that it allows the use of a mouse to zoom and rotate the display in the operation, which facilitates positioning of the reference base on the screen.

7 Conclusions

The results indicate this system can show communication amounts and malicious packets intuitively via Omni and that, with the improved version, it can be effectively used as whitelist filtering software through comparison of communications by their day and time based on human haptic sensing. The method can be used to pass only communications approved in advance and block all others, but as applied here, it can also focus on communication amount and block any communication with an amount exceeding a basic standard. In this way, it is expected to provide a tool for general users of ordinary personal computers to learn the need for security technology and understand its importance, required reliability, and other essential aspects, as well as to aid the search for defensive methods in regard to the Internet.

The experimental results also showed that third-order curve force levels and the MKS unit system can be adopted in the system, and thus that we have been able to construct a system that can run with haptic devices other than Omni and can therefore be used more widely.

We plan to add functions enabling classification not only by IP address but also by port number, and switching between transmission and receiving amounts.