Evaluation of the Presentation of Network Data via Visualization Tools for Network Analysts

Report No. ARL-TR-6865
Authors: Renée E. Etoty, Dr. Robert F. Erbacher, and Dr. Christopher Garneau
Date/Pages: March 2014; 62 pages
Abstract: In response to the chaotic nature of network traffic, which makes it very difficult to differentiate normal from malicious traffic, we have designed a user study that tests the effectiveness and usefulness of tabular versus graphical displays of such data. The U.S. Army Research Laboratory's (ARL) in-house defense service providers are expert subjects, who undergo a simplified version of their computer network defense (CND) analyst tasks. We use their performance to acquire initial insights into their interpretation of display components, cognitive processes, and contextual knowledge. We quantitatively compare tabular versus graphical displays and compare their feedback with that of students, who serve as primary test subjects for developing visual displays for network monitoring. In this study, all participants act as analysts; their job is to identify evidence of compromise within a dataset of intrusion attempts on the fabricated network visually provided. We observe the participants' responses to the pattern-matching activity created by interacting with the visual displays. The design variables are the distinct graphical layouts: tabular, parallel coordinates, and node-link. The response variables are true positive and false positive rates of event identification, the time required for event identification, and the qualitative questionnaire. Results help us better understand which of the visual layouts is most effective and useful for predicting cyber attacks.
Distribution: Approved for public release
