Elsevier

Displays

Volume 47, April 2017, Pages 12-24
Sonification of a network’s self-organized criticality for real-time situational awareness

https://doi.org/10.1016/j.displa.2016.05.002

Abstract

Communication networks involve the transmission and reception of large volumes of data. Research indicates that network traffic volumes will continue to increase. These traffic volumes will be unprecedented and the behaviour of global information infrastructures when dealing with these data volumes is unknown. It has been shown that complex systems (including computer networks) exhibit self-organized criticality under certain conditions. Given the possibility in such systems of a sudden and spontaneous system reset, the development of techniques to inform system administrators of this behaviour could be beneficial. This article focuses on the combination of two dissimilar research concepts, namely sonification (a form of auditory display) and self-organized criticality (SOC). A system is described that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators of both normal and abnormal network traffic and operation. It is shown how the system makes changes in a system’s SOC readily perceptible. Implications for how such a system may support real-time situational awareness and post hoc incident analysis are discussed.

Introduction

With the large volumes of traffic passing across networks it is important to know about the state of the various components involved (servers, routers, switches, firewalls, computers, network-attached storage devices, etc.) and the types and volume of the data traffic passing through the network. In the case of the hardware, network administrators need to know if a component has failed or is approaching some capacity threshold (e.g., a server has crashed, a hard drive has become full, etc.) so that appropriate action can be taken. Likewise, the administrators need to be aware of traffic type and flow. For example, a large increase in traffic volume (perhaps as would occur if the network were to broadcast a live stream of a major sporting event) might require extra servers to be brought online to handle and balance the load. A sudden increase in certain types of traffic (such as small UDP packets) might indicate that a distributed denial-of-service attack is in progress, for example, and corrective action would need to be taken to protect the network.

Given the large volume of traffic passing through a network every second in the form of data packets and the fact that each packet will be associated with particular sender and receiver IP addresses and port numbers, understanding what is happening to a network requires information about the traffic data to be aggregated and presented to the network administrator in an easy-to-understand way. This problem of information presentation and interpretation, or ‘situational awareness’, was addressed by the military leading to Boyd’s OODA (observe, orient, decide, act) model (see [1]), and others have followed (notably Endsley’s three-level model [2]). Situational awareness, as Cooke put it, “requires that various pieces of information be connected in space and time” (Nancy Cooke in McNeese [3]).

Computer networks possess high tempo and granularity but with low visibility and tangibility. Administrators rely on complex data feeds which typically need translation into language that can be understood by decision makers. Each layer of analytical tools that is added can increase the margin for error as well as adding Clausewitzian friction (see von Clausewitz’s ‘On War’, 1873). Furthermore, it is practically impossible for most administrators to watch complex visual data feeds concurrently with other activity without quickly losing effectiveness [4].

In military circles there is debate about whether cyberspace has become the fifth warfighting domain (the others being sea, land, air, and space) [4]. Computer networks are increasingly coming under strain both from adversarial attacks (warfighting in military parlance) and from load and traffic pressures (e.g., increased demand on web services).

Another term that has made its way from the military lexicon into the wider world of network administration is situational awareness. Endsley [2, p. 36] defined situational awareness (SA) as the “perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future”. So, SA facilitates an administrator in becoming aware of a network’s current state. The perception phase of SA comprises the recognition of situational events and their subsequent identification. Sonification is a process of computational perceptualisation which Vickers [5] suggested is well suited to the monitoring of time-dependent processes and phenomena such as computer networks.

Fairfax et al. [4] noted that the cyber environment is increasingly being viewed as the fifth warfighting domain (alongside land, sea, air, and space). They stated the challenge for maintaining situational awareness in the cyber environment as:

…whilst land, sea, air and space are physically distinct and are defined by similar criteria, cyberspace is defined in a different way, existing on an electronic plane rather than a physical and chemical one. Some would argue that cyber space is a vein which runs through the other four warfighting domains and exists as a common component rather than as a discrete domain. One can easily see how cyber operations can easily play a significant role in land, sea, air or space warfare, due to the technology employed in each of these domains [4, p. 335].

Thus, in this environment where human perception is constrained, adversaries and protagonists alike are dependent on tools for their perception and understanding of what is going on. Many tools on which we rely for situational awareness are focused on specific detail. The peripheral vision (based on a range of senses) on which our instinctive threat models are based is very narrow when canalised by the tools we use to monitor the network environment. The majority of these tools use primarily visual cues (with the exception of alarms) to communicate situational awareness to operators. Put simply, situational awareness is the means by which protagonists in a particular environment perceive what is going on around them (including hostile, friendly, and environmental events), and understand the implications of these events in sufficient time to take appropriate action.

When network incidents occur, experience shows that the speed and accuracy of the initial response are critical to a successful resolution of the situation. Operators observe the indicators, orient themselves and their sensors to understand the problem, decide on the action to be taken, and act in a timely and decisive way. Traditional approaches to monitoring can hinder this by not making the initial indication and its context clear, thus requiring an extensive orientation stage. An ineffective initial response is consistently seen to be one of the hardest things for people to get right in practice [4]. D’Amico (see McNeese [3]) put the challenge of designing visualizations for situational awareness this way:

…visualization designers must focus on the specific role of the target user, and the stage of situational awareness the visualizations are intended to support: perception, comprehension, or projection.

While work has been carried out to use information visualization techniques on network data, we note that the perceive and comprehend stages in Endsley’s three-level situational awareness model (the third being project) [2] align themselves with Pierre Schaeffer’s two fundamental modes of musical listening, écouter (hearing, the auditory equivalent of perception) and entendre (literally ‘understanding’, the equivalent of comprehension). Vickers [6] demonstrated how Schaeffer’s musical context can be applied to sonification. This paper proposes a sonification tool as one of the means by which real-time situational awareness in network environments may be facilitated. A more detailed discussion of situational awareness and its relationship to network monitoring (specifically within a cybersecurity and warfighting context) can be found in Fairfax et al. [4].

Sonification has been applied to many different types of data analysis (for a recent and broad coverage see The Sonification Handbook [7]). One task for which it seems particularly well suited is live monitoring, as would be required in situational awareness applications [5]. The approach described in this article provides one way of addressing the challenges outlined above by enabling operators to monitor networks concurrently with other tasks using additional senses. This has the potential to increase operators’ available bandwidth without overloading individual cognitive functions, and could provide an immediate and elegant route to practical situational awareness.

It has been suggested that understanding the patterns of network traffic is essential to the analysis of a network’s survivability [8]. Typically, analysis takes place post hoc through an inspection of log files to determine what caused a crash or other network event. Lessons would be learned and counter measures put in place to prevent a re-occurrence.

For the purpose of keeping a network running smoothly, load balancing can sometimes be achieved automatically by the network itself, or alerts can be posted to trigger a manual response by the network administrators. Guo et al. [8] observed that “from the perspective of traffic engineering, understanding the network traffic pattern is essential” for the analysis of network survivability.

Often, the first the administrators know about a problem on a network is after an attack, or other destabilizing event, has taken place or the network has crashed. Here, the traffic logs would be examined to identify the causes and steps would be taken to try to protect against the same events in future. Live monitoring of network traffic assists with situational awareness and could provide administrators either with advanced warning of an impending threat or with real-time intelligence on network-threatening events in action.

Real-time network monitoring offers a challenge in that, except for alarms for discrete events, the administrator must be looking at a console screen to observe what is happening. To identify changes in traffic flow would thus require attention to be devoted to the console [4]. Vickers [5, p. 455] categorised monitoring tasks as direct, peripheral, or serendipitous-peripheral:

In a direct monitoring task we are directly engaged with the system being monitored and our attention is focused on the system as we take note of its state. In a peripheral monitoring task, our primary focus is elsewhere, our attention being diverted to the monitored system either on our own volition at intervals by scanning the system …or through being interrupted by an exceptional event signalled by the system itself.

Serendipitous-peripheral is similar to peripheral monitoring except that it uses what Mynatt et al. [9] term “serendipitous information”, that is, the information gained “is useful and appreciated but not strictly required or vital either to the task in hand or the overall goal” [5, p. 456].

Thus, a system to sonify network traffic may allow us to monitor the network in a peripheral mode, the monitoring becoming a secondary task for the operator who can carry on with some other primary activity. Network traffic is a prime candidate for sonification as it comprises series of temporally-related data which may be mapped naturally to sound, a temporal medium [5].

Gilfix and Crouch’s Peep system [10] is an early network sonification example. They used natural sounds to represent network states and events and hoped that repeated listening would enable users to build up an understanding of what normal operation of their network sounds like. The system was offered very much as a proof-of-concept and no specific guidance was given on particular ways in which Peep could be used.

Kimoto and Ohno [11] developed a network sonification system called Stetho which uses HTTP traffic data to generate MIDI events which are in turn rendered into sound by MIDI-compatible sound synthesis software. In an experiment, four participants used the system for five minutes to identify peaks in HTTP traffic. Kimoto and Ohno concluded that the system was suitable to grasp “traffic vaguely”, so like Peep there was a lack of a sense of real use cases that Stetho might support.

Ballora et al. [12], [13], [14] built on these ideas to address the particular case of situational awareness. Rather than use environmental sounds, Ballora et al. used synthesized musical instruments to represent network data as pitched tones. Using an auditory model of the network packet space they produced a “nuanced soundscape in which unexpected patterns can emerge for experienced listeners”. Their approach used the five-level JDL fusion model which is concerned with integrating multiple data streams such that situational awareness is enhanced (see Blasch and Plano [15]). Rather than focus on simple bytes and packets coming in and leaving the network, their system allowed differentiation between the geographic origin of packets (via IP addresses), and the nature of the traffic (via port numbers). However, Ballora et al. [12] noted that the high data speeds and volumes associated with computer networks can lead to unmanageable cognitive loads. Endsley and Connor (in McNeese [3]) came to the same conclusion, stating that the “extreme volume of data and the speed at which that data flows rapidly exceeds human cognitive limits and capabilities.” They concluded:

The combination of the text-based format commonly used in cyber security systems coupled with the high false alert rates can lead to analysts being overwhelmed and unable to ferret out real intrusions and attacks from the deluge of information. The Level 5 fusion process indicates that the HCI interface should provide access to and human control at each level of the fusion process, but the question is how to do so without overwhelming the analyst with the details.

Like Stetho, Giot and Courbe’s InteNtion (Interactive Network Sonification) system mapped network activity to a musical aesthetic via MIDI [16]. Four sound channels were implemented. The first three processed HTTP, FTP, and DNS traffic respectively, while the fourth channel dealt with traffic from all other protocols together. The system mapped several details of traffic properties to the parameters of the output sounds. For instance, packet size controlled the frequency of a tone while the TTL (time to live) of a datagram controlled the duration of the tone. Geographic distance (estimated from IP addresses) controlled the amount of reverberation applied to the tone. Unfortunately, no target use case was stated and no description or demonstration of the system was provided. It remains to be determined how effective this deliberate approach to consider musical aesthetics was.

Wolf and Fiebrink [17] designed the SonNet system to help users (artists or people who have an interest in network traffic information) to easily access network traffic through a simple coding interface without requiring knowledge of Internet protocols. The system used three levels of abstraction dealing with raw packet data, temporal aspects and directionality of traffic (via source and destination IP addresses, port numbers, and time since the last packet), and aggregated information over multiple packets (via packet state and flags) respectively.

The system’s default operation is to process TCP packets on port 80 (i.e., HTTP traffic), though users can select to monitor UDP traffic and traffic on all network ports if they wish. The sonification itself was left to the user to specify by writing a script to control a ChucK module.

The system was evaluated with four composers and students of music composition. The objective was to discover whether SonNet would support composers in creating a musical piece. Therefore, the target use case is quite different from the systems mentioned above which were more concerned with assisting with the monitoring of a network.

Worrall’s NetSon project [18] is a network sonification tool that aims to “sonically reveal aspects of the temporal structure of computer network data flows in a relatively large-scale organization”. The system began as an exploratory tool for an art and technology event and includes visualizations alongside the auditory output and aims to assist people with the peripheral monitoring of a network. The sonification design is not explained in detail, but it is based on using the features of raw traffic data to control various aspects of the output sound. The overall design is explained thus: “in contradistinction to much parameter mapping sonification, ‘melodic’ pitch structures are used very sparingly in favour of a diverse klangfarben (timbral) palette.”

One particular configuration of the system is described as revealing “a combination of interesting features (such as printer server activity) and load-balancing” (Worrall [18]). However, in its present version NetSon is presented as a sonification for public spaces so further work is necessary to see how well it supports specific network monitoring tasks and goals.

As seen in the work mentioned above, network sonification typically approaches the task by representing the raw traffic data (packets) or aggregated information about those packets. To address managing the complexity we propose that the study of self-organized criticality has the potential to provide a way of aggregating network behaviour and presenting the ‘health’ of the network as a simple variable, or set of related variables.

Self organized criticality in network traffic

The 20th century witnessed a number of advances in our understanding of complexity in dynamical systems. In 1987 Bak et al. [19] brought together the concept of emergent complexity in simple systems, the mathematics describing the complexity of fractals in natural systems, and the scale-invariant power laws, fractal geometries, and the pink (1/f) noise observed at the critical points between phase transitions in physical systems in a single explanatory model they termed self-organized

The SOC sonification system

A prototype SOC sonification system, socs, was designed and constructed to facilitate the real-time auditory perception of the SOC properties of network traffic. The tool was implemented using the Pure Data audio programming environment (freely available from http://puredata.info) and a custom Python script that used the Python socket library for dealing with the capture of network packets and the transmission to the tool of the log return values of the variables being monitored.

Discussion

The system was driven by a number of traffic data sets captured from live networks. Traffic data were aggregated over 1 s intervals and the number of bytes and packets sent and received per interval were fed to the socs application via the Python script. Each time a set of log return values is received the system uses the values to modulate the four respective audio channels.
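The aggregation and log-return step described in the two sections above can be sketched as follows. This is an added example, not the authors' script: the record layout, the `LOCAL_NET` range, the floor of 1 applied to empty intervals, and the semicolon-terminated message format (the text form Pure Data's `netreceive` object parses) are all assumptions made for illustration.

```python
import ipaddress
import math

# Assumption: the monitored network (an RFC 5737 documentation range).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
CHANNELS = ("bytes_sent", "bytes_recv", "pkts_sent", "pkts_recv")

# Constructed capture records: (timestamp s, source IP, destination IP, length in bytes).
SAMPLE = [
    (0.10, "192.0.2.10", "198.51.100.7", 500),
    (0.40, "198.51.100.7", "192.0.2.10", 1000),
    (1.20, "192.0.2.10", "198.51.100.7", 500),
    (1.30, "192.0.2.11", "198.51.100.7", 500),
    (1.70, "198.51.100.7", "192.0.2.10", 1000),
    # second 2 is silent; second 3 carries a burst of small inbound packets
] + [(3.0 + i * 0.1, "198.51.100.9", "192.0.2.10", 60) for i in range(8)]


def aggregate(packets, interval=1.0):
    """Sum bytes and packets sent/received per interval, keeping silent intervals."""
    bins = {}
    for ts, src, dst, length in packets:
        sent = ipaddress.ip_address(src) in LOCAL_NET
        recv = ipaddress.ip_address(dst) in LOCAL_NET
        if sent == recv:
            continue  # purely internal or unrelated traffic has no direction here
        row = bins.setdefault(int(ts // interval), dict.fromkeys(CHANNELS, 0))
        suffix = "sent" if sent else "recv"
        row["bytes_" + suffix] += length
        row["pkts_" + suffix] += 1
    if not bins:
        return []
    empty = dict.fromkeys(CHANNELS, 0)
    return [bins.get(i, dict(empty)) for i in range(min(bins), max(bins) + 1)]


def log_returns(rows, floor=1.0):
    """Log return r_t = ln(x_t / x_(t-1)) per channel between consecutive intervals.

    Counts are floored at `floor` so a silent interval does not produce
    log(0) or a division by zero (an assumption of this sketch).
    """
    return [
        {c: math.log(max(cur[c], floor) / max(prev[c], floor)) for c in CHANNELS}
        for prev, cur in zip(rows, rows[1:])
    ]


def to_fudi(ret):
    """Format one set of four log returns as a semicolon-terminated text message."""
    return " ".join(f"{ret[c]:.4f}" for c in CHANNELS) + ";\n"


if __name__ == "__main__":
    for second, ret in enumerate(log_returns(aggregate(SAMPLE)), start=1):
        print(second, to_fudi(ret), end="")
```

With the constructed sample, the silent second and the burst that follows it produce log returns several times larger in magnitude than the ordinary doubling between the first two intervals.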

When the traffic is exhibiting normal patterns small fluctuations in log return values do not lead to very noticeable

Concluding remarks

The combination of using a system’s self-organized criticality as the underlying data set for situational awareness and a tool for sonifying this SOC offers a number of potential advantages. First, because SOC is an emergent property of the network as a whole, and can be seen at different timescales, it means that one can get an impression of the overall state of a network by monitoring a relatively small number of data streams, thereby ameliorating the problems of extreme volumes and speeds of

Acknowledgements

This work was funded by the United Kingdom’s Technology Strategy Board (Innovate UK) (Grant No. BK008B). The authors gratefully acknowledge the input of Jonathan Christison, a final-year student on Northumbria University’s BSc Ethical Hacking for Computer Security, who provided assistance with constructing the Python packet sniffer. The system described in this article was the subject of UK Patent Application No. GB1205564.6.

References (30)

  • S. Valverde et al. Self-organized critical traffic in parallel computer networks. Physica A (2002)
  • K. Fukuda et al. Origin of critical behavior in ethernet traffic. Physica A (2000)
  • W.S. Angerman. Coming Full Circle with Boyd’s OODA Loop Ideas: An Analysis of Innovation Diffusion and Evolution (2004)
  • M. Endsley. Toward a theory of situation awareness in dynamic systems. Hum. Factors (1995)
  • M. McNeese. Perspectives on the role of cognition in cyber security
  • T. Fairfax et al. Network situational awareness: sonification & visualization in the cyber battlespace
  • P. Vickers. Sonification for process monitoring
  • P. Vickers. Ways of listening and modes of being: electroacoustic auditory display. J. Sonic Stud. (2012)
  • C. Guo et al. Study on the internet behavior’s activity oriented to network survivability
  • E.D. Mynatt et al. Designing audio aura
  • M. Gilfix et al. Peep (the network auralizer): monitoring your network with sound
  • M. Kimoto et al. Design and implementation of Stetho – network sonification system
  • M. Ballora et al. Preliminary steps in sonifying web log data
  • M. Ballora et al. Songs of cyberspace: an update on sonifications of network traffic to support situational awareness. Proc. SPIE (2011)

This paper was recommended for publication by Richard H.Y. So.

1 This work was done while Chris Laing was at Northumbria but he is now at sciendum.org.uk.