scispace - formally typeset

Journal ArticleDOI

Sonification of a network’s self-organized criticality for real-time situational awareness

01 Apr 2017-Displays (Elsevier)-Vol. 47, pp 12-24

TL;DR: A system is described that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators of both normal and abnormal network traffic and operation.

AbstractCommunication networks involve the transmission and reception of large volumes of data. Research indicates that network traffic volumes will continue to increase. These traffic volumes will be unprecedented and the behaviour of global information infrastructures when dealing with these data volumes is unknown. It has been shown that complex systems (including computer networks) exhibit self-organized criticality under certain conditions. Given the possibility in such systems of a sudden and spontaneous system reset the development of techniques to inform system administrators of this behaviour could be beneficial. This article focuses on the combination of two dissimilar research concepts, namely sonification (a form of auditory display) and self-organized criticality (SOC). A system is described that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators of both normal and abnormal network traffic and operation. It is shown how the system makes changes in a system’s SOC readily perceptible. Implications for how such a system may support real-time situational awareness and post hoc incident analysis are discussed.

Topics: Sonification (52%), Network monitoring (52%), Situation awareness (52%), Information infrastructure (51%)

Summary (5 min read)

1. Introduction

  • With the large volumes of traffic passing across networks it is important to know about the state of the various components involved (servers, routers, switches, firewalls, computers, network-attached storage devices, etc.) and the types and volume of the data traffic passing through the network.
  • In military circles there is debate about whether cyberspace has become the fifth warfighting domain (the others being sea, land, air, and space) [4].
  • Sonification is a process of computational perceptualisation which Vickers [5] suggested is well suited to the monitoring of time-dependent processes and phenomena such as computer networks.
  • When network incidents occur experience shows that the speed and accuracy of the initial response are critical to a successful resolution of the situation.

1.1. Sonification for Network Monitoring

  • Sonification has been applied to many different types of data analysis (for a recent and broad coverage see The Sonification Handbook [7]).
  • One task for which it seems particularly well suited is live monitoring, as would be required in situational awareness applications [5].
  • It has been suggested that understanding the patterns of network traffic is essential to the analysis of a network’s survivability [8].
  • It remains to be determined how effective this deliberate approach to consider musical aesthetics was.
  • Worrall’s NetSon project [18] is a network sonification tool that aims to “sonically reveal aspects of the temporal structure of computer network data flows in a relatively large-scale organization”.

2. Self Organized Criticality in Network Traffic

  • In the case of the sandpile the external driving force is the addition of sand grains and the internal relaxation process is the avalanche.
  • Since then, SOC has been demonstrated in other natural systems such as earthquakes (in which the relaxation process can take seconds compared to the years or decades involved in the external driving force) and forest fires and has subsequently been observed in artificial systems such as stock markets and, latterly, computer networks.
  • In a wavelet analysis of the burstiness of self-similar computer network traffic Yang et al. [24] demonstrated that the avalanche volume, duration time, and the interevent time of traffic flow fluctuations obey power law distributions.
  • This supports Fukuda et al. [25]’s suggestion that that self-organized criticality could be the origin of the fluctuation of burstiness in network traffic.

2.1. Identifying and Measuring the SOC

  • SOC is not a discrete variable that can be identified and monitored directly.
  • Again the characteristic burstiness can be seen in the residuals, this time slightly more intense and regular.
  • Both figures plot the same data sets, but Figure 2(b) is a representation of the denoised residuals of normal traffic data that is also carrying malicious traffic data.
  • Firstly, at approximately 500 (x-axis) in Figure 2(b), a small amount of SOC activity can be observed ).
  • In the next section the authors describe a system for sonifying the SOC characteristics of network traffic.

3. The SOC Sonification System

  • A prototype SOC sonification system, socs, was designed and constructed to facilitate the real-time auditory perception of the SOC properties of network traffic.
  • For purposes of illustration, the example chosen here sonifies the log returns of the following time-dependent network traffic data items: number of bytes sent, number of packets sent, number of bytes received, number of packets received by the network which the authors call bs, ps, br, pr respectively.
  • (5) This may result in negative values for the log return which can be used to indicate the direction of a SOC event’s change in level (i.e., an increase in value means a step up to the next level of steady state, whilst a decrease means a step down).
  • In addition, all values can be squared with the sign retained or discarded.
  • The Python script calculates the log return values and feeds them as input to the sonification engine.

3.1. Sonification Parameters

  • There are many possible mappings between the input data values and the various parameters that affect the audio.
  • This may be done by increasing/decreasing the amplitude, altering a sound’s position in a sound field (e.g., left-right pan in a stereo field, front/back/left/right in a surround-sound field, or front/back/left/right and azimuth in a full threedimensional sound field), altering the sound’s phase, or altering its spectral characteristics (e.g., by changing the parameters of a filter).
  • The following sections describe the processes that were used in the system.

3.1.1. Scaling

  • Therefore, it was necessary to scale all incoming data so a scaler module was built that takes four arguments: the minimum and maximum values of the input range and the minimum and maximum of the desired output range.
  • Any any value received on the scaler’s input is converted to a corresponding value in the specified output range.

3.1.2. Amplitude Control

  • An amplitude control module was constructed that adjusts the amplitude, or level, of the output sound according to the value of the module’s input variable, in this case, the log return values.
  • The lower the log return value the quieter the sound, the higher it is the louder the sound that is played back.
  • Thus, the real-time monitoring of the network leads to constant fluctuations in the amplitude of the output, but only large changes in level are readily perceived.

3.1.3. Filtering

  • There are several ways that the spectral characteristics of an audio signal may be processed, each of which will cause a change in the timbre of the audio.
  • The advantage of a biquad filter is that it offers a richer set of filtering options than a single type of dedicated (e.g., band pass) filter and its coefficients can be altered in run time to changed the sound processing in real time.
  • The higher the resonance the wider the band of frequencies that are allowed to pass through.
  • The choice of filter depends on the kinds of sounds being loaded into the system.
  • The filter’s initial parameters are hard-coded into the loopChannel3 sub patch to best fit the sonic material being used but ultimately it is intended to expose this functionality to the end user.

3.1.4. Sampled and Synthesized Voices

  • Because the prototype system monitored four variables four voices or channels were used, one per variable.
  • The loop playback method incorporates a sub patch designed by Farnell [29] which loads a wave audio file and plays it continuously, restarting it when it reaches the end.
  • Thus, the log return value of each data stream is used to modulate the corresponding voice.
  • In the version described here, the channels contained different sounds that combined to make a countryside soundscape.
  • Any wave files can be loaded into the system.

3.2. System Architecture

  • Figure 3 shows the architecture of the sonification design used for sonifying four data streams.
  • Network traffic is captured from a log file or a live packet sniffer program by the custom Python script, also known as 1. Capture network traffic.
  • Modulates the amplitude of the voice by the log return value, also known as 5. Amplitude control.
  • The four audio channels are combined into a single stereo output which is then sent to the audio system of the host computer.
  • The channel processing section contains four similar units: three for dealing with audio loop playback and one for dealing with synthesized tone playback.

4. Discussion

  • The system was driven by a number of traffic data sets captured from live networks.
  • Traffic data were aggregated over 1 s intervals and the number of bytes and packets sent and received per interval were fed to the socs application via the Python script.
  • Each time a set of log return values is received the system uses the values to modulate the four respective audio channels.
  • Using the mappings described above one hears a soundscape comprising the combination of sounds described above.
  • When one or more very large log returns occur (such as would be expected during a dynamic system relaxation event) the corresponding soundscape experiences a very noticeable change: the amplitude varies greatly and the timbre alters as filters are adjusted .

4.1. Audio examples

  • Audio files demonstrating the system output can be found in the project repository [28].
  • Running the Python script at different playback rates and with signed, unsigned, and squared log return values leads to different auditory outputs.
  • Running the system using signed log returns (the system default) reveals that the traffic spikes shown in Fig. 5 are both negative.
  • This renders all large changes as positive spikes which results in all spikes being heard as large increases in amplitude and filtering effects.
  • In the audio file multiSpike 1s.wav the negative spikes are clearly heard as gaps in the soundscape whilst the positive spike is very audible, particularly in the wind sound which represents the received bytes variable.

4.2. The Situational Awareness Loop

  • On hearing an events such as described above (situational awareness level 1— Perception) the network aministrator would be drawn to inspecting the state of the network (situational awareness level 2 — Comprehension) to decide whether any action needs to be taken (situational awareness level 3 — Projection).
  • After deciding what action to take (level 3) then comes the stage of managing the action, which itself requires situational awareness as actions are taken to address the situation.
  • Some of these events may go unnoticed by the administrator (if, for example, they left the monitoring station for a short period of time) but individual events are not a matter of great concern.
  • What will be of particular interest is when there is an extended series of repeated high log return values which might indicate growing instability in the network.

4.3. Timescales

  • The system was run with log return intervals of 1 s and 20 ms.
  • The running of the socs system at a higher rate than the traffic data’s initial sample rate allowed historical feeds to be listened to post-hoc in a manner analogous to spooling quickly through an audio tape (the main difference being that there is no consequent alteration of pitch).
  • This means that logs can be auditioned quickly and interesting areas of activity spotted.
  • This is useful for post-incident investigations and means that the system can be used for more than live monitoring.
  • The Python script can be supplied with run-time arguments to focus on certain sections of the traffic data, and/or to slow down playback once a particular point is reached.

5. Concluding Remarks

  • The combination of using a system’s self-organized criticality as the underlying data set for situational awareness and a tool for sonifying this SOC offers a number of potential advantages.
  • While the work described here focused on the traditional traffic metrics of bytes and packets sent and received, it is important to explore what other variables and characteristics are implicated in a network’s SOC and this is the subject of ongoing work.
  • The underlying system architecture promotes interactivity by letting the user select the combination of incoming data streams to be sonified and the sonic balance of the auditory streams.
  • A tangible user interface object (e.g., a cube) with a fiducial marker on its bottom surface is placed above the router.
  • In this way the administrator can gain intelligence about the state of the network in a hands-on way.

Did you find this useful? Give us your feedback

...read more

Content maybe subject to copyright    Report


        !"#$% &' 
()&*+,-*&.(/0-1$//
#!*!1/2&&"#1#*345!
-67
8 99/9#"/#"#:9;//!"#:/"</""!
=99/9#"/#"#:9;//!"#:/"</""!>
 7 ( (    
99///999!:$<<9
87-7 %
87-?/-@
-7 %9-(/&
-7-
-**'
(     7      
7(-98/
-(-/--
(-/ -
799///9/
-A'7
7(/9
7   7 ? ( 
-B/%

Sonification of a Network’s Self-Organized Criticality for Real-time Situational
Awareness
Paul Vickers
a,
, Chris Laing
b,1
, Tom Fairfax
c
a
Northumbria University, Newcastle upon Tyne NE1 8ST, United Kingdom
b
Sciendum Ltd, 20-22 Wenlock Road, London, N1 7GU, UK
c
SRM Solutions, The Grainger Suite, Dobson House, Regent Centre, Gosforth, Newcastle upon Tyne, NE3 3PF, UK
Abstract
Communication networks involve the transmission and reception of large volumes of data. Research indicates that
network trac volumes will continue to increase. These trac volumes will be unprecedented and the behaviour
of global information infrastructures when dealing with these data volumes is unknown. It has been shown that
complex systems (including computer networks) exhibit self-organized criticality under certain conditions. Given the
possibility in such systems of a sudden and spontaneous system reset the development of techniques to inform system
administrators of this behavior could be beneficial. This article focuses on the combination of two dissimilar research
concepts, namely sonification (a form of auditory display) and self-organized criticality (SOC). A system is described
that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators
of both normal and abnormal network trac and operation. It is shown how the system makes changes in a system’s
SOC readily perceptible. Implications for how such a system may support real-time situational awareness and post-
hoc incident analysis are discussed.
Keywords: Auditory Display, Sonification, Information Visualization, Self-Organized Criticality, Network
Monitoring
1. Introduction
With the large volumes of trac passing across net-
works it is important to know about the state of the var-
ious components involved (servers, routers, switches,
firewalls, computers, network-attached storage devices,
etc.) and the types and volume of the data trac passing
through the network. In the case of the hardware, net-
work administrators need to know if a component has
failed or is approaching some capacity threshold (e.g.,
a server has crashed, a hard drive has become full, etc.)
so that appropriate action can be taken. Likewise, the
administrators need to be aware of trac type and flow.
For example, a large increase in trac volume (perhaps
as would occur if the network were to broadcast a live
stream of a major sporting event) might require extra
Corresponding author
Email addresses: paul.vickers@northumbria.ac.uk (Paul
Vickers), christopher.laing@sciendum.org.uk (Chris Laing),
tom.fairfax@srm-solutions.com (Tom Fairfax)
1
This work was done while Chris Laing was at Northumbria but
he is now at sciendum.org.uk.
servers to be brought online to handle and balance the
load. A sudden increase in certain types of trac (such
as small UDP packets) might indicate that a distributed
denial-of-service attack is in progress, for example, and
corrective action would need to be taken to protect the
network.
2
Given the large volume of trac passing through a
network every second in the form of data packets and
the fact that each packet will be associated with par-
ticular sender and receiver IP addresses and port num-
bers, understanding what is happening to a network re-
quires information about the trac data to be aggre-
gated and presented to the network administrator in an
easy-to-understand way. This problem of information
presentation and interpretation, or ‘situational aware-
ness’, was addressed by the military leading to Boyd’s
OODA (observe, orient, decide, act) model (see [1]),
2
UDP, or user datagram protocol, is a way of sending internet
packets without handshaking. It means that packets can be lost, but in
some real-time systems (e.g., online gaming) it is preferable to lose a
packet than to wait for a delayed one.
Preprint submitted to Displays April 18, 2016

and others have followed (notably Endsley’s three-level
model [2]). Situational awareness, as Cook put it, “re-
quires that various pieces of information be connected
in space and time” (Nancy Cooke in McNeese [3]).
Computer networks possess high tempo and granu-
larity but with low visibilty and tangibility. Administra-
tors rely on complex data feeds which typically need
translatation into language that can be understood by
decision makers. Each layer of analytical tools that
is added can increase the margin for error as well as
adding Clausewitzian friction (see von Clausewitz’s On
War’, 1873). Furthermore, it is practically impossible
for most administrators to watch complex visual data
feeds concurrently with other activity without quickly
losing eectiveness [4].
In military circles there is debate about whether cy-
berspace has become the fifth warfighting domain (the
others being sea, land, air, and space) [4]. Com-
puter networks are increasingly coming under strain
both from adversarial attacks (warfighting in military
parlance) and from load and trac pressures (e.g., in-
creased demand on web services).
Another term that has made its way from the military
lexicon into the wider world of network administration
is situational awareness. Endsley[2, p. 36] defined sit-
uational awareness (SA) as the “perception of elements
in the environment within a volume of time and space,
the comprehension of their meaning, and the projection
of their status in the near future”. So, SA facilitates an
administrator in becoming aware of a network’s current
state. The perception phase of SA comprises the recog-
nition of situational events and their subsequent iden-
tification. Sonification is a process of computational
perceptualisation which Vickers [5] suggested is well
suited to the monitoring of time-dependent processes
and phenomena such as computer networks.
Fairfax et al. [4] noted that the cyber environment is
increasingly being viewed as the fifth warfighting do-
main (alongside land, sea, air, and space). They stated
the challenge for maintaining situational awareness in
the cyber environment as:
. . . whilst land, sea, air and space are physi-
cally distinct and are defined by similar crite-
ria, cyberspace is defined in a dierent way,
existing on an electronic plane rather than a
physical and chemical one. Some would ar-
gue that cyber space is a vein which runs
through the other four warfighting domains
and exists as a common component rather
than as a discrete domain. One can easily see
how cyber operations can easily play a signifi-
cant role in land, sea, air or space warfare, due
to the technology employed in each of these
domains [4, p. 335].
Thus, in this environment where human perception is
constrained, adversaries and protagonists alike are de-
pendent on tools for their perception and understand-
ing of what is going on. Many tools on which we rely
for situational awareness are focused on specific detail.
The peripheral vision (based on a range of senses) on
which our instinctive threat models are based is very
narrow when canalised by the tools we use to moni-
tor the network environment. The majority of these
tools use primarily visual cues (with the exception of
alarms) to communicate situational awareness to oper-
ators. Put simply, situational awareness is the means
by which protagonists in a particular environment per-
ceive what is going on around them (including hostile,
friendly, and environmental events), and understand the
implications of these events in sucient time to take ap-
propriate action.
When network incidents occur experience shows that
the speed and accuracy of the initial response are critical
to a successful resolution of the situation. Operators ob-
serve the indicators, orient themselves and their sensors
to understand the problem, decide on the action to be
taken, and act in a timely and decisive way. Traditional
approaches to monitoring can hinder this by not making
the initial indication and its context clear thus requir-
ing an extensive orientation stage. An ineective initial
response is consistently seen to be one of the hardest
things for people to get right in practice [4]. D’Amico
(see McNeese [3]) put the challenge of designing visu-
alizations for situational awareness this way:
. . . visualization designers must focus on
the specific role of the target user, and the
stage of situational awareness the visualiza-
tions are intended to support: perception,
comprehension, or projection.
While work has been carried out to use informa-
tion visualization techniques on network data we note
that the perceive and comprehend stages in Endsley’s
three-level situational awareness model (the third be-
ing project) [2] align themselves with Pierre Schaeer’s
two fundamental modes of musical listening, ´ecouter
(hearing, the auditory equivalent of perception) and en-
tendre (literally ‘understanding’, the equivalent of com-
prehension). Vickers [6] demonstrated how Schaeer’s
musical context can be applied sonification. This pa-
per proposes a sonification tool as one of the means by
2

which real-time situational awareness in network en-
vironments may be facilitated. A more detailed dis-
cussion of situational awareness and its relationship to
network monitoring (specifically within a cybersecurity
and warfighting context) can be found in Fairfax et al.
[4].
1.1. Sonification for Network Monitoring
Sonification has been applied to many dierent types
of data analysis (for a recent and broad coverage see
The Sonification Handbook [7]). One task for which
it seems particularly well suited is live monitoring, as
would be required in situational awareness applications
[5]. The approach described in this article provides one
way of addressing the challenges outlined above by en-
abling operators to monitor networks concurrently with
other tasks using additional senses. This has the poten-
tial to increase operators’ available bandwidth without
overloading individual cognitive functions, and could
provide an immediate and elegant route to practical sit-
uational awareness.
It has been suggested that understanding the patterns
of network trac is essential to the analysis of a net-
work’s survivability [8]. Typically, analysis takes place
post-hoc through an inspection of log files to determine
what caused a crash or other network event. Lessons
would be learned and counter measures put in place to
prevent a re-occurrence.
For the purpose of keeping a network running
smoothly load balancing can sometimes be achieved au-
tomatically by the network itself, or alerts can be posted
to trigger a manual response by the network administra-
tors. Guo et al. [8] observed that “from the perspective
of trac engineering, understanding the network trac
pattern is essential” for the analysis of network surviv-
ability.
Often, the first the administrators know about a prob-
lem on a network is after an attack, or other destabiliz-
ing event, has taken place or the network has crashed.
Here, the trac logs would be examined to identify the
causes and steps would be taken to try to protect against
the same events in future. Live monitoring of network
trac assists with situational awareness and could pro-
vide administrators either with advanced warning of an
impending threat or with real-time intelligence on net-
work threatening events in action.
3
3
By threat, we do not only mean a hacking/DDOS attack, but also
include ‘natural’ disasters such as component failures, legitimate traf-
fic surges, etc.
Real-time network monitoring oers a challenge in
that, except for alarms for discrete events, the admin-
istrator must be looking at a console screen to observe
what is happening. To identify changes in trac flow
would this require attention to be devoted to the console
[4]. Vickers [5, p. 455] categorised monitoring tasks as
direct, peripheral, or serendipitous-peripheral:
In a direct monitoring task we are directly en-
gaged with the system being monitored and
our attention is focused on the system as we
take note of its state. In a peripheral mon-
itoring task, our primary focus is elsewhere,
our attention being diverted to the monitored
system either on our own volition at intervals
by scanning the system . . . or through being
interrupted by an exceptional event signalled
by the system itself.
Serendipitous-peripheral is similar to peripheral
monitoring except that it uses what Mynatt et al. [9]
term “serendipitous information”, that is, the informa-
tion gained “is useful and appreciated but not strictly
required or vital either to the task in hand or the overall
goal” [5, p. 456].
Thus, a system to sonify network trac may allow us
to monitor the network in a peripheral mode, the moni-
toring becoming a secondary task for the operator who
can carry on with some other primary activity. Network
trac is a prime candidate for sonification as it com-
prises series of temporally-related data which may be
mapped naturally to sound, a temporal medium [5].
Gilfix and Crouch’s Peep system [10] is an early net-
work sonification example. They used natural sounds
to represent network states and events and hoped that
repeated listening would enable users to build up an un-
derstanding of what normal operation of their network
sounds like. The system was oered very much as a
proof-of-concept and no specific guidance was given on
particular ways in which Peep could be used.
Kimoto and Ohno [11] developed a network sonifica-
tion system called Stetho which uses HTTP trac data
to generate MIDI events which are in turn rendered into
sound by MIDI-compatible sound synthesis software.
4
An experiment showed that four participants who used
the system for ve minutes to identify peaks in HTTP
trac. Kimoto and Ohno concluded that the system was
suitable to grasp “trac vaguely”, so like Peep there was
4
MIDI (musical instrument digital interface) is a set of software
and hardware protocols developed by leading synthesizer manufac-
turers in the 1980s to allow interoperability between previously in-
compatible devices.
3

a lack of a sense of real use cases that Stetho might sup-
port.
Ballora et al. [12, 13, 14] built on these ideas to
address the particular case of situational awareness.
Rather than use environmental sounds, Ballora et al.
used synthesized musical instruments to represent net-
work data as pitched tones. Using an auditory model
of the network packet space they produced a “nuanced
soundscape in which unexpected patterns can emerge
for experienced listeners”. Their approach used the
five-level JDL fusion model which is concerned with
integrating multiple data streams such that situational
awareness is enhanced (see Blasch and Plano [15]).
Rather than focus on simple bytes and packets coming
in and leaving the network, their system allowed dier-
entiation between the geographic origin of packets (via
IP addresses), and the nature of the trac (via port num-
bers). However, Ballora et al. [12] noted that the high
data speeds and volumes associated with computer net-
works can lead to unmanageable cognitive loads. Ends-
ley and Connor (in McNeese [3]) came to the same con-
clusion, stating that the “extreme volume of data and the
speed at which that data flows rapidly exceeds human
cognitive limits and capabilities. They concluded:
The combination of the text-based format
commonly used in cyber security systems
coupled with the high false alert rates can
lead to analysts being overwhelmed and un-
able to ferret out real intrusions and attacks
from the deluge of information. The Level 5
fusion process indicates that the HCI interface
should provide access to and human control at
each level of the fusion process, but the ques-
tion is how to do so without overwhelming the
analyst with the details.
Like Stetho, Giot and Courbe’s InteNtion (Interac-
tive Network Sonification) system mapped network ac-
tivity to a musical aesthetic via MIDI [16]. Four sound
channels were implemented. The first three processed
HTTP, FTP, and DNS trac respectively, while the
fourth channel dealt with trac from all other protocols
together. The system mapped several details of trac
properties to the parameters of the output sounds. For
instance, packet size controlled the frequency of a tone
while the TTL (time to live) of a datagram controlled
the duration of the tone. Geographic distance (estimated
from IP addresses) controlled the amount of reverbera-
tion applied to the tone. Unfortunately, no target use
case was stated and no description or demonstration of
the system was provided. It remains to be determined
how eective this deliberate approach to consider musi-
cal aesthetics was.
Wolf and Fiebrink [17] designed the SonNet system
to help users (artists or people have an interest in net-
work trac information) to easily access network traf-
fic through a simple coding interface without requiring
knowledge of Internet protocols. The system used three
levels of abstraction dealing with raw packet data, tem-
poral aspects and directionality of trac (via source and
destination IP addresses, port numbers, and time since
the last packet, and aggregated information over multi-
ple packets (via packet state and flags) respectively.
The system’s default operation is to process TCP
packets on port 80 (i.e., HTTP trac), though users can
select to monitor UDP trac and trac on all network
ports if they wish. The sonification itself was left to the
user to specify by writing a script to control a ChucK
module.
5
The system was evaluated with four composers and
students of music composition. The objective was to
discover whether SonNet would support composers in
creating a musical piece. Therefore, the target use case
is quite dierent from the systems mentioned above
which were more concerned with assisting with the
monitoring of a network.
Worrall’s NetSon project [18] is a network sonifica-
tion tool that aims to “sonically reveal aspects of the
temporal structure of computer network data flows in a
relatively large-scale organization”. The system began
as an exploratory tool for an art and technology event
and includes visualizations alongside the auditory out-
put and aims to assist people with the peripheral moni-
toring of a network. The sonification design is not ex-
plained in detail, but it is based on using the features
of raw trac data to control various aspects of the out-
put sound. The overall design is explained thus: “in
contradistinction to much parameter mapping sonifica-
tion, ‘melodic’ pitch structures are used very sparingly
in favour of a diverse klangfarben (timbral) palette.
One particular configuration of the system is de-
scribed as revealing “a combination of interesting
features (such as printer server activity) and load-
balancing” Worrall [18]. However, in its present version
NetSon is presented as a sonification for public spaces
so further work is necessary to see how well it supports
specific network monitoring tasks and goals.
As seen in the work mentioned above, network soni-
fication typically approaches the task by representing
5
ChucK is a concurrent music programming language that can be
used to generate audio (see http://chuck.cs.princeton.edu).
4

Figures (9)
Citations
More filters

Journal ArticleDOI
19 Apr 2018-PLOS ONE
TL;DR: SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system for monitoring computer networks to support network administrators’ situational awareness, is presented.
Abstract: Maintaining situational awareness of what is happening within a computer network is challenging, not only because the behaviour happens within machines, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation techniques are widely used to present information about network traffic dynamics. Although they provide operators with an overall view and specific information about particular traffic or attacks on the network, they often still fail to represent the events in an understandable way. Also, because they require visual attention they are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system for monitoring computer networks to support network administrators’ situational awareness. SoNSTAR provides an auditory representation of all the TCP/IP traffic within a network based on the different traffic flows between between network hosts. A user study showed that SoNSTAR raises situational awareness levels by enabling operators to understand network behaviour and with the benefit of lower workload demands (as measured by the NASA TLX method) than visual techniques. SoNSTAR identifies network traffic features by inspecting the status flags of TCP/IP packet headers. Combinations of these features define particular traffic events which are mapped to recorded sounds to generate a soundscape that represents the real-time status of the network traffic environment. The sequence, timing, and loudness of the different sounds allow the network to be monitored and anomalous behaviour to be detected without the need to continuously watch a monitor screen.

12 citations


Cites background from "Sonification of a network’s self-or..."

  • ...[19, 45, 46] applied sonification to the inherent self-organised criticality observed in network traffic....

    [...]


Proceedings ArticleDOI
23 Aug 2017
TL;DR: Using a variety of sonification techniques, this work examines the user context, how this sonification leads to system design considerations, and feeds back into the user experience.
Abstract: The existing sonification of networks mainly focuses on security. Our novel approach is framed by the ways in which network traffic changes over the national JANET network. Using a variety of sonification techniques, we examine the user context, how this sonification leads to system design considerations, and feeds back into the user experience.

6 citations


Proceedings ArticleDOI
23 Aug 2017
TL;DR: This paper investigates the use of data sonification as a narrative tool in soundscape composition, and shows a strong ability in participants to decode and comprehend additional layers of narrative information communicated through the soundscape.
Abstract: Soundscape composition is an art form that has grown from acoustic ecology and soundscape studies. Current practices foster a wide range of approaches, from the educational and documentary function of the world soundscape project (WSP) to the creation of imaginary sonic worlds supported by theories of acousmatic and electroacoustic music.Sonification is the process of rendering audio in response to data, and is often used in scenarios where visual representations of data are impractical. The field of auditory display has grown in isolation to soundscape composition, however fosters conceptual similarities in its representation of information in sonic form.This paper investigates the use of data sonification as a narrative tool in soundscape composition. A soundscape has been created using traditional concrete sounds (fixed media recorded sound objects), augmented with sonified real-time elements. An online survey and listening experiment was conducted, which asked participants to rate the soundscape on its ability to communicate specific detail with regard to environmental and social elements contained within. Research data collected shows a strong ability in participants to decode and comprehend additional layers of narrative information communicated through the soundscape.

4 citations


Journal ArticleDOI
01 Jul 2021
TL;DR: “CyberWarner” is introduced, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics that are feasible to develop sonified cyber security threat indicators that users intuitively understand with minimal experience and training.
Abstract: This paper reports a formative evaluation of auditory representations of cyber security threat indicators and cues, referred to as sonifications, to warn users about cyber threats. Most Internet browsers provide visual cues and textual warnings to help users identify when they are at risk. Although these alarming mechanisms are very effective in informing users, there are certain situations and circumstances where these alarming techniques are unsuccessful in drawing the user’s attention: (1) security warnings and features (e.g., blocking out malicious Websites) might overwhelm a typical Internet user and thus the users may overlook or ignore visual and textual warnings and, as a result, they might be targeted, (2) these visual cues are inaccessible to certain users such as those with visual impairments. This work is motivated by our previous work of the use of sonification of security warnings to users who are visually impaired. To investigate the usefulness of sonification in general security settings, this work uses real Websites instead of simulated Web applications with sighted participants. The study targets sonification for three different types of security threats: (1) phishing, (2) malware downloading, and (3) form filling. The results show that on average 58% of the participants were able to correctly remember what the sonification conveyed. Additionally, about 73% of the participants were able to correctly identify the threat that the sonification represented while performing tasks using real Websites. Furthermore, the paper introduces “CyberWarner”, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics.

2 citations


Journal ArticleDOI
TL;DR: This paper reviews the previous research on utilizing human senses and capabilities in cryptography, and proposes several topics and problems that need to be solved in order to build cryptography that is more accessible to humans.
Abstract: Cryptography is a key element in establishing trust and enabling services in the digital world. Currently, cryptography is realized with mathematical operations and represented in ways that are not readily accessible to human users. Thus, humans are left out of the loop when establishing trust and security in the digital world. In many areas the interaction between users and machines is being made more and more seamless and user-friendly, but cryptography has not really enjoyed such development. In this paper, we review the previous research on utilizing human senses and capabilities in cryptography. We present the most relevant existing methods and summarize the current state of the art. In addition, we propose several topics and problems that need to be solved in order to build cryptography that is more accessible to humans. These range from practical implementations of existing methods and utilizing a wider range of human senses all the way to building the theoretical foundations for this new form of cryptography.

2 citations


References
More filters

Journal ArticleDOI
TL;DR: A theoretical model of situation awareness based on its role in dynamic human decision making in a variety of domains is presented and design implications for enhancing operator situation awareness and future directions for situation awareness research are explored.
Abstract: This paper presents a theoretical model of situation awareness based on its role in dynamic human decision making in a variety of domains. Situation awareness is presented as a predominant concern in system operation, based on a descriptive view of decision making. The relationship between situation awareness and numerous individual and environmental factors is explored. Among these factors, attention and working memory are presented as critical factors limiting operators from acquiring and interpreting information from the environment to form situation awareness, and mental models and goal-directed behavior are hypothesized as important mechanisms for overcoming these limits. The impact of design features, workload, stress, system complexity, and automation on operator situation awareness is addressed, and a taxonomy of errors in situation awareness is introduced, based on the model presented. The model is used to generate design implications for enhancing operator situation awareness and future directio...

6,755 citations


"Sonification of a network’s self-or..." refers background in this paper

  • ...three-level situational awareness model (the third being project) [2] align themselves with Pierre Schaeffer’s two fundamental modes of musical listening, écouter (hearing, the auditory equivalent of perception) and entendre (literally ‘understanding’, the equivalent of comprehension)....

    [...]

  • ...…on network data we note that the perceive and comprehend stages in Endsley’s three-level situational awareness model (the third being project) (Endsley, 1995) align themselves with Pierre Schaeffer’s two fundamental modes of musical listening, écouter (hearing, the auditory equivalent of…...

    [...]

  • ...and others have followed (notably Endsley’s three-level model [2])....

    [...]

  • ...This problem of information presentation and interpretation, or ‘situational awareness’, was addressed by the military leading to Boyd’s OODA (observe, orient, decide, act) model (see (Angerman, 2004)), and others have followed (notably Endsley’s three-level model (Endsley, 1995))....

    [...]


Journal ArticleDOI
TL;DR: It is shown that dynamical systems with spatial degrees of freedom naturally evolve into a self-organized critical point, and flicker noise, or 1/f noise, can be identified with the dynamics of the critical state.
Abstract: We show that dynamical systems with spatial degrees of freedom naturally evolve into a self-organized critical point. Flicker noise, or 1/f noise, can be identified with the dynamics of the critical state. This picture also yields insight into the origin of fractal objects.

6,078 citations


"Sonification of a network’s self-or..." refers background in this paper

  • ...Thus, a system can exhibit many many differing states, each of which is ‘barely stable’, a condition called metastability (Bak et al., 1987)....

    [...]

  • ...According to Bak et al. (1987) such power law distributions in complex systems are evidence of self-organized criticality (SOC)....

    [...]

  • ...Thus, a system can exhibit many many differing states, each of which is ‘barely stable’, a condition called metastability [19]....

    [...]

  • ...[19] such power law distributions in complex systems are evidence of SOC....

    [...]

  • ...In 1987 Bak, Tang, and Wiesenfeld [19] brought together the concept of emergent complexity in simple systems, the mathematics describing the complexity of fractals in natural systems, and the scale-invariant power laws, fractal geometries, and the pink (1/ f ) noise observed at the critical points between phase transitions in physical systems in a single explanatory model they termed self-organized criticality, or SOC....

    [...]


Journal ArticleDOI
TL;DR: It is shown that the self-similarity in WWW traffic can be explained based on the underlying distributions of WWW document sizes, the effects of caching and user preference in file transfer, the effect of user "think time", and the superimposition of many such transfers in a local-area network.
Abstract: The notion of self-similarity has been shown to apply to wide-area and local-area network traffic. We show evidence that the subset of network traffic that is due to World Wide Web (WWW) transfers can show characteristics that are consistent with self-similarity, and we present a hypothesized explanation for that self-similarity. Using a set of traces of actual user executions of NCSA Mosaic, we examine the dependence structure of WWW traffic. First, we show evidence that WWW traffic exhibits behavior that is consistent with self-similar traffic models. Then we show that the self-similarity in such traffic can be explained based on the underlying distributions of WWW document sizes, the effects of caching and user preference in file transfer, the effect of user "think time", and the superimposition of many such transfers in a local-area network. To do this, we rely on empirically measured distributions both from client traces and from data independently collected at WWW servers.

2,579 citations


Proceedings ArticleDOI
01 Oct 1993
Abstract: We demonstrate that Ethernet local area network (LAN) traffic is statistically self-similar, that none of the commonly used traffic models is able to capture this fractal behavior, and that such behavior has serious implications for the design, control, and analysis of high-speed, cell-based networks. Intuitively, the critical characteristic of this self-similar traffic is that there is no natural length of a "burst": at every time scale ranging from a few milliseconds to minutes and hours, similar-looking traffic bursts are evident; we find that aggregating streams of such traffic typically intensifies the self-similarity ("burstiness") instead of smoothing it.Our conclusions are supported by a rigorous statistical analysis of hundreds of millions of high quality Ethernet traffic measurements collected between 1989 and 1992, coupled with a discussion of the underlying mathematical and statistical properties of self-similarity and their relationship with actual network behavior. We also consider some implications for congestion control in high-bandwidth networks and present traffic models based on self-similar stochastic processes that are simple, accurate, and realistic for aggregate traffic.

1,053 citations


Book
01 Jan 1998

610 citations


Frequently Asked Questions (1)
Q1. What contributions have the authors mentioned in the paper "Sonification of a network’s self-organized criticality for real-time situational awareness" ?

This article focuses on the combination of two dissimilar research concepts, namely sonification ( a form of auditory display ) and self-organized criticality ( SOC ). Implications for how such a system may support real-time situational awareness and posthoc incident analysis are discussed.