Journal ArticleDOI

Sonification of a network’s self-organized criticality for real-time situational awareness

01 Apr 2017-Displays (Elsevier)-Vol. 47, pp 12-24
TL;DR: A system is described that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators of both normal and abnormal network traffic and operation.
About: This article is published in Displays. The article was published on 2017-04-01 and is currently open access. It has received 8 citations to date. The article focuses on the topics: Sonification & Network monitoring.

Summary (5 min read)

1. Introduction

  • With the large volumes of traffic passing across networks it is important to know about the state of the various components involved (servers, routers, switches, firewalls, computers, network-attached storage devices, etc.) and the types and volume of the data traffic passing through the network.
  • In military circles there is debate about whether cyberspace has become the fifth warfighting domain (the others being sea, land, air, and space) [4].
  • Sonification is a process of computational perceptualisation which Vickers [5] suggested is well suited to the monitoring of time-dependent processes and phenomena such as computer networks.
  • When network incidents occur experience shows that the speed and accuracy of the initial response are critical to a successful resolution of the situation.

1.1. Sonification for Network Monitoring

  • Sonification has been applied to many different types of data analysis (for a recent and broad coverage see The Sonification Handbook [7]).
  • One task for which it seems particularly well suited is live monitoring, as would be required in situational awareness applications [5].
  • It has been suggested that understanding the patterns of network traffic is essential to the analysis of a network’s survivability [8].
  • It remains to be determined how effective this deliberate approach to consider musical aesthetics was.
  • Worrall’s NetSon project [18] is a network sonification tool that aims to “sonically reveal aspects of the temporal structure of computer network data flows in a relatively large-scale organization”.

2. Self Organized Criticality in Network Traffic

  • In the case of the sandpile the external driving force is the addition of sand grains and the internal relaxation process is the avalanche.
  • Since then, SOC has been demonstrated in other natural systems such as earthquakes (in which the relaxation process can take seconds compared to the years or decades involved in the external driving force) and forest fires and has subsequently been observed in artificial systems such as stock markets and, latterly, computer networks.
  • In a wavelet analysis of the burstiness of self-similar computer network traffic Yang et al. [24] demonstrated that the avalanche volume, duration time, and the interevent time of traffic flow fluctuations obey power law distributions.
  • This supports Fukuda et al. [25]’s suggestion that self-organized criticality could be the origin of the fluctuation of burstiness in network traffic.

2.1. Identifying and Measuring the SOC

  • SOC is not a discrete variable that can be identified and monitored directly.
  • Again the characteristic burstiness can be seen in the residuals, this time slightly more intense and regular.
  • Both figures plot the same data sets, but Figure 2(b) is a representation of the denoised residuals of normal traffic data that is also carrying malicious traffic data.
  • Firstly, at approximately 500 (x-axis) in Figure 2(b), a small amount of SOC activity can be observed.
  • In the next section the authors describe a system for sonifying the SOC characteristics of network traffic.

3. The SOC Sonification System

  • A prototype SOC sonification system, socs, was designed and constructed to facilitate the real-time auditory perception of the SOC properties of network traffic.
  • For purposes of illustration, the example chosen here sonifies the log returns of the following time-dependent network traffic data items: number of bytes sent, number of packets sent, number of bytes received, number of packets received by the network which the authors call bs, ps, br, pr respectively.
  • (5) This may result in negative values for the log return which can be used to indicate the direction of a SOC event’s change in level (i.e., an increase in value means a step up to the next level of steady state, whilst a decrease means a step down).
  • In addition, all values can be squared with the sign retained or discarded.
  • The Python script calculates the log return values and feeds them as input to the sonification engine.

3.1. Sonification Parameters

  • There are many possible mappings between the input data values and the various parameters that affect the audio.
  • This may be done by increasing/decreasing the amplitude, altering a sound’s position in a sound field (e.g., left-right pan in a stereo field, front/back/left/right in a surround-sound field, or front/back/left/right and azimuth in a full three-dimensional sound field), altering the sound’s phase, or altering its spectral characteristics (e.g., by changing the parameters of a filter).
  • The following sections describe the processes that were used in the system.

3.1.1. Scaling

  • Therefore, it was necessary to scale all incoming data so a scaler module was built that takes four arguments: the minimum and maximum values of the input range and the minimum and maximum of the desired output range.
  • Any value received on the scaler’s input is converted to a corresponding value in the specified output range.
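The log-return and scaling steps described in sections 3 and 3.1.1, sketched as an added example (this is not the paper's Python script or its Pure Data scaler). It assumes the usual definition r_t = ln(x_t / x_(t-1)); the add-one guard for idle intervals, the clamping of out-of-range input, the (-3, 3) input range and the sample counts are all constructed assumptions.

```python
import math

CHANNELS = ("bs", "ps", "br", "pr")  # bytes/packets sent, bytes/packets received


def log_returns(series, mode="signed"):
    """Log return between consecutive per-interval counts.

    mode: "signed" (keeps direction of the change), "unsigned" (|r|),
          "squared" (r^2) or "squared_signed" (r^2 with the sign of r).
    """
    if mode not in ("signed", "unsigned", "squared", "squared_signed"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for prev, cur in zip(series, series[1:]):
        # Assumption: add 1 to both counts so an idle interval (0 bytes)
        # cannot cause log(0) or a division by zero.
        r = math.log((cur + 1) / (prev + 1))
        if mode == "unsigned":
            r = abs(r)
        elif mode == "squared":
            r = r * r
        elif mode == "squared_signed":
            r = math.copysign(r * r, r)
        out.append(r)
    return out


def make_scaler(in_min, in_max, out_min, out_max):
    """Four-argument scaler: maps [in_min, in_max] linearly to [out_min, out_max]."""
    if in_max == in_min:
        raise ValueError("input range must not be empty")

    def scale(value):
        # Assumption: clamp, so one huge spike cannot drive the audio
        # parameter outside its valid range.
        value = min(max(value, in_min), in_max)
        return out_min + (value - in_min) * (out_max - out_min) / (in_max - in_min)

    return scale


def frames(counts, mode="signed", in_range=(-3.0, 3.0)):
    """One dict of per-channel amplitudes (0.0 to 1.0) per interval."""
    scale = make_scaler(in_range[0], in_range[1], 0.0, 1.0)
    per_channel = {name: log_returns(counts[name], mode) for name in CHANNELS}
    n = len(per_channel[CHANNELS[0]])
    return [{name: round(scale(per_channel[name][i]), 3) for name in CHANNELS}
            for i in range(n)]


# Constructed per-second counts: steady outbound traffic, one inbound burst.
SAMPLE = {
    "bs": [1000, 1000, 1000, 1000],
    "ps": [10, 10, 10, 10],
    "br": [2000, 2000, 200000, 2000],
    "pr": [20, 20, 2000, 20],
}

if __name__ == "__main__":
    for i, frame in enumerate(frames(SAMPLE)):
        print(i, frame)
```

With signed returns, steady traffic sits at mid-level (0.5), the burst drives the received channels to full level and the return to baseline drops them to silence.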

3.1.2. Amplitude Control

  • An amplitude control module was constructed that adjusts the amplitude, or level, of the output sound according to the value of the module’s input variable, in this case, the log return values.
  • The lower the log return value the quieter the sound, the higher it is the louder the sound that is played back.
  • Thus, the real-time monitoring of the network leads to constant fluctuations in the amplitude of the output, but only large changes in level are readily perceived.

3.1.3. Filtering

  • There are several ways that the spectral characteristics of an audio signal may be processed, each of which will cause a change in the timbre of the audio.
  • The advantage of a biquad filter is that it offers a richer set of filtering options than a single type of dedicated (e.g., band pass) filter and its coefficients can be altered at run time to change the sound processing in real time.
  • The higher the resonance the wider the band of frequencies that are allowed to pass through.
  • The choice of filter depends on the kinds of sounds being loaded into the system.
  • The filter’s initial parameters are hard-coded into the loopChannel3 sub patch to best fit the sonic material being used but ultimately it is intended to expose this functionality to the end user.

3.1.4. Sampled and Synthesized Voices

  • Because the prototype system monitored four variables four voices or channels were used, one per variable.
  • The loop playback method incorporates a sub patch designed by Farnell [29] which loads a wave audio file and plays it continuously, restarting it when it reaches the end.
  • Thus, the log return value of each data stream is used to modulate the corresponding voice.
  • In the version described here, the channels contained different sounds that combined to make a countryside soundscape.
  • Any wave files can be loaded into the system.

3.2. System Architecture

  • Figure 3 shows the architecture of the sonification design used for sonifying four data streams.
  • Step 1, Capture network traffic: network traffic is captured from a log file or a live packet sniffer program by the custom Python script.
  • Step 5, Amplitude control: modulates the amplitude of the voice by the log return value.
  • The four audio channels are combined into a single stereo output which is then sent to the audio system of the host computer.
  • The channel processing section contains four similar units: three for dealing with audio loop playback and one for dealing with synthesized tone playback.

4. Discussion

  • The system was driven by a number of traffic data sets captured from live networks.
  • Traffic data were aggregated over 1 s intervals and the number of bytes and packets sent and received per interval were fed to the socs application via the Python script.
  • Each time a set of log return values is received the system uses the values to modulate the four respective audio channels.
  • Using the mappings described above one hears a soundscape comprising the combination of sounds described above.
  • When one or more very large log returns occur (such as would be expected during a dynamic system relaxation event) the corresponding soundscape experiences a very noticeable change: the amplitude varies greatly and the timbre alters as filters are adjusted.

4.1. Audio examples

  • Audio files demonstrating the system output can be found in the project repository [28].
  • Running the Python script at different playback rates and with signed, unsigned, and squared log return values leads to different auditory outputs.
  • Running the system using signed log returns (the system default) reveals that the traffic spikes shown in Fig. 5 are both negative.
  • This renders all large changes as positive spikes which results in all spikes being heard as large increases in amplitude and filtering effects.
  • In the audio file multiSpike 1s.wav the negative spikes are clearly heard as gaps in the soundscape whilst the positive spike is very audible, particularly in the wind sound which represents the received bytes variable.

4.2. The Situational Awareness Loop

  • On hearing an event such as described above (situational awareness level 1 — Perception) the network administrator would be drawn to inspecting the state of the network (situational awareness level 2 — Comprehension) to decide whether any action needs to be taken (situational awareness level 3 — Projection).
  • After deciding what action to take (level 3) then comes the stage of managing the action, which itself requires situational awareness as actions are taken to address the situation.
  • Some of these events may go unnoticed by the administrator (if, for example, they left the monitoring station for a short period of time) but individual events are not a matter of great concern.
  • What will be of particular interest is when there is an extended series of repeated high log return values which might indicate growing instability in the network.
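The distinction drawn above between individual events and an extended series of high log returns can also be checked automatically alongside the audio. The following is an added example, not part of the socs system; the threshold, window length, minimum hit count and the sample series are constructed assumptions.

```python
from collections import deque


def find_instability(returns, threshold=1.0, window=6, min_hits=4):
    """Separate isolated large log returns from sustained episodes.

    A "hit" is an interval whose |log return| >= threshold (steps up and
    steps down both count). An episode is open while at least `min_hits`
    of the last `window` intervals were hits.
    Returns {"episodes": [(start, end), ...], "isolated": [index, ...]}.
    """
    recent = deque(maxlen=window)   # hit flags for the last `window` intervals
    hits, episodes, start = [], [], None
    for i, r in enumerate(returns):
        hit = abs(r) >= threshold
        recent.append(hit)
        if hit:
            hits.append(i)
        alerting = sum(recent) >= min_hits
        if alerting and start is None:
            start = i                         # episode opens
        elif not alerting and start is not None:
            episodes.append((start, i - 1))   # episode closes
            start = None
    if start is not None:                     # still alerting at end of data
        episodes.append((start, len(returns) - 1))
    # A hit is isolated if it did not contribute to any episode's window.
    isolated = [h for h in hits
                if not any(s - window < h <= e for s, e in episodes)]
    return {"episodes": episodes, "isolated": isolated}


# Constructed series of signed log returns at 1 s intervals: background
# noise, one isolated drop at t=5, and a cluster of large swings at t=15..20.
SAMPLE_RETURNS = [0.05] * 30
for idx, val in {5: -2.1, 15: 1.8, 16: -1.5, 17: 0.1,
                 18: 2.2, 19: -1.9, 20: 1.4}.items():
    SAMPLE_RETURNS[idx] = val

if __name__ == "__main__":
    print(find_instability(SAMPLE_RETURNS))
```

The isolated drop at t=5 is reported but opens no episode, while the cluster opens one at t=19, once four of the last six intervals have been hits.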

4.3. Timescales

  • The system was run with log return intervals of 1 s and 20 ms.
  • The running of the socs system at a higher rate than the traffic data’s initial sample rate allowed historical feeds to be listened to post-hoc in a manner analogous to spooling quickly through an audio tape (the main difference being that there is no consequent alteration of pitch).
  • This means that logs can be auditioned quickly and interesting areas of activity spotted.
  • This is useful for post-incident investigations and means that the system can be used for more than live monitoring.
  • The Python script can be supplied with run-time arguments to focus on certain sections of the traffic data, and/or to slow down playback once a particular point is reached.

5. Concluding Remarks

  • The combination of using a system’s self-organized criticality as the underlying data set for situational awareness and a tool for sonifying this SOC offers a number of potential advantages.
  • While the work described here focused on the traditional traffic metrics of bytes and packets sent and received, it is important to explore what other variables and characteristics are implicated in a network’s SOC and this is the subject of ongoing work.
  • The underlying system architecture promotes interactivity by letting the user select the combination of incoming data streams to be sonified and the sonic balance of the auditory streams.
  • A tangible user interface object (e.g., a cube) with a fiducial marker on its bottom surface is placed above the router.
  • In this way the administrator can gain intelligence about the state of the network in a hands-on way.

Citations
Journal ArticleDOI
19 Apr 2018-PLOS ONE
TL;DR: SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system for monitoring computer networks to support network administrators’ situational awareness, is presented.
Abstract: Maintaining situational awareness of what is happening within a computer network is challenging, not only because the behaviour happens within machines, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation techniques are widely used to present information about network traffic dynamics. Although they provide operators with an overall view and specific information about particular traffic or attacks on the network, they often still fail to represent the events in an understandable way. Also, because they require visual attention they are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system for monitoring computer networks to support network administrators’ situational awareness. SoNSTAR provides an auditory representation of all the TCP/IP traffic within a network based on the different traffic flows between network hosts. A user study showed that SoNSTAR raises situational awareness levels by enabling operators to understand network behaviour and with the benefit of lower workload demands (as measured by the NASA TLX method) than visual techniques. SoNSTAR identifies network traffic features by inspecting the status flags of TCP/IP packet headers. Combinations of these features define particular traffic events which are mapped to recorded sounds to generate a soundscape that represents the real-time status of the network traffic environment. The sequence, timing, and loudness of the different sounds allow the network to be monitored and anomalous behaviour to be detected without the need to continuously watch a monitor screen.

19 citations


Cites background from "Sonification of a network’s self-or..."

  • ...[19, 45, 46] applied sonification to the inherent self-organised criticality observed in network traffic....

    [...]

Journal ArticleDOI
TL;DR: This paper reviews the previous research on utilizing human senses and capabilities in cryptography, and proposes several topics and problems that need to be solved in order to build cryptography that is more accessible to humans.

9 citations

Proceedings ArticleDOI
23 Aug 2017
TL;DR: Using a variety of sonification techniques, this work examines the user context, how this sonification leads to system design considerations, and feeds back into the user experience.
Abstract: The existing sonification of networks mainly focuses on security. Our novel approach is framed by the ways in which network traffic changes over the national JANET network. Using a variety of sonification techniques, we examine the user context, how this sonification leads to system design considerations, and feeds back into the user experience.

6 citations

Journal ArticleDOI
01 Jul 2021
TL;DR: “CyberWarner” is introduced, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics that are feasible to develop sonified cyber security threat indicators that users intuitively understand with minimal experience and training.
Abstract: This paper reports a formative evaluation of auditory representations of cyber security threat indicators and cues, referred to as sonifications, to warn users about cyber threats. Most Internet browsers provide visual cues and textual warnings to help users identify when they are at risk. Although these alarming mechanisms are very effective in informing users, there are certain situations and circumstances where these alarming techniques are unsuccessful in drawing the user’s attention: (1) security warnings and features (e.g., blocking out malicious Websites) might overwhelm a typical Internet user and thus the users may overlook or ignore visual and textual warnings and, as a result, they might be targeted, (2) these visual cues are inaccessible to certain users such as those with visual impairments. This work is motivated by our previous work of the use of sonification of security warnings to users who are visually impaired. To investigate the usefulness of sonification in general security settings, this work uses real Websites instead of simulated Web applications with sighted participants. The study targets sonification for three different types of security threats: (1) phishing, (2) malware downloading, and (3) form filling. The results show that on average 58% of the participants were able to correctly remember what the sonification conveyed. Additionally, about 73% of the participants were able to correctly identify the threat that the sonification represented while performing tasks using real Websites. Furthermore, the paper introduces “CyberWarner”, a sonification sandbox that can be installed on the Google Chrome browser to enable auditory representations of certain security threats and cues that are designed based on several URL heuristics.

5 citations

Proceedings ArticleDOI
23 Aug 2017
TL;DR: This paper investigates the use of data sonification as a narrative tool in soundscape composition, and shows a strong ability in participants to decode and comprehend additional layers of narrative information communicated through the soundscape.
Abstract: Soundscape composition is an art form that has grown from acoustic ecology and soundscape studies. Current practices foster a wide range of approaches, from the educational and documentary function of the world soundscape project (WSP) to the creation of imaginary sonic worlds supported by theories of acousmatic and electroacoustic music. Sonification is the process of rendering audio in response to data, and is often used in scenarios where visual representations of data are impractical. The field of auditory display has grown in isolation to soundscape composition, however fosters conceptual similarities in its representation of information in sonic form. This paper investigates the use of data sonification as a narrative tool in soundscape composition. A soundscape has been created using traditional concrete sounds (fixed media recorded sound objects), augmented with sonified real-time elements. An online survey and listening experiment was conducted, which asked participants to rate the soundscape on its ability to communicate specific detail with regard to environmental and social elements contained within. Research data collected shows a strong ability in participants to decode and comprehend additional layers of narrative information communicated through the soundscape.

4 citations

References
Journal ArticleDOI
TL;DR: A theoretical model of situation awareness based on its role in dynamic human decision making in a variety of domains is presented and design implications for enhancing operator situation awareness and future directions for situation awareness research are explored.
Abstract: This paper presents a theoretical model of situation awareness based on its role in dynamic human decision making in a variety of domains. Situation awareness is presented as a predominant concern in system operation, based on a descriptive view of decision making. The relationship between situation awareness and numerous individual and environmental factors is explored. Among these factors, attention and working memory are presented as critical factors limiting operators from acquiring and interpreting information from the environment to form situation awareness, and mental models and goal-directed behavior are hypothesized as important mechanisms for overcoming these limits. The impact of design features, workload, stress, system complexity, and automation on operator situation awareness is addressed, and a taxonomy of errors in situation awareness is introduced, based on the model presented. The model is used to generate design implications for enhancing operator situation awareness and future directio...

7,470 citations


"Sonification of a network’s self-or..." refers background in this paper

  • ...three-level situational awareness model (the third being project) [2] align themselves with Pierre Schaeffer’s two fundamental modes of musical listening, écouter (hearing, the auditory equivalent of perception) and entendre (literally ‘understanding’, the equivalent of comprehension)....

    [...]

  • ...…on network data we note that the perceive and comprehend stages in Endsley’s three-level situational awareness model (the third being project) (Endsley, 1995) align themselves with Pierre Schaeffer’s two fundamental modes of musical listening, écouter (hearing, the auditory equivalent of…...

    [...]

  • ...and others have followed (notably Endsley’s three-level model [2])....

    [...]

  • ...This problem of information presentation and interpretation, or ‘situational awareness’, was addressed by the military leading to Boyd’s OODA (observe, orient, decide, act) model (see (Angerman, 2004)), and others have followed (notably Endsley’s three-level model (Endsley, 1995))....

    [...]

Journal ArticleDOI
TL;DR: It is shown that dynamical systems with spatial degrees of freedom naturally evolve into a self-organized critical point, and flicker noise, or 1/f noise, can be identified with the dynamics of the critical state.
Abstract: We show that dynamical systems with spatial degrees of freedom naturally evolve into a self-organized critical point. Flicker noise, or 1/f noise, can be identified with the dynamics of the critical state. This picture also yields insight into the origin of fractal objects.

6,486 citations


"Sonification of a network’s self-or..." refers background in this paper

  • ...Thus, a system can exhibit many many differing states, each of which is ‘barely stable’, a condition called metastability (Bak et al., 1987)....

    [...]

  • ...According to Bak et al. (1987) such power law distributions in complex systems are evidence of self-organized criticality (SOC)....

    [...]

  • ...Thus, a system can exhibit many many differing states, each of which is ‘barely stable’, a condition called metastability [19]....

    [...]

  • ...[19] such power law distributions in complex systems are evidence of SOC....

    [...]

  • ...In 1987 Bak, Tang, and Wiesenfeld [19] brought together the concept of emergent complexity in simple systems, the mathematics describing the complexity of fractals in natural systems, and the scale-invariant power laws, fractal geometries, and the pink (1/ f ) noise observed at the critical points between phase transitions in physical systems in a single explanatory model they termed self-organized criticality, or SOC....

    [...]

Journal ArticleDOI
TL;DR: It is shown that the self-similarity in WWW traffic can be explained based on the underlying distributions of WWW document sizes, the effects of caching and user preference in file transfer, the effect of user "think time", and the superimposition of many such transfers in a local-area network.
Abstract: The notion of self-similarity has been shown to apply to wide-area and local-area network traffic. We show evidence that the subset of network traffic that is due to World Wide Web (WWW) transfers can show characteristics that are consistent with self-similarity, and we present a hypothesized explanation for that self-similarity. Using a set of traces of actual user executions of NCSA Mosaic, we examine the dependence structure of WWW traffic. First, we show evidence that WWW traffic exhibits behavior that is consistent with self-similar traffic models. Then we show that the self-similarity in such traffic can be explained based on the underlying distributions of WWW document sizes, the effects of caching and user preference in file transfer, the effect of user "think time", and the superimposition of many such transfers in a local-area network. To do this, we rely on empirically measured distributions both from client traces and from data independently collected at WWW servers.

2,608 citations

Proceedings ArticleDOI
01 Oct 1993
TL;DR: In this paper, the authors demonstrate that Ethernet local area network (LAN) traffic is statistically self-similar, that none of the commonly used traffic models is able to capture this fractal behavior, and that such behavior has serious implications for the design, control, and analysis of high-speed, cell-based networks.
Abstract: We demonstrate that Ethernet local area network (LAN) traffic is statistically self-similar, that none of the commonly used traffic models is able to capture this fractal behavior, and that such behavior has serious implications for the design, control, and analysis of high-speed, cell-based networks. Intuitively, the critical characteristic of this self-similar traffic is that there is no natural length of a "burst": at every time scale ranging from a few milliseconds to minutes and hours, similar-looking traffic bursts are evident; we find that aggregating streams of such traffic typically intensifies the self-similarity ("burstiness") instead of smoothing it. Our conclusions are supported by a rigorous statistical analysis of hundreds of millions of high quality Ethernet traffic measurements collected between 1989 and 1992, coupled with a discussion of the underlying mathematical and statistical properties of self-similarity and their relationship with actual network behavior. We also consider some implications for congestion control in high-bandwidth networks and present traffic models based on self-similar stochastic processes that are simple, accurate, and realistic for aggregate traffic.

1,089 citations

Book
01 Jan 1998

610 citations

Frequently Asked Questions (1)
Q1. What contributions have the authors mentioned in the paper "Sonification of a network’s self-organized criticality for real-time situational awareness"?

This article focuses on the combination of two dissimilar research concepts, namely sonification (a form of auditory display) and self-organized criticality (SOC). Implications for how such a system may support real-time situational awareness and post-hoc incident analysis are discussed.