The document presents a seminar by Cagatay Turkay on visual analytics for user behavior analysis in cyber systems, highlighting the importance of combining visual and computational analysis. It details a case study on interactive user behavior analytics (Vasabi) that tracks user actions over 31 days, focusing on how visual analytics can provide a comprehensive understanding of user behavior. The study emphasizes the need for human-centered approaches in data-intensive decision making to enhance the evaluation and context of algorithmic results.

1. Visual Analytics for
User Behaviour Analysis in
Cyber Systems
Cagatay Turkay
Senior Lecturer in Applied Data Science,
giCentre, City, University of London
(Assoc. Prof. @ CIM, University of Warwick)
#VizTIG Seminar, Alan Turing Institute, 13 September 2019

2. VIS for communication
VIS for analysis
Sources:
[*] http://www.theguardian.com/politics/ng-interactive/2015/apr/20/election-2015-constituency-map
[**] http://www.nytimes.com/interactive/2012/05/17/business/dealbook/how-the-facebook-offering-compares.html
[Elzen & Wijk, 2010]
http://playground.tensorflow.org
[*] [**]
VIS for
decision-making
with algorithms

3. Visual Analytics?
Combining visual and computational analysis:
human strengths & computing
[SACHA et al., 2014]

4. ... provide several perspectives concurrently (e.g.,
multiple datasets, scales, parameters, algorithms,
representations ...)
... support the interactive comparison &
evaluation of (several) algorithmic results by putting
the results in context
VA can …

5. CASE STUDY –
Interactive User Behaviour Analytics in Cyber Systems
VASABI: Hierarchical User Profiles for
Interactive Visual User Behaviour Analytics
Nguyen PH, Henkin R, Chen S, Andrienko N, Andrienko G, Thonnard
O, Turkay C. IEEE TVCG, 2019
Understanding User Behaviour through
Action Sequences: from the Usual to the
Unusual
Nguyen, P.H., Turkay, C., Andrienko, G., Andrienko, N., Thonnard, O. and
Zouaoui, J. , IEEE TVCG, 2018

6. https://www.networkworld.com/article/2904356/detecting-advanced-threats-with-user-behavior-analytics.html
https://www.csoonline.com/article/2998174/user-entity-behavior-analytics-next-step-in-security-visibilty.html
https://www.csoonline.com/article/3026175/time-to-consider-user-behavior-analytics-uba.html
https://searchsecurity.techtarget.com/feature/User-behavioral-analytics-tools-can-thwart-security-attacks

7. Design Process
~ 2 years of close collaboration with cyber security experts
interviews to understand workflow and status quo
iterative workshops
rapid prototypes

8. …
….
session 3 score = 0.7
session 2 score = 0.8
user
actions
user
digital
application
08:40:05 Search Account
08:40:45 Unlock Account
08:41:03 Search Account
08:41:15 Search Account
08:42:01 Display Account
………
session 1 score = 0.2
user
behaviour
usual?
unusual?
why?
In this study:
31 days
15,000 sessions
1,400 users
300 action types

9. score
color hue → type
position → time
Search Account Display Account Unlock Account
semantic distance based action clustering
08:30 09:00 11:30 12:30 13:0012:0011:0010:00 10:3009:30
action
Preserving the sequence (but dropping actual time):

10. How expected is
… given that the user has done all of …
… before?
Most important decision to make is:

11. 0.7(not 42)
the algorithm says …

12. A comprehensive & multi-faceted
understanding of user behaviour is needed
to put the the result in context
for making a decision…
this is where VA comes in …

13. Summarising User Behaviour
Extracting Common Tasks using Topic Modelling
Chen, S., Andrienko, N., Andrienko, G., Adilova, L., Barlet, J., Kindermann, J., Nguyen, P.H.,
Thonnard, O. and Turkay, C., 2019. LDA Ensembles for Interactive Exploration and
Categorization of Behaviors. IEEE transactions on visualization and computer graphics.

14. Summarising User Behaviour
Extracting Common Tasks using Topic Modelling
Each “topic” becomes a “task”
<search, unlock> ~ Help-desking
<CreateUser, AssignRole1, AssingRole2>
~ User Management

15. Summarising User Behaviour
Visual task distribution summaries
timelines of sessions
A user with
repetitive behaviour
A user with
diverse behaviour
<search, unlock>
Help-desk person?

16. Putting sessions in context
Visual user profiles
Historic data context
Sessions of interest

17. Extracting User Roles
Task-based user clusters
Task distributions for groups
e.g., a group managing user accounts
Most representative users

18. An unusually long session
but a common task,
i.e., office management
Lots of user accounts locked ..

20. ... provide several perspectives concurrently (e.g.,
multiple datasets, scales, parameters, algorithms,
representations ...)
... support the interactive comparison &
evaluation of (several) algorithmic results by putting
the results in context
VA can …

21. Effective data-intensive decision making
requires approaches designed with
human-centred thinking
to empower people at all stages
of the data science process
… and visualisation research offers theories,
methodologies, techniques and know-how

22. Visual Analytics for
User Behaviour Analysis in
Cyber Systems
#VizTIG Seminar, Alan Turing Institute, 13 September 2019
giCentre: https://www.gicentre.net/
CIM: https://warwick.ac.uk/fac/cross_fac/cim/
Personal Web:
http://www.staff.city.ac.uk/cagatay.turkay.1/
Twitter: @cagatay_turkay
Slides: https://www.slideshare.net/cagatayturkay
Cagatay Turkay
Senior Lecturer in Applied Data Science,
giCentre, City, University of London
(Assoc. Prof. @ CIM, University of Warwick)
Thanks to: