By
Nathan L. Reynolds
A DISSERTATION
Submitted to
MASTER OF SCIENCE
06/09/2010
ABSTRACT
Nathan L. Reynolds
The goal of this research is to bridge the fields of Augmented Reality and Network Management (including Security), and demonstrate the benefits of using an Augmented Reality interface to improve the coupling of logical data to physical Network Access Devices. The initial problem this research attempts to address is the distancing of users from the physical network infrastructure by traditional Network Management and security systems. This distancing leads to users tending more to the Network Management and security systems instead of the physical hardware.
A framework was developed to inter-connect with existing management systems and perform data interchange in order to create virtual incarnations, which are then overlaid as three-
interface with which the user can view network management and security data, whilst in the presence of the network hardware. Design choices for this framework were partly driven by
In order to evaluate the effect of the framework, an experimental prototype was designed and developed. The prototype implemented a subset of the framework functionality, and was also developed to detect and highlight one style of network-based attack. This prototype was then used by 10 subjects to evaluate the effect of the framework on the defined problem.
None of the subjects were able to detect and diagnose an attack simulation using traditional Network Management software, but all detected and correctly identified at least 1 attack simulation when using the experimental prototype! 87% of all attack simulations presented with the experimental prototype were identified correctly, with 7 subjects correctly diagnosing all 3 attack simulations. The evaluation provided insight into the effect of the framework, and avenues for
I declare that the dissertation describes original work that has not previously been presented
others is set forth, quotation marks so indicate, and that appropriate credit is given where I
Signed,
Nathan L. Reynolds
First, I would like to acknowledge the support, encouragement and understanding that my wife and son, Alison and Austin, have shown for the past three years. Without their selfless attitudes I would not have been able to complete this undertaking. Austin, you’ve only known life with a dad hard at study. I’m looking forward to our new found time together.
I would also like to thank my dad, Tony, whose encouragement throughout my childhood and hacking of my code helped me find the passion for Information and Computer Security. Thanks also to my mum, Gerry, for reminding me as a child, that there is a world beyond computing. I would like to thank my mother-in-law, Sheila, who offered support and congratula-
I would also like to acknowledge the support of all the Laureate Online Education staff that have assisted me, guided me, and encouraged me throughout my study. With special thanks to Taly Sharon for her advice, encouragement and patience throughout the dissertation process. I’d like to thank the professional course facilitators, whose style and example consistently provoked the best quality work possible from me, especially Yongge Wang and Lelia Lividas. Also, there were many classmates I encountered throughout the programme who inspired me, and through their responses, encouraged well researched and provoking debate, thank you. Thank you also to the student support and enrolment teams, who’ve handled every
Thank you to my employer, Rockwell Automation, for the support and the opportunity given, as well as to all my colleagues and professional contacts and all those who set aside time to participate in the preliminary survey and the framework evaluation. Your participation is much appreciated.
TABLE OF CONTENTS
Page
LIST OF FIGURES ix
Chapter 1. Introduction 1
1.1 Scope 1
1.2 Problem Statement 1
1.3 Approach 2
1.4 Outcome 3
1.5 Document Structure 3
1.6 Chapter Summary 4
3.5.5 AR Viewer Identification and Authentication 32
3.6 Chapter Summary 32
Chapter 6. Conclusions 63
6.1 Conclusions 63
6.2 Lessons Learned 64
6.3 Prospects for Further Work 65
6.4 Summary 66
REFERENCES CITED 68
Appendix B. Set-up of the Evaluation Environment 75
B.1 Installation of the AR Middleware 75
B.2 Installation of CactiEZ 77
B.3 Client Configuration 78
B.4 Preparing the Environment 82
LIST OF TABLES
Page
Table 1: Primitive shapes and their associated meaning within the framework ......... 26
Table 2: Primitive shapes and their associated meaning within the framework ......... 27
Table 3: Primitive colours and their associated meaning within the framework ........ 27
Table 4: List of software used in developing the prototype ...................................... 36
Table 5: List of hardware to be used in the prototype ............................................... 37
Table 6: Relevant Object Identifiers (OIDs) as data sources .................................... 38
Table 7: Additional software unrelated to direct development.................................. 41
Table 8: Additional software required for testing ..................................................... 44
LIST OF FIGURES
Page
Figure 43: Question 4 .............................................................................................. 73
Figure 44: Question 5 .............................................................................................. 73
Figure 45: Question 6 .............................................................................................. 74
Figure 46: Turnkey Linux Configuration Console ................................................... 75
Figure 47: BackTrack 4’s Start NETWORK option ................................................. 79
Figure 48: BackTrack 4’s Setup SSHD option ......................................................... 80
Figure 49: Resetting root’s password using passwd ................................................. 81
Figure 50: Fiducial marker for Cisco Ethernet switch .............................................. 82
Figure 51: Question 1 .............................................................................................. 83
Figure 52: Question 2 .............................................................................................. 84
Figure 53: Question 3 .............................................................................................. 84
Figure 54: Question 4 .............................................................................................. 85
Figure 55: Questions 5 thru 8 .................................................................................. 86
Figure 56: Question 9 .............................................................................................. 87
Figure 57: Question 11 ............................................................................................ 87
Figure 58: Question 13 ............................................................................................ 87
Figure 59: Question 15 ............................................................................................ 87
Figure 60: Question 17 ............................................................................................ 87
Figure 61: Question 19 ............................................................................................ 88
Chapter 1. INTRODUCTION
The project reviews the development of Mixed Realities (MR), and the potential benefits
also presents a framework and experimental prototype for an Augmented Reality (AR) interface to network management and security data, and an evaluation of the framework.
This chapter presents the project scope, the problem statement, and the proposed ap-
1.1 Scope
This work attempts to bridge the fields of Augmented Reality (AR) and Network Manage-
relating to physical Network Access Devices (NADs) for hands-on network management and security incident response. This will be achieved through a framework for an AR interface for coupling Network Management and Security data with physical NADs within
focus upon coupling of network management and security data to physical assets, and will not be a full implementation of the framework. Evaluation of the framework will include user testing of the prototype within an experimental network using a number of scenarios,
Network Management Systems (NMSs) and Security Information and Event Management (SIEM) systems are primarily presented in windowed Graphic User Interfaces (GUIs) or Virtual Reality (VR) simulations. NMSs are typically focused upon controlling, monitoring, alerting and reporting upon the link and flow state of NADs (Haggerty & Seetharaman 1998, p. 73 – 74), whilst SIEM systems are typically used to manage and correlate data (Kent 2006, p. 3-2) from sources not associated with traditional network management. SIEMs focus upon event data from perimeter enforcement points (e.g. firewalls), hosts,
When NADs are local to operational personnel, it is common that data required to support
to interpret. Such information is traditionally presented via UI types that inherently distance operatives from the physical network infrastructure. Users tend more to the management systems, instead of to the physical infrastructure. In order to provide more value for NMS and SIEM data as a tool, a different approach to presenting the data is required.
1.3 Approach
This project reviews the fields of MR and network management research, and aims to
of AR interfaces for viewing network management and security data in relation to physical network infrastructure. This framework consists of the design of an AR solution which can retrieve data from multiple sources via standard protocols, and create virtual incarnations of data overlaid on to a live video stream to augment the NADs. Figure 1 depicts the approach taken for the execution of the project, including the design, development, and evaluation phases.
The methodology used reflected the project’s focus upon Human-Computer-Reality interaction, and consists of a modular design which supports distributed components, multiple data sources and managed delivery. Design choices in the framework were driven by the results and analysis of a preliminary survey which was used to collect data regarding op-
Experimental prototyping is used to implement a proof of concept installation of the framework, in order to conduct an evaluation of the framework. The prototype was tested through a process of functional testing using various states of network management data. An evaluation of the framework was conducted through an on-line survey which consisted of interactive attack simulation scenarios using a freely available NMS, and the prototype AR Network Management and Security software. Data from this evaluation was used to measure the effectiveness of the proposed framework and identify areas of improvement.
1.4 Outcome
The scholarly contributions of this project consist of the presented framework for an AR
for network management and security. The framework is demonstrated through the evaluation of an experimental prototype. The prototype has been used to confirm that physical NADs can be augmented with network management and security data to assist in the diagnosis and remediation of faults, illustrating the benefits of reducing complexity and the divide between logical information and physical presence in data-centres and process areas. This paradigm change in network management and security interfaces can assist first responders in identifying and handling incidents, whilst maintaining
This dissertation document is organised as follows. The next chapter, Chapter 2 – Background and review of literature presents a review of network management and security and of existing MR paradigms focusing on AR. Also, related academic work, and the cur-
analysis and design provides an analysis of the preliminary survey, and details of the pro-
the design of the experimental prototype, and the implementation of the prototype in an isolated development network. Chapter 5 – Results and evaluation presents an analysis of the framework evaluation survey results and feedback from users. Finally, Chapter 6 – Conclusions details the summary of the project, including identified gaps in the framework
The appendices are organised as follows. Appendix A – Preliminary Survey details the questions posed in the preliminary survey, and the results of the survey. This is followed by Appendix B – Set-up of the Evaluation Environment, which details the configuration of the isolated evaluation network. Finally, Appendix C – Framework Evaluation Survey details the questions posed in the evaluation survey, and the results of the evaluation.
The next chapter presents a literature review of existing research in the fields of MR and network management, a summary of related work, and a review of the current state of
Chapter 2. BACKGROUND AND REVIEW OF LITERATURE
This chapter presents a review of the development of the AR interface paradigm, inherent benefits for the realm of network management and security, and a discussion on network
(1994, p. 283). Figure 2 illustrates an RV continuum, in which one end of the continuum
incarnations. Whilst the opposing end of the continuum represents environments which
VR can be used to represent both data and virtual incarnations of physical objects (Conn et al. 1989, p. 7 – 8). However, because VR consists primarily of media presentation and little media input from reality, it fails to address the relationship between physical incarna-
term which was coined by Tom Caudell and David Mizell from Boeing (Höllerer & Feiner 2004, p. 3) and the term describes the use of media-based representation of data. Typi-
age, thereby augmenting the image or video stream with data which is not immediately physically apparent, yet can be contextually relevant. Because AR primarily takes input from the real world, and then applies media, it is a concept which is unique in that the process of coupling data to a physical incarnation is an inherent trait (Mackay 1998, p. 13)
Figure 3 presents four separate interface paradigms. Figure 3a represents a typical windowed GUI, in which the user interacts entirely through manipulating two-dimensional virtual incarnations. This level of interface does not take inputs from physical incarnations, and therefore does not perform coupling of incarnations, or present situation-based context. Rekimoto & Nagao (1995, p. 29) state “GUIs cannot deal with real world contexts, where the real world situation is less important.” This statement has lost value in the intervening time, as mobility has become ubiquitous; however the gap is still relevant, as even standard mobile computing draws user attention to the computer, and away from the
Figure 3b demonstrates a VR interface which encapsulates the user’s interaction with the real world (Rekimoto & Nagao 1995, p. 30). This isolation of the user’s senses from the real world can be addressed by implementing an Augmented Virtuality (AV) (Milgram &
Figure 3c illustrates ubiquitous computing, in which computers are prevalent in the real world (Weiser 1993), and interaction with the real world drives interaction with the integrated computers.
Finally, Figure 3d presents an AR in which the real world is viewed through the computer, which utilizes the real world as an input, which can then be augmented with data to create an output to be consumed by the user. The computer has become something in which the
Figure 3: A comparison of Human-Computer Interface (HCI) styles (Rekimoto & Nagao
1995, p. 30)
through using the real world as an input, changes the user experience of the real world.
digm. Brooks (1996, p. 64) described the inherent effect of an AR system as ‘Intelligence Amplification (IA)’. As AR can be used to complement reality with data that is typically
AR research primarily focuses upon applying visual elements in which to represent data or transform the perception of the physical incarnation. However, multiple senses can be
tactile stimulus can be used along-side visual stimulus; however additional points of human interaction will require specialised equipment (Azuma et al. 2001), further pushing an
2.2.1 Mobility
Ubiquitous mobile computing is a pre-requisite for the adoption level of AR as a viable alternate interface (Wagner 2007). In recent years, there has been convergence in the Personal Display Assistant (PDA) and Mobile Telephony fields which has yielded powerful mobile computing platforms which are also highly-connected using a multitude of wireless
Many of these consumer level devices – such as Apple’s iPhone and Google’s Android-based devices – now have AR capable applications available (Srinivasan et al. 2009), although tracking within these applications is commonly driven by Global Positioning System (GPS) and digital compass data. The common form-factor is similar to that presented
era. Such devices are used to create a form of ‘see-through interface’ (Bier et al. 1993), in which the user uses the device to sample both the AR interface, and reality (Wagner
gives the user a natural flexibility in choosing when and when not to view data. Using the device as a ‘cursor’ (Wagner 2007) to highlight a physical incarnation and then discarding
Development of handheld AR for common mobile devices has also become less burdensome, as frameworks and toolkits for both low and high level programming languages are
By its definition, an AR interface must combine the virtual with reality (Azuma 1997, p. 2).
not detract from the immersion of reality, but when displaying data, it must render it in a fashion which is noticeable and intuitive. Wagner (2007, p. 171) states “While it is tantalizing to create unique user interfaces that are optimal for the specific applications, it is more important to stick to the user interface conventions of the target device.” Whilst this statement referred to Operating System (OS) and User Interface (UI) widget variance between platforms, it also reflects that an interface for reality should be augmented in a consistent fashion.
Data in an AR can be expressed in a multitude of languages, at different levels of abstraction. The Extensible 3D (X3D) standard (Web3D n.d.) is an eXtensible Mark-up Language (XML) based standard draft, which supersedes the Virtual Reality Modelling Language (VRML). X3D can be used to describe virtual incarnations, by defining scene information such as placement of virtual objects, texture, colour, size, etc. Before rendering of virtual objects, network management and security data sources can be presented as a series of sensors and actuators (EEML.org 2008) through the use of the Extended Environments Markup Language (EEML). EEML is a schema which is used to describe sensor data format from physical or virtual incarnations (EEML.org 2008). EEML could be used as a data abstraction layer to provide vendor agnostic representation of data, prior to conver-
2.2.3 Tracking
In order for the AR application to determine where to overlay data in an image, the application must be able to determine the orientation, and positioning of the viewing device in relation to the target object. This location data must be sampled at an appropriate gradient (e.g., site, suite or network equipment rack) using a suited model (Mantoro & Johnson 2003, p. 47 – 53) in order to best determine the position of the user in relation to their sur-
Fiducial marker tracking is commonly used in handheld AR, when operating in a prepared environment, primarily because of the reduced CPU utilisation over other tracking techniques. Figure 4 shows three types of Fiducial markers (from left to right): the template marker, an ID marker which is used to represent 12 bits, and the DataMatrix ISO standard marker, which can represent dense patterns of data (Wagner 2007, p. 45).
Figure 4: Example of Fiducial markers from Wagner (2007, p. 45)
ISO DataMatrix markers as Fiducial markers in an AR for network management and security could be deployed as a dual-use label, as they are also used in some physical asset-tagging solutions for asset inventory. Wagner (2007, p. 16 – 18) demonstrates the
2.2.4 Collaboration
gral to a solution, whilst simultaneous assisted interaction can also take place. Fuhrmann et al. (1998) identifies the potential for increased collaboration through augmented realities; however the research focuses towards the VR end of the mixed reality spectrum.
asynchronous communication, in order to better handle sporadic network connectivity.
Wagner (2007) presents a similar framework called ‘Muddleware’, which uses an XML based communication component between clients and server, which can be used to cre-
for querying, and setting data and counters stored in network aware devices. The protocol
Abstract Syntax Notation One (ASN.1) namespace addressable Object Identifier (OID). Support is also provided for addressing OIDs in a more human readable format by using standard, vendor and device specific Management Information Base files (MIBs).
mation Protocol (CMIP) was a competing standard, and can also be utilised over TCP/IP (Warrier et al. 1990). However, CMIP did not gain the equivalent saturation as SNMP.
network topology, to application data and ad hoc peer-to-peer overlays (Pras et al. 2007, p. 105), and it is clear that one Human Interface paradigm will not be adequate for man-
Support Systems (BSS), to minutiae of individual NADs and data (and metadata) for Op-
centralized decision process as described in Greenberg et al. (2005) as the ‘4D Architecture’. The 4D Architecture defines four sub-planes of the control plane of the network. The sub-planes (as shown in Figure 5) are decision, dissemination, discovery, and data (Greenberg et al. 2005, p. 47). The Data sub-plane is the state capabilities of the network
discover logical connectivity (Yan et al. 2007, p. 2). This includes neighbour discovery protocols, and route discovery protocols. The Dissemination sub-plane is used for control and management data, which can originate from the decision sub-plane. Finally, the Decision sub-plane draws information from the discovery, and vicariously the data sub-
[Figure 5: The four sub-planes of the 4D Architecture. Labels shown: Decision, Dissemination, Discovery, Data, Intelligence]
tal to changing this limited form of management, but the effective visualization would require context and data from OSSs and BSSs. In order to reduce perceived complexity of network management data visualization (Maltz n.d.), layers of abstraction within the inter-
The current state of commercial NMSs and SIEM systems has moved from single access models, to rich applications, and now as Rich Internet Applications (RIAs). There are multiple drivers which have led to this state of affairs, most of which are commercially oriented. The requirement for remote support and mobile network engineers has contributed to zero-footprint tools in which no installation is required for the client. This in culmination with the rise (or return) to Software as a Service (SaaS) or Utility Computing has given web-based interfaces (including RIAs) an edge in reduced cost of ownership, and the ability to outsource infrastructure and operational support. SIM (Security Information
tual incarnation of a Cisco Ethernet switch as it is being monitored for unusual Media Ac-
Figure 7 demonstrates the similar web-based GUI of Nagios XI; this image illustrates the
Figure 8 shows an image of the physical incarnation of the ar_switch host shown in the previous examples, demonstrating that it is difficult to draw contextual meaning from the data displayed in the traditional Network Management GUIs when viewing the physical NAD.
Figure 8: Physical incarnation of ar_switch host
including: mobile telephones, games consoles, general use computers, and via applets delivered via the World-Wide Web (WWW). However, few of the popularised applications perform any useful commercial function such as data representation, and are primarily entertainment driven.
of physical components inherently prevent the ability to couple data and presence (Crutcher et al. 1993, p. 13). However, larger cross-continental networks do not solely exist at such an abstract layer. They are comprised of physical connections, and equip-
on them.
Crutcher et al. (1993, p. 5 – 7) concludes that a VR interface will provide more ‘direct control and observation’. However, both interfaces are capable of providing an equivalent level of direct control and observation, as neither effectively couples data to physical incarnations, and both couple data only to virtual incarnations (Mackay 1998, p. 13 – 14). This approach assumes that the human operative performs the coupling through a cognitive process. In order to execute this, the operative must be familiar with the network topology, and the physical devices. Within the use for network management and security, users are already isolated from the physical incarnation of their networks by traditional
AR couples both physical incarnations with virtual incarnations, and so would not isolate users from physical reality, but instead uses reality as a source of data. The use of augmented realities implies mobile technology; unlike typical NMSs. Freeing the users from interacting with a standard network management workstation (Fay 2004, p. 56) will enable
physical device which is considered to be data dense. As an example, whilst Harrop’s & Armitage’s (2006) representation of network and security events as in-game avatars functions well in a VR interface, it is unlikely to convert well to an AR platform for coupling incarnations. Similarly, not all network management and security data will suit to coupling
sum of components. For example, Maltz’s (n.d.) summarization metrics of complexity and reachability may be applicable to the network as a whole, but may not prove useful when coupled with individual NADs. The decision on applicability in the case of AR can be ad-
event data is a field which has not received significant study. With no agreed correct approach, and only examples of VR implementations (which seek to re-define reality as opposed to enhance reality), no formal foundation is set for effective ways of communicating
Identification and close to real-time visualization of unusual traffic is an emerging area in
with traffic trending and resource utilization, primarily for tactical and strategic planning (Pras et al. 2007, p. 106). There is also potential to improve upon collaboration through
Use of MRs for network management data has been the subject of a mixture of academic research, yet none specifically address the potential benefits of coupling virtual incarnations with physical incarnations (Jacquet, Bourda & Bellik 2007, p. 164) in order to facili-
VR GUIs for network management have been explored earlier. Crutcher et al. (1993) pre-
tions, which utilizes context in order to adjust visualization. Harrop & Armitage (2006) solve the requirements for specialist navigation capabilities by reducing complexity of the
ing implicit collaboration capabilities. Sterritt (2002) details the benefit of a human in correlating network events, including benefits of presence and ability to recognise patterns
Crutcher et al. (1993, p. 16) concluded with the observation “progress is rapid, and we believe that, by the end of this decade, for many applications, 3D graphics environments will supersede the 2D systems that are now in common use.” The replacement of one form of isolating interface with another is a prediction which did not come to fruition.
Fay (2004) reviewed the conceptual benefits of mobile Network Operations Centers utilizing AR network management and collaboration tools aboard U.S. naval ships. However, the assessment was purely conceptual and no functional prototype was evaluated. This research was also conducted during a period where hardware required for implementing an AR was still considered specialist hardware and therefore not widely available.
Jacquet, Bourda & Bellik (2007) provide a generic framework for addressing attributes
ronment, and include SNMP driven attributes; however, the research did not seek to draw data from existing NMSs, nor demonstrate the coupling of network management data with a physical incarnation.
This chapter presented the results of the literature search and review, including details of the current state of commercial UI interfaces for NMS and SIEM systems, and research
The next chapter presents the analysis of the preliminary survey, the design methodology
Chapter 3. FRAMEWORK ANALYSIS AND DESIGN
This chapter presents the proposed distributed framework for an AR capable network and
A sample of 33 subjects completed the preliminary survey which was directed towards Information and Communication Professionals (see Appendix A). The primary function of the preliminary survey was to gain better understanding in the installation base of NMSs
Subjects were surveyed in two areas of operational commitment: firstly, how many operational hours in their organization were spent using NMS and SIEM systems and performing hands-on physical work with NADs. Secondly, subjects were asked to categorize the hands-on physical work performed with NADs. These topics were selected to gain
and to also understand tasks performed outside of those systems. The task categories selected were tasks that could be assisted by network management and security data, and would therefore likely benefit from coupling of assets and data.
Figure 9 illustrates the distribution of hours (per month) between two operational categories; using NMS and SIEM systems, and performing physical tasks with NADs. From this
‘hands-on’ tasks. As notably more time is spent performing physical tasks, which the windowed GUIs of existing NMS and SIEM systems would inherently introduce separation between data and physical incarnations. This separation does not support that physical
Figure 9: Distribution of operational hours
curity tasks:
• De-commissioning Network Access Devices
Security Categories:
Figure 10 details the categorization given to the reported operational tasks that required
agement tasks consisted of 64% of operational tasks requiring physical access, whilst security tasks consisted of 31%, and other and unknown tasks at 5%. This demonstrates that security personnel also require physical access to NADs during investigation or incident response.
[Figure 10: Categorization of operational tasks requiring physical access. Categories shown: Commissioning Network Access Devices; De-commissioning Network Access Devices; Responding to suspected malicious …; Responding to unusual usage activity (not bandwidth related); Responding to unusual bandwidth utilization; Other]
Subjects were also surveyed upon which NMS and SIEM systems had been adopted at their place of work. The results assisted in identifying commonality for integration capabilities between the more common products. Figure 11 and Figure 12 show the installation base of the selected NMS and SIEM systems amongst the subjects. HP Network Man-
supports an XML capable Application Programming Interface (API) for integration with
HP Network Automation (NA), which provides an API that supports Simple Object Access
Figure 12: Security Information and Event Management system installation count
The results from the preliminary survey illustrate details on the division of operational
is evident that security data is an important source of information to the subjects. Important information was also gathered regarding the products which were being used by the subjects. The more popular commercial products identified have capable Application Programming Interfaces, which can be used to extract data for use in third-party systems, such as an AR interface.
In order to better equip network and security personnel in performing physical ‘hands-on’
tasks with NADs and reduce the gap between virtual and physical incarnations, the pro-
posed solution is to provide existing network and security data in a mobile and contextual
This framework converts data from existing management systems into virtual incarna-
face with which the user can view network management and security data, whilst in the
As the framework is designed to interface with existing network management and security systems, its function is comparable to those systems. Network management data such as physical port state and device state, which are available in traditional NMSs, will be available under this framework. Similarly, security data available from traditional SIEM systems will also be available using this framework. However, this framework will present the
The design methods used in the framework design reflect the project’s focus upon Hu-
straction between the multiple components. The design methodology used includes Uni-
a data-flow diagram describing data-interchange between components and sub-
Figure 13 illustrates both the function of the framework, and the framework’s AR interface with additional callouts to highlight each element. The environment depicted has been prepared using Fiducial ISO DataMatrix markers, and coloured cuboids are used to represent the state of Ethernet ports by augmenting the Registered Jack 45 (RJ45) connectors. The red cuboid acts as a virtual incarnation, representing an improper port state,
As illustrated in Figure 14, the user interface primarily consists of the display of the aug-
object. The user can ‘tap’ one of the virtual incarnations to display more detailed informa-
display as a 3D primitive.
viewing of reality through the AR interface, and the detection of Fiducial markers. Once a
Fiducial marker is detected, the connected management systems are queried for logical
(Use-case diagram: actor User; use cases “Display AR representation of incarnation” and “Activate virtual incarnation’s data”; «uses» and «extends» relationships)
3.4.1 Primitives
The primitives for the 3D objects used within the AR UI represent the various port connec-
tors available to NADs. For example, cuboids are used to represent the RJ45 connector.
This enables an alpha blended 3D object to be overlaid on the video stream, whilst mini-
mising the occlusion of physical data in the video stream. Table 1 details 3D primitives
as the RJ45.
Table 1: Primitive shapes and their associated meaning within the framework
Information from counters and sources which have more variance to data than a series of
states will be represented using graphs coupled with the corresponding connector. For
example, when viewing bytes received and bytes transmitted for an Ethernet switch port
the connector for that port will be augmented with a histogram primitive. The histogram
will consist of two bars, each representing bytes received and bytes transmitted. Table 2
dual data. For example, bytes in and bytes out will be rep-
chart.
Table 2: Primitive shapes and their associated meaning within the framework
As shown in Table 3, a ‘traffic light’ system of colouring has been adopted to represent
in a functioning state.
Table 3: Primitive colours and their associated meaning within the framework
3.5 Component Design
In order to interact with existing Network Management and Security Information Event Management systems, the framework proposed will consist of a number of interfaces. Figure 16 illustrates at a high level the distributed component interconnects in the framework.
The Fiducial Marker is captured by Visual Input, which is interpreted by the AR Viewer.
The AR Viewer then creates a Simple Object Access Protocol (SOAP) request for X3D
data from the AR Middleware. Upon receipt of the request, the AR Middleware then re-
quests XML data via a SOAP request to each of the connected management systems.
The response is then converted to virtual incarnations described as X3D content which is
fiducially prepared environment for device identification and tracking. It is a common practice in many organizations to already prepare environments for the purpose of financial asset tracking, and so adding Fiducial markers can be integrated into an existing asset
ISO DataMatrix markers offer enough variance to provide a unique identifier, which will be
used to associate the marker with the virtual incarnations of the device it represents. This
unique identifier should not be a new system, but an existing identifier such as, Partially
3.5.2 AR Viewer
The distributed nature of the framework will be beneficial to mobility, as data processing
logic will be implemented on a server platform, freeing up the mobile platform processing
resources.
The AR Viewer is a client component which takes video input, detects the presence and
orientation (in relation to the video camera angle) of Fiducial markers, then instigates a
Web Oriented Architecture (WOA) service call to request information regarding detected
markers. The response from the service call is then interpreted into virtual incarnations,
which are overlaid on to the video stream to produce the final visual output.
The initiating service call is a SOAP call to a web service (AR Middleware) which is pre-
sented using the Web Service Definition Language (WSDL). The response to this service
call will be formatted as X3D. The response solely includes 3D geometry data for the AR
Viewer to render. The AR Viewer is therefore reduced to a small amount of data process-
ing and logic, dependent upon responses from the AR Middleware component for instruc-
tions on the manner of rendering a 3D overlay to the video output. Figure 17 depicts a
dardised WOA service calls, it will be possible to deliver the AR Viewer using either a native code package or a mobile code package, permitting additional choice regarding the client platform.
must take into account factors dependent upon the deployment environment. These fac-
tors will include form-factor, mobility and connectivity. It is anticipated that a beneficial
platform is the next generation of tablet computing devices equipped with a video camera.
3.5.3 AR Middleware
The AR Middleware is a server component which receives requests for information from
the AR Viewer. These requests are simple in format and describe the unique identifier of
the asset, retrieved from the Fiducial marker as it came into view of the video camera.
The AR Middleware then initiates data requests to the associated third-party NMS and
SIEM systems using the most appropriate connectivity mechanism and Application Pro-
gramming Interface (API), as API specifications will be different between vendors. Based
upon the response from the management systems, the AR Middleware then selects a
configuration template, which matches the device model and hardware configuration. The
configuration template is used to map physical ports of the base NAD, and installed
The configuration template is then populated with virtual incarnations of the retrieved
data, and communicated back to the AR Viewer as a response to the initial request. The
AR Viewer then renders the virtual incarnations. In 4D Architecture terms, the AR Mid-
dleware is the Intelligence, which retrieves data via the Discovery plane, and then proc-
esses data to present in the Decision plane (Yan et al. 2007, p. 2).
component.
Figure 18: UML Statechart for AR Middleware
Figure 19 illustrates the data flow of the framework’s distributed components and the
Figure 19: Distributed component data flow, including a third-party Network Management
System
Transport for WOAs is provided using standard WWW protocols, such as the Hypertext
Transfer Protocol (HTTP) and Hypertext Transfer Protocol over Secure Socket Layer or
Transport Layer Security protocols (HTTPS). HTTPS will be used in the framework for
communication between the AR Viewer and AR Middleware, and – where available – be-
tween the AR Middleware and connected NMS and SIEM systems, as the protocol pro-
3.5.5 AR Viewer Identification and Authentication
Due to the coupling of the AR Viewer and AR Middleware components, it is imperative for uninterrupted operation that AR Viewer requests are made and serviced in a timely manner. This limitation also applies to the initial requests from connected NMS and SIEM systems, but not subsequent requests for the same devices, as responses can be cached by the AR Middleware.
important to the security of the system as NMS and SIEM data is sensitive and should
latency, which can be introduced through the cryptographic steps required for strong iden-
tification and authentication, the framework will use a form of token-based identification
and authentication.
The AR Viewer will connect to the AR Middleware, verify the X.509 certificate which is
presented via HTTPS, and then proceed to supply the AR Middleware with a salted hash
of a pre-shared key over the encrypted communications channel. Upon successful au-
thentication, the AR Middleware will return a reusable token, which the AR Middleware
This chapter presented the results of the preliminary survey and the proposed distributed
framework. The next chapter presents the design and implementation of the framework
prototype.
Chapter 4. PROTOTYPE DESIGN AND IMPLEMENTATION
This chapter presents the design and implementation of the experimental prototype of the
proposed framework.
4.1 Methodology
The prototype was developed using an exploratory and experimental prototyping ap-
proach, which supported the exploratory nature of the research, whilst allowing for further
4.2 Scope
AR interface to network management and security data. Therefore the prototype’s scope
does not cover the full framework, but is limited to a single use scenario and without inte-
In order to demonstrate the potential for the framework to contribute towards network
management and security, the prototype will implement an algorithm to detect ARP cache
poisoning attacks, and adjust the virtual incarnations to highlight the source of the attack.
Manwani (2003, p. 7) states that an ARP cache poisoning attack is “the act of introducing a specious IP-to-Ethernet address mapping in another host’s ARP cache.” This practice
4.3 Design
The prototype implements a focused use-case scenario, which is shown in Figure 20.
This use-case represents the ambient usage of the AR which includes: detection of Fidu-
cial markers, retrieving network management data, and displaying relevant virtual incar-
nations.
Figure 20: Use-Case for experimental prototype.
Figure 21 details the component inter-connections for the prototype. This is similar to the
framework’s inter-connections, except for two primary alterations: Instead of Simple Ob-
ject Access Protocol (SOAP) calls over HTTPS from the AR Viewer to the AR Middle-
ware, the prototype implements HTTP GET requests in order to query the AR Middle-
ware. There is also no integration with third-party NMS and SIEM systems; instead the
AR Middleware component performs SNMP get requests against the evaluation Ethernet
4.3.1 Environment
The development environment required a Fiducial marker. For the prototype, ARToolkit style ID markers were selected. The reasoning for this selection was that the tracking framework (FLARToolkit) natively supports ID markers and so their use would improve the rendering frame rate over alternatives. Also, marker variance was not required as the implementation would be limited in scale. The presence of an ID marker enables the FLARToolkit framework to track position and orientation information of the marker, and the associated NAD in relation to the position and orientation of the camera. By attaching these ID markers in specific positions, the 3D locations of the physical ports are assumed
When servicing the connection from the AR Viewer, the AR Middleware component
responds using arbitrary XML, which is then interpreted by the AR Viewer. The XML
response consists of parent elements for each physical port, and child elements which
are used to signal the AR Viewer to how they are to be rendered. The following XML
describes the state of a single port (port number 1) with instructions to render the virtual
<physicalports>
    <physicalport>
        <portnumber>1</portnumber>
        <red>1</red>
        <yellow>0</yellow>
        <green>0</green>
    </physicalport>
</physicalports>
4.4 Implementation
video capture and output, Fiducial marker tracking, and Representational State Transfer
(REST). Table 4 details the software packages and frameworks which were used in pro-
Table 4 (columns): Software Title | Description | Web Site
4.4.1 ActionScript3
ActionScript3 language was selected for the development of the AR Viewer component
based upon multiple factors. It has received wide community support for use in web-
AR frameworks for ActionScript3 also made the language suitable for rapid prototyping.
The Adobe Flex Software Development Kit (SDK) has also received support as a mobile
platform runtime for Rich Internet Applications (RIAs), and may be a deciding component
4.4.2 PHP: Hypertext Preprocessor
The PHP language was selected for the development of the AR Middleware component. PHP is well suited to handling HTTP requests that have been handed off by the web server and formatting suitable response headers and content. PHP translates scripts which are requested of a web server. Because of this, a network aware server process did not need
4.4.3 Hardware
In order to augment a physical incarnation such as a NAD, additional equipment was re-
(table columns): Hardware | Description
The Cisco 2900XL Ethernet switch represents the physical incarnations which were aug-
mented in the prototype. The device is also a source of network management data, ac-
4.5 Data
Due to the ‘real-time’ nature of the interface and the system, the network management
data used was state related, and so therefore was live data from the development envi-
ronment. For the single use nature of the prototype, two tables of information were used
in detecting ARP poisoning attacks. This data is related to the mapping of Internet Protocol (IP) addresses to Media Access Control (MAC) addresses, and determining which interface the MAC addresses were discovered on. Table 6 details the relevant SNMP Object
Table 6 (columns): MIB (OID) | Description
4.5.1 Algorithms
SNMP data from the ipNetToMediaTable and dot1dTpFdbTable are compared in order to determine the total occurrences of each MAC address from the ipNetToMediaTable against each MAC address reported by the dot1dTpFdbTable. The AR Middleware is responsible for processing network management data into an XML-based response for the AR Viewer.
The AR Middleware for the prototype identifies ARP Poisoning attacks using this algo-
When the matchCount is equal to 1, one match has been found between the ipNetToMe-
diaTable and dot1dTpFdbTable table. This is considered normal, and the output XML will
and will result in an amber virtual incarnation. Any value greater than 2 will result in a red
virtual incarnation. If additional hubs or switches were connected, their upstream ports
would also be represented as red virtual incarnations. However, in a single switch envi-
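The matchCount heuristic and the <physicalports> response described in this chapter, reconstructed as an added Python example (this is not the dissertation’s PHP middleware code). The SNMP table rows are constructed to mirror the Figure 24 scenario: the host on port 4 has poisoned two other hosts’ entries, and a further port carries two legitimate MAC addresses; encoding the “not displayed” state as all three colour flags set to 0 is an assumption.

```python
"""
Added worked example (not the dissertation's code): the prototype's ARP cache
poisoning heuristic and its XML response format, reconstructed from the text.
All SNMP table rows below are constructed sample data.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed rows in the shape of the two SNMP tables the prototype polls.
# ipNetToMediaTable (RFC 1213): the switch's ARP cache, IP -> MAC.
# dot1dTpFdbTable (BRIDGE-MIB): learned MAC -> bridge port.
ARP_TABLE = {  # ipNetToMediaNetAddress -> ipNetToMediaPhysAddress
    "10.0.0.1": "00:11:22:33:44:04",   # poisoned: victim IP now maps to port 4's MAC
    "10.0.0.2": "00:11:22:33:44:04",   # poisoned
    "10.0.0.4": "00:11:22:33:44:04",   # the port 4 host's own entry
    "10.0.0.9": "00:11:22:33:44:09",   # normal host
    "10.0.0.10": "00:11:22:33:44:0a",  # server hosting a VM: two MACs on one port
    "10.0.0.11": "00:11:22:33:44:0b",
}
FDB_TABLE = {  # dot1dTpFdbAddress -> dot1dTpFdbPort
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 2,
    "00:11:22:33:44:04": 4,
    "00:11:22:33:44:09": 9,
    "00:11:22:33:44:0a": 12,
    "00:11:22:33:44:0b": 12,
}


def match_counts(arp_table, fdb_table):
    """Per bridge port, count ARP cache entries whose MAC was learned on that port.

    This is the prototype's matchCount. Every port present in the FDB gets an
    entry, so a port whose host has been poisoned out of the ARP cache shows 0.
    """
    counts = Counter({port: 0 for port in fdb_table.values()})
    for mac in arp_table.values():
        port = fdb_table.get(mac)
        if port is not None:  # a MAC the switch has not learned yet is skipped
            counts[port] += 1
    return dict(counts)


def classify(match_count):
    """Map matchCount to the (red, yellow, green) flags the AR Viewer expects.

    1 -> green (normal), 2 -> amber, >2 -> red, as stated in section 4.5.1.
    0 -> all flags off, rendered as a hidden incarnation (the exact encoding of
    the hidden state is an assumption; the text only says it is not displayed).
    """
    if match_count == 1:
        return (0, 0, 1)
    if match_count == 2:
        return (0, 1, 0)
    if match_count > 2:
        return (1, 0, 0)
    return (0, 0, 0)


def build_response(counts):
    """Serialise per-port flags in the <physicalports> format of section 4.3.1."""
    root = ET.Element("physicalports")
    for port in sorted(counts):
        red, yellow, green = classify(counts[port])
        pp = ET.SubElement(root, "physicalport")
        ET.SubElement(pp, "portnumber").text = str(port)
        ET.SubElement(pp, "red").text = str(red)
        ET.SubElement(pp, "yellow").text = str(yellow)
        ET.SubElement(pp, "green").text = str(green)
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """The AR Viewer side: step through each <physicalport> and read its flags."""
    flags = {}
    for pp in ET.fromstring(xml_text).findall("physicalport"):
        port = int(pp.findtext("portnumber"))
        flags[port] = tuple(int(pp.findtext(c)) for c in ("red", "yellow", "green"))
    return flags


def suspect_ports(arp_table, fdb_table):
    """Ports the middleware would paint red: candidate ARP poisoning sources."""
    return sorted(p for p, n in match_counts(arp_table, fdb_table).items() if n > 2)


if __name__ == "__main__":
    xml_out = build_response(match_counts(ARP_TABLE, FDB_TABLE))
    print(xml_out)
    print("red ports:", suspect_ports(ARP_TABLE, FDB_TABLE))
```

Port 12, with two legitimate MAC addresses, is painted amber by the same rule that flags a one-target attack, the ambiguity the evaluation met with the server hosting two virtual machines: the heuristic cannot distinguish a multi-homed host from a poisoning source without further context.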
The AR Middleware XML response is interpreted by the AR Viewer component, once the response has been loaded into a data structure. The AR Viewer steps through each physical port element within the XML and alters the virtual incarnation of the corresponding port in order to change its material and visibility. In this manner, virtual incarnations are re-used and only materials are modified. This bolsters frame rate and responsiveness, as destroying and re-creating cuboids would be a more intensive process. This algorithm
Figure 22 illustrates the functioning interface of the AR Viewer. Two ‘green’ virtual incar-
nations are showing, representing each of the two connections which are also shown in
the video stream output of the UI. Clearly visible and affixed on the left of the Ethernet
Figure 22: Prototype UI displaying two virtual incarnations
Figure 23 demonstrates the state of the virtual incarnations in the event of an ARP cache poisoning attack from one host against the other. As the host connected to Ethernet port 4 is now registering two MAC addresses, the virtual incarnation has changed colour to indicate unusual behaviour. Ethernet port 9’s virtual incarnation is no longer displayed, as the state data relating to the IP address to MAC address relationship is no longer associated
Figure 24 depicts the same host attacking two other hosts on the switch. As Ethernet port
4 now has three MAC addresses associated with it, the virtual incarnation has become
In order to develop the experimental prototype, it was necessary to execute both the AR
Ethernet switch state data was also generated to facilitate testing. Table 7 lists the addi-
tional platform components which were required to host the AR Middleware component.
Because the AR Viewer is delivered as a compiled Adobe Flash file, any Flash capable
The TurnKey Linux LAMP distribution is available as a VMWare image, and is prepared with the LAMP applications Linux, Apache, MySQL and PHP, and therefore required very little configuration (see Appendix B). Figure 25 illustrates the topology of the development network.
The next chapter presents the implementation of the experimental prototype within an
Chapter 5. EVALUATION AND RESULTS
This chapter presents the method of functional testing by using attack simulations, and
illustrates the topology of the network, which is an extension of the existing development
network. The development network was extended by the introduction of 4 additional client
devices. Server Computer, Client Computer and Cisco Ethernet LAN Switch. These de-
vices held the same base set-up and configuration state previously used in the develop-
ment environment. State data from these additional devices led to the creation and dis-
play of more virtual incarnations, and also allowed for flexibility in launching simulated
5.1.1 Additional Software
In order to utilize the additional client computers and to launch attack simulations in which
to test the experimental prototype, additional software was required. Table 8 details the
dual-use cracking and auditing tools. The clients were booted from a ‘live’ Digital Versatile
Disc (DVD) of BackTrack 4. CactiEZ is a freely available traditional NMS that is also dis-
performing ARP cache poisoning attacks. Ettercap was used to simulate attacks
In order to test the experimental prototype, different states were introduced into the
evaluation environment. These states consisted of normal running state, and simulated
All the devices connected to the evaluation network were booted, and executing their
normal components. Figure 27 depicts the normal idle state as observed by viewing the
Ethernet switch through the AR Viewer application. It should be noted that Port 2x’s vir-
tual incarnation is depicted in an attack state because the server connected to this port
was hosting two virtual machines, therefore accounting for three MAC addresses.
Figure 27: Augmented reality interface depicting normal network state.
In order to test the prototype’s functional capacity to detect and highlight ARP cache poisoning attacks, ARP cache poisoning attacks were conducted to generate appropriate state data. These attack simulations comprised targeted attacks, in which selected hosts were attacked, and untargeted attacks, in which all hosts were attacked simultaneously.
Clients used Ettercap to simulate attacks. The command line switches used were ‘-T’, ‘-q’ and ‘-M arp:remote’. ‘-T’ instructs Ettercap to only present a text interface, whilst ‘-q’ suppresses packet dump output to the console. Finally, ‘-M arp:remote’ specifies that the
Figure 28 illustrates the state of the AR interface during an attack simulation. Client 4 is performing an attack against clients 1 to 3. Note that client 4’s virtual incarnation has become red, whilst the virtual incarnations of client 1 to 3’s Ethernet ports have disappeared
In order to conduct this simulation, Ettercap was evoked using the following command on
Figure 29 details the interface during another attack simulation. Client 4 is performing an
attack against client 1. Note that as client 4 is only attacking one other host, only two
MAC addresses will have been discovered on the corresponding port, and so the virtual
In order to conduct this simulation, Ettercap was called using the following command on
Figure 30 shows the interface during a simulated attack scenario. Client 4 is performing an attack against clients 1 to 3, whilst client 3 is performing an attack against clients 1, 2, and 4. Client 4’s attack simulation was executed using the command:
As two attacks were occurring simultaneously, the Ethernet switch only retained state
data for the last attack to execute. Only Client 3’s attack data is shown.
Figure 30: Attack from multiple sources against all other clients.
Finally, an untargeted attack was executed from Client 2, using the command:
This attack attempted to target all discovered network hosts, including the AR Middleware and AR Viewer hosts. Figure 31 shows that, as Client 2 was poisoning entries for all hosts, no state data was available for any port other than Client 2’s port.
Figure 31: Untargeted attack from single source against all other hosts.
The evaluation of the framework was conducted via monitoring usage of the experimental
prototype under controlled conditions. This evaluation consisted of three sections and
responses were recorded using an on-line survey which subjects completed (see Appen-
dix D.) Time measurements were also taken as part of a set of interactive scenarios. All
subjects were familiar with Ethernet switches as they were all Information and Communi-
10 subjects participated in the framework evaluation. They were presented with an elec-
tronic form of consent to inform the subject of evaluation monitoring, and capture the sub-
ject’s permission to monitor the evaluation. The form captured basic subject information
and network management and security systems used, as well as the type of operational
tasks which required physical hands-on access to NADs, which they performed.
Subjects were questioned on their use of NMSs and SIEM systems. Figure 32 and Figure
33 illustrate the installation base for each commercially available suite selected. These
results show a high percentage of subjects didn’t know which NMS and SIEM systems
be introduced by the subjects which were more familiar with Control Systems, other than
generic Information Technology systems. With this understanding the results may repre-
‘hands-on’ access to NADs. Using the high level categorization which was defined in the analysis of the preliminary survey results (see Chapter 3), the categories of physical tasks were divided up into network management tasks and security tasks. Figure 34 shows that 81% of the tasks selected were network management related, whilst only 16%
Figure 34: Categories of physical tasks (Network Management 81%, Security 16%)
This demonstrates that a majority of the subjects were primarily experienced in diagnosis
Boolean states (connected / disconnected). Whereas security related tasks were repre-
This suggests that subjects may respond well to the simple data representation in the
Subjects were provided with access to a freely available traditional network management interface using CactiEZ, and the AR prototype interface, in order to monitor the Cisco
Ethernet LAN switch in the evaluation network. At an adjusted random time and without
notification, the Evaluation Administrator introduced ARP cache poisoning attacks origi-
nating from different selected clients. Subjects were timed between introduction of the
attack, and their acknowledgement of the attack, with a limit placed at three minutes after
introduction of the attack. The subject’s identification of the source of the attack was also
recorded. Each group of simulations consisted of one simulation using the traditional
Network Management interface, and three simulations using the AR prototype interface.
none of the subjects were able to identify that an attack was initiated, nor identify a sus-
pected Ethernet port which the attack was originating from. Most subjects continued to
investigate for the full 3 minutes; one gave up, and expressed frustration before continu-
ing with the evaluation. This simulation led some subjects, at the end of the evaluation, to
express disbelief that it was possible to complete the simulation with the traditional Net-
work Management interface. The solution to the simulation was then presented for these
subjects.
order to monitor the Cisco Ethernet LAN switch to detect the attack and identify the sus-
pected Ethernet port which the attack was originating from. All subjects attained at least
one correct identification of the origin of the attack, and all simulations were responded to
within the allotted 3 minutes each. 70% of the subjects achieved a correct identification of
all 3 simulations. Figure 35 details the frequency of correct identifications per subject.
Figure 35: Correct Identifications Using AR Prototype (bar chart; x-axis: number of correct identifications, 0 to 3; y-axis: Subjects, 0 to 7)
87% of all simulations conducted with the AR prototype interface were successfully diagnosed with the correct originating Ethernet port. The average response time recorded for detecting that the attack had been introduced was 21.08 seconds, with a low of 3 seconds, and a high of 82 seconds. Figure 36 illustrates the frequency of detection times re-
Figure 36: Frequency of detection times (bar chart; y-axis: Simulations; series: Correct Identification, Incorrect Identification)
Subjects were also surveyed in order to gather qualitative information from their percep-
tions and experience of the evaluation process. The survey included areas of framework
improvement and additional functionality that the subjects felt would be useful.
using the AR framework, and the remaining 30% noted “some improvement”.
The additional comments garnered in response to this question provided insight in to the
• “Very easy to identify the originating port of the attack. Easy to see when the at-
• “Much the simpler than wading through complex switch interface sogtware [sic]”
One subject highlighted an issue with the prototype implementation and its sensitivity to lighting conditions: “Lighting dependent and no legend for red/green identification”. This was an intermittent issue with the AR toolkits, which was aggravated by changing ambient light conditions. This resulted in symptoms such as slow Fiducial marker detection, virtual incarnations not correctly aligned with the Fiducial marker, and dark areas of the image being misidentified as the Fiducial marker, which resulted in virtual incarnations appearing
The comment also suggested a legend for further explanation of the primitives used. The
request for further information via a point of reference was a common trend throughout all
of the feedback. One subject noted, “Graphical representation needs some key for interpretation; given that I would expect the framework to improve troubleshooting.” Thereby
One in-depth comment was, “Simple up/down or red/green indications lead engineers
quickly to the cause of an incident, but there are many tools which give a graphical repre-
sentation of a device with similar outputs that reduce the requirement for additional hard-
ware. The comparison during the evaluation of a full management platform to a [sic]
up/down indication is not as fair comparison. In our organisation we use use [sic] an ex-
tensive tool (Spectrum) that can again provide up/down indication via a simple interface
that is comparable to this tool. Although having a real time interface that can be used to
positive point, as a support group we do hold some pictures of equipment but this quickly
go out of date and are not reliable.” This comment embodies a discussion point raised
during the Literature Search and Review that AR could assist in Network Management
when physical incarnations are within view of the user, yet the Human-Computer-Reality
interface paradigm of AR does not suit the use of network management of geographically
dispersed networks from a central point. The benefits of AR to on-site collaboration and
One subject noted that the framework did not require experience in order to facilitate de-
tection and diagnosis of the attack, unlike the traditional NMS, “With almost no experience
with the standard tool I was unable to identify and attack. The framework improved this
considerably”. One subject stated that the effect was, “Obvious and immediate.”
5.3.3.2 Does the framework effectively couple logical data with physical presence?
All subjects observed a positive effect in using virtual incarnations coupled with physical
incarnations. 50% stated there was “very effective coupling”, and 50% stated there was
• “The graphics over lay on the physical switch makes is very easy to relate with
These comments highlight that the coupling was effective, as it was easy to identify the
simulated attack Ethernet ports. These comments also suggest that the primitives used
One subject stated, “Yes, real time and up to date,” demonstrating that effective coupling is not merely a matter of over-laying logical data on to a physical incarnation, but that the timeliness of the ephemeral state data is also important to the subject for effective coupling.
An issue with the prototype was raised with the comment “Small issue regarding the
counting of port number because of perspective view and no reference (grey blocks)
when fault occurred.” This issue was likely to be induced by the form-factor the prototype
was presented in and the limited visual definition of the prototype. Had the prototype been
presented in a handheld format this subject may have felt it easier to switch between the
AR and reality more quickly, using data from the AR and reality in the simulations.
“significant improvement” using the framework, 30% thought “some improvement”, whilst 10% anticipated “no improvement”. This shows that, overall, subjects thought the framework would be a beneficial tool to deploy for additional network management functionality.
Figure 37: Would the framework improve your network management environment? (Significant improvement 60%, Some improvement 30%, No improvement 10%)
comments:
• “It [the framework] would help reduce the risk of people making physical errors
like patching.”
• “Simplified attack detection”
• “As I have very little experience with SNMP tools the graphical alert would im-
This demonstrates a crossover area between NMS functionality and SIEM, where availability of a service resides in the interests of effective network management, and is also a key tenet of security. The framework could also be considered a valuable interface for Intru-
agement tools.”
shows that 30% of subjects noted that the framework would show “significant improvement” and 50% noted “some improvement”, and finally 20% registered “no improvement.”
Figure 38: Would the framework improve your Security Information and Event Management environment? (Significant improvement 30%, Some improvement 50%, No improvement 20%)
• “Would need to understand the capabilities of the tool. Simple up/down indications require less skilled staff to monitor items and make escalations based on simple status.”
• “Would need to see how this data can be linked and correlated with other data sources.”
These comments denote some uncertainty with the extent of the framework and the po-
also highlight additional areas in which the framework could contain explicit definition. For example, correlation of attack data is normally one role of a SIEM system, and so therefore would not be a function performed by the framework. However, correlation of attack data in association with physical incarnations and collaboration with other framework users could be an area of potential extension to the framework.
• “The port status overlay makes it very easy to spot attacking ports or suspected ports.”
• “Simplified information and management environment”.
that registered “somewhat difficult” also received a 100% success rate in detecting attacks.
(Ease-of-use responses: very easy 50%, somewhat easy 40%.)
representation:
• “Visually intuitive.”
Two subjects also noted that additional information regarding the primitives used for data
• “No explanation of the on screen indicators was given, no ‘click here’ to see a de-
Whilst the framework did support context sensitive callout menus in the event that a user
interacts with a virtual incarnation, this function was not implemented in the prototype.
Finally, one subject commented, “Image jumped around”. This was an intermittent occurrence introduced during the simulations and was caused by multiple factors. The thresholds set regarding Fiducial marker tracking and changing ambient light levels were the primary cause. Additionally, the author noted a small amount of ‘drift’ in the positioning of the virtual incarnations which were furthest from the Fiducial marker, as errors in tracking
observations and potential improvements, which could not be categorised through previous questions. Two subjects again highlighted the benefits of providing additional information in regards to identifying the virtual incarnations, and explanation as to their state changes.
• “Once alerted, guidance/identification information for cause or error.”
form of attack, “I think It [sic] would be beneficial to be able to overlay virus worm attacks in the AR.” This form of usage would be possible if drawing information from an SIEM system, which in turn was receiving input from a managed Anti-Virus solution.
The attack simulations conducted with the AR prototype showed an average detection
time of 21.08 seconds and 87% of all attack simulations using the framework resulted in
correct identification of the source of the attack. None of the attack simulations conducted
provement through using the framework was also perceived by the subjects, with all 10
physical incarnations. 90% of subjects also recorded that the prototype was easy to use.
In regards to existing systems, 90% of subjects noted that the framework would improve a
Network Management environment, and 80% thought the framework would also improve
a SIEM environment.
The framework evaluation results were primarily positive for the framework, demonstrating that detection and accuracy of diagnosis of the ARP cache poisoning attack were significantly improved when compared to the traditional NMS which was also tested. Feedback suggested positive experiences for most subjects, as well as perceived potential for adoption and growth of the framework. One common theme that prevailed throughout the comments captured in multiple questions was the requirement for additional information, both ambient information and virtual incarnation-specific information. Additionally, it was noted that the AR framework not only reduced time to detect, but also yielded a high level
5.5 Chapter Summary
This chapter presented the configuration of the evaluation network and the process and
results from functional testing of the experimental prototype. This chapter also presented
the framework evaluation process, from initial questioning to attack simulations, and fi-
nally recording feedback from the subjects. Analysis of the evaluation was also given, and
demonstrated that the framework had a positive effect in aiding detection and identifica-
The next chapter presents the project conclusions, including lessons learned, future activ-
Chapter 6. CONCLUSIONS
This chapter presents the summary of the conclusions, and lessons learned. Suggestions
6.1 Conclusions
The primary conclusion is that the use of an AR interface for viewing network manage-
ment and security data, and coupling the data with physical components has demon-
strated benefits over two-dimensional windowed network management and security GUIs.
• Added value to extending existing NMSs and SIEM systems to include an AR in-
terface.
providing users, with little experience or training, a tool which enables them to still
Improvements in detection and identification are shown through the framework evaluation
by the measurement of subjects’ detection response times, and the accuracy of their di-
agnosis. This, along with evaluators’ comments, demonstrated that an AR interface for
beneficial to staff who access NADs physically, as opposed to via isolated (from reality)
traditional interfaces. Such a tool could be useful to staff in data centres and process net-
work installations.
Evaluators who specialised in industrial networking solutions, and had little generic Information and Communication Technology networking experience, noted the ease of use even with a lack of experience. The AR framework provided simple state information represented in a recognisable fashion, and coupled with the physical device to infer logical state against a physical presence. This trait circumvented the requirement to understand the scenario in order to diagnose the attack, and instead evaluators were provided em-
Subjects of the preliminary survey (see Chapter 3) spent 57% of network management
and security operational time performing hands-on tasks with NADs. The efficiency im-
operational commitment, including the potential for the framework to reduce the time
The prototype suffered from two key issues which became prevalent during evaluation.
The toolkits used were sensitive to changing ambient light conditions. In order to combat
this, ambient light levels were altered prior to each subject’s participation in the evalua-
tion. Such sensitivity would not be suitable in a production scenario, but may also have
toolkit. This issue may have also been avoided or minimised through the adjustment of
the thresholds set in the configuration of the selected AR toolkit after installation of the
evaluation network.
The second key issue was reduced accuracy in tracking the orientation of the Fiducial marker in relation to the camera. This was impacted by many factors, including ambient lighting and the resolution of processed images. The symptom witnessed by the tracking issue was the observation of ‘drift’ in tracker orientation, in which virtual incarnations would appear noticeably detached from their physical incarnations. This effect became more pronounced for the virtual incarnations of higher numbered Ethernet ports as they were a
Finally, the form factor proposed for presentation of the framework was that of a handheld device such as a tablet computer. However, the prototype was presented by using a webcam attached to a laptop. This choice was made partly due to the lack of availability of a commercial handheld or tablet device which supported full Adobe Flash 10 applications. Such devices are only now (at time of writing) becoming available with the release of the Android 2.2 OS. The use of the laptop and the webcam to work around this issue introduced a limitation to the interactive element during the evaluation of the framework. Subjects did not move the webcam, and so the viewing angle of the Cisco Ethernet switch remained static. This perhaps removed subjects from a level of interaction with the physical incarnation, by making the transition between an augmented and non-augmented reality unintuitive. This may have also been compounded by subjects responding to the evaluation survey from the same laptop on which the AR prototype was also executing.
The experimental prototype of the framework presented in this dissertation project utilised simplified primitives for data representation. There is potential for further work to be conducted on the effect of complex data representation, such as histograms, pie charts and traffic analysis, thereby providing additional NMS functionality to the AR interface. Also, complex data representation could be utilised to represent additional security data, such as Intrusion Detection System alerts or enterprise Anti-Virus console activity. Additionally, there is potential for an investigation of the possible benefits of utilising animations
For example, Ethernet ports that are associated with the source and destination of a TCP stream could be coupled to each other through animated representation of the traffic flow.
In order to resolve the ‘drift’ issue observed with virtual incarnations furthest from the origin of the 3D scene, it is the author’s opinion that multiple tracking and identification techniques may be combined in order to complement each other. For example, the ISO DataMatrix Fiducial marker could be utilised for asset identification and placement of origin, whilst Natural Feature Tracking (NFT) (Neumann & You 1999, pp. 53–54) could simultaneously be applied to determine the location of Ethernet ports and other physical incarnations on the identified device. The data utilised for the NFT could be dynamically assigned from the device template, specified by data encoded in the Fiducial marker.
Collaboration featured as a prominent subject in the results from the framework evalua-
tion survey. A number of subjects commented on the potential to direct on-site resources.
By ‘tagging’ ports from a centralized GUI, on-site resources could use the AR interface to
physically identify and work with the tagged port. This form of collaboration could be be-
tween a traditional windowed GUI for the centralized Operations Centre, and the AR inter-
faces at remote data centres. Collaboration could be bi-directional, and could also include
Centre. It is the author’s opinion that there is potential for further research in the field of
Finally, as handheld devices which support Adobe Flash 10 are now available, with Adobe Flash 10 capable tablet devices coming soon, it is the author’s opinion that there is potential for additional research to assess the benefits of the form factor upon the framework. Additionally, there is potential for research into the effect that the handheld and tablet form factors may have upon collaboration in data centres and process networks.
6.4 Summary
The framework presented and evaluated has been shown to potentially have considerable benefits in providing data relating to physical NADs for hands-on network management and security incident response, through the coupling of logical data – represented as virtual incarnations – with physical incarnations. This effect was noted by the evaluation subjects, who all successfully detected and identified the source of at least one attack simulation when using the prototype. This was also demonstrated by the comments garnered from the evaluation subjects, which were mostly positive, and highlighted the potential of the framework to perhaps provide additional benefits when coupled with existing
REFERENCES CITED
Al-Shaer, E., Greenberg, A., Kalmanek, C., Maltz, D.A., Ng, T.S.E. & Xie, G.G. (2009) 'New frontiers in internet network management', ACM SIGCOMM Computer Communication Review, vol. 39, no. 5, pp. 37-39. D.O.I.: 10.1145/1629607.1629615
Azuma, R.T. (1997) 'A Survey of Augmented Reality', Presence: Teleoperators and Virtual Environments, vol. 6, no. 4, pp. 355-385. CiteSeerX: 10.1.1.35.5387
Azuma, R.T., Baillot, Y., Behringer, R., Feiner, S., Julier, S. & MacIntyre, B. (2001) 'Recent advances in augmented reality', IEEE Computer Graphics and Applications, vol. 21, no. 6, pp. 34-47, Nov/Dec 2001. D.O.I.: 10.1109/38.963459
Bier, E.A., Stone, M.C., Pier, K., Buxton, W. & DeRose, T.D. (1993) 'Toolglass and magic lenses: the see-through interface', in Proceedings of the 20th annual conference on Computer graphics and interactive techniques, ACM New York, NY, USA, Anaheim, CA, pp. 73-80.
Brooks, F.P. (1996) 'The computer scientist as toolsmith II', Communications of the ACM, vol. 39, no. 3, pp. 61-68. D.O.I.: 10.1145/227234.227243
Brown, D., Julier, S., Baillot, Y. & Livingston, M.A. (2003) 'An Event-Based Data Distribution Mechanism for Collaborative Mobile Augmented Reality and Virtual Environments', in Proceedings of the IEEE Virtual Reality 2003, IEEE Computer Society, Washington, DC, USA.
Cisco Systems, Inc. (n.d.) 'User Guide for Cisco Security MARS Local Controller, Release 4.2.x - Cisco Security MARS XML API Reference', Cisco Systems, Inc. [Online]. Available from: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.2/user/guide/local_controller/appxml.html (Accessed 21st May 2010).
Conn, C., Lanier, J., Minsky, M., Fisher, S. & Druin, A. (1989) 'Virtual environments and interactivity: windows to the future', ACM SIGGRAPH Computer Graphics, vol. 23, no. 5, pp. 7-18. D.O.I.: 10.1145/77277.77278
Crutcher, L.A., Lazar, A.A., Feiner, S.K. & Zhou, M. (1993) 'Management of Broadband Networks Using a 3D Virtual World', IEEE Parallel and Distributed Technology, pp. 1-25. CiteSeerX: 10.1.1.44.9612
Fay, J.J. (2004) 'Transforming Fleet Network Operations With Collaborative Decision Support And Augmented Reality Technologies', Postgraduate thesis, Naval Postgraduate School, United States of America.
Frye, R., Levi, D., Routhier, S. & Wijnen, B. (2003) 'Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework', Internet Engineering Task Force [Online]. Available from: http://datatracker.ietf.org/doc/rfc3584/ (Accessed 26th March 2010).
Greenberg, A., Hjalmtysson, G., Maltz, D.A., Myers, A., Rexford, J., Xie, G., Yan, H., Zhan, J. & Zhang, H. (2005) 'A clean slate 4D approach to network control and management', ACM SIGCOMM Computer Communication Review, vol. 35, no. 5, pp. 41-54. D.O.I.: 10.1145/1096536.1096541
Haggerty, P. & Seetharaman, K. (1998) 'The benefits of CORBA-based network management', Communications of the ACM, vol. 41, no. 10, pp. 73-79. D.O.I.: 10.1145/286238.286250
Harrop, W. & Armitage, G. (2006) 'Real-time collaborative network monitoring and control using 3D game engines for representation and interaction', in Proceedings of the 3rd international workshop on Visualization for computer security, ACM New York, NY, USA, Alexandria, Virginia, USA, pp. 31-40.
Höllerer, T.H. & Feiner, S.K. (2004) 'Mobile Augmented Reality' in Telegeoinformatics: Location-Based Computing and Services, eds H. Karimi & A. Hammad, Taylor & Francis Books Ltd.
Jacquet, C., Bourda, Y. & Bellik, Y. (2007) 'A Component-Based Platform for Accessing Context in Ubiquitous Computing Applications', Journal of Ubiquitous Computing and Intelligence, vol. 1, no. 2, pp. 163-173. D.O.I.: 10.1166/juci.2007.205
Kent, K. & Souppaya, M. (2006) 'Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology', National Institute of Standards and Technology [Online]. Available from: http://cs-www.ncsl.nist.gov/publications/nistpubs/800-92/SP800-92.pdf (Accessed 12th July 2010).
Mackay, W.E. (1998) 'Augmented reality: linking real and virtual worlds: a new paradigm for interacting with computers', in Proceedings of the working conference on Advanced visual interfaces, ACM New York, NY, USA, L'Aquila, Italy, pp. 13-21.
Mantoro, T. & Johnson, C. (2003) 'User Mobility Model in an Active Office' in Lecture Notes in Computer Science, Springer Berlin, Heidelberg, pp. 42-55.
Manwani, S. (2003) 'ARP Cache Poisoning Detection and Prevention', Master of Computer Science thesis, San Jose State University, United States of America.
Milgram, P., Takemura, H., Utsumi, A. & Kishino, F. (1994) 'Augmented Reality: A Class of Displays on the Reality-Virtuality Continuum', SPIE, vol. 2351, pp. 282-292. CiteSeerX: 10.1.1.83.6861
Milgram, P. & Kishino, F. (1994) 'A Taxonomy of Mixed Reality Visual Displays', IEICE Transactions on Information Systems, vol. E77-D, no. 12, pp. 1-15. CiteSeerX: 10.1.1.102.4646
Neumann, U. & You, S. (1999) 'Natural feature tracking for augmented reality', IEEE Transactions on Multimedia, vol. 1, no. 1, pp. 53-64, Mar 1999. D.O.I.: 10.1109/6046.748171
Nicolett, M. & Kavanagh, K.M. (2009) 'Magic Quadrant for Security Information and Event Management', Gartner, pp. 1-22.
Pras, A., Schonwalder, J., Burgess, M., Festor, O., Perez, G.M., Stadler, R. & Stiller, B. (2007) 'Key research challenges in network management', IEEE Communications Magazine, vol. 45, no. 10, pp. 104-110. D.O.I.: 10.1109/MCOM.2007.4342832
Rekimoto, J. & Nagao, K. (1995) 'The world through the computer: computer augmented interaction with real world environments', in Proceedings of the 8th annual ACM symposium on User interface and software technology, ACM New York, NY, USA, Pittsburgh, Pennsylvania, United States, pp. 29-36.
Srinivasan, S., Fang, Z., Iyer, R., Zhang, S., Epsig, M., Newell, D., Cermak, D., Wu, Y., Kozintsev, I. & Haussecker, H. (2009) 'Performance Characterization and Optimization of Mobile Augmented Reality on Handheld Platforms', IISWC '09: Proceedings of the 2009 IEEE International Symposium on Workload Characterization (IISWC), pp. 128-137. D.O.I.: 10.1109/IISWC.2009.5306788
Wang, Y., Langlotz, T., Billinghurst, M. & Bell, T. (n.d.) 'An Authoring Tool for Mobile Phone AR Environments', Human Interface Technology Laboratory New Zealand [Online]. Available from: http://www.hitlabnz.org/publications/2009-Mobile_phone_AR_environments_final.pdf (Accessed 21st March 2010).
Warrier, U., Besaw, L., LaBarre, L. & Handspicker, B. (1990) 'The Common Management Information Services and Protocols for the Internet (CMOT and CMIP)', Internet Engineering Task Force [Online]. Available from: http://datatracker.ietf.org/doc/rfc1189/ (Accessed 26th March 2010).
Weiser, M. (1993) 'Ubiquitous Computing', Computer, vol. 26, no. 10, pp. 71-72, Oct. 1993. D.O.I.: 10.1109/2.237456
Yan, H., Maltz, D.A., Ng, T.S.E., Gogineni, H., Zhang, H. & Cai, Z. (2007) 'Tesseract: A 4D Network Control Plane', in Proceedings of USENIX Symposium on Networked Systems Design and Implementation, Carnegie Mellon: School of Computing Science.
APPENDICES
A.1 Briefing
Your participation in this preliminary survey is entirely voluntary, and you are free to withdraw at any time. By completing this survey you are giving consent for the responses submitted to be used in this research, and only for assisting in the design of a framework
Please also be aware that your data will be handled in a secure manner, and no personally identifiable or confidential information will be included in any of the research. Your E-Mail address will not be published, and is optionally supplied only if you would like to be notified when the final dissertation report has been published, or in the event that an open evaluation of the prototype is deemed appropriate and you would like to receive notification.
This is a brief preliminary survey designed to assist in gathering information detailing the
usage of Network Management and Security Information and Event Management Sys-
This survey forms a part of my research dissertation, which itself is a part of my study
towards a Master of Science Degree (M.Sc.) in Computer Security. The estimated time to
complete this survey is two to five minutes. Your participation is much appreciated.
http://sgiz.mobi/s3/ba70c61ac949
A.2 Questions
This information can be used to affirm the selection of communication and data inter-
Responses will assist in understanding the commitment of time spent tending to physical
NADs.
Figure 45: Question 6
This information will be used to categorise the activities which require physical intervention in Data Centres or Process networks. This will assist in understanding the scenarios which may benefit from an AR interface, and drive decisions on possible primitives.
A.3 De-Briefing
Thank you for taking this survey. Your response is very important and will provide further
insight for this piece of research. Please do encourage your professional Information and
http://sgiz.mobi/s3/ba70c61ac949
A.4 Results
Preliminary Survey Results.xlsx
Appendix B. SET-UP OF THE EVALUATION ENVIRONMENT
http://www.turnkeylinux.org/lamp
Figure 46 illustrates the configuration console of the Turnkey Linux installation. A static IP
PHP’s SNMP libraries, which are not installed by default. In order to install this required library, a full package update was performed and then the php5-snmp package was installed:
apt-get update
apt-get install php5-snmp
The Apache Web Server daemon was then restarted using the following command:
/etc/init.d/apache2 restart
Finally the AR Middleware was installed to the Apache Web Server’s Document Root directory:
/var/www/
ARViewer.swf
ar_middleware.php
includes/
dot1dTpFdbTable-class.php
ipNetToMediaTable-class.php
snmp-include.php
mibs/
BRIDGE-MIB
RFC1213-MIB
templates/
ws-c2924c-xl-class.php
resources/
assets/
vi-material-black-50.png
vi-material-green-50.png
vi-material-red-50.png
vi-material-yellow-50.png
flar/
ARViewer_flarConfig.xml
FLARCameraParams.dat
patterns/
pat8/
patt001.pat
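The two classes under includes/ name the SNMP tables the middleware polls from the switch: the RFC1213-MIB ipNetToMediaTable (IP address to MAC address) and the BRIDGE-MIB dot1dTpFdbTable (MAC address to bridge port). Joining them is what lets a logical ARP entry be coloured onto a physical Ethernet port. The following is an added example written for this page, not the dissertation's PHP middleware or any code from the project: it performs that join in Python over constructed table snapshots and flags the indicators of an ARP cache poisoning attack. The two rules (an IP whose MAC changes between polls, and one MAC answering for more than one IP), the function names and the sample addresses are the editor's assumptions; the page does not state which rule the prototype applied.

```python
"""ARP cache poisoning indicators from SNMP table snapshots (added example).

Joins two snapshots of the RFC1213-MIB ipNetToMediaTable (IP -> MAC) with the
BRIDGE-MIB dot1dTpFdbTable (MAC -> bridge port) so that a suspect MAC can be
tied to the switch port it was learned on. The two heuristics are the editor's
assumption, not a rule taken from the dissertation.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form; agents return hex in varied styles."""
    digits = mac.lower().replace("-", ":").replace(".", ":")
    return ":".join(part.zfill(2) for part in digits.split(":"))


@dataclass
class Suspect:
    mac: str
    port: Optional[int]                 # dot1dTpFdbPort, None if not in the FDB
    reasons: list[str] = field(default_factory=list)


def find_suspects(before: dict[str, str], after: dict[str, str],
                  fdb: dict[str, int]) -> list[Suspect]:
    """Return suspect MACs (sorted by MAC) from two ARP snapshots and an FDB.

    before/after: ipNetToMediaNetAddress -> ipNetToMediaPhysAddress
    fdb:          dot1dTpFdbAddress -> dot1dTpFdbPort (learned entries only)
    """
    fdb_norm = {norm_mac(m): p for m, p in fdb.items()}
    reasons: dict[str, list[str]] = defaultdict(list)

    # Heuristic 1: an IP already known from the previous poll now resolves
    # to a different MAC. Blame the MAC that took the address over.
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and norm_mac(old) != norm_mac(mac):
            reasons[norm_mac(mac)].append(
                f"{ip} moved from {norm_mac(old)} to {norm_mac(mac)}")

    # Heuristic 2: one MAC claims more than one IP in the latest snapshot.
    ips_by_mac: dict[str, set[str]] = defaultdict(set)
    for ip, mac in after.items():
        ips_by_mac[norm_mac(mac)].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            reasons[mac].append(
                f"claims {len(ips)} IPs: {', '.join(sorted(ips))}")

    # Tie each suspect MAC to the bridge port the switch learned it on.
    return [Suspect(mac=m, port=fdb_norm.get(m), reasons=r)
            for m, r in sorted(reasons.items())]


# Constructed sample data for the example; not captured from the evaluation
# network. The attacker on port 7 takes over the gateway's IP between polls.
ARP_BEFORE = {
    "192.168.1.1":  "00:1a:2b:3c:4d:01",   # gateway
    "192.168.1.10": "00:1a:2b:3c:4d:10",   # client
    "192.168.1.20": "00:0c:29:ab:cd:ef",   # attacker's own address
}
ARP_AFTER = {
    "192.168.1.1":  "00:0c:29:ab:cd:ef",   # gateway IP now answered by attacker
    "192.168.1.10": "00:1a:2b:3c:4d:10",
    "192.168.1.20": "00:0c:29:ab:cd:ef",
}
FDB = {  # dot1dTpFdbAddress -> dot1dTpFdbPort
    "00:1a:2b:3c:4d:01": 1,
    "00:1a:2b:3c:4d:10": 5,
    "00:0c:29:ab:cd:ef": 7,
}


def demo() -> list[Suspect]:
    """Run the detection over the constructed snapshots."""
    return find_suspects(ARP_BEFORE, ARP_AFTER, FDB)


if __name__ == "__main__":
    for s in demo():
        print(f"port {s.port}: {s.mac} -> " + "; ".join(s.reasons))
```

Two caveats for anyone reproducing this against a real switch. dot1dTpFdbPort is a bridge port number, not an ifIndex; map it through the BRIDGE-MIB dot1dBasePortIfIndex column before labelling a physical port. And a switch only holds ARP entries for addresses it has itself resolved on the management VLAN, so heuristic 1 fires only if the switch's own cache is poisoned; heuristic 2, read from the clients' ARP caches or from ARP traffic, is the more general indicator.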
A separate virtual machine with a CactiEZ installation was used to provide access to a
freely available Network Management interface, which is accessible via a web browser.
However, the MAC Track plug-in for CactiEZ which was used to detect the ARP cache
poisoning attack simulations does not function in v0.6 without some adjustments. The
following commands were executed on the CactiEZ virtual machine in order to obtain a
functional plug-in.
First, the database tables relating to the MAC Track plug-in required upgrading. This was performed with:
php /var/www/html/plugins/mactrack/database_upgrade.php
Then a new version of the MAC Track plug-in from the project’s Subversion repository
was required. This was obtained and installed using the following commands:
cd ~/
svn co svn://svn.cacti.net/cacti_plugins/mactrack
rm -rf /var/www/html/plugins/mactrack
mv mactrack/2.8 /var/www/html/plugins/mactrack
reboot
Finally, in order to facilitate the fast data polling required for the attack simulation, the polling process was executed in a continual loop via the console using the following commands:
-f -d; done
The attack simulation clients were booted using a ‘live’ BackTrack 4 DVD. This penetration testing centric distribution of GNU/Linux includes the Ettercap tool, which was used to create Address Resolution Protocol (ARP) cache poisoning attacks. Once each of the four attack simulation clients was fully booted, some additional configuration was required. First, the window manager and desktop manager were executed using the command:
startx
Then the network interface card modules were configured and the associated networking processes were started by using the “Start NETWORK” option, as shown in Figure 47.
Figure 47: BackTrack 4’s Start NETWORK option
In order to remotely administer the attack simulation clients from the central server for the purpose of initiating the attacks, each client required that the Secure Shell Daemon (SSHD) be configured and started. This was performed by using the “Setup SSHD” op-
Finally, in order for the Secure Shell Daemon to authenticate root logins via the network,
root’s authentication tokens must be updated. This can be performed by resetting root’s
The AR Viewer client is a mobile Adobe Flash applet, which will execute on any OS which
supports Adobe Flash. For the evaluation network, the AR Viewer was executing on a
standard Microsoft Windows XP SP3 laptop with the Adobe Flash Player installed, and
The final preparation required was to create a Fiducial marker for the Cisco Ethernet
switch. The stock AR Tag marker pattern depicted in Figure 50 was printed on to hard
card. The Fiducial marker measured 40 millimetres by 40 millimetres, and was then af-
Appendix C. FRAMEWORK EVALUATION SURVEY
C.1 Briefing
Your participation in this evaluation survey is entirely voluntary, and you are free to withdraw at any time. By completing this survey you are giving consent for the responses submitted to be used in this research.
Please also be aware that your data will be handled in a secure manner, and no personal
security.
This evaluation forms a part of my research dissertation, which itself is a part of my study
towards a Master of Science Degree (M.Sc.) in Computer Security. The estimated time to
C.2 Questions
This information will assist in determining if respondents have expectations of the frame-
This information will assist in understanding the scenarios which individual subjects determine are important, which may affect how they perceive the single purpose experimen-
Functional testing consists of a simulated attack being introduced into the evaluation network from a client selected at random. Subjects are then provided with an interface to network management data to assist them in identifying the occurrence of the attack, and to determine the source of the attack. Question 5 is answered whilst using the traditional Network Management tool, and questions 6 to 8 are answered whilst using the AR prototype.
Figure 55: Questions 5 to 8
The time between initiating the attack and the subject detecting the attack is recorded. Also, the subject is queried upon identifying the source of the attack.
In total, four interactive tests are used to determine an average degree of accuracy and timeliness in the subjects’ responses, and to analyse differences in timings between the
Subjects are surveyed upon their experience in using the prototype of the framework in order to garner their opinions on the effect the framework had upon diagnosing and identifying the attack and the source of the attack. Each category of questioning is posed in pairs of
C.6 De-Briefing
Thank you for taking this survey. Your response is very important and will provide further insight for this piece of research.
C.7 Results
Framework Evaluation Results.xlsx