Understanding expert analysis patterns is important for improving analyst workflows. Experts in the field of cyber analysis work with applications that use multiple coordinated views to allow for data exploration. We are working toward an approach to visually understand expert usage patterns from interacting with multiple coordinate view systems. By visually reformulating the user’s rationale, we can better understand how different types of data are used together and how to improve the design of analysis tools. The aim of our work is to visually summarize analysts’ complex interactions and strategies employed and present usage behavior in a contextualized manner to support meta-analysis of analysis patterns. We are exploring visual designs (Figure 1) that involve not only a user’s logged interactions but also their eye movement and data coverage.
We conducted a user study with 10 participants (all computer science students with a basic understanding of networks) to collect data on how they analyzed a multidimensional data set. The test scenario used the VAST 2009 MC1 dataset, which involves a cyber security scenario with network data combined with information about analyst workstations. For our test scenario, we created a simple visual analysis application (Figure 2) that allowed users to explore the dataset. We gave each participant the broad task of flagging any activity that they thought was suspicious with the provided backstory--an insider at an embassy trying to exfiltrate data to an outside criminal organization. Each session lasted approximately 90 minutes followed by a short interview to better understand participants’ various trains of thought. We hosted our application on a desktop with a 1920 x 1080 resolution and logged various user interactions such as mouseenter, click, and brush. We also tracked user eye movement and recorded their screen and audio. Participants were also asked to think aloud while undergoing their task. We have anonymized and uploaded the data collected for open use.