The Use of a Game-based Interface for Home Network Security
Laura Pla Beltran, Madjid Merabti, Qi Shi
PROTECT: Research Centre for Critical Infrastructure Computer Technology and Protection School of Computing and Mathematical Sciences, Liverpool John Moores University
Liverpool, UK
[email protected], {M.Merabti, Q.Shi}@ljmu.ac.uk
Abstract – New technological advances go hand in hand with new security risks. With organisations and businesses becoming more aware of the importance of IS security and tightening their security measures, home users become an easier target for attackers. Home users are generally less aware of security issues or do not take interest in them. Often, there is also a conflict between security and usability, which tends to cause users to disregard security features as they interfere with their primary tasks. With the aim of addressing these issues and improving the overall security of home networks and systems, we propose the creation of a game-like interface that promotes home systems security by allowing users to understand their systems, make informed security decisions, and configure their security settings through game-play.
Keywords – network security; usability; game interface; security visualisation; home user.
I. INTRODUCTION
Information security is an area of knowledge which goes back a long time before the invention of computers. However, with technological advances and the pervasiveness of computing devices, it now poses a greater challenge than ever before.
With new technology developments and innovations, new vulnerabilities and risks appear. Moreover, many attackers use “old tricks with a new twist” [1, 2]. Information security is a fast-moving, dynamic field which poses great challenges as its application span extends and widens, and security should be preventive as well as corrective [1].
A number of factors can make computer security difficult to apply. The foremost reasons why security practices are not always being observed to the extent they should are users themselves and issues closely related to their views on and use of security, primarily awareness and usability.
Academic, government or industry ‘non-home’ users are usually forced by their organisations to learn about security threats and vulnerabilities, and enhance their skills and awareness in order to be able to protect their systems [3]. Home users, however, lack the enforcement by a third party or authority that compels them to be security-aware. Security issues can be bypassed if they wish to do so, making them more vulnerable to potential security breaches and attacks [4].
This paper provides an overview of the main barriers to computer security, specifically in the context of home environments, and proposes a solution using a game-based visualisation interface. Section 2 describes the challenges of protecting systems and networks, and the main reasons why security and usability are often in conflict. Existing attempts at using visualisation for security are highlighted in Section 3, followed by the use of game interfaces to convey this visualisation in Section 4. Section 5 draws the previous areas together by proposing the use of a game-based interface to visualise and protect home networks and systems. Finally, Section 6 summarises the ideas presented in this paper and presents a conclusion.
II. BACKGROUND
New technological advances come hand in hand with new risks. Additionally, organisations and businesses are tightening their security measures; this makes them less susceptible to attacks and translates into home users becoming an easier, more vulnerable target for attackers [4], [5]. Moreover, with the current “bring-your-own-device” culture in which users access work networks using their private devices (phone, tablet, etc.) [6], the importance of home users’ own systems and devices being secured is even greater.
A great majority of home users do not feel motivated to learn about security issues or understand them better. This suggests a lack of awareness of the importance of security in home systems [5]. There are also differences in the extent to which users feel responsible for the security of their systems. Some users consider security should not be their concern, but rather that of websites or software vendors, and claim to be victims of threats and attacks which other people should take care of [5, 6].
In [7], Furnell summarises the issues that might affect the application of security practices as perception (user’s view of security and threats), priority (given to security issues by a user), responsibility, confidence, capability and usability.
A. Raising Awareness
With the increasing growth of the number of threats and attacks, most large organisations have realised the importance of security and created training programmes for their employees. User security awareness for organisations poses numerous challenges. Furnell and Thomson point out how one of the main variables is the extent to which users understand, accept and apply security practices and “organisations need to recognise the level of security culture that exists within their environment and, where necessary, take steps to enhance it” [8].
However, most of the difficulties arising from security awareness concern primarily home users. The obligation to observe security practices does not exist in this domain, so those who are not particularly interested in learning about secure practices can easily bypass them [3].
B. Security v Usability
An aspect widely researched in the field of Computer Security is the relationship between the usability and security of a system. One of the main reasons why security features often conflict with systems and software usability is the fact that security issues are not considered during the systems requirement phase, but rather they are addressed once the development process has been completed [9]. Security should be part of an iterative design process to ensure that the end product is effective, usable and secure [10].
Although there is extensive research on interface design and usability, building applications that are both usable and secure still remains an issue. Most of the existing work in the field focuses on building usable applications but there is little research on how these applications can provide the user with user-help techniques to make security-related decisions; this is a very important point as most of these security decisions cannot be overturned, and an incorrect decision could wreak havoc in the system [11].
Security tools can be very useful if configured correctly, but configuration often poses a great challenge for users [12]. One of the main reasons why security is often disregarded or downplayed is the general attitude towards it; normally, users do not want to spend time configuring these tools or being interrupted from their primary task by security notifications and alerts.
User reactions can depend on numerous factors, such as trust in the system, attitude towards security, and issues related to the threat alert, namely amount and quality of information provided and context in which it is issued [12]. However, other factors also come into play, such as who owns the system, the consequences of a security attack, etc.
III. VISUALISATION OF COMPUTER SECURITY
The use of visualisation to monitor and control network traffic and events can be helpful, as sophisticated network security tools can overlook certain aspects that a human user could detect with a simple glance [13]. By representing the state of the network and related security features in a graphical manner, visualisation can help the user understand the system he or she is monitoring, gather a picture of the current state, and detect any possible anomalies or suspicious behaviour.
Several network management tools, such as HP OpenView [14], provide a range of applications to enable network management, but they are aimed at professionals, and can be too complicated for most non-expert users [15]. Non-expert home users need to be able to get an idea of the security status of their network without the need to understand more complex concepts [17, 18]. A common problem for most home users, even advanced ones, is the lack of understanding of the network and its structure [17, 19]. If the user does not understand what is happening, he or she will have difficulty making security decisions. Poole et al. [15] observe how, despite there being a considerable body of research on the problems that home users face when tackling these issues, not much has been proposed in terms of solutions.
Additionally, there are several difficulties associated with existing tools for visualising security-related network traffic data. Issues with current visualisation tools include scalability, applicability, and presentation of data [18]. Additionally, usability and customisability also need to be considered. Some tools are very powerful but do not translate well when applied to home networks, as general users lack the deep understanding of technical concepts network administrators and other experts have. Our proposed solution will then need to be able to convey the complexity of the system in an easy-to-understand manner.
The main objective is therefore to provide a visual representation of the current state of the network and related security issues that is simple enough for non-expert users to be able to understand it and make security decisions accordingly without this simplification affecting the accuracy or comprehensiveness of the model.
Wong et al. [19] present a visualisation tool that is ‘expert-aware’, i.e. a tool that can adapt to users’ needs and level of expertise, and represent network security data in a manner that is easily understood by them. This tool could be further improved by the addition of a more innovative and engaging interface.
IV. GAME-LIKE INTERFACES
The widespread acceptance and engaging nature of games suggests other types of software could benefit from applying some of the game interface design principles. A pioneer in this area of research is Malone who, in [20], analysed the key features that make computer games so engaging and how these could be applied to interfaces of other types of software in order to make them more efficient, usable and enjoyable. Dyck et al. [21] point out how games interfaces and interaction paradigms are completely different to those of other types of programs; they have no restrictions regarding creativity, innovation and efficiency, and this is the reason why some of these techniques could be applied to conventional software user interfaces.
Moreover, in certain contexts of software use, motivation can pose a great challenge. Such is the case of computer-based repetitive work in certain areas of industry, in which dullness and boredom can result in workers’ decreased productivity. In these cases, the introduction of a fun, engaging interface could make workers feel more motivated and result in improved productivity and personal satisfaction [22].
Game interfaces tend to include features such as deep customizability [23, 25], difficulty-regulation strategies [24], fluid human-system interaction [21], metaphors [25, 27, 28], challenge [23], and promote collaboration and the creation of communities [21]. Other types of software could make use of some of these elements to enhance the user experience.
A common challenge when designing user interfaces is meeting the needs of both novice and expert users, who might have conflicting interests: advanced users will normally expect a rich interface with many options, whilst novice users will prefer things to be kept as simple as possible – games address this with difficulty-regulation strategies, which could be applied to non-gaming software [24].
The addition of only selected game-like elements, such as action or animations, to an otherwise non-game style interface, could result in these elements appearing out of place and inappropriate or condescending [27]. For this reason, we propose the use of a full game interface as opposed to the simple addition of individual features.
Another risk involves the user becoming too engrossed with the game and forgetting the primary objective. This can manifest itself in the cases of ‘modding’ existing games for non-gaming purposes, in which it is very difficult for the game to translate every aspect of the original application into a metaphor. Chao observes how some of the users of his psDoom game (a modification of the first-person shooter Doom to represent system administration) ignored the running processes metaphor and killed as many monsters (representing processes) as possible, rather than only those that needed to be killed, resulting in critical applications being stopped [27].
There are two possible approaches to the use of game interfaces for non-gaming software. The first is the creation from scratch of an interface that is game-like and adopts some of the aforementioned features to make the user experience not only effective but also more engaging and entertaining [28]. The second approach involves modifying an existing game interface to create an interface for another application. An example of this is Chao’s work, in which he modifies the Doom FPS game for use in system administration, obtaining excellent feedback from users who found the interface intuitive (and therefore easier to use) and engaging [25]. The use of existing game engines, particularly older ones, also presents a limitation in terms of visualisation of real-time events [29] as well as not having as much flexibility with regard to the game metaphor and features.
V. PROPOSED APPROACH
Furnell et al. [5] suggest two possible solutions to address the lack of understanding of their systems, security awareness and motivation of home users. The first involves increasing the security in the default settings of systems and removing part of the responsibility from the user by automating some of the decisions [4]. The alternative approach is to force users to take more responsibility for the security of their systems by compelling them to meet certain security requirements before their system can go online, i.e. enforcing security awareness [5]. Although some models have been proposed to raise awareness by means of enforcement [3], this approach would however need a change of security culture and the way users view these issues, which might not be realistic to expect from home users in the short term [5].
A new approach is therefore needed. A possibility could be getting users to learn about and use security in their systems without either forcing them to or doing it for them – it would involve finding a way of engaging users to take an interest in their systems’ security. This project aims to propose the design of a visualization model that depicts the current state of system security. The visualization will be conveyed via a game interface which will also receive input from the user and feed it back to the system to adjust the security settings. This presents several challenges:
- The creation of a model that provides an accurate representation of the system’s security status and chosen features. The interface must be able to act as a bridge between system and user, and must abstract the complexity of the former in order to present the user with an easy-to-understand yet thorough visualisation.
- The establishment of boundaries to which network security and behaviour is monitored, as well as which aspects need to be monitored in order to provide an accurate picture of the current system status.
- The creation of a game interface that attracts users with different levels of experience (both gamers and non-gamers), regardless of their security awareness knowledge.
- A game interface that enables not only the visualisation of data in real-time but also feeds actions back to the system and configures its security as the user plays the game, i.e. an interactive tool.
- Security itself. The tool should be effective enough to be able to enforce security measures based on user gameplay while allowing a margin for human error.
We propose the creation of a model that provides an accurate, real-time representation of the chosen system security features. This model will take the form of a game-based user interface which incorporates usability and playability principles, as well as the ability to process feedback and adjust security settings accordingly.
Consequently, we aim at bridging the gap between users and system security by allowing them to understand their systems and adjust these settings in an enjoyable, engaging manner. Therefore, network security visualisation is taken a step further by providing this visualisation through a game-like interface, which allows the user to not only observe the system state and detect any threats or anomalies, but also to react to it by means of gameplay, which will in turn make the appropriate changes to protect the system.
This presents a novel approach to user system security configuration. Although several projects have taken a similar approach [27, 31, 32], there is not much work focusing on the application of game-like interfaces to information systems security for home users. Inspired by Chao’s psDoom [25], our project not only develops this visualisation into a more complex game, but also allows the user to feed changes back into the system through gameplay, rather than just providing a passive visual representation.
At the PROTECT Centre [31], we are currently working on a project studying the use of a game-based interface for the management of critical infrastructure protection [32]. This paper attempts to apply this concept to the protection of networks instead of critical systems. The features, requirements and challenges are significantly different and will have to be addressed.
The majority of existing home network management tools are quite limited in terms of scope and do not consider the different levels of security, or the threat that new devices added to the network can create. We will take a system-of-systems approach to security that takes into account the security of boundary devices and their effect on the security of the overall network.
This interface will visualise network security data from a home network and incoming external traffic into it. The home network might be heterogeneous, containing different types of devices (from laptops or desktop PCs to mobile phones or even networked house appliances). The network status data will be transferred from these hosts to the network monitoring tool, and appropriately visualised by an icon in the game. Furthermore, external traffic captured by the router will also be represented. Any suspicious incoming traffic will appear in the game as a threat to which the user must react in order to protect the home network. For this, boundary checking will be used to ensure that any new devices connected to the network comply with the minimum security requirements and cannot compromise the network by presenting a vulnerable access point for possible exploitation. The game will allow the user to react to these changes and feed this back into the system via the game, resulting in the appropriate actions being taken to enforce security measures (Fig. 1).
Drawing from Njemanze et al. [33], the tool will initially consist of a module which collects firewall and IDS output in real-time and normalises it in a common format. Once security events are gathered, filtered and correlated, these alerts will be displayed to the user in order to be acted upon and protect the system. The filtering will decide which events are to be represented in the game as a possible threat. We will make use of a game interface to output these alerts to the user in real time. The user will then be prompted to take action by the game, and this will be translated into an action being performed in the home network or system (e.g. closing a port, updating firewall rules and access lists, changing the configuration of certain devices, etc.).
[Diagram labels: Internet; IDS; Firewall + Access Control; Home network; Game interface; Game (analysis, visualisation, system state/modification).
Agent module, alerts to game: read IDS + firewall alerts; normalise format (XML); parse and sort event data; output data to game.
Agent module, game to network: read game input; interpret feedback + make decision; route decision to appropriate device (e.g. activate firewall rule, kill process, etc.).]
Fig. 2. System architecture
As a starting point for our prototype, we have chosen the Snort intrusion detection system [34] and Windows Firewall on a Windows 7 environment. This initial prototype (Fig. 2) will consist of a manager module that will collect information from Snort alerts and a script that will normalise the output format and parse the relevant events in order to decide which of them are to be represented in the game. The final list of events will then be fed into the game, initially implemented on XNA [35]. Once the user has reacted to these security alerts by playing the game appropriately, these actions will be fed back into the manager module, which will then send the corresponding message to the relevant application for action (examples of this could include adding a new firewall rule, closing a port or denying access to a device).
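The alert-to-game and game-to-firewall path described above, sketched as an added example (not the authors' prototype code). It assumes Snort's "fast" alert line layout, a 192.168.1.0/24 home network, and hypothetical game action names close_door and lock_out; the netsh commands are only built, never run.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample input in Snort's "fast" alert layout (not real traffic).
SAMPLE_ALERTS = """\
08/28-12:34:56.789012  [**] [1:1000001:1] Constructed telnet login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.168.1.10:23
08/28-12:34:57.100200  [**] [1:1000001:1] Constructed telnet login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4445 -> 192.168.1.10:23
08/28-12:35:02.000001  [**] [1:1000002:1] Constructed ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.10
this line is not an alert
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:  # reject address-shaped text that is not a valid IPv4 address
        ipaddress.ip_address(ev["src"])
        ipaddress.ip_address(ev["dst"])
    except ValueError:
        return None
    ev["prio"] = int(ev["prio"])
    return ev

def normalise(text):
    """Normalise every recognisable alert into one <events> XML tree."""
    root = ET.Element("events")
    for line in text.splitlines():
        ev = parse_fast_alert(line)
        if ev is None:
            continue  # unparseable lines are skipped, never guessed at
        node = ET.SubElement(root, "event", sid=ev["sid"],
                             priority=str(ev["prio"]), protocol=ev["proto"])
        ET.SubElement(node, "message").text = ev["msg"]
        ET.SubElement(node, "source", ip=ev["src"], port=ev["sport"] or "")
        ET.SubElement(node, "target", ip=ev["dst"], port=ev["dport"] or "")
    return root

def select_threats(events, home_net="192.168.1.0/24", max_priority=2):
    """Filter and correlate: keep serious alerts aimed at home devices and
    merge repeats (same rule, source, device, port) into one game threat."""
    net = ipaddress.ip_network(home_net)
    threats = {}
    for node in events.iter("event"):
        src, tgt = node.find("source"), node.find("target")
        if int(node.get("priority")) > max_priority:  # 1 is most severe
            continue
        if ipaddress.ip_address(tgt.get("ip")) not in net:
            continue
        key = (node.get("sid"), src.get("ip"), tgt.get("ip"), tgt.get("port"))
        threat = threats.setdefault(key, {
            "sid": key[0], "src": key[1], "device": key[2], "port": key[3],
            "protocol": node.get("protocol"),
            "message": node.findtext("message"), "count": 0})
        threat["count"] += 1
    return list(threats.values())

def game_action_to_command(action, threat):
    """Translate a game action (hypothetical names) into a Windows Firewall
    command as an argv list. Values are re-validated before use because
    they originate from network-derived alert text."""
    base = ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=game-{action}-{int(threat['sid'])}", "dir=in", "action=block"]
    if action == "close_door":  # "closing the room door" = closing a port
        if not threat["port"] or threat["protocol"] not in ("TCP", "UDP"):
            raise ValueError("this threat has no port to close")
        return base + [f"protocol={threat['protocol']}",
                       f"localport={int(threat['port'])}"]
    if action == "lock_out":  # "locking the burglar out" = block the source
        return base + [f"remoteip={ipaddress.ip_address(threat['src'])}"]
    raise ValueError(f"unknown game action: {action}")
```

The rule is built for the Windows host that the manager module runs on; routing the same decision to another device would need that device's own interface.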
The user will log into the security game-based interface as soon as he or she connects to the network. If it is the first time this device attempts to connect to the home network, a policy check and virus scan will be run on it to ensure it meets the minimum security requirements. For this, we will develop a set of policies which can be modified by the user depending on the level of security desired.
Fig. 3. Prototype interface screenshot
If the device passes the test, the user will then be prompted to assign an avatar to it, in order for it to be represented in the game-based visualisation, and to facilitate future identification. Once the avatar is chosen and named, the device can then connect to the network.
The tool will run in the background until an alarm is raised. When this occurs, a pop-up will prompt the user to take action, in a similar way as an anti-virus program would do.
The game will initially represent a home and each networked device will be represented by a pet-like avatar (which the user can choose from a list of options). The avatars will be placed in the pertinent rooms in the house for easier identification (e.g. if Paul’s laptop is usually in his room, his chosen avatar of a cat will be placed in the bedroom).
When a threat is detected, it will be represented by a burglar avatar which, depending on the action, will be approaching, grabbing, or stealing the pet. The user will have to go to said room and choose an action to perform, including locking the burglar out (quarantine threat), closing the room door (closing a port), or hiding the pet in a box (disconnecting device), to name a few. The chosen action will translate into the pertinent action in the network (Fig. 3).
This prototype will then be further developed, and possibly include outputs from other types of network monitoring devices. Similarly, the game metaphor might need changes after being user tested.
VI. CONCLUSIONS AND FUTURE WORK
Information systems security presents a greater challenge than ever. With organisations investing more time and resources in protecting their systems, home users become a more vulnerable, easier target for attackers.
Certain aspects such as the lack of knowledge and awareness of the importance of security make home users particularly vulnerable. However, increasing user awareness is a great challenge, as is the creation of security tools that are both effective and usable.
Drawing from the idea of using a game-based visualisation, this paper proposes the use of a game interface that provides a visualisation of the home network and allows the user to understand, detect and react to observed events through game-play.
This addresses both the challenges of usability and awareness, as well as allowing users to understand their systems and networks before they are required to make security decisions.
Our future work will then focus on the development of the proposed tool, taking into consideration usability principles and choosing the most effective technique for real-time visualisation of network traffic and events.
REFERENCES
[1] M. T. Dlamini, J. H. P. Eloff, and M. M. Eloff, “Information security: The moving target,” Computers & Security, vol. 28, no. 3-4, pp. 189-198, May 2009.
[2] R. McMillan, “New Rootkit Uses Old Trick to Hide,” PC World, 2008.
[3] E. Kritzinger and S. H. von Solms, “Cyber security for home users: A new way of protection through awareness enforcement,” Computers & Security, pp. 1-8, Sep. 2010.
[4] S. Furnell, P. Bryant, and A. Phippen, “Assessing the security perceptions of personal Internet users,” Computers & Security, vol. 26, no. 5, pp. 410-417, Aug. 2007.
[5] S. Furnell, V. Tsaganidi, and A. Phippen, “Security beliefs and barriers for novice Internet users,” Computers & Security, vol. 27, no. 7-8, pp. 235-240, Dec. 2008.
[6] Sophos Group, “Security Threat Report 2012,” Boston, MA, United States, 2012.
[7] S. Furnell, “Jumping security hurdles,” Computer Fraud & Security, vol. 2010, no. 6, pp. 10-14, Jun. 2010.
[8] S. Furnell and K.-L. Thomson, “From culture to disobedience: Recognising the varying user acceptance of IT security,” Computer Fraud & Security, vol. 2009, no. 2, pp. 5-10, Feb. 2009.
[9] I. Flechais, M. A. Sasse, and S. Hailes, “Bringing security home: a process for developing secure and usable systems,” in Proceedings of the 2003 workshop on New security paradigms, 2003, pp. 49–57.
[10] K.-P. Yee, “Guidelines and Strategies for Secure Interaction Design,” in Security and Usability: Designing Secure Systems That People Can Use, L. F. Cranor and S. Garfinkel, Eds. O’Reilly Media, 2005, pp. 253-280.
[11] A. Herzog and N. Shahmehri, “User help techniques for usable security,” in Proceedings of the 1st ACM Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT), 2007, p. 11.
[12] N. Ben-Asher, J. Meyer, S. Möller, and R. Englert, “An Experimental System for Studying the Tradeoff between Usability and Security,” 2009 International Conference on Availability, Reliability and Security, pp. 882-887, Mar. 2009.
[13] D. Ferebee and D. Dasgupta, “Security Visualization Survey,” in Proceedings of the 12th Colloquium for Information Systems Security Education, 2008, pp. 119-126.
[14] Hewlett Packard, “HP OpenView.” 2010.
[15] E. S. Poole, M. Chetty, R. E. Grinter, and W. K. Edwards, “More than meets the eye: transforming the user experience of home network management,” in Proceedings of the 7th ACM conference on Designing interactive systems, 2008, pp. 455–464.
[16] C. P. Lee, J. Trost, N. Gibbs, R. Beyah, and J. A. Copeland, “Visual Firewall: Real-time Network Security Monitoring,” in IEEE Workshops on Visualization for Computer Security (VizSec’05), 2005, pp. 16-16.
[17] R. E. Grinter, W. K. Edwards, M. W. Newman, and N. Ducheneaut, “The work to make a home network work,” in ECSCW 2005, 2005, no. September, pp. 469–488.
[18] R. Ball, G. A. Fink, and C. North, “Home-Centric Visualization of Network Traffic for Security Administration,” in VizSEC/DMSEC’04, 2004.
[19] D. H.-T. Wong, K.-S. Chai, S. Ramadass, and N. Vavasseur, “Expert-Aware Approach: A New Approach to Improve Network Security Visualization Tool,” 2010 2nd International Conference on Computational Intelligence, Communication Systems and Networks, pp. 227-231, Jul. 2010.
[20] T. W. Malone, “Heuristics for Designing Enjoyable User Interfaces: Lessons from Computer Games,” in Conference on Human factors in computing systems, 1982, pp. 63-68.
[21] J. Dyck, D. Pinelle, B. Brown, and C. Gutwin, “Learning from Games: HCI Design Innovations in Entertainment Software,” in Graphics Interface, 2003, pp. 237-246.
[22] I. Kuramoto, K. Kashiwagi, Y. Shibuya, Y. Tsujino, and S. Ohtsuka, “How can entertainment improve workers’ motivation and their productivity?” New York, New York, USA: ACM Press, 2004, pp. 24-31.
[23] E. Kuts, “Playful User Interfaces: Literature Review and Model for Analysis,” in Breaking New Ground: Innovation in Games, Play, Practice and Theory. Proceedings of DiGRA 2009, 2009.
[24] J. Larson, “Out of the video arcade, into the office,” interactions, vol. 14, no. 1, p. 18, Jan. 2007.
[25] D. L. Chao, “Doom as an interface for process management,” in Proceedings of the SIGCHI conference on Human factors in computing systems - CHI ’01, 2001, no. 3, pp. 152-157.
[26] B. Shneiderman, “Designing for fun,” Interactions, vol. 11, no. 5, p. 48, Sep. 2004.
[27] D. L. Chao, “Computer games as interfaces,” interactions, vol. 11, no. 5, p. 71, Sep. 2004.
[28] K. Stubbs, “Kana no Senshi (Kana Warrior): A New Interface for Learning Japanese Characters,” Computing Systems, pp. 894-895, 2004.
[29] W. Harrop and G. Armitage, “Real-time collaborative network monitoring and control using 3D game engines for representation and interaction,” Proceedings of the 3rd international workshop on Visualization for computer security - VizSEC ’06. ACM Press, New York, New York, USA, p. 31, 2006.
[30] W. Harrop and G. Armitage, “Modifying first person shooter games to perform real time network monitoring and control tasks,” Proceedings of 5th ACM SIGCOMM workshop on Network and system support for games - NetGames ’06. ACM Press, New York, New York, USA, p. 10, 2006.
[31] “PROTECT: Research Centre for Critical Infrastructure Computer Technology and Protection,” 2012. [Online]. Available: http://www.protect-ci.org/.
[32] L. P. Beltran, M. Merabti, and Q. Shi, “Game-based Interface for Critical Infrastructure Protection,” in Proceedings of the 12th Annual Postgraduate Symposium on Convergence of Telecommunications, Networking and Broadcasting (PGNet 2011), 2011, pp. 193-197.
[33] H. S. Njemanze and P. S. Kothari, “Real Time Monitoring And Analysis Of Events From Multiple Network Security Devices,” U.S. Patent US 7376969 B1, 2008.
[34] M. Roesch, “Snort.” Sourcefire, 2011.
[35] Microsoft Corporation, “Microsoft XNA Game Studio.” Microsoft,