Ian Ardouin-Fumat

Overview / Process

What do botnets tell us when given a voice? Specimen Box is a research tool that lets us explore the personality of those malware networks.

Microsoft DCU tasked the Office for Creative Research with exploring the organic structures and behaviors uncovered by observing millions of zombie computers. The resulting application is an interactive, audiovisual installation living in Microsoft’s Cybercrime Center.

Design Lead and Processing Dev Lead with The OCR, for Microsoft Cybercrime Unit.

Press: Wired

02/28/2014

Finding each botnet's voice

If Specimen Box's interface was designed to show off the colorful nature of botnet activity, it also meant to give them a voice. The sonification of Specimen Box was composed by Ben Rubin, assisted by Ellery Royson.

When inactive, the app stands on the Board View, which gives a broad vision of botnet activity all over the world. Each botnet is assigned its own musical instrument, composing a larger ensemble of cyber threats all over the world. The slight variations in the importance of these instruments over time give a sense of the evolution of this landscape, as some botnets gain in importance or gradually die off.

The portrait mode gives a more granular sense of each botnet's personality. The sweeping motion of the interface is translated musically as the botnet communications are read as varying pitches. If visualizing botnets can be compared to studying birds feathers' colors, sonifying them is like listening to their chirping.

02/25/2014

An interface like in a sci-fi starship

As we dived deep in understanding botnets and their behaviors, the need to portray each network as a unique entity became apparent. We designed Specimen Box as an interface to help Microsoft giving a voice to botnets and reveal their unique character. I set out to create an interface that would facilitate that exploration.

The application was designed to take its aesthetic cues from a mix of obvious movie references (War Games, Minority Report) and petri dish imagery. We build the interface as a specimen box, where each botnet was pinned down for us to study.

Given the final product of our collaboration with Microsoft was going to live on a massive Perceptive Pixel touch screen, we gave special attention to creating an interface leveraging touch interactions. The set of gestures designed for this application facilitates the exploration of botnet activity through time and space.

In the process of documenting touch interactions

Besides an interactive experience, the application also features a 'daydreaming mode' that navigates within the complex landscape of botnet activity, and reveal new patterns autonomously as the installation constantly ingests new data. That way, the installation could be experienced by Microsoft researchers as an ambiant information display, part of their daily work environment.

Funnily enough, Wired Magazine described the interface as "fit for a sci-fi starship." Mission accomplished.

02/14/2014

Getting our hands dirty with malware data

The initial phase of the project was very prolific, as we gathered a team of coders, statisticians and music composers to look at the data provided to us by Microsoft. In the matter of a couple weeks each team member came up with a number of quick prototypes taking a stab at various aspects of the data: periodicity, language, network dynamics, etc... A first breakthrough came from OCR co-founder Jer Thorp's contribution: a botnet "portrait" based on its activity over time across all infected IPs.

A botnet portrait, graphing time (radius) and infected IPs (circumference), shows communication patterns for an entire day

These portraits revealed intricate details about the structures and behaviors of each network. The variations in their size and activity translated into equally diverse patterns. The visual form of several botnets—including Waledac, a favorite of mine— reminded us of Tron-like graphics, as they revealed complex hierarchichal structures.

Co-worker Noa Younse took this initial visualization further by developing a number of algorithms sorting IP activity with other metrics, such as geo-location and behavior similarity. His experiments allowed us to generate new portraits that reflected the deeper mechanics of each botnet and their hierarchies.

This research helped us defining an overall concept for our work with Microsoft. We now had to define how to interact with it.

02/01/2014

What's a botnet?

Microsoft Cybercrime Unit is a group operating in Redmond WA, fighting various cyberthreats in collaboration with the American government and foreign agencies. The threats they address range from counterfeiting to child trafficking networks, to botnet herding.

What is a botnet?

According to Wikipedia:
"A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another (C&C might be built into the botnet as P2P).[1] Botnets have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation."

Because of the pervasiveness of Windows products, Microsoft has been in a privileged position to address the threats caused by botnets. The DCU is based in Minority-Report-like offices, where investigators track online "bad guys" day and night from an evidence room. In an effort to communicate these efforts to the general public, they commissioned the Office for Creative Research to visualize botnet data.

Botnet activity across the world — Microsoft DCU

With this project, the Office for Creative Research was tasked to build an installation piece that would live in DCU's main space. It had to create a data visualization that would communicate botnet data in a creative, engaging way.

We set out to create an interactive piece that would not only show the inherent beauty of these complex systems, but also become a useful tool for researchers to explore botnets' organic behaviors.

The Cybercrime Center in Microsoft's headquarters — Microsoft DCU