You are here

Reasoned Cyber Visualization (RC-Vis)


OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Advanced Computing and Software


The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.


OBJECTIVE: The objective of Reasoned Cyber Visualization (RC_Vis) is to develop semantic technology that drives generation of tiered visualizations of cyber defense coverage and interactions of defenses to enable assessment of cyber vulnerability with current and future tools.


DESCRIPTION: Information Technologies (IT) systems are woven into all aspects of our work and personal lives, raising the question of how we communicate IT concepts to all stakeholders. The task of securing our IT infrastructure falls to Security Operation Centers (SOC) who layer defenses such as security products, lockdown systems, inspect traffic on the network, and monitor operating systems via logs and antivirus to ensure a secure environment. These cyber security defenses are developed to address focused parts of the threat landscape. For example, antiviruses inspect a host operating system to ensure no known malware is running. Intrusion detection systems inspect network traffic to discover if the network in under attack. In the bazaar of cyber defensive tools, the interaction of defenses is not explicitly explored and the true scope of coverage from the collective set of defenses is not explicitly expressed or easily conveyed.


There currently is a gap in reasoning and visualizing how multiple cyber defenses interrelate at all points in the Open Systems Interconnection (OSI) model and the implications of known threats, e.g., Common Vulnerabilities and Exposures (CVE), to a SOC’s current security posture. In fact, cyber security tools lack the ability to

  • enumerate and consider the system wide effect (hardware to application layer) of their presences in the cyber ecosystem, and
  • extrapolate community knowledge from CVEs to illustrate a realistic assessment of current security gaps.

IT is part of the fabric of an organization and thus discussions of cyber risk tolerance inherently involve stakeholders with non-cyber backgrounds. In fact, what is needed is a Rosetta Stone to act as a bridge between disparate stakeholders.  


SOCs face a data ergonomics problem, in that they must relay the risks of the current cyber landscape in a clear and concise manner to a range of audiences, with a wide range of attributes affecting their ability to understand and appreciate the risk. Data ergonomics refers to the process of shaping data for comprehension of a particular target audience. Audience attributes include technical understanding, available time, level of patience, prior experience, sense of responsibility and bias.  Key to the SOC’s ability to deliver effective cyber communication to a range of audiences is a tiered visualization capability that is tailorable to audiences and based on their ability. 


Reasoned Cyber Visualization (RC-Vis) will address the cyber data ergonomics problem, communicating the state of the defensive ecosystem to a variety of stakeholders. RC-Vis is composed of three main technical challenges that address the data ergonomics problem 1) translate cyber defenses and known threats in to modular, intermediate semantic representation, 2) reason over this intermediate language discovering the interactions of defenses defining the current cyber landscape, and 3) create tiered visualizations to illustrate the cyber landscape in a way that accommodates audience ability to understand and appreciate cyber information framed by their experience.


1) Modular, intermediate semantic representation: In order to create our Rosetta Stone, the first translation from disparate cyber-SMEs and information sources must be into a common intermediate semantic representation. This common intermediate language will represent both the defensive and offensive capabilities, supporting both deductive and inductive reasoning approaches, and is the foundation of RC-Vis. It represents the current network, including defenses, and the known CVEs threats to enable collective reasoning. RC-Vis will develop an architecture to produce this modular intermediate semantic representation based on existing mathematical and/or logical symbolism sufficient for describing the functions and mechanisms of cyber systems and their interactions (e.g., predicate logic, Systems Modeling Language (SysML), etc.). Formal logic has shown value as an intermediate semantic

representation for information from disparate systems [1, 2]. In their approach, proposers should favor concise logically equivalent formulas, to reduce complexity when using constructive graphical representations. 


2) Reasoning about interactions of defenses and threats: Focusing our thoughts via our Rosetta Stone to interactions of defenses, RC-Vis will leverage the intermediate representation language to enable the discovery of defensive coverage against known threats, as well as the effect of new defenses and potential threats in the current landscape. Let us consider the example of a spear phishing email attack with an attached PDF file, this particular attack will interact with the email server application (e.g., Microsoft exchange server), the client application (e.g., outlook, web browser), the PDF reader (e.g., Adobe Acrobat), and many users. Each interaction is a potential attack surface (e.g., CVE-2023-21529 exchange server, CVE-2023-23397 Outlook, CVE-2023-26397 Adobe Acrobat Reader, and users via social engineering). The RC-Vis intermediate representation language must enable, via inductive and deductive reasoning, the discovery of defensive coverage against known threats as well as the effect of new defenses and potential threats on the current landscape.   


3) Tiered visualizations of reasoned data for disparate audiences: Creating tiered visualizations to illustrate the true cyber landscape and its impact to teach audiences ranging from cyber novice to expert presents two challenges; determining audience requirements for understanding and appreciating the information, and developing visualizations that are appropriately scoped based on audience requirements.  In order to teach we must consider the definition of learning; learning is a change in behavior based on experience. Let us consider a business with a legal, human resources, IT and accounting department. Legal and human resources might share the concern of personally identifiable information (PII) being leaked as a high threat, where the IT department would want the best equipment and the accounting department would want to ensure return on investment. Each department has a different technical level of expertise and needs information presented with respect to their concerns and experiences.   To address the technical challenge of creating tiered visualizations constructive methods (e.g., transforming intermediate modular language into three-dimensional Maya code) and machine learning based generative (text to image) models [3] should be explored. The granularity of information presented to the user should range from info-graphic, making a few proponent points, to retaining significant technical detail for SME consumption.  


Successful proposals will present a clear plan for conceptualizing, developing and delivering:

  • an architecture for producing a modular, intermediate semantic representation unifying cyber threat and defense information from disparate sources, based on existing mathematical and/or logical symbolism,
  • a methodology for reasoning over this representation to enable the discovery of defensive coverage against known threats, as well as the effect of new defenses and potential threats in the current landscape,
  • a constructive and/or generative approach for creating tiered visualizations of the reasoning output, for multiple audience types, and
  • a graphic user interface to create and tailor the tiered visualizations, taking as input audience experience definitions.


The focus for RC-Vis is on generating images from reasoning over cyber offensive and defensive data and not on new Human Subject Research. Therefore, proposals should leverage prior research in education and visualization effects on users.  


PHASE I: Phase I is a six-month, $250,000 effort that will result in the design of a semantic representation architecture and code, and prototype visualizations based on semantic representation Schedule / Milestones / Deliverables: Phase I fixed milestones for this program must include:

  • Months 1-5: Monthly report of technical progress, tasks accomplished, and tasks remaining
  • Month 3: Working technical demonstration of semantic architecture, presentation of prototype visualization concepts
  • Month 6: Final report of technical progress, final demonstration of semantic architecture, presentation of prototype visualizations


All proposals must include the following meetings in the proposed schedule and costs:

  • One-day kickoff meeting at DARPA in Arlington, VA


PHASE II: Phase II is a 24-month, $1.8M effort that will result in a full prototype that can generate both semantic and graphic representations, and can be transitioned or is commercially a minimum viable product. 


Schedule / Milestones / Deliverables: Phase II fixed milestones for this program must include:

  • Months 3, 6, 9, 12, 18, 21: Quarterly report of technical progress, tasks accomplished, and tasks remaining
  • Months 6, 12, 18: Working technical demonstrations of semantic and visualization architecture and user interface
  • Month 18: Draft user manual and installation CONOP
  • Month 24: Code for semantic and visualization architecture, final report of technical progress, final demonstration of semantic and visualization architecture and user interface, final user manual and installation CONOP 


All proposals must include the following meetings in the proposed schedule and costs:

  • One one-day meeting at DARPA in Arlington, VA


PHASE III DUAL USE APPLICATIONS: Both commercial and open source will be considered valid transition paths. Potential commercial and military applications of the technology resulting from this STTR include management of risk associated with new software (as with the DoD’s Risk Management Framework), cyber security training, and informing business cases for improvements to cyber security posture.



  1. Kausch, Hendrik, et al. "An Approach for Logic-based Knowledge Representation and Automated Reasoning Over Underspecification and Refinement in Safety-Critical Cyber-Physical Systems." Combined Proceedings of the Workshops at Software Engineering 2020, Innsbruck, CEUR Workshop Proceedings, 2581, Feb 2020
  2. Marin, Ericsson et al. “Inductive and Deductive Reasoning to Assist in Cyber-Attack Prediction.” 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020, pp. 0262-0268, doi: 10.1109/CCWC47524.2020.9031154.
  3. OpenAI DALL-E


KEYWORDS: Cyber security, visualization, reasoning, symbolism

US Flag An Official Website of the United States Government