Understanding User Behaviour through Action Sequences: from the Usual to the Unusual

Phong H. Nguyen, Cagatay Turkay, Gennady Andrienko, Natalia Andrienko, Olivier Thonnard and Jihane Zouaoui

Action sequences, where atomic user actions are represented in a labelled, timestamped form, are becoming a fundamental data asset in the inspection and monitoring of user behaviour in digital systems. Although the analysis of such sequences is highly critical to the investigation of activities in cyber security applications, existing solutions fail to provide a comprehensive understanding due to the complex semantic and temporal characteristics of these data. This paper presents a visual analytics approach that aims to facilitate a user-involved, multi-faceted decision making process during the identification and the investigation of ``unusual'' action sequences. We first report the results of the task analysis and domain characterisation process. Then we describe the components of our multi-level analysis approach that comprises of constraint-based sequential pattern mining and semantic distance based clustering, and multi-scalar visualisations of users and their sequences. Finally, we demonstrate the applicability of our approach through a case study that involves tasks requiring effective decision-making by a group of domain experts. Although our solution here is tightly informed by a user-centred, domain-focused design process, we present findings and techniques that are transferable to other applications where the analysis of such sequences is of interest.

Citation and full paper:

Nguyen, P.Turkay, C., Andrienko, G., Andrienko, N., Thonnard, O. & Zouaoui, J. (2018). Understanding User Behaviour through Action Sequences: from the Usual to the UnusualIEEE Transactions on Visualization and Computer Graphics

Supplementary Material on further details on the design process and the design alternatives produced

A video featuring the presented techniques and the prototype

Acknowledgments: This work is supported by the European Commission through the H2020 programme under grant agreement 700692 -- DISIEM project