VIDI surveillance - embassy monitoring and oversight system

We hypothesized that potential spies would try to use other employees' terminals in order to not draw attention to themselves. We define one type of suspicious activity as IP use on a terminal when the owner is inside the classified area. We created a timeline visualization of IP usage, overlaid with classified area entrances and exits. The vertical axis divides the timelines into 31 rows, one for each day of the month. The horizontal axis represents the time of day from early morning to late evening. A single employee's entire month is viewed all at once using this visualization. The employee being viewed can be changed using the arrow keys. Every IP event is represented by a vertical bar positioned at the exact time of its appearance. We color the IP events by port number, which is either intranet, HTTP, tomcat, or email, and size the bar based on the outgoing data size. Whenever an employee enters the classified area, a semi-transparent yellow region is drawn until that user exits the classified area. In rare cases when the user double enters, the region is twice as opaque, and in the other rare case where a user leaves the exits without entering, a red region is drawn until the next time the employee enters. The legend key and office diagram showing the current selected employee, highlighted in red, can be seen in the top left-hand corner.