U.S. Department of Energy

Pacific Northwest National Laboratory

Daniel Best

Daniel Best
(509) 372-6728
Principal Investigator
  • Cyber Analytics: Investigating algorithms and visualizations to enable the identification of patterns and features in cyber data to enable efficient analysis of the given problem space.
  • Visual Analytics: Investigation into the visual metaphors and human computer interactions needed to enable users to utilize human cognition to understand their data.
  • Graph Analytics: Applying algorithms and techniques to find solutions to problems that can be described as a graph.

Professional Activities

Patchwork Cyber Analytics Pwnage Squad
I founded a group called the Patchwork Cyber Analytics Pwnage Squad (PCAPS) in 2012 in effort to bring cyber analysts together to discuss current trends and topics affecting the domain of cyber analytics. PCAPS gained visibility throughout the lab for both staff and management as a mechanism for collaboration and team building.

VisSec Program Committee
VizSec is a yearly conference that focuses on visualization in cyber security and related areas. The program committee organizes the program for the conference and determines which posters and papers are accepted. Activities for this group include reviewing submissions, scoring papers with justification, and if appropriate providing feedback on how to strengthen the submission for acceptance to the conference.

VisWeek Compass Committee
The VisWeek Compass Committee’s goal is to provide an opportunity for participants at VisWeek that are early in their career or still in school to meet with more established members of the visualization community. Activities for this committee include registering new participants, coordinating events such as lunches focused on a particular subject in visualization, participating or leading events established by the committee, and compass web site maintenance.


Storing and managing information artifacts collected by information analysts using a computing device. Patent Number 8,271,461. Inventors: Pike; William A. (Richland, WA), Riensche; Roderick M. (West Richland, WA), Best; Daniel M. (Pasco, WA), Roberts; Ian E. (Kennewick, WA), Whytt; Marie V. (West Richland, WA), Hart; Michelle L. (Richland, WA), Carr; Norman J. (Pasco, WA), Thomas; James J. (Richland, WA)

Book Chapters

William A Pike, Best, Daniel M., Douglas Love, and Shawn Bohn. Data-intensive visual analysis for cyber security. In Ian Gorton and Deborah Gracio, editors, Data Intensive Computing: Architectures, Algorithms, and Applications. Cambridge University Press, Cambridge, United Kingdom., 2012.

Journal Papers

GWVis: A Tool for Comparative Ground-Water Data Visualization

Best DM, and RR Lewis. 2010. "GWVis: A Tool for Comparative Ground-Water Data Visualization." Computers & Geosciences 36(11):1436-1442. doi:10.1016/j.cageo.2010.04.006

The Ground-Water Visualization application (GWVis) presents ground-water data visually in order to educate the public on ground-water issues. It is also intended for presentations to government and other funding agencies. Current three dimensional models of ground-water are overly complex, while the two dimensional representations (i.e., on paper) are neither comprehensive, nor engaging. At present, GWVis operates on water head elevation data over a given time span, together with a matching (fixed) underlying geography. Two elevation scenarios are compared with each other, typically a control data set (actual field data) and a simulation. Scenario comparison can be animated for the time span provided. We developed GWVis using the Python programming language, associated libraries, and pyOpenGL extension packages to improve performance and control of attributes of the mode (such as color, positioning, scale, and interpolation). GWVis bridges the gap between two dimensional and dynamic three dimensional research visualizations by providing an intuitive, interactive design that allows participants to view the model from different perspectives and to infer information about scenarios. By incorporating scientific data in an environment that can be easily understood, GWVis allows the information to be presented to a large audience base.

The Scalable Reasoning System: Lightweight Visualization for Distributed Analytics

Pike W, J Bruce, B Baddeley, D Best, L Franklin, R May, D Rice, R Riensche, and K Younkin. 2009 The Scalable Reasoning System: Lightweight Visualization for Distributed Analytics. Information Visualization. 8(1): 71-84.

A central challenge in visual analytics is the creation of accessible, widely distributable analysis applications that bring the benefits of visual discovery to as broad a user base as possible. Moreover, to support the role of visualization in the knowledge creation process, it is advantageous to allow users to describe the reasoning strategies they employ while interacting with analytic environments. We introduce an application suite called the scalable reasoning system (SRS), which provides web-based and mobile interfaces for visual analysis. The service-oriented analytic framework that underlies SRS provides a platform for deploying pervasive visual analytic environments across an enterprise. SRS represents a 'lightweight' approach to visual analytics whereby thin client analytic applications can be rapidly deployed in a platform-agnostic fashion. Client applications support multiple coordinated views while giving analysts the ability to record evidence, assumptions, hypotheses and other reasoning artifacts. We describe the capabilities of SRS in the context of a real-world deployment at a regional law enforcement organization.

Conference Papers

Best DM, SJ Bohn, DV Love, AS Wynne, and WA Pike. 2010. Real-Time Visualization of Network Behaviors for Situational Awareness.(Offsite link) In Proceedings of the Seventh International Symposium on Visualization for Cyber Security, pp. 79-90. ACM , New York, NY.

Plentiful, complex, and dynamic data make understanding the state of an enterprise network difficult. Although visualization can help analysts understand baseline behaviors in network traffic and identify off-normal events, visual analysis systems often do not scale well to operational data volumes (in the hundreds of millions to billions of transactions per day) nor to analysis of emergent trends in real-time data. We present a system that combines multiple, complementary visualization techniques coupled with in-stream analytics, behavioral modeling of network actors, and a high-throughput processing platform called MeDICi. This system provides situational understanding of real-time network activity to help analysts take proactive response steps. We have developed these techniques using requirements gathered from the government users for which the tools are being developed. By linking multiple visualization tools to a streaming analytic pipeline, and designing each tool to support a particular kind of analysis (from high-level awareness to detailed investigation), analysts can understand the behavior of a network across multiple levels of abstraction.

Best DM, DV Love, WA Pike, and SJ Bohn. 2010. High-Throughput Real-Time Network Flow Visualization. FloCon2010, New Orleans, LA.

This presentation and demonstration will introduce two interactive, high-throughput visual analysis tools, Traffic Circle and CLIQUE, and will discuss the analytic requirements of the U.S. government cyber security capabilities for which the tools were developed and are being deployed. Both tools take a time-based approach to visual analysis, with Traffic Circle displaying raw data and CLIQUE computing real-time behavioral models. Performance benchmarks will also be discussed; the tools are currently capable of ingesting and presenting data volumes on the order of hundreds of millions of flow records at once.

B. Baddeley, K. Younkin, R. Riensche, Best, Daniel M., W.A. Pike, and R. May. From desktop to field: Deploying visual incident analysis for law enforcement. In Technologies for Homeland Security, 2008 IEEE Conference on, pages 209 –214, may 2008.

Dowson S., J Bruce, DM Best, RM Riensche, L Franklin, WA Pike. 2009. "Visual analytics for law enforcement: deploying a service-oriented analytic framework for web-based visualization.(Offsite link)Association for the Advancement of Artificial Intelligence Proc. SPIE, Vol. 7346, 734603 2009

This paper presents key components of the Law Enforcement Information Framework (LEIF), an information system that provides communications, situational awareness, and visual analytics tools in a service-oriented architecture supporting web-based desktop and handheld device users. LEIF simplifies interfaces and visualizations of well-established visual analytic techniques to improve usability. Advanced analytics capability is maintained by enhancing the underlying processing to support the new interface. LEIF development is driven by real-world user feedback gathered through deployments at three operational law enforcement organizations in the U.S. The system incorporates a robust information ingest pipeline supporting a wide variety of information formats. LEIF also insulates interface and analytical components from information sources making it easier to adapt the framework for many different data repositories.

P. Hui, J. Bruce, G. Fink, M. Gregory, Best, D.M., L. McGrath, and A. Endert. Towards efficient collaboration in cyber security. In Collaborative Technologies and Systems (CTS), 2010 International Symposium on, pages 489 –498, may 2010.

Best, Daniel M., Joe R. Bruce, Oriana J. Love, and Liam R. McGrath. Web-based visual analytics for social media. In Proceedings of Workshop on Social Media Visualization 2012, SOCMEDVIS ’12, 2012.

Best, Daniel M., Ryan P. Hafen, Bryan K. Olsen, and William A. Pike. Atypical behavior identification in large-scale network traffic. In Large Data Analysis and Visualization (LDAV), 2011 IEEE Symposium on, pages 15 –22, oct. 2011.

| Pacific Northwest National Laboratory