Network Attack Visualization

  1. Network Attack Visualization Greg Conti www.cc.gatech.edu/~conti

  2. Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm

  3. information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization

  4. An Art Survey… A B C http://www.clifford.at/cfun/progex/ http://www.muppetlabs.com/~breadbox/bf/ http://www.geocities.com/h2lee/ascii/monalisa.html http://www.artinvest2000.com/leonardo_gioconda.htm

  5. Why InfoVis? Views • Patterns • Anomalies • Comparisons • Outliers/Extremes • Big Picture & Details • Interaction • Large Datasets Replies

  6. TCP Dump Packet Capture Visualizations EtherApe Ethereal Tcpdump image: http://www.bgnett.no/~giva/pcap/tcpdump.png TCPDump can be found at http://www.tcpdump.org/ Ethereal image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif Ethereal by Gerald Combs can be found at http://www.ethereal.com/ EtherApe image: http://www.solaris4you.dk/sniffersSS.html Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/

  7. So What? • Go Beyond the Algorithm • Complement current systems • Make CTF a Spectator Sport • Enhance forensic analysis • Mine large datasets • Logs • Monitor in real time • Allow big picture, but details on demand • Fingerprint attacks/tools (people?) • Alerts (2-3 Million /day) • Observe attacker behavior (example) What tasks do you need help with?

  8. Recon Focused Attacks Destination IP Next Wave Time

  9. Classical InfoVis Research

  10. InfoVis Mantra Overview First Zoom and Filter Details on Demand http://www.cs.umd.edu/~ben/

  11. Overview and Detail Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2002/ cs7450_spring/Talks/09-overdetail.ppt for more details. Game shown is Civilization II

  12. Focus and Context Table Lens Fisheye View Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2001/ cs7450_fall/Talks/8-focuscontext.ppt for more details. Table lens (right) is from Xerox Parc and Inxight

  13. For more information… • Courses (free) • Conferences • Systems • Research Groups • Bookmarks on CD

  14. Example Classical InfoVis Systems

  15. example 1 - data mountain http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg

  16. example 2 - filmfinder http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif

  17. example 3 - parallel coordinates (plot residue: axis "MPG", ticks 35 and 0) A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing multidimensional geometry. Proc. of Visualization '90, p. 361-78, 1990. http://davis.wpi.edu/~xmdv/images/para.gif

  18. example 4 -informative art http://www.viktoria.se/fal/projects/infoart/

  19. examples 5 - 72 (on CD) Many, many untapped security applications…

  20. More Information: Information Visualization • Envisioning Information by Tufte • The Visual Display of Quantitative Information by Tufte • Visual Explanations by Tufte • Beautiful Evidence by Tufte (due this year) • Information Visualization by Spence • Information Visualization: Using Vision to Think by Card • See also the Tufte road show, details at www.edwardtufte.com images: www.amazon.com

  21. Representative Security Visualization Research

  22. Soon Tee Teoh Routing Anomalies http://graphics.cs.ucdavis.edu/~steoh/ See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml

  23. Secure Scope http://www.securedecisions.com/main.htm

  24. Starlight http://starlight.pnl.gov/

  25. Open Source Security Information Management (OSSIM) http://www.ossim.net/screenshots/metrics.jpg

  26. TCP/IP Sequence Number Generation Michal Zalewski "Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low." x[n] = s[n-2] - s[n-3]; y[n] = s[n-1] - s[n-2]; z[n] = s[n] - s[n-1] Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html
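The three formulas on this slide are the delay-coordinate ("phase space") construction Zalewski plots: each sampled initial sequence number s[n] contributes one 3-D point built from the differences of the three preceding samples. The example below is added here and is not code from the slides or from Zalewski's papers; it implements exactly those formulas over a list of ISN samples, handles 32-bit wrap-around (an assumption about how to treat the differences), and compares a constructed linear generator with a constructed random one using the fraction of distinct points as a crude stand-in for how "spread out" the cloud looks on the plot. A defender can feed in ISNs sampled from their own stack to see whether the points collapse onto a small structure or fill the volume.

```python
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit


def isn_delta(a, b):
    """Signed difference a - b of two 32-bit sequence numbers.

    Wrap-around is mapped into [-2**31, 2**31) so that a counter that
    crosses 0xFFFFFFFF -> 0 still yields a small positive delta
    (assumption: this is the natural way to treat the slide's subtractions).
    """
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)


def phase_space_points(s):
    """Return the list of (x[n], y[n], z[n]) for n >= 3, per the slide:

        x[n] = s[n-2] - s[n-3]
        y[n] = s[n-1] - s[n-2]
        z[n] = s[n]   - s[n-1]
    """
    return [
        (isn_delta(s[n - 2], s[n - 3]),
         isn_delta(s[n - 1], s[n - 2]),
         isn_delta(s[n], s[n - 1]))
        for n in range(3, len(s))
    ]


def distinct_point_ratio(points):
    """Fraction of distinct points: ~1.0 for a well-spread cloud,
    near 0 when samples pile onto a few locations (visible structure)."""
    if not points:
        return 0.0
    return len(set(points)) / len(points)


# Constructed generators standing in for two hypothetical TCP stacks.
def linear_isns(count, start=0x1000, step=64000):
    """ISN = start + step * n, i.e. a purely time/connection-driven counter."""
    return [(start + i * step) % MOD for i in range(count)]


def random_isns(count, seed=1):
    """Uniformly random 32-bit ISNs (seeded so the demo is repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for name, seq in (("linear", linear_isns(100)), ("random", random_isns(100))):
        pts = phase_space_points(seq)
        print(f"{name:7s} points={len(pts):3d} distinct_ratio={distinct_point_ratio(pts):.3f} "
              f"first={pts[0]}")
```

The linear generator maps every sample to the single point (step, step, step), which is the degenerate case of the strong structure Zalewski's plots reveal; the random generator fills the cube. Real stacks fall in between, which is why the slide reports a qualitative verdict rather than a single number.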

  27. Wireless Visualization http://www.ittc.ku.edu/wlan/images_all_small.shtml

  28. Observing Intruder Behavior Dr. Rob Erbacher • Visual Summarizing and Analysis Techniques for Intrusion Data • Multi-Dimensional Data Visualization • A Component-Based Event-Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/

  29. Glyphs - Dr. Rob Erbacher http://otherland.cs.usu.edu/~erbacher/

  30. examples 9 - 45 (to be posted)

  31. Hot Research Areas… • visualizing vulnerabilities • visualizing IDS alarms (NIDS/HIDS) • visualizing worm/virus propagation • visualizing routing anomalies • visualizing large volume computer network logs • visual correlations of security events • visualizing network traffic for security • visualizing attacks in near-real-time • security visualization at line speeds • dynamic attack tree creation (graphic) • forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/

  32. More Hot Research Areas… • feature selection and construction • incremental/online learning • noise in the data • skewed data distribution • distributed mining • correlating multiple models • efficient processing of large amounts of data • correlating alerts • signature and anomaly detection • forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/

  33. Building a System

  34. Visual IDS

  35. System Architecture: Packet Capture (Ethernet → tcpdump [pcap, snort], winpcap, tcpdump capture files) → Parse (Perl / VB) → Process (Perl / VB) → Plot (xmgrace [gnuplot] / VB) — plus Creativity

  36. rumint tool components (CD)

  37. parallel port views: External Port vs. Internal Port (axes 0 to 65,535); External IP vs. Internal Port (0 to 65,535); External IP vs. Internal IP

  38. External IP / External Port / Internal Port / Internal IP (port axes 0 to 65,535) Also a Port to IP to IP to Port View
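Slides 35 through 38 describe one pipeline: capture with tcpdump, parse and process with a script, then plot a parallel-axis "port to port" view where each packet is a line from its external port to its internal port. The example below is added here and is not the rumint code or the Perl from the talk; it does the parse and process stages in Python over a constructed block of tcpdump text output (not a real capture), assuming the internal network is 10.0.0.0/24, and emits the packets as two-point line segments in the "&"-separated multi-set text format that xmgrace reads, so the result can be plotted with the external-port axis at x=0 and the internal-port axis at x=1.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style text output (sample data, not a real capture).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.5.40001 > 10.0.0.7.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000120 IP 203.0.113.5.40002 > 10.0.0.7.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000240 IP 203.0.113.5.40003 > 10.0.0.7.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000361 IP 10.0.0.7.22 > 203.0.113.5.40001: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:02.500000 IP 198.51.100.9.53 > 10.0.0.23.51112: 1234 1/0/0 A 192.0.2.1 (45)
12:00:03.000000 IP 10.0.0.23.51113 > 198.51.100.9.53: 1235+ A? example.com. (29)
this line is deliberately unparseable and must be skipped
"""

# Assumed internal address space for deciding which side is "internal".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Matches the "time IP a.b.c.d.port > e.f.g.h.port:" prefix of tcpdump lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_tcpdump(text):
    """Parse stage: return (ts, src, sport, dst, dport) tuples; skip junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IP output, truncated or garbled line
        records.append((m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return records


def to_port_pairs(records, internal_net=INTERNAL_NET):
    """Process stage: orient each packet as (external_port, internal_port).

    Packets with both or neither endpoint inside internal_net do not fit
    the external/internal view and are dropped.
    """
    pairs = []
    for _ts, src, sport, dst, dport in records:
        src_in = ipaddress.ip_address(src) in internal_net
        dst_in = ipaddress.ip_address(dst) in internal_net
        if src_in == dst_in:
            continue
        pairs.append((dport, sport) if src_in else (sport, dport))
    return pairs


def xmgrace_segments(pairs):
    """Plot stage input: one two-point set per packet, sets separated by '&'.

    x=0 is the external-port axis, x=1 the internal-port axis, so each set
    draws the parallel-coordinates line for one packet.
    """
    out = []
    for ext_port, int_port in pairs:
        out.append(f"0 {ext_port}\n1 {int_port}\n&")
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_TCPDUMP)
    pairs = to_port_pairs(recs)
    print(f"{len(recs)} packets parsed, {len(pairs)} oriented external/internal")
    print("busiest (external port, internal port):", Counter(pairs).most_common(1))
    print(xmgrace_segments(pairs), end="")
```

On the sample data the three SYNs from one external host to ports 22, 80 and 443 become a fan of lines converging on a small set of internal ports, the shape the later fingerprinting slides rely on; the DNS reply and query show up as lines from external port 53 to high internal ports. Heavier traffic would be handled the same way, one set per packet, which is why the talk also weights or samples lines for large captures.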

  39. sara 5.0.3 (port to port view) Medium Heavy Light

  40. Tool Fingerprinting (port to port view) nmap 3 UDP (RH8) scanline 1.01 (XP) SuperScan 3.0 (XP) nmap 3 (RH8) NMapWin 3 (XP) nmap 3.5 (XP) nikto 1.32 (XP) SuperScan 4.0 (XP)

  41. time sequence data (external port vs. packet) nmap win superscan 3 (axes: ports vs. packets) Also internal/external IP and internal port

  42. packet length and protocol type over time packets ports length

  43. 30 days on the Georgia Tech honeynet External IP Internal Port External Port Internal Port

  44. Demos rumint xmgrace treemap worm propagation survey x 2 .ppt links

  45. classic infovis survey (on CD) security infovis survey (www.cc.gatech.edu/~conti) perl/linux/xmgrace demo (on CD) this talk (on CD & www.cc.gatech.edu/~conti) rumint tool (on CD) bookmarks (on CD)

  46. Acknowledgements • 404.se2600 • Clint • Hendrick • icer • Rockit • StricK • Dr. John Stasko • http://www.cc.gatech.edu/~john.stasko/ • Dr. Wenke Lee • http://www.cc.gatech.edu/~wenke/ • Dr. John Levine • http://www.eecs.usma.edu/ • Julian Grizzard • http://www.ece.gatech.edu/

  47. Questions? http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5

