290 likes | 297 Views
Explore the visual methods to identify network attack tools, their characteristics, and methodologies for appropriate response. Utilize passive visualizations on various network data layers. Scholars' research findings on weaknesses and strengths of these tools. Future work includes enhancing forensic capabilities and exploring less aggressive attack classes.
E N D
Passive Visual Fingerprinting of Network Attack ToolsGregory ContiKulsoom AbdullahCollege of ComputingGeorgia Institute of Technology Passive Visual Fingerprinting of Network Attack ToolsGregory ContiKulsoom AbdullahCollege of ComputingGeorgia Institute of Technology
Motivation Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used. • Law enforcement forensics • Identify characteristics of new tools/worms • Provide insight into attacker’s methodology & experience level • Help network defender to initiate appropriate response
System Architecture Ethernet tcpdump (pcap, snort) Perl Perl xmgrace (gnuplot) tcpdump capture files winpcap VS VS VS Packet Capture Parse Process Plot Interact
Examining Available Data… Link Layer (Ethernet) All raw data available on the wire: • Application layer data • Transport layer header • Network layer header • Link layer header Network Layer (IP) • Focused on: • Source / Destination Port • Source / Destination IP • Timestamp • Length of raw packet • Protocol Type Transport Layer (TCP) IP: http://www.ietf.org/rfc/rfc0791.txt UDP: http://www.ietf.org/rfc/rfc0768.txt TCP: http://www.ietf.org/rfc/rfc793.txt Transport Layer (UDP) Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
Attacks Fingerprinted http://www.insecure.org/tools.html
Visualizations • Time Sequence Data • Sequence of Source/Destination Ports and IP’s • Sequence of Packet Lengths • Sequence of Packet Protocols • Port and IP Mapping • Source Port to Destination Port • Source IP to Destination IP • Source IP to Destination Port • Source Port/IP to Destination IP/Port • Source IP/Port to Destination Port/IP • Characterization of home/external network
parallel plot views External Port Internal Port 65,535 65,535 0 0 External IP Internal Port 255.255.255.255 65,535 0.0.0.0 0 External IP Internal IP 255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0
Baseline External Port Internal Port External IP Internal IP
nmap 3 UDP (RH8) scanline 1.01 (XP) SuperScan 3.0 (XP) nmap 3 (RH8) NMapWin 3 (XP) nmap 3.5 (XP) nikto 1.32 (XP) SuperScan 4.0 (XP)
Sara 5.0.3(port to port) Medium Heavy Light
Georgia Tech Honeynet External IP Internal Port External Port Internal Port External IP Internal IP
External IP External Port Internal Port Internal IP 255.255.255.255 65,535 65,535 255.255.255.255 0.0.0.0 0 0 0.0.0.0 Also a Port to IP to IP to Port View
Exploring nmap 3.0 in depth(port to IP to IP to port) default (root) stealth FIN (-sF) NULL (-sN) UDP (-sU) SYN (-sS -O) stealth SYN (-sS) CONNECT (-sT) XMAS (-sX)
nmap within Nessus (port to IP to IP to port) CONNECT (-sT) Nessus 2.0.10 UDP (-sU)
SuperScan Evolution (port to IP to IP to port) SuperScan 3.0 SuperScan 4.0 scanline 1.01
packet length and protocol type over time packets ports length
time sequence data(external port vs. packet) nmap win superscan 3 ports ports packets packets Also internal/external IP and internal port
Findings (Weaknesses) • Interaction with personal firewalls • Countermeasures • Scale / labeling are issues • Occlusion is a problem • Greater interactivity required for forensics and less aggressive attacks • Some tools are very flexible • Source code not available for some tools
Findings (Strengths) • Aggressive tools have distinct visual signatures • Threading / multiple processes may be visible • Some source code lineage may be visible • Some OS/Application features are visible • Some classes of stealthy attack are visible
Findings (Strengths) • Sequence of ports scanned visible • Frequently attacked ports visible • Resistant to high volume network traffic • Viable in the presence of routine traffic • Useful against slow scans (hours-weeks) • Useful against distributed scans
Future Work • Add forensic capability • Task driven interactivity (Zoom & filter, details on demand) • Smart books (images & movies) • Usability studies • Stress test • Explore less aggressive attack classes
classic infovis survey www.cc.gatech.edu/~conti security infovis survey www.cc.gatech.edu/~conti rumint tool http://www.rumint.com/software.html Kulsoom’s Research http://users.ece.gatech.edu/~kulsoom/research.html Visual Security Community http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47 VizSEC Paper/Slides http://users.ece.gatech.edu/~kulsoom/research.html www.cc.gatech.edu/~conti
Acknowledgements • Dr. John Stasko • http://www.cc.gatech.edu/~john.stasko/ • Dr. Wenke Lee • http://www.cc.gatech.edu/~wenke/ • Dr. John Levine • http://www.eecs.usma.edu/ • Julian Grizzard • http://www.ece.gatech.edu/ • 404.se2600 • Clint • Hendrick • icer • Rockit • StricK
Questions? Greg Conti conti@cc.gatech.edu www.cc.gatech.edu/~conti Kulsoom Abdullah gte369k@mail.gatech.edu http://users.ece.gatech.edu/~kulsoom/research.html Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg