
Passive Visual Fingerprinting of Network Attack Tools. Gregory Conti, Kulsoom Abdullah, College of Computing, Georgia Institute of Technology.



Presentation Transcript


  1. Passive Visual Fingerprinting of Network Attack Tools. Gregory Conti, Kulsoom Abdullah, College of Computing, Georgia Institute of Technology

  2. Motivation Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used. • Law enforcement forensics • Identify characteristics of new tools/worms • Provide insight into attacker’s methodology & experience level • Help network defender to initiate appropriate response

  3. System Architecture (pipeline figure): Packet Capture (Ethernet; tcpdump with pcap or snort, tcpdump capture files, winpcap) -> Parse (Perl) -> Process (Perl) -> Plot (xmgrace, gnuplot) -> Interact

  4. Examining Available Data… All raw data available on the wire: • Application layer data • Transport layer header • Network layer header • Link layer header. Focused on: • Source / Destination Port • Source / Destination IP • Timestamp • Length of raw packet • Protocol Type. Figure: header layouts for Link Layer (Ethernet), Network Layer (IP), Transport Layer (TCP), Transport Layer (UDP). References: IP: http://www.ietf.org/rfc/rfc0791.txt UDP: http://www.ietf.org/rfc/rfc0768.txt TCP: http://www.ietf.org/rfc/rfc793.txt Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif

  5. Attacks Fingerprinted http://www.insecure.org/tools.html

  6. Visualizations • Time Sequence Data • Sequence of Source/Destination Ports and IP’s • Sequence of Packet Lengths • Sequence of Packet Protocols • Port and IP Mapping • Source Port to Destination Port • Source IP to Destination IP • Source IP to Destination Port • Source Port/IP to Destination IP/Port • Source IP/Port to Destination Port/IP • Characterization of home/external network

  7. Parallel plot views (figure): External Port vs. Internal Port (both axes 0 to 65,535); External IP vs. Internal Port (0.0.0.0 to 255.255.255.255 vs. 0 to 65,535); External IP vs. Internal IP (both axes 0.0.0.0 to 255.255.255.255)
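The capture-parse-process-plot pipeline of slides 3 and 4 and the parallel-plot axes of slide 7, as an added example that is not the authors' Perl/xmgrace code: it parses constructed tcpdump-style text lines into the fields the slides focus on, classifies each end as home or external (the home network is an assumption), and emits one four-point polyline per packet for a port-to-IP-to-IP-to-port view.

```python
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")  # assumed "home" network for this example
# Constructed lines approximating `tcpdump -nn` text output; not from the talk.
SAMPLE = """\
12:00:01.000123 IP 203.0.113.7.40001 > 192.168.1.10.22: Flags [S], length 0
12:00:01.000456 IP 203.0.113.7.40002 > 192.168.1.10.23: Flags [S], length 0
12:00:01.000789 IP 203.0.113.7.40003 > 192.168.1.10.80: Flags [S], length 0
12:00:02.100000 IP 192.168.1.10.53 > 203.0.113.7.40003: UDP, length 48
12:00:03.000000 IP 192.168.1.10.1025 > 192.168.1.20.445: Flags [S], length 0
"""
LINE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)length (\d+)")

def parse_line(line):
    """Extract timestamp, IPs, ports, protocol type and length; None if not a packet line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, sip, sport, dip, dport, rest, length = m.groups()
    proto = "UDP" if rest.startswith("UDP") else "TCP"
    return {"ts": ts, "src_ip": sip, "src_port": int(sport), "dst_ip": dip,
            "dst_port": int(dport), "proto": proto, "len": int(length)}

def orient(rec, home=HOME_NET):
    """Order the axes as external port, external IP, internal IP, internal port.
    Packets with both ends on the same side of the home boundary are dropped."""
    s_in = ip_address(rec["src_ip"]) in home
    d_in = ip_address(rec["dst_ip"]) in home
    if s_in == d_in:
        return None
    if s_in:  # internal host talking outward: the external end is the destination
        return (rec["dst_port"], rec["dst_ip"], rec["src_ip"], rec["src_port"])
    return (rec["src_port"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])

def normalize(axes):
    """Scale to [0, 1]: ports over 0..65,535, IPs over 0.0.0.0..255.255.255.255."""
    ep, eip, iip, ip_ = axes
    return (ep / 65535, int(ip_address(eip)) / (2**32 - 1),
            int(ip_address(iip)) / (2**32 - 1), ip_ / 65535)

def polylines(text, home=HOME_NET):
    """One normalized four-point polyline per packet crossing the home boundary."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (axes := orient(rec, home)):
            out.append(normalize(axes))
    return out

def to_xy_blocks(lines):
    """xmgrace/gnuplot-style data: 'axis value' pairs, blank line between polylines."""
    return "\n\n".join("\n".join(f"{x} {y:.6f}" for x, y in enumerate(pl))
                       for pl in lines) + "\n"
```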

  8. Baseline (figure): External Port vs. Internal Port; External IP vs. Internal IP

  9. Tool panels: nmap 3 UDP (RH8); scanline 1.01 (XP); SuperScan 3.0 (XP); nmap 3 (RH8); NMapWin 3 (XP); nmap 3.5 (XP); nikto 1.32 (XP); SuperScan 4.0 (XP)

  10. Sara 5.0.3 (port to port); panels: Medium, Heavy, Light

  11. Georgia Tech Honeynet (figure): External IP vs. Internal Port; External Port vs. Internal Port; External IP vs. Internal IP

  12. Four-axis parallel plot (figure): External IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535), Internal Port (0 to 65,535), Internal IP (0.0.0.0 to 255.255.255.255). Also a Port to IP to IP to Port view

  13. Exploring nmap 3.0 in depth (port to IP to IP to port); panels: default (root), stealth FIN (-sF), NULL (-sN), UDP (-sU), SYN (-sS -O), stealth SYN (-sS), CONNECT (-sT), XMAS (-sX)

  14. nmap within Nessus (port to IP to IP to port); panels: CONNECT (-sT), UDP (-sU), Nessus 2.0.10

  15. SuperScan Evolution (port to IP to IP to port) SuperScan 3.0 SuperScan 4.0 scanline 1.01

  16. Packet length and protocol type over time (figure; axes: packets, ports, length)

  17. WinNMap

  18. SuperScan 4.0

  19. Time sequence data (external port vs. packet); panels: nmap win, superscan 3 (axes: ports vs. packets). Also internal/external IP and internal port

  20. tool interface

  21. Findings (Weaknesses) • Interaction with personal firewalls • Countermeasures • Scale / labeling are issues • Occlusion is a problem • Greater interactivity required for forensics and less aggressive attacks • Some tools are very flexible • Source code not available for some tools

  22. Findings (Strengths) • Aggressive tools have distinct visual signatures • Threading / multiple processes may be visible • Some source code lineage may be visible • Some OS/Application features are visible • Some classes of stealthy attack are visible

  23. Findings (Strengths) • Sequence of ports scanned visible • Frequently attacked ports visible • Resistant to high volume network traffic • Viable in the presence of routine traffic • Useful against slow scans (hours-weeks) • Useful against distributed scans

  24. Future Work • Add forensic capability • Task driven interactivity (Zoom & filter, details on demand) • Smart books (images & movies) • Usability studies • Stress test • Explore less aggressive attack classes

  25. Demo

  26. Resources • classic infovis survey: www.cc.gatech.edu/~conti • security infovis survey: www.cc.gatech.edu/~conti • rumint tool: http://www.rumint.com/software.html • Kulsoom’s Research: http://users.ece.gatech.edu/~kulsoom/research.html • Visual Security Community: http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47 • VizSEC Paper/Slides: http://users.ece.gatech.edu/~kulsoom/research.html and www.cc.gatech.edu/~conti

  27. Acknowledgements • Dr. John Stasko • http://www.cc.gatech.edu/~john.stasko/ • Dr. Wenke Lee • http://www.cc.gatech.edu/~wenke/ • Dr. John Levine • http://www.eecs.usma.edu/ • Julian Grizzard • http://www.ece.gatech.edu/ • 404.se2600 • Clint • Hendrick • icer • Rockit • StricK

  28. Questions? Greg Conti conti@cc.gatech.edu www.cc.gatech.edu/~conti Kulsoom Abdullah gte369k@mail.gatech.edu http://users.ece.gatech.edu/~kulsoom/research.html Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
