Transcript Document
Network Attack
Visualization
Greg Conti
www.cc.gatech.edu/~conti
Disclaimer
The views expressed
in this presentation
are those of the
author and do not
reflect the official
policy or position of
the United States
Military Academy,
the Department of
the Army, the
Department of
Defense or the U.S.
Government.
image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm
information visualization is
the use of interactive, sensory
representations, typically visual,
of abstract data to reinforce
cognition.
http://en.wikipedia.org/wiki/Information_visualization
An Art Survey…
A
B
C
http://www.clifford.at/cfun/progex/
http://www.muppetlabs.com/~breadbox/bf/
http://www.geocities.com/h2lee/ascii/monalisa.html
http://www.artinvest2000.com/leonardo_gioconda.htm
Why InfoVis?
Views
•
•
•
•
•
•
•
Patterns
Anomalies
Comparisons
Outliers/Extremes
Big Picture & Details
Interaction
Large Datasets
Replies
Packet Capture
Visualizations
EtherApe
Ethereal
Tcpdump image: http://www.bgnett.no/~giva/pcap/tcpdump.png
TCPDump can be found at http://www.tcpdump.org/
Ethereal image: http://www.linuxfrance.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
Ethereal by Gerald Combs can be found at http://www.ethereal.com/
TCP Dump
EtherApe image: http://www.solaris4you.dk/sniffersSS.html
Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/
So What?
• Go Beyond the Algorithm
– Complement current systems
• Make CTF a Spectator Sport
• Enhance forensic analysis
– Mine large datasets
– Logs
• Monitor in real time
– Allow big picture, but details on demand
– Fingerprint attacks/tools (people?)
– Alerts (2-3 Million /day)
• Observe attacker behavior (example)
What tasks do you need help with?
Destination IP
Recon
Focused
Attacks
Next Wave
Time
Classical InfoVis Research
InfoVis Mantra
Overview First
Zoom and Filter
Details on Demand
http://www.cs.umd.edu/~ben/
Overview and Detail
Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2002/ cs7450_spring/Talks/09-overdetail.ppt for more details.
Game shown is Civilization II
Focus and
Context
Table Lens
Fisheye View
Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2001/ cs7450_fall/Talks/8-focuscontext.ppt for more details.
Table lens (right) is from Xerox Parc and Inxight
For more information…
•Courses (free)
•Conferences
•Systems
•Research Groups
Bookmarks on CD
Example Classical
InfoVis Systems
example 1 - data mountain
http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg
example 2 - filmfinder
http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif
example 3 - parallel coordinates
MPG
35
0
A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing
multidimensional geometry. Proc. of Visualization '90, p. 361-78, 1990.
http://davis.wpi.edu/~xmdv/images/para.gif
example 4 informative art
http://www.viktoria.se/fal/projects/infoart/
examples 5 - 72
(on CD)
Many, many untapped security applications…
More Information
Information Visualization
•
•
•
•
•
•
•
Envisioning Information by Tufte
The Visual Display of Quantitative Information by Tufte
Visual Explanations by Tufte
Beautiful Evidence by Tufte (due this year)
Information Visualization by Spence
Information Visualization: Using Vision to Think by Card
See also the Tufte road show, details at
www.edwardtufte.com
images: www.amazon.com
Representative Security
Visualization Research
Routing
Anomalies
Soon Tee Teoh
http://graphics.cs.ucdavis.edu/~steoh/
See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml
Secure Scope
http://www.securedecisions.com/main.htm
Starlight
http://starlight.pnl.gov/
Open Source Security Information
Management (OSSIM)
http://www.ossim.net/screenshots/metrics.jpg
TCP/IP Sequence
Number Generation
Michal Zalewski
Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.
x[n] = s[n-2] - s[n-3] y[n] = s[n-1] - s[n-2] z[n] = s[n] - s [n-1]
x[n] = s[n-2] - s[n-3]
y[n] = s[n-1] - s[n-2]
z[n] = s[n] - s [n-1]
Follow-up paper - http://lcamtuf.coredump.cx/newtcp/
Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html
Wireless Visualization
http://www.ittc.ku.edu/wlan/images_all_small.shtml
Observing
Intruder Behavior
Dr. Rob Erbacher
– Visual Summarizing and
Analysis Techniques for
Intrusion Data
– Multi-Dimensional Data
Visualization
– A Component-Based EventDriven Interactive Visualization
Software Architecture
http://otherland.cs.usu.edu/~erbacher/
Glyphs
Dr. Rob Erbacher
http://otherland.cs.usu.edu/~erbacher/
examples 9 - 45
(to be posted)
Hot Research Areas…
•
•
•
•
•
•
•
•
•
•
•
visualizing vulnerabilities
visualizing IDS alarms (NIDS/HIDS)
visualizing worm/virus propagation
visualizing routing anamolies
visualizing large volume computer network logs
visual correlations of security events
visualizing network traffic for security
visualizing attacks in near-real-time
security visualization at line speeds
dynamic attack tree creation (graphic)
forensic visualization
http://www.cs.fit.edu/~pkc/vizdmsec04/
More Hot Research Areas…
•
•
•
•
•
•
•
•
•
•
feature selection and construction
incremental/online learning
noise in the data
skewed data distribution
distributed mining
correlating multiple models
efficient processing of large amounts of data
correlating alerts
signature and anomaly detection
forensic analysis
http://www.cs.fit.edu/~pkc/vizdmsec04/
Building a System
Visual IDS
System Architecture
Ethernet
tcpdump
(pcap, snort)
winpcap
Perl
VB
Parse
Perl
VB
Process
Packet Capture
tcpdump
capture
files
Creativity
xmgrace
(gnuplot)
VB
Plot
rumint tool components (CD)
parallel port views
External IP
255.255.255.255
0.0.0.0
Internal IP
255.255.255.255
0.0.0.0
External Port
65,535
0
Internal Port
65,535
0
External IP
255.255.255.255
0.0.0.0
Internal Port
65,535
0
External IP
255.255.255.255
0.0.0.0
External Port
Internal Port
Internal IP
65,535
65,535
255.255.255.255
0
0
0.0.0.0
Also a Port to IP to IP to Port View
sara 5.0.3
(port to port view)
Light
Medium
Heavy
Tool Fingerprinting
(port to port view)
nmap 3 (RH8)
nmap 3 UDP (RH8)
scanline 1.01 (XP)
NMapWin 3 (XP)
nmap 3.5 (XP)
nikto 1.32 (XP)
SuperScan 3.0 (XP)
SuperScan 4.0 (XP)
time sequence data
(external port vs. packet)
superscan 3
ports
ports
nmap win
packets
packets
Also internal/external IP and internal port
packet length and protocol type over time
ports
packets
length
30 days on the Georgia Tech honeynet
External IP
Internal Port
External Port Internal Port
Demo’s
rumint
xmgrace
treemap
worm propagation
survey x 2 .ppt
links
classic infovis survey
(on CD)
rumint tool
(on CD)
security infovis survey
(www.cc.gatech.edu/~conti)
bookmarks
(on CD)
perl/linux/xmgrace demo
(on CD)
this talk
(on CD & www.cc.gatech.edu/~conti)
Acknowledgements
• 404.se2600
–
–
–
–
–
Clint
Hendrick
icer
Rockit
StricK
• Dr. John Stasko
– http://www.cc.gatech.edu/~john.stasko/
• Dr. Wenke Lee
– http://www.cc.gatech.edu/~wenke/
• Dr. John Levine
– http://www.eecs.usma.edu/
• Julian Grizzard
– http://www.ece.gatech.edu/
Questions?
http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5