
Passive Visual Fingerprinting of Network Attack Tools
Gregory Conti
Kulsoom Abdullah
College of Computing
Georgia Institute of Technology
Motivation
Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.
• Law enforcement forensics
• Identify characteristics of new tools/worms
• Provide insight into attacker’s methodology & experience level
• Help network defender to initiate appropriate response
System Architecture
Pipeline diagram: Ethernet -> Packet Capture: tcpdump (pcap, snort) / winpcap -> tcpdump capture files -> VS Parse (Perl) -> VS Process (Perl) -> VS Plot (xmgrace, gnuplot) -> Interact
Examining Available Data…
Link Layer (Ethernet)
All raw data available on the wire:
• Application layer data
• Transport layer header
• Network layer header
• Link layer header
Focused on:
• Source / Destination Port
• Source / Destination IP
• Timestamp
• Length of raw packet
• Protocol Type
IP: http://www.ietf.org/rfc/rfc0791.txt
UDP: http://www.ietf.org/rfc/rfc0768.txt
TCP: http://www.ietf.org/rfc/rfc793.txt
Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
Header diagrams (figures): Network Layer (IP), Transport Layer (TCP), Transport Layer (UDP)
Attacks Fingerprinted
http://www.insecure.org/tools.html
nessus 2.0.10
nmap 3.0
nmap 3.5
nmapwin 1.3.1
Superscan 3.0
Superscan 4.0
nessus 2.0.10
nikto 1.32
scanline 1.01
sara 5.0.3
NSA CDX dataset 2003
Visualizations
• Time Sequence Data
– Sequence of Source/Destination Ports and IP’s
– Sequence of Packet Lengths
– Sequence of Packet Protocols
• Port and IP Mapping
– Source Port to Destination Port
– Source IP to Destination IP
– Source IP to Destination Port
– Source Port/IP to Destination IP/Port
– Source IP/Port to Destination Port/IP
• Characterization of home/external network
Parallel plot views (figure). Axes: External IP (0.0.0.0 to 255.255.255.255), Internal IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535), Internal Port (0 to 65,535); a second panel pairs External IP (0.0.0.0 to 255.255.255.255) with Internal Port (0 to 65,535).
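The slides describe the pipeline (capture, parse, process, plot) and the five packet fields it keeps, but show no code. The following is an added example, not the authors' Perl tooling: it parses a classic libpcap file, extracts source/destination IP and port, timestamp, raw length and protocol, then projects each packet onto the four axes of the port-to-IP-to-IP-to-port view (scaled to 0..1 so they share one plot) and produces the time-sequence list of ports hit on one host. The capture is constructed inline with documentation addresses (203.0.113.5 scanning 192.0.2.10, home network 192.0.2.0/24); the function names and the zeroed checksums are this example's own assumptions.

```python
"""Capture -> parse -> process stage of a passive visual fingerprinting pipeline.
Added example; constructed sample capture, not a real tool's traffic."""
import struct
from ipaddress import IPv4Address, IPv4Network

PROTO_NAMES = {6: "TCP", 17: "UDP"}


def build_frame(src, dst, proto, sport, dport, flags=0x02, payload=b""):
    """Ethernet/IPv4/(TCP|UDP) frame with zeroed checksums (sample data only)."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, default flags = SYN
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:           # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + l4


def build_pcap(packets):
    """Assemble a classic libpcap file (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one record per packet holding the five fields the views use."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic / endianness")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet feeds the views
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack_from("!HH", l4, 0)
        records.append({"ts": sec + usec / 1e6, "src": src, "dst": dst, "sport": sport,
                        "dport": dport, "len": incl, "proto": PROTO_NAMES.get(proto, str(proto))})
    return records


def parallel_plot_rows(records, home):
    """Port-to-IP-to-IP-to-port view: (ext port, ext IP, int IP, int port), each scaled
    to 0..1. Packets with both or neither endpoint inside the home network are skipped,
    which is the home/external characterization the views rely on."""
    net, rows = IPv4Network(home), []
    for r in records:
        if r["sport"] is None:
            continue
        s_in, d_in = IPv4Address(r["src"]) in net, IPv4Address(r["dst"]) in net
        if s_in == d_in:
            continue
        if s_in:
            ext_ip, ext_port, int_ip, int_port = r["dst"], r["dport"], r["src"], r["sport"]
        else:
            ext_ip, ext_port, int_ip, int_port = r["src"], r["sport"], r["dst"], r["dport"]
        rows.append((ext_port / 65535, int(IPv4Address(ext_ip)) / 0xFFFFFFFF,
                     int(IPv4Address(int_ip)) / 0xFFFFFFFF, int_port / 65535))
    return rows


def port_sequence(records, target):
    """Time-sequence view: destination ports hit on one host, in timestamp order."""
    return [r["dport"] for r in sorted(records, key=lambda r: r["ts"])
            if r["dst"] == target and r["dport"] is not None]


# Constructed capture: a small external scan of 192.0.2.10, one outbound HTTP request,
# and one internal-to-internal packet that the home/external projection drops.
SAMPLE = build_pcap([
    (1.000000, build_frame("203.0.113.5", "192.0.2.10", 6, 40001, 21)),
    (1.000100, build_frame("203.0.113.5", "192.0.2.10", 6, 40002, 22)),
    (1.000200, build_frame("203.0.113.5", "192.0.2.10", 6, 40003, 23)),
    (1.000300, build_frame("203.0.113.5", "192.0.2.10", 6, 40004, 25)),
    (1.000400, build_frame("203.0.113.5", "192.0.2.10", 6, 40005, 80)),
    (1.000500, build_frame("203.0.113.5", "192.0.2.10", 17, 40006, 53, payload=b"\x00" * 4)),
    (2.000000, build_frame("192.0.2.10", "198.51.100.7", 6, 51000, 80, flags=0x18,
                           payload=b"GET / HTTP/1.0\r\n")),
    (2.500000, build_frame("192.0.2.10", "192.0.2.20", 6, 51001, 445)),
])

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE)
    for row in parallel_plot_rows(recs, "192.0.2.0/24"):
        print(" ".join(f"{v:.6f}" for v in row))  # one line per packet, gnuplot/xmgrace columns
    print("ports hit on 192.0.2.10:", port_sequence(recs, "192.0.2.10"))
```

Each printed row is one polyline across the four axes, so a sequential scan shows up as a fan of lines converging on one internal IP while the internal-port axis sweeps upward; the `port_sequence` list is the same signal in time-series form (the "ports vs. packets" plots later in the deck).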
Figure: port-to-port views. Axes: External Port, Internal Port, External IP, Internal IP. Panels: Baseline; nmap 3 (RH8); nmap 3 UDP (RH8); scanline 1.01 (XP); NMapWin 3 (XP); nmap 3.5 (XP); nikto 1.32 (XP); SuperScan 3.0 (XP); SuperScan 4.0 (XP); Sara 5.0.3. Legend: Light / Medium / Heavy.
Georgia Tech Honeynet (figure): parallel plot views with axes External IP (0.0.0.0 to 255.255.255.255), Internal IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535) and Internal Port (0 to 65,535).
Also a Port to IP to IP to Port View
Exploring nmap 3.0 in depth
(port to IP to IP to port)
default (root)
stealth FIN (-sF)
SYN (-sS -O)
stealth SYN (-sS)
NULL (-sN)
CONNECT (-sT)
UDP (-sU)
XMAS (-sX)
nmap within Nessus
(port to IP to IP to port)
CONNECT (-sT)
Nessus 2.0.10
UDP (-sU)
SuperScan Evolution
(port to IP to IP to port)
SuperScan 3.0
SuperScan 4.0
scanline 1.01
Figure: packet length and protocol type over time (axes: ports, packets, length). Panels: WinNMap, SuperScan 4.0.
Figure: time sequence data (external port vs. packet). Panels: superscan 3, nmap win (axes: ports vs. packets). Also internal/external IP and internal port.
tool interface
Findings (Weaknesses)
• Interaction with personal firewalls
• Countermeasures
• Scale / labeling are issues
• Occlusion is a problem
• Greater interactivity required for forensics and less aggressive attacks
• Some tools are very flexible
• Source code not available for some tools
Findings (Strengths)
• Aggressive tools have distinct visual signatures
• Threading / multiple processes may be visible
• Some source code lineage may be visible
• Some OS/Application features are visible
• Some classes of stealthy attack are visible
Findings (Strengths)
• Sequence of ports scanned visible
• Frequently attacked ports visible
• Resistant to high volume network traffic
• Viable in the presence of routine traffic
• Useful against slow scans (hours-weeks)
• Useful against distributed scans
Future Work
• Add forensic capability
• Task driven interactivity (Zoom & filter,
details on demand)
• Smart books (images & movies)
• Usability studies
• Stress test
• Explore less aggressive attack classes
Demo
rumint tool
classic infovis survey
security infovis survey
http://www.rumint.com/software.html
www.cc.gatech.edu/~conti
www.cc.gatech.edu/~conti
VizSEC Paper/Slides
Visual Security Community
Kulsoom’s Research
http://users.ece.gatech.edu/~kulsoom/research.html
www.cc.gatech.edu/~conti
http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47
http://users.ece.gatech.edu/~kulsoom/research.html
Acknowledgements
• Dr. John Stasko
– http://www.cc.gatech.edu/~john.stasko/
• Dr. Wenke Lee
– http://www.cc.gatech.edu/~wenke/
• Dr. John Levine
– http://www.eecs.usma.edu/
• Julian Grizzard
– http://www.ece.gatech.edu/
• 404.se2600
– Clint
– Hendrick
– icer
– Rockit
– StricK
Questions?
Greg Conti
[email protected]
www.cc.gatech.edu/~conti
Kulsoom Abdullah
[email protected]
http://users.ece.gatech.edu/~kulsoom/research.html
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg