Network Attack Visualization: Greg Conti, www.cc.gatech.edu/~conti
Visualization
Greg Conti
www.cc.gatech.edu/~conti
Disclaimer
image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm
"Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition."
http://en.wikipedia.org/wiki/Information_visualization
An Art Survey…
(three image panels: A, B, C)
http://www.clifford.at/cfun/progex/
http://www.muppetlabs.com/~breadbox/bf/
http://www.geocities.com/h2lee/ascii/monalisa.html
http://www.artinvest2000.com/leonardo_gioconda.htm
Why InfoVis?
• Patterns
• Anomalies
• Comparisons
• Outliers/Extremes
• Big Picture & Details
• Interaction
• Large Datasets
Packet Capture
Visualizations
EtherApe
Ethereal
Focused
Attacks
Next Wave
Time
Classical InfoVis Research
InfoVis Mantra
Overview First
Details on Demand
http://www.cs.umd.edu/~ben/
Overview and Detail
Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2002/cs7450_spring/Talks/09-overdetail.ppt for more details.
Game shown is Civilization II
Focus and Context
Table Lens
Fisheye View
Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2001/cs7450_fall/Talks/8-focuscontext.ppt for more details.
Table lens (right) is from Xerox Parc and Inxight
For more information…
• Courses (free)
• Conferences
• Systems
• Research Groups
Bookmarks on CD
Example Classical
InfoVis Systems
example 1 - data mountain
http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg
example 2 - filmfinder
http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif
example 3 - parallel coordinates
(figure: parallel coordinates plot; axis label shown: MPG, range 0 to 35)
A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing multidimensional geometry. Proc. of Visualization '90, pp. 361-378, 1990.
http://davis.wpi.edu/~xmdv/images/para.gif
example 4 - informative art
http://www.viktoria.se/fal/projects/infoart/
examples 5 - 72 (on CD)
images: www.amazon.com
Representative Security
Visualization Research
Routing Anomalies
http://graphics.cs.ucdavis.edu/~steoh/
See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml
Secure Scope
http://www.securedecisions.com/main.htm
Starlight
http://starlight.pnl.gov/
Open Source Security Information Management (OSSIM)
http://www.ossim.net/screenshots/metrics.jpg
TCP/IP Sequence Number Generation
Michal Zalewski
Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.
http://www.ittc.ku.edu/wlan/images_all_small.shtml
Observing Intruder Behavior
http://otherland.cs.usu.edu/~erbacher/
Glyphs
Dr. Rob Erbacher
http://otherland.cs.usu.edu/~erbacher/
examples 9 - 45
(to be posted)
Hot Research Areas…
• visualizing vulnerabilities
• visualizing IDS alarms (NIDS/HIDS)
• visualizing worm/virus propagation
• visualizing routing anomalies
• visualizing large volume computer network logs
• visual correlations of security events
• visualizing network traffic for security
• visualizing attacks in near-real-time
• security visualization at line speeds
• dynamic attack tree creation (graphic)
• forensic visualization
http://www.cs.fit.edu/~pkc/vizdmsec04/
More Hot Research Areas…
• feature selection and construction
• incremental/online learning
• noise in the data
• skewed data distribution
• distributed mining
• correlating multiple models
• efficient processing of large amounts of data
• correlating alerts
• signature and anomaly detection
• forensic analysis
http://www.cs.fit.edu/~pkc/vizdmsec04/
Building a System
Visual IDS
System Architecture (pipeline diagram): Ethernet capture → Parse (Perl / VB) → Process (Perl / VB) → Plot (xmgrace or gnuplot / VB), with "Creativity" marked as the input to the processing stage
rumint tool components (CD)
parallel port views
(figure: parallel coordinate plots; axes are External IP, Internal IP, External Port, Internal Port, with 0.0.0.0 and port 0 at the bottom of each axis)
Scanning tools shown, with the OS they were run on:
• nmap 3 (RH8)
• nmap 3 UDP (RH8)
• scanline 1.01 (XP)
• SuperScan 3.0 (XP)
• NMapWin 3 (XP)
• nmap 3.5 (XP)
• nikto 1.32 (XP)
• SuperScan 4.0 (XP)
time sequence data (external port vs. packet)
(figure: several time-sequence panels; axis labels are ports, packets and length)
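The parallel port view plots one polyline per packet across the axes External IP, Internal IP, External Port, Internal Port; a port scan shows up as lines from one source fanning out over many destination ports. The following is an added example, not rumint's code or anything from the slides: it builds that geometry from a small constructed capture (RFC 5737 documentation addresses, not real hosts), emits an SVG sketch, and flags the fan-out pattern so a defender can see which source produced it. The function names and the `min_ports` threshold are my own choices.

```python
# Added example (not from the slides or the rumint tool): build parallel-coordinate
# geometry from packet header records and flag the fan-out shape a port scan makes.
import ipaddress
from collections import defaultdict

# Axis order used by the "parallel port view" described in the slides.
AXES = ("ext_ip", "int_ip", "ext_port", "int_port")

# Constructed sample capture: (external IP, internal IP, external port, internal port).
# Addresses come from RFC 5737 documentation ranges; they are not real hosts.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", 40001, 22),    # one source walking several ports
    ("192.0.2.10", "198.51.100.5", 40002, 23),
    ("192.0.2.10", "198.51.100.5", 40003, 25),
    ("192.0.2.10", "198.51.100.5", 40004, 80),
    ("192.0.2.10", "198.51.100.5", 40005, 443),
    ("192.0.2.10", "198.51.100.5", 40006, 8080),
    ("192.0.2.77", "198.51.100.9", 51000, 443),   # ordinary client: one service, many flows
    ("192.0.2.77", "198.51.100.9", 51001, 443),
    ("192.0.2.77", "198.51.100.9", 51002, 443),
]


def ip_to_int(ip):
    """Map a dotted-quad address onto the integer line so it can sit on a numeric axis."""
    return int(ipaddress.ip_address(ip))


def to_vectors(packets):
    """Turn each packet tuple into a 4-vector in AXES order."""
    return [(ip_to_int(e), ip_to_int(i), ep, ip) for e, i, ep, ip in packets]


def normalize(vectors):
    """Scale every axis to [0, 1] using the min/max seen, so all axes share one height.
    A constant column (max == min) is placed at mid-height instead of dividing by zero."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [
        tuple((x - l) / (h - l) if h > l else 0.5 for x, l, h in zip(v, lo, hi))
        for v in vectors
    ]


def polylines(packets):
    """One polyline per packet: a list of (axis_index, y) vertices with y in [0, 1]."""
    return [list(enumerate(n)) for n in normalize(to_vectors(packets))]


def fan_out(packets, min_ports=5):
    """Flag external IPs whose lines fan out across at least min_ports distinct internal ports.
    Returns {external_ip: distinct_internal_port_count}."""
    seen = defaultdict(set)
    for ext_ip, _int_ip, _ext_port, int_port in packets:
        seen[ext_ip].add(int_port)
    return {ip: len(ports) for ip, ports in seen.items() if len(ports) >= min_ports}


def to_svg(packets, width=400, height=200):
    """Render the parallel coordinate view as an SVG string; flagged sources are drawn red."""
    lines = polylines(packets)
    flagged = fan_out(packets)
    step = width / (len(AXES) - 1)
    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="{height}">']
    for axis_index in range(len(AXES)):          # vertical axis lines
        x = axis_index * step
        parts.append(f'<line x1="{x:.1f}" y1="0" x2="{x:.1f}" y2="{height}" stroke="gray"/>')
    for pkt, line in zip(packets, lines):         # one polyline per packet, y=0 at the bottom
        color = "red" if pkt[0] in flagged else "black"
        points = " ".join(f"{i * step:.1f},{(1 - y) * height:.1f}" for i, y in line)
        parts.append(f'<polyline points="{points}" fill="none" stroke="{color}"/>')
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(fan_out(SAMPLE_PACKETS))
    with open("parallel_port_view.svg", "w") as fh:
        fh.write(to_svg(SAMPLE_PACKETS))
```

Run it and open `parallel_port_view.svg` in a browser: the six red lines leave the same point on the External IP axis and spread across the Internal Port axis, which is the visual signature the slides' scanning-tool screenshots show; the black lines from the ordinary client converge on a single internal port instead. Real captures need the same per-axis normalization, otherwise the 32-bit IP axis swamps the 16-bit port axes.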
30 days on the Georgia Tech honeynet
rumint
xmgrace
treemap
worm propagation
Materials (survey x 2 .ppt, links):
• classic infovis survey (on CD)
• security infovis survey (www.cc.gatech.edu/~conti)
• perl/linux/xmgrace demo (on CD)