
Network Attack Visualization

Greg Conti
www.cc.gatech.edu/~conti
Disclaimer

The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.

image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm
Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.

http://en.wikipedia.org/wiki/Information_visualization
An Art Survey…

[three images, labelled A, B and C; sources below]

http://www.clifford.at/cfun/progex/
http://www.muppetlabs.com/~breadbox/bf/
http://www.geocities.com/h2lee/ascii/monalisa.html
http://www.artinvest2000.com/leonardo_gioconda.htm
Why InfoVis?
Views

• Patterns
• Anomalies
• Comparisons
• Outliers/Extremes
• Big Picture & Details
• Interaction
Replies
• Large Datasets
Packet Capture Visualizations

EtherApe
Ethereal
Tcpdump

Tcpdump image: http://www.bgnett.no/~giva/pcap/tcpdump.png
TCPDump can be found at http://www.tcpdump.org/
Ethereal image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
Ethereal by Gerald Combs can be found at http://www.ethereal.com/
EtherApe image: http://www.solaris4you.dk/sniffersSS.html
Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/
So What?
• Go Beyond the Algorithm
– Complement current systems
• Make CTF a Spectator Sport
• Enhance forensic analysis
– Mine large datasets
– Logs
• Monitor in real time
– Allow big picture, but details on demand
– Fingerprint attacks/tools (people?)
– Alerts (2-3 Million /day)
• Observe attacker behavior (example)

What tasks do you need help with?


[chart: Destination IP plotted against Time, annotated with the phases Recon, Focused Attacks and Next Wave]
Classical InfoVis Research
InfoVis Mantra

Overview First

Zoom and Filter

Details on Demand

http://www.cs.umd.edu/~ben/
Overview and Detail

Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2002/cs7450_spring/Talks/09-overdetail.ppt for more details.
Game shown is Civilization II
Focus and Context
Table Lens

Fisheye View

Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2001/cs7450_fall/Talks/8-focuscontext.ppt for more details.
Table lens (right) is from Xerox Parc and Inxight
For more information…

• Courses (free)
• Conferences
• Systems
• Research Groups

Bookmarks on CD
Example Classical InfoVis Systems
example 1 - data mountain

http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg
example 2 - filmfinder

http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif
example 3 - parallel coordinates
[figure: parallel-coordinates plot; the MPG axis is shown with ticks from 0 to 35]
A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing
multidimensional geometry. Proc. of Visualization '90, p. 361-78, 1990.
http://davis.wpi.edu/~xmdv/images/para.gif
example 4 - informative art

http://www.viktoria.se/fal/projects/infoart/
examples 5 - 72 (on CD)

Many, many untapped security applications…


More Information
Information Visualization

• Envisioning Information by Tufte
• The Visual Display of Quantitative Information by Tufte
• Visual Explanations by Tufte
• Beautiful Evidence by Tufte (due this year)
• Information Visualization by Spence
• Information Visualization: Using Vision to Think by Card
• See also the Tufte road show, details at www.edwardtufte.com

images: www.amazon.com
Representative Security Visualization Research
Routing Anomalies

Soon Tee Teoh

http://graphics.cs.ucdavis.edu/~steoh/
See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml
Secure Scope

http://www.securedecisions.com/main.htm
Starlight

http://starlight.pnl.gov/
Open Source Security Information Management (OSSIM)

http://www.ossim.net/screenshots/metrics.jpg
TCP/IP Sequence Number Generation

Michal Zalewski

Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.

x[n] = s[n-2] - s[n-3]
y[n] = s[n-1] - s[n-2]
z[n] = s[n] - s[n-1]

Follow-up paper - http://lcamtuf.coredump.cx/newtcp/


Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html
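As an added example (not from the slides or from Zalewski's papers), the Python below maps a list of observed initial sequence numbers into the x/y/z delta space defined above and measures how far the resulting point cloud spreads along each axis; a tight cluster is what the visualization shows for a predictable generator. Both ISN lists are constructed here: one with a near-constant increment and one with values spread across the 32-bit range.

```python
from typing import List, Tuple

Point = Tuple[int, int, int]


def delta_phase_points(seq: List[int]) -> List[Point]:
    """Map ISNs s[0..N-1] into Zalewski's delta space.

    For each n >= 3:
        x[n] = s[n-2] - s[n-3]
        y[n] = s[n-1] - s[n-2]
        z[n] = s[n]   - s[n-1]
    """
    points = []
    for n in range(3, len(seq)):
        x = seq[n - 2] - seq[n - 3]
        y = seq[n - 1] - seq[n - 2]
        z = seq[n] - seq[n - 1]
        points.append((x, y, z))
    return points


def axis_spread(points: List[Point]) -> Tuple[int, int, int]:
    """Range (max - min) of the point cloud along x, y and z.

    A generator whose successive deltas are nearly constant collapses
    to a tiny cluster; a good generator fills the cube.
    """
    if not points:
        return (0, 0, 0)
    spreads = [max(p[i] for p in points) - min(p[i] for p in points)
               for i in range(3)]
    return (spreads[0], spreads[1], spreads[2])


# Constructed sample: an "add about 64000 per connection" style generator
# with a little jitter, so every delta is 63998 or 64001.
WEAK_ISNS = [i * 64000 + (i % 3) for i in range(8)]

# Constructed sample: hand-picked values spread over the 32-bit range,
# standing in for a well-seeded generator (not real captures).
STRONG_ISNS = [0x1F3A9C2B, 0xA57E013D, 0x3C9F8E11, 0xD2045F77,
               0x6B1C33A9, 0x9E8D2C04, 0x07FA61E3]

if __name__ == "__main__":
    for name, isns in (("weak", WEAK_ISNS), ("strong", STRONG_ISNS)):
        pts = delta_phase_points(isns)
        print(name, "points:", len(pts), "spread per axis:", axis_spread(pts))
```

The point list is what you would hand to a 3-D scatter plot (xmgrace, gnuplot) to reproduce the attractor pictures; the spread is only a crude summary of what the picture shows.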
Wireless Visualization

http://www.ittc.ku.edu/wlan/images_all_small.shtml
Observing Intruder Behavior

Dr. Rob Erbacher


– Visual Summarizing and Analysis Techniques for Intrusion Data
– Multi-Dimensional Data Visualization
– A Component-Based Event-Driven Interactive Visualization Software Architecture

http://otherland.cs.usu.edu/~erbacher/
Glyphs
Dr. Rob Erbacher

http://otherland.cs.usu.edu/~erbacher/
examples 9 - 45 (to be posted)
Hot Research Areas…
• visualizing vulnerabilities
• visualizing IDS alarms (NIDS/HIDS)
• visualizing worm/virus propagation
• visualizing routing anomalies
• visualizing large volume computer network logs
• visual correlations of security events
• visualizing network traffic for security
• visualizing attacks in near-real-time
• security visualization at line speeds
• dynamic attack tree creation (graphic)
• forensic visualization

http://www.cs.fit.edu/~pkc/vizdmsec04/
More Hot Research Areas…
• feature selection and construction
• incremental/online learning
• noise in the data
• skewed data distribution
• distributed mining
• correlating multiple models
• efficient processing of large amounts of data
• correlating alerts
• signature and anomaly detection
• forensic analysis

http://www.cs.fit.edu/~pkc/vizdmsec04/
Building a System
Visual IDS System Architecture

Ethernet
– Packet Capture: tcpdump, winpcap (or pcap and snort capture files)
– Parse: Perl / VB
– Process: Perl / VB
– Plot: xmgrace (gnuplot) / VB
– Creativity

rumint tool components (CD)
parallel port views

Six-axis layout, each axis running from its bottom value to its top value:
– External IP: 0.0.0.0 to 255.255.255.255
– Internal IP: 0.0.0.0 to 255.255.255.255
– External Port: 0 to 65,535
– Internal Port: 0 to 65,535
– External IP: 0.0.0.0 to 255.255.255.255
– Internal Port: 0 to 65,535

Four-axis layout, same ranges:
– External IP
– External Port
– Internal Port
– Internal IP

Also a Port to IP to IP to Port View
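As an added example (not rumint's own code), the Python below does the coordinate mapping behind the four-axis External IP / External Port / Internal Port / Internal IP view: each packet becomes one position per axis, with 0.0.0.0 and port 0 at the bottom and 255.255.255.255 and port 65,535 at the top, and a fan-out count shows how a scanner's traces spread across the internal port axis. The packet records use documentation address ranges and are constructed here.

```python
import ipaddress
from typing import Dict, List

IP_MAX = 2 ** 32 - 1
PORT_MAX = 65535


def ip_to_unit(ip: str) -> float:
    """Place an IPv4 address on a 0.0.0.0 (0.0) to 255.255.255.255 (1.0) axis."""
    return int(ipaddress.IPv4Address(ip)) / IP_MAX


def port_to_unit(port: int) -> float:
    """Place a TCP/UDP port on a 0 (bottom) to 65,535 (top) axis."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {port}")
    return port / PORT_MAX


def axis_positions(record: Dict[str, object]) -> List[float]:
    """Vertical position (0..1) of one packet on each of the four axes, in the
    order External IP, External Port, Internal Port, Internal IP. A polyline
    through these points is the packet's trace in the view."""
    return [
        ip_to_unit(record["external_ip"]),
        port_to_unit(record["external_port"]),
        port_to_unit(record["internal_port"]),
        ip_to_unit(record["internal_ip"]),
    ]


def fan_out(records, key_axis: str, target_axis: str) -> Dict[object, int]:
    """Distinct target-axis values per key-axis value: a port scan is one
    external IP whose traces fan out to many internal ports."""
    seen: Dict[object, set] = {}
    for r in records:
        seen.setdefault(r[key_axis], set()).add(r[target_axis])
    return {k: len(v) for k, v in seen.items()}


# Constructed sample packets: one host probing five services on an internal
# host, plus two ordinary web connections from another host.
SAMPLE = [
    {"external_ip": "203.0.113.7", "external_port": 40000 + i,
     "internal_port": p, "internal_ip": "192.0.2.10"}
    for i, p in enumerate([21, 22, 23, 25, 80])
] + [
    {"external_ip": "198.51.100.4", "external_port": 51234 + i,
     "internal_port": 80, "internal_ip": "192.0.2.10"} for i in range(2)
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(["%.3f" % v for v in axis_positions(r)])
    print(fan_out(SAMPLE, "external_ip", "internal_port"))
```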


sara 5.0.3 (port to port view)
[panels: Light, Medium, Heavy]


Tool Fingerprinting (port to port view)

[panels:]
– nmap 3 (RH8)
– nmap 3 UDP (RH8)
– scanline 1.01 (XP)
– SuperScan 3.0 (XP)
– NMapWin 3 (XP)
– nmap 3.5 (XP)
– nikto 1.32 (XP)
– SuperScan 4.0 (XP)
time sequence data (external port vs. packet)
[panels: nmap win, superscan 3; axes: ports vs. packets]

Also internal/external IP and internal port

packet length and protocol type over time
[axes: packets, ports, length]
30 days on the Georgia Tech honeynet
[parallel axes: External IP, Internal Port, External Port, Internal Port]


Demos

– rumint
– xmgrace
– treemap
– worm propagation
– survey x 2 .ppt

Links

– classic infovis survey (on CD)
– security infovis survey (www.cc.gatech.edu/~conti)
– perl/linux/xmgrace demo (on CD)
– rumint tool (on CD)
– bookmarks (on CD)
– this talk (on CD & www.cc.gatech.edu/~conti)
Acknowledgements
• 404.se2600
– Clint
– Hendrick
– icer
– Rockit
– StricK
• Dr. John Stasko
– http://www.cc.gatech.edu/~john.stasko/
• Dr. Wenke Lee
– http://www.cc.gatech.edu/~wenke/
• Dr. John Levine
– http://www.eecs.usma.edu/
• Julian Grizzard
– http://www.ece.gatech.edu/
Questions?
http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5
