Network Attack Visualization Greg Conti

Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image:

information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.

An Art Survey… A B C

Patterns Anomalies Comparisons Outliers/Extremes Big Picture & Details Interaction Large Datasets Why InfoVis? Replies Views

TCP Dump Tcpdump image: TCPDump can be found at Ethereal image: france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif Ethereal by Gerald Combs can be found at EtherApe image: Etherape by Juan Toledo can be found at Ethereal EtherApe Packet Capture Visualizations

So What? Go Beyond the Algorithm –Complement current systems Make CTF a Spectator Sport Enhance forensic analysis –Mine large datasets –Logs Monitor in real time –Allow big picture, but details on demand –Fingerprint attacks/tools (people?) –Alerts (2-3 Million /day) Observe attacker behavior (example) What tasks do you need help with?

Recon Focused Attacks Next Wave Destination IP Time

Classical InfoVis Research

InfoVis Mantra Overview First Zoom and Filter Details on Demand

Overview and Detail Examples by Dr. John Stasko, see cs7450_spring/Talks/09-overdetail.ppt for more details. Game shown is Civilization II

Focus and Context Examples by Dr. John Stasko, see cs7450_fall/Talks/8-focuscontext.ppt for more details. Table lens (right) is from Xerox Parc and Inxight Fisheye View Table Lens

For more information… Courses (free) Conferences Systems Research Groups Bookmarks on CD

Example Classical InfoVis Systems

example 1 - data mountain

example 2 - filmfinder

example 3 - parallel coordinates A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing multidimensional geometry. Proc. of Visualization '90, p , MPG 35 0

example 4 - informative art

Many, many untapped security applications… examples (on CD)

More Information Information Visualization Envisioning Information by Tufte The Visual Display of Quantitative Information by Tufte Visual Explanations by Tufte Beautiful Evidence by Tufte (due this year) Information Visualization by Spence Information Visualization: Using Vision to Think by Card See also the Tufte road show, details at images:

Representative Security Visualization Research

Soon Tee Teoh Routing Anomalies See also treemap basic research:

Secure Scope

Starlight

Open Source Security Information Management (OSSIM)

TCP/IP Sequence Number Generation Initial paper - Follow-up paper - Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Michal Zalewski x[n] = s[n-2] - s[n-3] y[n] = s[n-1] - s[n-2] z[n] = s[n] - s [n-1] x[n] = s[n-2] - s[n-3] y[n] = s[n-1] - s[n-2] z[n] = s[n] - s [n-1]

Wireless Visualization

Observing Intruder Behavior Dr. Rob Erbacher –Visual Summarizing and Analysis Techniques for Intrusion Data –Multi-Dimensional Data Visualization –A Component-Based Event- Driven Interactive Visualization Software Architecture

Glyphs Dr. Rob Erbacher

examples (to be posted)

Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anamolies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization

More Hot Research Areas… feature selection and construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature and anomaly detection forensic analysis

Building a System

Visual IDS

Ethernet Packet Capture Parse Process Plot tcpdump (pcap, snort) Perl xmgrace (gnuplot) tcpdump capture files winpcap VB System Architecture Creativity

rumint tool components (CD)

External Port Internal Port 65,535 0 External IP Internal IP External IP Internal Port , parallel port views

External IP External Port Internal Port Internal IP ,535 65, Also a Port to IP to IP to Port View

sara (port to port view) Light MediumHeavy

nmap 3 (RH8) NMapWin 3 (XP) SuperScan 3.0 (XP) SuperScan 4.0 (XP) nmap 3 UDP (RH8) nmap 3.5 (XP) scanline 1.01 (XP) nikto 1.32 (XP) Tool Fingerprinting (port to port view)

time sequence data (external port vs. packet) nmap winsuperscan 3 ports packets Also internal/external IP and internal port

packet length and protocol type over time ports packets length

30 days on the Georgia Tech honeynet External IP Internal PortExternal Port Internal Port

Demo’s rumint xmgrace treemap worm propagation survey x 2.ppt links

classic infovis survey (on CD) security infovis survey ( perl/linux/xmgrace demo (on CD) rumint tool (on CD) bookmarks (on CD) this talk (on CD &

Acknowledgements 404.se2600 –Clint –Hendrick –icer –Rockit –StricK Dr. John Stasko – Dr. Wenke Lee – Dr. John Levine – Julian Grizzard –

Questions?