Passive Visual Fingerprinting of Network Attack Tools
Gregory Conti, Kulsoom Abdullah
College of Computing, Georgia Institute of Technology
(Title figure: Nessus, IP to Port to Port to IP view)
Motivation
Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.
- Law enforcement forensics
- Identify characteristics of new tools/worms
- Provide insight into attacker's methodology and experience level
- Help the network defender initiate an appropriate response
System Architecture
Pipeline: Ethernet -> Packet Capture -> Parse -> Process -> Plot -> Interact
- Packet capture: tcpdump (pcap, snort), winpcap, VS, tcpdump capture files
- Parse: Perl
- Plot: xmgrace (gnuplot)
Examining Available Data...
- Link layer (Ethernet): all raw data available on the wire, i.e. the link layer header, network layer header, transport layer header and application layer data
- Network layer (IP)
- Transport layer (TCP, UDP)
Focused on: source/destination port, source/destination IP, timestamp, length of raw packet, protocol type.
Attacks Fingerprinted
- nessus
- nmap 3.0
- nmap 3.5
- nmapwin 1.3.1
- Superscan 3.0
- Superscan 4.0
- nikto 1.32
- scanline 1.01
- sara 5.0.3
- NSA CDX dataset 2003
Visualizations
Time sequence data:
- Sequence of source/destination ports and IPs
- Sequence of packet lengths
- Sequence of packet protocols
Port and IP mapping:
- Source port to destination port
- Source IP to destination IP
- Source IP to destination port
- Source port/IP to destination IP/port
- Source IP/port to destination port/IP
Characterization of home/external network
Fixed memory requirements
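As an added illustration (not code from the slides, whose parser was written in Perl), the following Python derives two of the data products described above from packet records: the port-to-IP-to-IP-to-port polyline coordinates and the time-compressed sequence of internal ports touched. The home network prefix and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# One record per captured packet, in the shape the parse stage extracts:
# timestamp, source IP/port, destination IP/port, protocol, raw packet length.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

# Constructed sample: an external host probing three ports on one home host,
# plus one reply from the home host (which must not be plotted as inbound).
SAMPLE = [
    Packet(0.00, "203.0.113.7", 40001, "192.0.2.10", 22, "TCP", 60),
    Packet(0.01, "203.0.113.7", 40002, "192.0.2.10", 80, "TCP", 60),
    Packet(0.02, "203.0.113.7", 40003, "192.0.2.10", 80, "TCP", 60),
    Packet(0.03, "192.0.2.10", 80, "203.0.113.7", 40003, "TCP", 60),
    Packet(0.04, "203.0.113.7", 40004, "192.0.2.10", 443, "UDP", 42),
]


def is_inbound(pkt, home_net):
    """Home/external characterization: True only for external -> home packets."""
    home = ipaddress.ip_network(home_net)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src not in home and dst in home


def parallel_coords(records, home_net):
    """Port-to-IP-to-IP-to-port view: one polyline per inbound packet.
    Axes in order: external port, external IP, internal IP, internal port
    (IPs as integers so they can be placed on a numeric axis); the protocol
    is carried along for colouring (TCP/UDP on the slides)."""
    lines = []
    for pkt in records:
        if not is_inbound(pkt, home_net):
            continue
        lines.append((pkt.sport, int(ipaddress.ip_address(pkt.src)),
                      int(ipaddress.ip_address(pkt.dst)), pkt.dport, pkt.proto))
    return lines


def distill_port_sequence(records, home_net):
    """Compress the time domain: the order in which internal ports were
    touched, with consecutive repeats collapsed, so the scan order itself
    becomes the signature rather than the packet timing."""
    seq = []
    for pkt in sorted(records, key=lambda p: p.ts):
        if not is_inbound(pkt, home_net):
            continue
        if not seq or seq[-1] != pkt.dport:
            seq.append(pkt.dport)
    return seq
```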
Parallel plot views (figures: External IP vs. Internal IP; External Port vs. Internal Port, port axes labeled up to 65,535; External IP vs. Internal Port)
Baseline (figures: External Port vs. Internal Port; External IP vs. Internal IP)
Using (mostly) default scan options; TCP = green, UDP = orange
Figures: nmap 3 (RH8), nmap 3 UDP (RH8), scanline 1.01 (XP), SuperScan 3.0 (XP), NMapWin 3 (XP), nmap 3.5 (XP), nikto 1.32 (XP), SuperScan 4.0 (XP)
Foundstone: SuperScan family, scanline
NMapWin: runs on an nmap 3 engine
Sara (port to port): Light, Medium, Heavy
Georgia Tech Honeynet (figures: External IP vs. Internal Port; External Port vs. Internal Port; External IP vs. Internal IP)
Also a Port to IP to IP to Port view (axes: External IP, External Port, Internal Port, Internal IP)
Exploring nmap 3.0 in depth (port to IP to IP to port)
Scan types: default (root), stealth FIN (-sF), NULL (-sN), UDP (-sU), SYN (-sS -O), stealth SYN (-sS), CONNECT (-sT), XMAS (-sX)
nmap within Nessus (port to IP to IP to port): CONNECT (-sT), Nessus, UDP (-sU)
SuperScan Evolution (port to IP to IP to port): scanline 1.01
Packet length and protocol type over time (axes: packets, ports, length)
WinNMap: compress the time domain to distill the sequence
SuperScan 4.0
Time sequence data (external port vs. packet): nmap win, superscan 3 (axes: ports vs. packets). Also internal/external IP and internal port.
Tool interface
Findings (Weaknesses)
- Interaction with personal firewalls
- Countermeasures
- Scale / labeling are issues
- Occlusion is a problem
- Greater interactivity required for forensics and less aggressive attacks
- Some tools are very flexible
- Source code not available for some tools
Findings (Strengths)
- Aggressive tools have distinct visual signatures
- Threading / multiple processes may be visible
- Some source code lineage may be visible
- Some OS/application features are visible
- Some classes of stealthy attack are visible
Findings (Strengths)
- Sequence of ports scanned visible
- Frequently attacked ports visible
- Resistant to high volume network traffic
- Viable in the presence of routine traffic
- Useful against slow scans (hours-weeks)
- Useful against distributed scans
Future Work
- Add forensic capability
- Task driven interactivity (zoom & filter, details on demand)
- Smart books (images & movies)
- Usability studies
- Stress test
- Explore less aggressive attack classes
Demo
- rumint tool
- classic infovis survey
- security infovis survey
- VizSEC paper/slides
- Visual Security Community (catid=41&Itemid=47)
- Kulsoom's research
Acknowledgements: Dr. John Stasko, Dr. Wenke Lee, Dr. John Levine, Julian Grizzard, 404.se2600, Clint Hendrick, icer, Rockit, StricK
Questions?
Greg Conti, conti@cc.gatech.edu, www.cc.gatech.edu/~conti
Kulsoom Abdullah