Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Attack Visualization Greg Conti www.cc.gatech.edu/~conti.

Published byCuthbert Neal Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Attack Visualization Greg Conti www.cc.gatech.edu/~conti."— Presentation transcript:

1 Network Attack Visualization Greg Conti www.cc.gatech.edu/~conti

2 Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm

3 information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization

4 An Art Survey… http://www.artinvest2000.com/leonardo_gioconda.htm http://www.geocities.com/h2lee/ascii/monalisa.html http://www.muppetlabs.com/~breadbox/bf/ http://www.clifford.at/cfun/progex/ A B C

5 Patterns Anomalies Comparisons Outliers/Extremes Big Picture & Details Interaction Large Datasets Why InfoVis? Replies Views

6 TCP Dump Tcpdump image: http://www.bgnett.no/~giva/pcap/tcpdump.png TCPDump can be found at http://www.tcpdump.org/ Ethereal image: http://www.linux- france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif Ethereal by Gerald Combs can be found at http://www.ethereal.com/ EtherApe image: http://www.solaris4you.dk/sniffersSS.html Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ Ethereal EtherApe Packet Capture Visualizations

7 So What? Go Beyond the Algorithm –Complement current systems Make CTF a Spectator Sport Enhance forensic analysis –Mine large datasets –Logs Monitor in real time –Allow big picture, but details on demand –Fingerprint attacks/tools (people?) –Alerts (2-3 Million /day) Observe attacker behavior (example) What tasks do you need help with?

8 Recon Focused Attacks Next Wave Destination IP Time

9 Classical InfoVis Research

10 InfoVis Mantra http://www.cs.umd.edu/~ben/ Overview First Zoom and Filter Details on Demand

11 Overview and Detail Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2002/ cs7450_spring/Talks/09-overdetail.ppt for more details. Game shown is Civilization II

12 Focus and Context Examples by Dr. John Stasko, see www.cc.gatech.edu/classes/AY2001/ cs7450_fall/Talks/8-focuscontext.ppt for more details. Table lens (right) is from Xerox Parc and Inxight Fisheye View Table Lens

13 For more information… Courses (free) Conferences Systems Research Groups Bookmarks on CD

14 Example Classical InfoVis Systems

15 example 1 - data mountain http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg

16 example 2 - filmfinder http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif

17 example 3 - parallel coordinates A. Inselberg and B. Dimsdale. Parallel coordinates: A tool for visualizing multidimensional geometry. Proc. of Visualization '90, p. 361-78, 1990. http://davis.wpi.edu/~xmdv/images/para.gif MPG 35 0

18 example 4 - informative art http://www.viktoria.se/fal/projects/infoart/

19 Many, many untapped security applications… examples 5 - 72 (on CD)

20 More Information Information Visualization Envisioning Information by Tufte The Visual Display of Quantitative Information by Tufte Visual Explanations by Tufte Beautiful Evidence by Tufte (due this year) Information Visualization by Spence Information Visualization: Using Vision to Think by Card See also the Tufte road show, details at www.edwardtufte.com images: www.amazon.com

21 Representative Security Visualization Research

22 Soon Tee Teoh Routing Anomalies http://graphics.cs.ucdavis.edu/~steoh/ See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml

23 Secure Scope http://www.securedecisions.com/main.htm

24 Starlight http://starlight.pnl.gov/

25 Open Source Security Information Management (OSSIM) http://www.ossim.net/screenshots/metrics.jpg

26 TCP/IP Sequence Number Generation Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Michal Zalewski x[n] = s[n-2] - s[n-3] y[n] = s[n-1] - s[n-2] z[n] = s[n] - s [n-1] x[n] = s[n-2] - s[n-3] y[n] = s[n-1] - s[n-2] z[n] = s[n] - s [n-1]

27 Wireless Visualization http://www.ittc.ku.edu/wlan/images_all_small.shtml

28 Observing Intruder Behavior Dr. Rob Erbacher –Visual Summarizing and Analysis Techniques for Intrusion Data –Multi-Dimensional Data Visualization –A Component-Based Event- Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/

29 Glyphs Dr. Rob Erbacher

30 examples 9 - 45 (to be posted)

31 Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anamolies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/

32 More Hot Research Areas… feature selection and construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature and anomaly detection forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/

33 Building a System

34 Visual IDS

35 Ethernet Packet Capture Parse Process Plot tcpdump (pcap, snort) Perl xmgrace (gnuplot) tcpdump capture files winpcap VB System Architecture Creativity

36 rumint tool components (CD)

37

38 External Port Internal Port 65,535 0 External IP Internal IP 255.255.255.255 0.0.0.0 External IP Internal Port 255.255.255.255 65,535 0.0.0.0 0 parallel port views

39 External IP External Port Internal Port Internal IP 255.255.255.255 65,535 65,535 255.255.255.255 0.0.0.0 0 0 0.0.0.0 Also a Port to IP to IP to Port View

40 sara 5.0.3 (port to port view) Light MediumHeavy

41 nmap 3 (RH8) NMapWin 3 (XP) SuperScan 3.0 (XP) SuperScan 4.0 (XP) nmap 3 UDP (RH8) nmap 3.5 (XP) scanline 1.01 (XP) nikto 1.32 (XP) Tool Fingerprinting (port to port view)

42 time sequence data (external port vs. packet) nmap winsuperscan 3 ports packets Also internal/external IP and internal port

43 packet length and protocol type over time ports packets length

44 30 days on the Georgia Tech honeynet External IP Internal PortExternal Port Internal Port

45 Demo’s rumint xmgrace treemap worm propagation survey x 2.ppt links

46 classic infovis survey (on CD) security infovis survey (www.cc.gatech.edu/~conti) perl/linux/xmgrace demo (on CD) rumint tool (on CD) bookmarks (on CD) this talk (on CD & www.cc.gatech.edu/~conti)

47 Acknowledgements 404.se2600 –Clint –Hendrick –icer –Rockit –StricK Dr. John Stasko –http://www.cc.gatech.edu/~john.stasko/ Dr. Wenke Lee –http://www.cc.gatech.edu/~wenke/ Dr. John Levine –http://www.eecs.usma.edu/ Julian Grizzard –http://www.ece.gatech.edu/

48 Questions? http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5

Download ppt "Network Attack Visualization Greg Conti www.cc.gatech.edu/~conti."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Intrusion Detection/Prevention Systems Charles Poff Bearing Point.

Intrusion Detection/Prevention Systems Charles Poff Bearing Point.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
6/1/2014FLOCON 2009, Scottsdale, AZ. DoD Disclaimer 6/1/2014FLOCON 2009, Scottsdale, AZ This document was prepared as a service to the DoD community.

6/1/2014FLOCON 2009, Scottsdale, AZ. DoD Disclaimer 6/1/2014FLOCON 2009, Scottsdale, AZ This document was prepared as a service to the DoD community.
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
Information Visualization Survey

Information Visualization Survey
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
1 Visualizing Network Attacks Eric Conrad April 2009.

1 Visualizing Network Attacks Eric Conrad April 2009.
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet,

Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet,
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
NAV Project Update By: Meghan Allen and Peter McLachlan.

NAV Project Update By: Meghan Allen and Peter McLachlan.
02/06/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing Dr. S. Felix Wu Computer.

02/06/2006ecs236 winter Intrusion Detection ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing Dr. S. Felix Wu Computer.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
Security administrators The experts need better tools too!

Security administrators The experts need better tools too!

Similar presentations

Ads by Google