Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Data Visualization Greg Conti CS6262

Published byAsher Oliver Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security Data Visualization Greg Conti CS6262"— Presentation transcript:

1 Network Security Data Visualization Greg Conti www.cc.gatech.edu/~conti CS6262 http://www.cybergeography.org/atlas/walrus1_large.gif

2 http://www.interz0ne.com/

3 information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization

4 Why InfoVis? Helps find patterns Helps reduce search space Aids efficient monitoring Enables interaction (what if) Help prevent overwhelming the user

5 So What? Go Beyond the Algorithm Help with detecting and understand some 0 day attacks Make CTF and Root Wars a Spectator Sport Help find insider threats Help visually fingerprint attacks What tasks do you need help with?

6 TCP Dump image: http://www.bgnett.no/~giva/pcap/tcpdump.png

7 Network Traffic Viewed in Ethereal Ethereal by Gerald Combs can be found at http://www.ethereal.com/ image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif

8 Network Traffic as Viewed in EtherApe Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ screenshot: http://www.solaris4you.dk/sniffersSS.html

9 Outline Quick overview of Intrusion Detection Systems (IDS) Quick overview of Information Visualization What data is available on the wire Finding interesting combinations What the attacks look like

10 Intrusion Detection System An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network. http://en.wikipedia.org/wiki/Intrusion-detection_system

11 Intrusion Detection System Types Host-based intrusion-detection is the art of detecting malicious activity within a single computer by using –host log information –system activity –virus scanners A Network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port-scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns. http://en2.wikipedia.org/wiki/Host-based_intrusion-detection_system http://en2.wikipedia.org/wiki/Network_intrusion_detection_system

12 Information Visualization Mantra Overview First, Zoom & Filter, Details on Demand - Ben Shneiderman http://www.cs.umd.edu/~ben/

13 Overview First…

14 Zoom and Filter…

15 Details on Demand…

16 What Tools are at Your Disposal… Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective

17 What Can InfoVis Help You See? Relationships between X & Y & Z… Anomalies Outliers Extremes Patterns Comparisons and Differences Trends

18 User Tasks ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate http://www.siggraph.org/education/materials/HyperVis/concepts/matrx_lo.htm See also http://www1.cs.columbia.edu/~zhou/project/CHI98Title.html

19 Representative Current Research

20 Dr. Rob Erbacher Representative Research –Visual Summarizing and Analysis Techniques for Intrusion Data –Multi-Dimensional Data Visualization –A Component-Based Event- Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/

21 Demo

22 Dr. David Marchette Passive Fingerprinting Statistics for intrusion detection http://www.mts.jhu.edu/~marchette/

23 http://www.mts.jhu.edu/~marchette/ (images) http://www.galaxy.gmu.edu/stats/faculty/wegman.html (descriptions)

24 Soon Tee Teoh Visualizing Internet Routing Data http://graphics.cs.ucdavis.edu/~steoh/

25 CAIDA Code Red Worm Propagation Young Hyun David Moore Colleen Shannon Bradley Huffaker http://www.caida.org/tools/visualization/walrus/examples/codered/

26 Jukka Juslin http://www.cs.hut.fi/~jtjuslin/ Intrustion Detection and Visualization Using Perl

27 Michal Zalewski Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. TCP/IP Sequence Number Generation

28 Atlas of Cyber Space http://www.cybergeography.org/atlas/atlas.html

29 John Levine The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks Interesting look at detecting zero-day attacks http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf

30 Port 135 MS BLASTER scans Date Public: 7/16/03 Date Attack: 8/11/03 Georgia Tech Honeynett Source: John Levine, Georgia Tech

31 Port 1434 (MS-SQL) scans Date Public: 7/24/02 Date Attack: 1/25/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech

32 Port 554 (RTSP) scans Date Public: 8/15/2003 Date Attack: 8/22/03 Georgia Tech Honeypot Source: John Levine, Georgia Tech

33 Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anamolies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/

34 More Hot Research Areas… feature selection feature construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature detection anomaly detection forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/

35 One Approach… Look at TCP/IP Protocol Stack Data (particularly header information) Find interesting visualizations Throw some interesting traffic at them See what they can detect Refine

36 TCP/IP Protocol Stack http://ai3.asti.dost.gov.ph/sat/levels.jpg

37 Information Available On and Off the Wire Levels of analysis External data –Time –Size –Protocol compliance –Real vs. Actual Values Matrices of options Header slides http://ai3.asti.dost.gov.ph/sat/levels.jpg

38 Link Layer (Ethernet) Application Presentation Session Transport Network Link Physical http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif

39 Network Layer (IP) Application Presentation Session Transport Network Link Physical http://www.ietf.org/rfc/rfc0791.txt

40 Transport Layer (TCP) Application Presentation Session Transport Network Link Physical http://www.ietf.org/rfc/rfc793.txt

41 Transport Layer (UDP) Application Presentation Session Transport Network Link Physical http://www.ietf.org/rfc/rfc0768.txt

42

43 Exploitation Pattern of Typical Internet Worm Target Vulnerabilities on Specific Operating Systems Localized Scanning to Propagate (Code Red) –3/8 of time within same Class B (/16 network) –1/2 of time within same Class A (/8 network) –1/8 of time random address Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts ? Source: John Levine, Georgia Tech

44 Ethernet Packet Capture Parse Process Plot tcpdump (pcap, winpcap, snort) Perl (c/c++) Perl (c/c++) xmgrace (GNU plotutils gtk+/opengl html) tcpdump capture files

45 Grace “Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP” http://plasma-gate.weizmann.ac.il/Grace/

46 Required Files Perl, tcpdump and grace need to be installed. - http://www.tcpdump.org/ - http://www.perl.org/ - http://plasma-gate.weizmann.ac.il/Grace/ to install grace... Download RPMs (or source) ftp://plasma-gate.weizmann.ac.il/pub/grace/contrib/RPMS The files you want grace-5.1.14-1.i386.rpm pdflib-4.0.3-1.i386.rpm Install #rpm -i pdflib-4.0.3-1.i386.rpm #rpm -i grace-5.1.14-1.i386.rpm

47 Hello World Example # tcpdump -lnnq -c10 | perl parse.pl | perl analyze.pl |outfile.dat # xmgrace outfile.dat & Optionally you can run xmgrace with an external format language file… # xmgrace outfile.dat -batch formatfile

48 Hello World Example (cont) Optionally you can run xmgrace with an external format language file… xmgrace outfile.dat -batch formatfile formatfile is a text file that pre-configures Grace e.g. title "Port Scan Against Single Host" subtitle "Superscan w/ports 1-1024" yaxis label "Port" yaxis label place both yaxis ticklabel place both xaxis ticklabel off xaxis tick major off xaxis tick minor off autoscale

49 Data Format tcpdump outputs somewhat verbose output 09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF) parse.pl cleans up output 09 02 01 858240 0:6:5b:4:20:14 0:5:9a:50:70:9 10.100.1.120.4532 10.100.1.120 4532 10.1.3.0.1080 10.1.3.0 1080 tcp analyze.pl extracts/formats for Grace. 0 4532 1 1080 0 4537 1 1080 0 2370 1 1080

50 Results Example 1 - Baseline with Normal Traffic Example 2 - Port Scan Example 3 - Port Scan “Fingerprinting” Example 4 - Vulnerability Scanner Example 5 - Wargame

51 Example 1 - Baseline Normal network traffic –FTP, HTTP, SSH, ICMP… Command Line –Capture Raw Data tcpdump -l -nnqe -c 1000 tcp or udp | perl parse.pl > exp1_outfile.txt –Run through Analysis Script cat exp1_outfile.txt | perl analyze_1a.pl > output1a.dat –Open in Grace xmgrace output1a.dat &

52

53

54 Example 2 - PortScan Light “normal” network traffic (HTTP) Command Line –Run 2a.bat (chmod +x 2a.bat) echo running experiment 2 echo 1-1024 port scan tcpdump -l -nnqe -c 1200 tcp or udp > raw_outfile_2.txt cat raw_outfile_2.txt | perl parse_2a.pl > exp2_outfile.txt cat exp2_outfile.txt | perl analyze_2a.pl > output_2a.dat xmgrace output_2a.dat & echo experiment 2 completed

55

56 Attacker

57 Defender

58 Example 3- PortScan “Fingerprinting” Tools Examined: Nmap Win 1.3.1 (on top of Nmap 3.00) XP Attacker (http://www.insecure.org/nmap/) Nmap 3.00 RH 8.0 Attacker (http://www.insecure.org/nmap/) Superscan 3.0 RH 8.0 Attacker ( http://www.foundstone.com/index.htm?subnav=resources/navigation.htm &subcontent=/resources/proddesc/superscan.htm)

59 nmap 3.00 default (RH 8.0) nmap 3.00 udp scan (RH 8.0) Superscan 3.0 Nmap Win 1.3.1

60 Three Parallel Scans

61 Example 4: Vulnerability Scanner Attacker: RH 8.0 running Nessus 2.0.10 Target: RH 9.0

62

63 Example 5: Wargame Attackers: NSA Red Team Defenders: US Service Academies Defenders lock down network, but must provide certain services Dataset - http://www.itoc.usma.edu/cdx/2003/logs.zip

64

65

66

67

68 Zooming in on port 8080

69

70 Port 135 CAN-2003-0605tcpany135 The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CAN-2003-03526any135 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm. http://isc.incidents.org/port_details.html?port=135

71 Conclusions Limited fingerprinting of tools is possible Visualization can help drive better algorithms Some attacker techniques can be identified Some vulnerabilities can be identified

72 Demo See readme.txt Two demo scripts… –runme.bat (uses sample dataset) –runme_sniff.bat (performs live capture, must be root) Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)

73 Future Distributed NIDS Visualization Real-time vs. Offline Interesting datasets 3D Other visualization techniques Visualization of protocol attacks Visualization of application layer attacks Visualization of physical layer attacks (?) Code up some stand-alone tools

74 Questions? http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5

75 Who are your users: 1. 2. 3. What are their tasks? 1. 2. 3. ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective

76

Download ppt "Network Security Data Visualization Greg Conti CS6262"

Similar presentations

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Similar presentations

Ads by Google