SlideShare a Scribd company logo

Network Security Data Visualization

Download as PPT, PDF
A
amiable_indian

This document discusses using data visualization techniques to analyze network security data and detect cyber attacks. It provides examples of visualizing network traffic data from tcpdump files using Perl scripts and Grace to plot graphs. Specific examples include visualizing a port scan, vulnerability scanner, and wargame traffic to identify anomalous patterns compared to normal traffic baselines. Tools mentioned include tcpdump, Ethereal, EtherApe, and research on visualizing intrusion detection systems, routing anomalies, and worm propagation.

Technology
1 of 76
Downloaded 414 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
Network Security Data Visualization Greg Conti www.cc.gatech.edu/~conti CS6262 http://www.cybergeography.org/atlas/walrus1_large.gif
http://www.interz0ne.com/
information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization
Why InfoVis? Helps find patterns Helps reduce search space Aids efficient monitoring Enables interaction (what if) Help prevent overwhelming the user
So What? Go Beyond the Algorithm Help with detecting and understand some 0 day attacks Make CTF and Root Wars a Spectator Sport Help find insider threats Help visually fingerprint attacks What tasks do you need help with?
TCP Dump image: http://www.bgnett.no/~giva/pcap/tcpdump.png
Network Traffic Viewed in Ethereal Ethereal by Gerald Combs can be found at http://www.ethereal.com/ image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
Network Traffic as Viewed in EtherApe Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ screenshot: http://www.solaris4you.dk/sniffersSS.html
Outline Quick overview of Intrusion Detection Systems (IDS) Quick overview of Information Visualization What data is available on the wire Finding interesting combinations What the attacks look like
Intrusion Detection System An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network. http://en.wikipedia.org/wiki/Intrusion-detection_system
Intrusion Detection System Types Host-based intrusion-detection is the art of detecting malicious activity within a single computer by using host log information system activity virus scanners A Network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port-scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns. http://en2.wikipedia.org/wiki/Host-based_intrusion-detection_system http://en2.wikipedia.org/wiki/Network_intrusion_detection_system
Information Visualization Mantra Overview First, Zoom & Filter, Details on Demand - Ben Shneiderman http://www.cs.umd.edu/~ben/
Overview First…
Zoom and Filter…
Details on Demand…
What Tools are at Your Disposal… Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
What Can InfoVis Help You See? Relationships between X & Y & Z… Anomalies Outliers Extremes Patterns Comparisons and Differences Trends
User Tasks ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate http://www.siggraph.org/education/materials/HyperVis/concepts/matrx_lo.htm See also http://www1.cs.columbia.edu/~zhou/project/CHI98Title.html
Representative Current Research
Dr. Rob Erbacher Representative Research Visual Summarizing and Analysis Techniques for Intrusion Data Multi-Dimensional Data Visualization A Component-Based Event-Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/
http://otherland.cs.usu.edu/~erbacher/ Demo
Dr. David Marchette Passive Fingerprinting Statistics for intrusion detection http://www.mts.jhu.edu/~marchette/
http://www.mts.jhu.edu/~marchette/ (images) http://www.galaxy.gmu.edu/stats/faculty/wegman.html (descriptions)
Soon Tee Teoh Visualizing Internet Routing Data http://graphics.cs.ucdavis.edu/~steoh/
CAIDA Code Red Worm Propagation Young Hyun David Moore Colleen Shannon Bradley Huffaker http://www.caida.org/tools/visualization/walrus/examples/codered/
Jukka Juslin http://www.cs.hut.fi/~jtjuslin/ Intrustion Detection and Visualization Using Perl
Michal Zalewski TCP/IP Sequence Number Generation Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.
Atlas of Cyber Space http://www.cybergeography.org/atlas/atlas.html
John Levine The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks Interesting look at detecting zero-day attacks http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf
Port 135 MS BLASTER scans Date Public: 7/16/03 Date Attack: 8/11/03 Georgia Tech Honeynett Source: John Levine, Georgia Tech
Port 1434 (MS-SQL) scans Date Public: 7/24/02 Date Attack: 1/25/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech
Port 554 (RTSP) scans Date Public: 8/15/2003 Date Attack: 8/22/03 Georgia Tech Honeypot Source: John Levine, Georgia Tech
Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anamolies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/
More Hot Research Areas… feature selection feature construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature detection anomaly detection forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/
One Approach… Look at TCP/IP Protocol Stack Data (particularly header information) Find interesting visualizations Throw some interesting traffic at them See what they can detect Refine
TCP/IP Protocol Stack http://ai3.asti.dost.gov.ph/sat/levels.jpg
Information Available On and Off the Wire Levels of analysis External data Time Size Protocol compliance Real vs. Actual Values Matrices of options Header slides http://ai3.asti.dost.gov.ph/sat/levels.jpg
Link Layer (Ethernet) http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif Physical Link Network Transport Application Presentation Session
Network Layer (IP) http://www.ietf.org/rfc/rfc0791.txt Physical Link Network Transport Application Presentation Session
Transport Layer (TCP) http://www.ietf.org/rfc/rfc793.txt Physical Link Network Transport Application Presentation Session
Transport Layer (UDP) http://www.ietf.org/rfc/rfc0768.txt Physical Link Network Transport Application Presentation Session
 
Exploitation Pattern of Typical Internet Worm Target Vulnerabilities on Specific Operating Systems Localized Scanning to Propagate (Code Red) 3/8 of time within same Class B (/16 network) 1/2 of time within same Class A (/8 network) 1/8 of time random address Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts ? Source: John Levine, Georgia Tech
Ethernet Packet Capture Parse Process Plot tcpdump (pcap, winpcap, snort) Perl (c/c++) Perl (c/c++) xmgrace (GNU plotutils gtk+/opengl html) tcpdump capture files
Grace “ Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP” http://plasma-gate.weizmann.ac.il/Grace/
Required Files Perl, tcpdump and grace need to be installed. - http://www.tcpdump.org/ - http://www.perl.org/ - http://plasma-gate.weizmann.ac.il/Grace/ to install grace... Download RPMs (or source) ftp://plasma-gate.weizmann.ac.il/pub/grace/contrib/RPMS The files you want grace-5.1.14-1.i386.rpm pdflib-4.0.3-1.i386.rpm Install #rpm -i pdflib-4.0.3-1.i386.rpm #rpm -i grace-5.1.14-1.i386.rpm
Hello World Example # tcpdump -lnnq -c10 | perl parse.pl | perl analyze.pl |outfile.dat # xmgrace outfile.dat & Optionally you can run xmgrace with an external format language file… # xmgrace outfile.dat -batch formatfile
Hello World Example (cont) Optionally you can run xmgrace with an external format language file… xmgrace outfile.dat -batch formatfile formatfile is a text file that pre-configures Grace e.g. title "Port Scan Against Single Host" subtitle "Superscan w/ports 1-1024" yaxis label "Port" yaxis label place both yaxis ticklabel place both xaxis ticklabel off xaxis tick major off xaxis tick minor off autoscale
Data Format tcpdump outputs somewhat verbose output 09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF) parse.pl cleans up output 09 02 01 858240 0:6:5b:4:20:14 0:5:9a:50:70:9 10.100.1.120.4532 10.100.1.120 4532 10.1.3.0.1080 10.1.3.0 1080 tcp analyze.pl extracts/formats for Grace. 0 4532 1 1080 0 4537 1 1080 0 2370 1 1080
Results Example 1 - Baseline with Normal Traffic Example 2 - Port Scan Example 3 - Port Scan “Fingerprinting” Example 4 - Vulnerability Scanner Example 5 - Wargame
Example 1 - Baseline Normal network traffic FTP, HTTP, SSH, ICMP… Command Line Capture Raw Data tcpdump -l -nnqe -c 1000 tcp or udp | perl parse.pl > exp1_outfile.txt Run through Analysis Script cat exp1_outfile.txt | perl analyze_1a.pl > output1a.dat Open in Grace xmgrace output1a.dat &
 
 
Example 2 - PortScan Light “normal” network traffic (HTTP) Command Line Run 2a.bat (chmod +x 2a.bat) echo running experiment 2 echo 1-1024 port scan tcpdump -l -nnqe -c 1200 tcp or udp > raw_outfile_2.txt cat raw_outfile_2.txt | perl parse_2a.pl > exp2_outfile.txt cat exp2_outfile.txt | perl analyze_2a.pl > output_2a.dat xmgrace output_2a.dat & echo experiment 2 completed
 
Attacker
Defender
Example 3- PortScan “Fingerprinting” Tools Examined: Nmap Win 1.3.1 (on top of Nmap 3.00) XP Attacker (http://www.insecure.org/nmap/) Nmap 3.00 RH 8.0 Attacker (http://www.insecure.org/nmap/) Superscan 3.0 RH 8.0 Attacker ( http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm)
nmap 3.00 default (RH 8.0) nmap 3.00 udp scan (RH 8.0) Superscan 3.0 Nmap Win 1.3.1
Three Parallel Scans
Example 4: Vulnerability Scanner Attacker: RH 8.0 running Nessus 2.0.10 Target: RH 9.0
 
Example 5: Wargame Attackers: NSA Red Team Defenders: US Service Academies Defenders lock down network, but must provide certain services Dataset - http://www.itoc.usma.edu/cdx/2003/logs.zip
 
 
 
 
Zooming in on port 8080
 
Port 135 CAN-2003-0605 tcp any 135 The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CAN-2003-0352 6 any 135 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm. http://isc.incidents.org/port_details.html?port=135
Conclusions Limited fingerprinting of tools is possible Visualization can help drive better algorithms Some attacker techniques can be identified Some vulnerabilities can be identified
Demo See readme.txt Two demo scripts… runme.bat (uses sample dataset) runme_sniff.bat (performs live capture, must be root) Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)
Future Distributed NIDS Visualization Real-time vs. Offline Interesting datasets 3D Other visualization techniques Visualization of protocol attacks Visualization of application layer attacks Visualization of physical layer attacks (?) Code up some stand-alone tools
Questions? http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5
Who are your users: 1. 2. 3. What are their tasks? 1. 2. 3. ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
 

More Related Content

What's hot (20)

PPT
Log Analysis
n|u - The Open Security Community
 
PPTX
Introduction To Exploitation & Metasploit
Raghav Bisht
 
PDF
MITRE ATT&CK Framework
n|u - The Open Security Community
 
PDF
CS8791 Cloud Computing - Question Bank
pkaviya
 
PPTX
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
PPTX
Malware Detection Approaches using Data Mining Techniques.pptx
Alamgir Hossain
 
PPTX
Network attacks
Manjushree Mashal
 
PPTX
Firewall ppt
OECLIB Odisha Electronics Control Library
 
PPTX
Kali Linux
Chanchal Dabriya
 
PPTX
An introduction to Jupyter notebooks and the Noteable service
Jisc
 
PDF
Introduction to data mining and machine learning
Tilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
PDF
Malware detection-using-machine-learning
Security Bootcamp
 
PPTX
Honeypots
SARANYA S
 
PDF
Loan Approval Prediction Using Machine Learning
Souma Maiti
 
PPTX
Password craking techniques
أحلام انصارى
 
PPT
Intro to Deep learning - Autoencoders
Akash Goel
 
PPT
A study on biometric authentication techniques
Subhash Basistha
 
PDF
Biometrics for Payment Authentication
FIDO Alliance
 
PDF
Classification and Clustering
Eng Teong Cheah
 
PPT
Dmz
أحلام انصارى
 
Log Analysis
n|u - The Open Security Community
 
Introduction To Exploitation & Metasploit
Raghav Bisht
 
MITRE ATT&CK Framework
n|u - The Open Security Community
 
CS8791 Cloud Computing - Question Bank
pkaviya
 
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Malware Detection Approaches using Data Mining Techniques.pptx
Alamgir Hossain
 
Network attacks
Manjushree Mashal
 
Firewall ppt
OECLIB Odisha Electronics Control Library
 
Kali Linux
Chanchal Dabriya
 
An introduction to Jupyter notebooks and the Noteable service
Jisc
 
Introduction to data mining and machine learning
Tilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
Malware detection-using-machine-learning
Security Bootcamp
 
Honeypots
SARANYA S
 
Loan Approval Prediction Using Machine Learning
Souma Maiti
 
Password craking techniques
أحلام انصارى
 
Intro to Deep learning - Autoencoders
Akash Goel
 
A study on biometric authentication techniques
Subhash Basistha
 
Biometrics for Payment Authentication
FIDO Alliance
 
Classification and Clustering
Eng Teong Cheah
 
Dmz
أحلام انصارى
 

Similar to Network Security Data Visualization (20)

PDF
Network Security Data Visualization
ssusercb4686
 
PDF
BSides IR in Heterogeneous Environment
Stefano Maccaglia
 
PDF
DotDotPwn v3.0 [GuadalajaraCON 2012]
Websec México
 
PDF
Guadalajara con 2012
Jaime Restrepo
 
PPTX
Detecting virtual machine co residency in cloud computing with active traffic...
James A. Savage
 
PDF
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
Alejandro Hernández
 
PPTX
Sandbox kiev
uisgslide
 
PPTX
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
PPT
SoleraNetworks
Joe Levy
 
PPTX
Cyber warfare introduction
jagadeesh katla
 
PDF
Modern Malware and Threats
MarketingArrowECS_CZ
 
PPTX
Anomaly detection final
Akshay Bansal
 
DOC
Days of the Honeynet: Attacks, Tools, Incidents
Anton Chuvakin
 
PPTX
J_McConnell_LabReconnaissance
Juanita McConnell
 
PDF
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
ijceronline
 
PDF
Romulus OWASP
Grupo Gesfor I+D+i
 
ODP
Practical Tips for Mobile Widget development
brucelawson
 
ODP
Practical Tips for developing W3C Mobile Widgets
guestd427df
 
PDF
Modern malware and threats
Martin Holovský
 
PDF
Collecting and analyzing network-based evidence
CSITiaesprime
 
Network Security Data Visualization
ssusercb4686
 
BSides IR in Heterogeneous Environment
Stefano Maccaglia
 
DotDotPwn v3.0 [GuadalajaraCON 2012]
Websec México
 
Guadalajara con 2012
Jaime Restrepo
 
Detecting virtual machine co residency in cloud computing with active traffic...
James A. Savage
 
DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)
Alejandro Hernández
 
Sandbox kiev
uisgslide
 
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
SoleraNetworks
Joe Levy
 
Cyber warfare introduction
jagadeesh katla
 
Modern Malware and Threats
MarketingArrowECS_CZ
 
Anomaly detection final
Akshay Bansal
 
Days of the Honeynet: Attacks, Tools, Incidents
Anton Chuvakin
 
J_McConnell_LabReconnaissance
Juanita McConnell
 
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis
ijceronline
 
Romulus OWASP
Grupo Gesfor I+D+i
 
Practical Tips for Mobile Widget development
brucelawson
 
Practical Tips for developing W3C Mobile Widgets
guestd427df
 
Modern malware and threats
Martin Holovský
 
Collecting and analyzing network-based evidence
CSITiaesprime
 
Ad

More from amiable_indian (20)

PDF
Phishing As Tragedy of the Commons
amiable_indian
 
PDF
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
PDF
Secrets of Top Pentesters
amiable_indian
 
PPS
Workshop on Wireless Security
amiable_indian
 
PDF
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
PPS
Workshop on BackTrack live CD
amiable_indian
 
PPS
Reverse Engineering for exploit writers
amiable_indian
 
PPS
State of Cyber Law in India
amiable_indian
 
PPS
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
PPS
Reverse Engineering v/s Secure Coding
amiable_indian
 
PPS
Network Vulnerability Assessments: Lessons Learned
amiable_indian
 
PPS
Economic offenses through Credit Card Frauds Dissected
amiable_indian
 
PPS
Immune IT: Moving from Security to Immunity
amiable_indian
 
PPS
Reverse Engineering for exploit writers
amiable_indian
 
PPS
Hacking Client Side Insecurities
amiable_indian
 
PDF
Web Exploit Finder Presentation
amiable_indian
 
PPT
Enhancing Computer Security via End-to-End Communication Visualization
amiable_indian
 
PDF
Top Network Vulnerabilities Over Time
amiable_indian
 
PDF
What are the Business Security Metrics?
amiable_indian
 
PPT
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
amiable_indian
 
Phishing As Tragedy of the Commons
amiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
Secrets of Top Pentesters
amiable_indian
 
Workshop on Wireless Security
amiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
Workshop on BackTrack live CD
amiable_indian
 
Reverse Engineering for exploit writers
amiable_indian
 
State of Cyber Law in India
amiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
Reverse Engineering v/s Secure Coding
amiable_indian
 
Network Vulnerability Assessments: Lessons Learned
amiable_indian
 
Economic offenses through Credit Card Frauds Dissected
amiable_indian
 
Immune IT: Moving from Security to Immunity
amiable_indian
 
Reverse Engineering for exploit writers
amiable_indian
 
Hacking Client Side Insecurities
amiable_indian
 
Web Exploit Finder Presentation
amiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
amiable_indian
 
Top Network Vulnerabilities Over Time
amiable_indian
 
What are the Business Security Metrics?
amiable_indian
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
amiable_indian
 
Ad

Recently uploaded (20)

PDF
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PDF
SIZING YOUR AIR CONDITIONER---A PRACTICAL GUIDE.pdf
Muhammad Rizwan Akram
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
Automating Feature Enrichment and Station Creation in Natural Gas Utility Net...
Safe Software
 
PPTX
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
PDF
The Rise of AI and IoT in Mobile App Tech.pdf
IMG Global Infotech
 
PPTX
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
PDF
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
PDF
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
PDF
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
PDF
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
PDF
Peak of Data & AI Encore AI-Enhanced Workflows for the Real World
Safe Software
 
PDF
The 2025 InfraRed Report - Redpoint Ventures
Razin Mustafiz
 
PDF
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
PDF
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
UiPath DevConnect 2025: Agentic Automation Community User Group Meeting
DianaGray10
 
PDF
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
PDF
Staying Human in a Machine- Accelerated World
Catalin Jora
 
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
SIZING YOUR AIR CONDITIONER---A PRACTICAL GUIDE.pdf
Muhammad Rizwan Akram
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Automating Feature Enrichment and Station Creation in Natural Gas Utility Net...
Safe Software
 
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
The Rise of AI and IoT in Mobile App Tech.pdf
IMG Global Infotech
 
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
Peak of Data & AI Encore AI-Enhanced Workflows for the Real World
Safe Software
 
The 2025 InfraRed Report - Redpoint Ventures
Razin Mustafiz
 
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
UiPath DevConnect 2025: Agentic Automation Community User Group Meeting
DianaGray10
 
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
Staying Human in a Machine- Accelerated World
Catalin Jora
 

Network Security Data Visualization

  • 1. Network Security Data Visualization Greg Conti www.cc.gatech.edu/~conti CS6262 http://www.cybergeography.org/atlas/walrus1_large.gif
  • 3. information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization
  • 4. Why InfoVis? Helps find patterns Helps reduce search space Aids efficient monitoring Enables interaction (what if) Help prevent overwhelming the user
  • 5. So What? Go Beyond the Algorithm Help with detecting and understand some 0 day attacks Make CTF and Root Wars a Spectator Sport Help find insider threats Help visually fingerprint attacks What tasks do you need help with?
  • 6. TCP Dump image: http://www.bgnett.no/~giva/pcap/tcpdump.png
  • 7. Network Traffic Viewed in Ethereal Ethereal by Gerald Combs can be found at http://www.ethereal.com/ image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
  • 8. Network Traffic as Viewed in EtherApe Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ screenshot: http://www.solaris4you.dk/sniffersSS.html
  • 9. Outline Quick overview of Intrusion Detection Systems (IDS) Quick overview of Information Visualization What data is available on the wire Finding interesting combinations What the attacks look like
  • 10. Intrusion Detection System An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network. http://en.wikipedia.org/wiki/Intrusion-detection_system
  • 11. Intrusion Detection System Types Host-based intrusion-detection is the art of detecting malicious activity within a single computer by using host log information system activity virus scanners A Network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port-scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns. http://en2.wikipedia.org/wiki/Host-based_intrusion-detection_system http://en2.wikipedia.org/wiki/Network_intrusion_detection_system
  • 12. Information Visualization Mantra Overview First, Zoom & Filter, Details on Demand - Ben Shneiderman http://www.cs.umd.edu/~ben/
  • 15. Details on Demand…
  • 16. What Tools are at Your Disposal… Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
  • 17. What Can InfoVis Help You See? Relationships between X & Y & Z… Anomalies Outliers Extremes Patterns Comparisons and Differences Trends
  • 18. User Tasks ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate http://www.siggraph.org/education/materials/HyperVis/concepts/matrx_lo.htm See also http://www1.cs.columbia.edu/~zhou/project/CHI98Title.html
  • 20. Dr. Rob Erbacher Representative Research Visual Summarizing and Analysis Techniques for Intrusion Data Multi-Dimensional Data Visualization A Component-Based Event-Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/
  • 22. Dr. David Marchette Passive Fingerprinting Statistics for intrusion detection http://www.mts.jhu.edu/~marchette/
  • 24. Soon Tee Teoh Visualizing Internet Routing Data http://graphics.cs.ucdavis.edu/~steoh/
  • 25. CAIDA Code Red Worm Propagation Young Hyun David Moore Colleen Shannon Bradley Huffaker http://www.caida.org/tools/visualization/walrus/examples/codered/
  • 27. Michal Zalewski TCP/IP Sequence Number Generation Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low. Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.
  • 28. Atlas of Cyber Space http://www.cybergeography.org/atlas/atlas.html
  • 29. John Levine The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks Interesting look at detecting zero-day attacks http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf
  • 30. Port 135 MS BLASTER scans Date Public: 7/16/03 Date Attack: 8/11/03 Georgia Tech Honeynett Source: John Levine, Georgia Tech
  • 31. Port 1434 (MS-SQL) scans Date Public: 7/24/02 Date Attack: 1/25/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech
  • 32. Port 554 (RTSP) scans Date Public: 8/15/2003 Date Attack: 8/22/03 Georgia Tech Honeypot Source: John Levine, Georgia Tech
  • 33. Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anamolies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/
  • 34. More Hot Research Areas… feature selection feature construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature detection anomaly detection forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/
  • 35. One Approach… Look at TCP/IP Protocol Stack Data (particularly header information) Find interesting visualizations Throw some interesting traffic at them See what they can detect Refine
  • 36. TCP/IP Protocol Stack http://ai3.asti.dost.gov.ph/sat/levels.jpg
  • 37. Information Available On and Off the Wire Levels of analysis External data Time Size Protocol compliance Real vs. Actual Values Matrices of options Header slides http://ai3.asti.dost.gov.ph/sat/levels.jpg
  • 38. Link Layer (Ethernet) http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif Physical Link Network Transport Application Presentation Session
  • 39. Network Layer (IP) http://www.ietf.org/rfc/rfc0791.txt Physical Link Network Transport Application Presentation Session
  • 40. Transport Layer (TCP) http://www.ietf.org/rfc/rfc793.txt Physical Link Network Transport Application Presentation Session
  • 41. Transport Layer (UDP) http://www.ietf.org/rfc/rfc0768.txt Physical Link Network Transport Application Presentation Session
  • 42.  
  • 43. Exploitation Pattern of Typical Internet Worm Target Vulnerabilities on Specific Operating Systems Localized Scanning to Propagate (Code Red) 3/8 of time within same Class B (/16 network) 1/2 of time within same Class A (/8 network) 1/8 of time random address Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts ? Source: John Levine, Georgia Tech
  • 44. Ethernet Packet Capture Parse Process Plot tcpdump (pcap, winpcap, snort) Perl (c/c++) Perl (c/c++) xmgrace (GNU plotutils gtk+/opengl html) tcpdump capture files
  • 45. Grace “ Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP” http://plasma-gate.weizmann.ac.il/Grace/
  • 46. Required Files Perl, tcpdump and grace need to be installed. - http://www.tcpdump.org/ - http://www.perl.org/ - http://plasma-gate.weizmann.ac.il/Grace/ to install grace... Download RPMs (or source) ftp://plasma-gate.weizmann.ac.il/pub/grace/contrib/RPMS The files you want grace-5.1.14-1.i386.rpm pdflib-4.0.3-1.i386.rpm Install #rpm -i pdflib-4.0.3-1.i386.rpm #rpm -i grace-5.1.14-1.i386.rpm
  • 47. Hello World Example # tcpdump -lnnq -c10 | perl parse.pl | perl analyze.pl |outfile.dat # xmgrace outfile.dat & Optionally you can run xmgrace with an external format language file… # xmgrace outfile.dat -batch formatfile
  • 48. Hello World Example (cont) Optionally you can run xmgrace with an external format language file… xmgrace outfile.dat -batch formatfile formatfile is a text file that pre-configures Grace e.g. title "Port Scan Against Single Host" subtitle "Superscan w/ports 1-1024" yaxis label "Port" yaxis label place both yaxis ticklabel place both xaxis ticklabel off xaxis tick major off xaxis tick minor off autoscale
  • 49. Data Format tcpdump outputs somewhat verbose output 09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF) parse.pl cleans up output 09 02 01 858240 0:6:5b:4:20:14 0:5:9a:50:70:9 10.100.1.120.4532 10.100.1.120 4532 10.1.3.0.1080 10.1.3.0 1080 tcp analyze.pl extracts/formats for Grace. 0 4532 1 1080 0 4537 1 1080 0 2370 1 1080
  • 50. Results Example 1 - Baseline with Normal Traffic Example 2 - Port Scan Example 3 - Port Scan “Fingerprinting” Example 4 - Vulnerability Scanner Example 5 - Wargame
  • 51. Example 1 - Baseline Normal network traffic FTP, HTTP, SSH, ICMP… Command Line Capture Raw Data tcpdump -l -nnqe -c 1000 tcp or udp | perl parse.pl > exp1_outfile.txt Run through Analysis Script cat exp1_outfile.txt | perl analyze_1a.pl > output1a.dat Open in Grace xmgrace output1a.dat &
  • 52.  
  • 53.  
  • 54. Example 2 - PortScan Light “normal” network traffic (HTTP) Command Line Run 2a.bat (chmod +x 2a.bat) echo running experiment 2 echo 1-1024 port scan tcpdump -l -nnqe -c 1200 tcp or udp > raw_outfile_2.txt cat raw_outfile_2.txt | perl parse_2a.pl > exp2_outfile.txt cat exp2_outfile.txt | perl analyze_2a.pl > output_2a.dat xmgrace output_2a.dat & echo experiment 2 completed
  • 55.  
  • 58. Example 3- PortScan “Fingerprinting” Tools Examined: Nmap Win 1.3.1 (on top of Nmap 3.00) XP Attacker (http://www.insecure.org/nmap/) Nmap 3.00 RH 8.0 Attacker (http://www.insecure.org/nmap/) Superscan 3.0 RH 8.0 Attacker ( http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm)
  • 59. nmap 3.00 default (RH 8.0) nmap 3.00 udp scan (RH 8.0) Superscan 3.0 Nmap Win 1.3.1
  • 61. Example 4: Vulnerability Scanner Attacker: RH 8.0 running Nessus 2.0.10 Target: RH 9.0
  • 62.  
  • 63. Example 5: Wargame Attackers: NSA Red Team Defenders: US Service Academies Defenders lock down network, but must provide certain services Dataset - http://www.itoc.usma.edu/cdx/2003/logs.zip
  • 64.  
  • 65.  
  • 66.  
  • 67.  
  • 68. Zooming in on port 8080
  • 69.  
  • 70. Port 135 CAN-2003-0605 tcp any 135 The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CAN-2003-0352 6 any 135 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm. http://isc.incidents.org/port_details.html?port=135
  • 71. Conclusions Limited fingerprinting of tools is possible Visualization can help drive better algorithms Some attacker techniques can be identified Some vulnerabilities can be identified
  • 72. Demo See readme.txt Two demo scripts… runme.bat (uses sample dataset) runme_sniff.bat (performs live capture, must be root) Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)
  • 73. Future Distributed NIDS Visualization Real-time vs. Offline Interesting datasets 3D Other visualization techniques Visualization of protocol attacks Visualization of application layer attacks Visualization of physical layer attacks (?) Code up some stand-alone tools
  • 75. Who are your users: 1. 2. 3. What are their tasks? 1. 2. 3. ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
  • 76.  

Editor's Notes

  • #2: “ These striking images are 3D hyperbolic graphs of Internet topology. They are created using the Walrus visualisation tool developed by Young Hyun at the Cooperative Association for Internet Data Analysis ( CAIDA ). The underlying data on the topological structure of the Internet is gathered by skitter , a CAIDA tool for large-scale collection and analysis of Internet traffic path data.” -http://www.cybergeography.org/atlas/topology.html