Visual Analysis of Security Data Flows

About This Presentation
Title:

Visual Analysis of Security Data Flows

Description:

Visual Analysis of Security Data Flows – PowerPoint PPT presentation

Slides: 60
Provided by: rum2
Learn more at: http://www.rumint.org

Transcript and Presenter's Notes

Title: Visual Analysis of Security Data Flows


1
Visual Analysis of Security Data Flows
  • Gregory Conti
  • www.cc.gatech.edu/conti
  • conti_at_cc.gatech.edu

image source: http://mileshotel.blogspot.com/2006/01/four-eyes-mind-fucking-pic.html, original author unknown
3
  • The views expressed in this presentation are
    those of the author and do not reflect the
    official policy or position of the United States
    Military Academy, the Department of the Army, the
    Department of Defense or the U.S. Government. 

http://ehp.niehs.nih.gov/docs/2003/111-2/prison.jpg
4
information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.
http://en.wikipedia.org/wiki/Information_visualization
5
SANS Internet Storm Center
6
Ethereal's Tipping Point (for the human)
Professionals: 5,905 packets
Students: 635 packets
7
Potential Data Streams
  • Traditional
  • packet capture
  • IDS/IPS logs
  • syslog
  • firewall logs
  • anti-virus
  • net flows
  • host processes
  • honeynets
  • network appliances
  • Less traditional
  • p0f
  • IANA data (illegal IPs)
  • DNS
  • application level
  • extrusion detection systems
  • local semantic data (unassigned local IPs)
  • inverted IDS
  • geolocation (MaxMind?)
  • vulnerability assessment
  • nessus, nmap
  • system files

8
General InfoVis Research
  • PowerPoint of classic systems is here:
    http://www.rumint.org/gregconti/publications/20040731-information_visualization_survey.ppt
  • see InfoVis proceedings for more recent work
  • http://www.infovis.org/symposia.php

9
Rootkit Propagation (Dan Kaminsky)
http://www.doxpara.com/
10
Firewall Data (Raffy Marty)
http://raffy.ch/blog/
11
IDS Alerts (Kulsoom Abdullah)
http://www.rumint.org/gregconti/publications/20050813_VizSec_IDS_Rainstorm.pdf
12
Packet Level (John Goodall)
http://userpages.umbc.edu/jgood/research/tnv/
13
Packet Level (John Goodall)
Figure labels: Zoom, Filter, Overview, Detail
http://userpages.umbc.edu/jgood/research/tnv/
14
(No Transcript)
15
More results on CD
16
Ethereal
Ethereal can be found at http://www.ethereal.com/
http://www.pandora.nu/tempo-depot/notes/blosxom/data/PC_side/Web_Browser/Blosxom/ethereal.png
17
Potential Data Streams
Per-packet header fields: payload byte frequency, packet length, ethertype, IP version, IP header length, IP differentiated services, IP total length, IP identification, IP flags, IP fragment offset, TTL, IP transport protocol, IP header checksum, src/dst IP, src/dst TCP/UDP port
  • Traditional
  • packet capture
  • IDS/IPS logs
  • syslog
  • firewall logs
  • anti-virus
  • net flows
  • host processes
  • honeynets
  • network appliances
  • Less traditional
  • p0f
  • IANA data (illegal IPs)
  • DNS
  • application level
  • extrusion detection systems
  • local semantic data (unassigned local IPs)
  • inverted IDS
  • geolocation (MaxMind?)
  • vulnerability assessment
  • nessus, nmap
  • system files
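The per-packet header fields this slide lists, pulled out of one raw frame. This is an added worked example in Python, not RUMINT's code and not from the talk; the Ethernet/IPv4/TCP frame is constructed inline (addresses, ports and payload are made up), and the header-checksum verification is an extra check added here because a bad IPv4 checksum is itself a field worth plotting.

```python
import struct
from collections import Counter


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over an IPv4 header. Computed over a
    header that already carries a correct checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Extract the header fields listed on the slide from a raw Ethernet II
    frame, plus the payload byte-frequency histogram."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    fields = {"packet_length": len(frame),
              "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if fields["ethertype"] != 0x0800:            # not IPv4: histogram the rest
        fields["payload_byte_frequency"] = Counter(frame[14:])
        return fields
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL %d" % ihl)
    fields.update({
        "ip_version": ver_ihl >> 4,
        "ip_header_length": ihl,
        "ip_differentiated_services": dscp_ecn >> 2,
        "ip_total_length": total_len,
        "ip_identification": ident,
        "ip_flags": flags_frag >> 13,                 # reserved | DF | MF
        "ip_fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "ip_transport": proto,
        "ip_header_checksum": hcsum,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
    })
    payload = ip[ihl:total_len]          # honour total length, drop any trailer
    if proto == 6 and len(payload) >= 20:            # TCP
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", payload[:4])
        payload = payload[(payload[12] >> 4) * 4:]   # skip data offset * 4
    elif proto == 17 and len(payload) >= 8:          # UDP
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", payload[:4])
        payload = payload[8:]
    fields["payload_byte_frequency"] = Counter(payload)
    return fields


def build_sample_frame(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (not a capture from the talk):
    192.168.1.1:50000 -> 10.0.0.2:80, SYN, DF set, short HTTP payload."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xABCD, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    f = parse_frame(build_sample_frame())
    for k in sorted(f):
        if k != "payload_byte_frequency":
            print("%-28s %s" % (k, f[k]))
    print("top payload bytes:", f["payload_byte_frequency"].most_common(3))
```

Each key of the returned dict is one candidate axis for the visualizations that follow; the byte-frequency Counter is the "payload byte frequency" stream and feeds the byte-presence and entropy views later in the deck.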

18
RUMINT
19
Filtering, Encoding Interaction
20
Text (on-the-fly strings)
dataset: Defcon 11 CTF
21
Krasser Visualization
22
Routine Honeynet Traffic(baseline)
23
Compromised Honeypot
24
Binary Rainfall Visualization (single packet)
Bits on wire
25
Binary Rainfall Visualization (single packet)
Bits on wire
View as a 1:1 relationship (1 bit per pixel)
24 pixels
26
(No Transcript)
27
Encode by Protocol
Network packets over time
Bit 0, Bit 1, Bit 2
Length of packet - 1
28
On-the-fly disassembly?
dataset: Honeynet Project Scan of the Month 21
29
Binary Rainfall Visualization (single packet)
Bits on wire
View as a 1:1 relationship (1 bit per pixel)
View as an 8:1 relationship (1 byte per pixel)
3 pixels
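Slides 24 to 29 describe the binary rainfall encoding: one packet per row, one bit or one byte per pixel, rows coloured by protocol. The renderer below is an added example in Python, not RUMINT's code and not from the talk. It emits plain PPM/PGM images so the result opens in any image viewer; the protocol palette and the three-packet "capture" are constructed here, not taken from the Defcon or honeynet datasets the slides use.

```python
def bits_msb_first(data: bytes) -> list:
    """Expand bytes into 0/1 bits, most significant bit first, which is the
    order the bits of each octet go on the wire."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def rainfall(packets, bits_per_pixel=1):
    """Binary rainfall: one row per packet, left-aligned, zero-padded to the
    widest packet. 1 bit/pixel: a 3-byte packet is 24 pixels wide.
    8 bits/pixel (1 byte/pixel): the same packet is 3 pixels wide."""
    if bits_per_pixel == 1:
        rows = [bits_msb_first(p) for p in packets]
    elif bits_per_pixel == 8:
        rows = [list(p) for p in packets]
    else:
        raise ValueError("only 1 or 8 bits per pixel are supported")
    width = max((len(r) for r in rows), default=0)
    return [r + [0] * (width - len(r)) for r in rows]


# Assumed protocol palette (not from the talk): TCP blue, UDP green,
# ICMP red, anything else grey.
PROTOCOL_COLOURS = {6: (0, 0, 255), 17: (0, 200, 0), 1: (255, 0, 0)}
DEFAULT_COLOUR = (128, 128, 128)


def rainfall_ppm(packets, protocols, background=(255, 255, 255)) -> bytes:
    """Slide 27's 'encode by protocol': the 1-bit rainfall as a PPM (P3)
    image where every set bit takes the colour of its packet's IP protocol.
    `protocols` holds one IP protocol number per packet."""
    rows = rainfall(packets, 1)
    if not rows:
        return b"P3\n0 0\n255\n"
    height, width = len(rows), len(rows[0])
    out = ["P3", "%d %d" % (width, height), "255"]
    for row, proto in zip(rows, protocols):
        colour = PROTOCOL_COLOURS.get(proto, DEFAULT_COLOUR)
        pixels = [colour if bit else background for bit in row]
        out.append(" ".join("%d %d %d" % px for px in pixels))
    return ("\n".join(out) + "\n").encode()


def rainfall_pgm(packets) -> bytes:
    """1 byte per pixel rendering as greyscale PGM (P2): grey level = byte value."""
    rows = rainfall(packets, 8)
    height, width = len(rows), (len(rows[0]) if rows else 0)
    out = ["P2", "%d %d" % (width, height), "255"]
    out += [" ".join(str(v) for v in row) for row in rows]
    return ("\n".join(out) + "\n").encode()


if __name__ == "__main__":
    # Constructed three-packet capture: an IPv4 header start, a NOP run, ASCII.
    pkts = [b"\x45\x00\x00", b"\x90\x90\x90\x90", b"GET"]
    protos = [6, 17, 6]
    with open("rainfall_bits.ppm", "wb") as fh:
        fh.write(rainfall_ppm(pkts, protos))
    with open("rainfall_bytes.pgm", "wb") as fh:
        fh.write(rainfall_pgm(pkts))
    print(rainfall(pkts[:1], 1)[0])   # 24 pixels for the 3-byte packet
```

Rows are left-aligned, so the x position of a pixel is its bit (or byte) offset in the packet and the row count is the packet number; that is why the IP header region lines up as vertical bands in the slides' honeynet screenshots while the payload region does not.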
30
Byte Visualization
31
OpenSSH Diffie-Hellman Key Exchange
32
Zipped Email Attachment
33
Byte Presence
  • dictionary file via HTTP
  • ssh
  • SSL

34
Parallel Coordinates
  • goal plot any data fields
  • dynamic columns
  • change order for different insight
  • intelligent lookup and translation of fields
  • e.g. IP transport protocol

35
Rapidly Characterize Packet Header Fields (Context)
36
Identify and Precisely Locate Fragmentation Anomaly
37
Identify and Precisely Locate \x90 Anomaly
38
Identify and Precisely Locate Possible Random Payload Anomaly
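Slides 36 and 37 show a fragmentation anomaly and a \x90 anomaly being located by eye in the parallel-coordinate and rainfall views. The detectors below are an added example in Python, not RUMINT's code and not from the talk, of the same two checks done programmatically over constructed IPv4 packets (addresses, identifications and the teardrop-style overlapping pair are made up). The 16-byte NOP-sled threshold is an assumption; a practitioner would tune it against a baseline like the honeynet traffic on slide 22.

```python
import struct
from collections import defaultdict

MF = 0x2000           # IPv4 "more fragments" bit in the flags/fragment-offset word
NOP_SLED_MIN = 16     # assumed threshold (not from the talk): 16+ consecutive 0x90 bytes


def ip_header(ident, frag_offset, more, payload_len, proto=6):
    """Constructed minimal IPv4 header (checksum left zero) for the samples."""
    word = (MF if more else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, word,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def fragment_anomalies(packets):
    """Slide 36: group IPv4 packets by (src, dst, ident, proto) and report
    fragments that overlap an earlier fragment of the same datagram,
    non-final fragments whose length is not a multiple of 8, and fragments
    that would reassemble past the 65535-byte limit."""
    groups = defaultdict(list)
    findings = []
    for i, pkt in enumerate(packets):
        if len(pkt) < 20:
            findings.append((i, "truncated IPv4 header"))
            continue
        ver_ihl, _, total_len, ident, word, _, proto, _, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        offset, more = (word & 0x1FFF) * 8, bool(word & MF)
        plen = total_len - ihl
        if not more and offset == 0:
            continue                                  # not a fragment
        if more and plen % 8:
            findings.append((i, "non-final fragment length %d not a multiple of 8" % plen))
        if offset + plen > 65535:
            findings.append((i, "fragment reassembles past 65535 bytes"))
        groups[(src, dst, ident, proto)].append((i, offset, offset + plen))
    for (_, _, ident, _), frags in groups.items():
        frags.sort(key=lambda f: f[1])                # by offset
        prev_i, prev_end = frags[0][0], frags[0][2]   # running coverage so far
        for b, b_start, b_end in frags[1:]:
            if b_start < prev_end:
                findings.append((b, "id 0x%04x: bytes %d-%d overlap fragment %d (ends at %d)"
                                 % (ident, b_start, b_end, prev_i, prev_end)))
            if b_end > prev_end:
                prev_i, prev_end = b, b_end
    return findings


def longest_run(data, value=0x90):
    """Length of the longest run of `value` in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def nop_sled_anomalies(packets, min_run=NOP_SLED_MIN):
    """Slide 37: packets whose bytes after the IPv4 header contain a run of
    at least min_run 0x90 (x86 NOP) bytes. Returns (index, run length)."""
    out = []
    for i, pkt in enumerate(packets):
        if len(pkt) < 20:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        run = longest_run(pkt[ihl:])
        if run >= min_run:
            out.append((i, run))
    return out


def sample_packets():
    """Constructed traffic (not the Defcon/honeynet data from the talk):
    a clean two-fragment datagram (id 1), an overlapping teardrop-style
    pair (id 2) and an unfragmented packet carrying a 40-byte NOP sled (id 3)."""
    return [
        ip_header(1, 0, True, 16) + b"A" * 16,
        ip_header(1, 16, False, 10) + b"A" * 10,
        ip_header(2, 0, True, 32) + b"B" * 32,
        ip_header(2, 8, False, 16) + b"B" * 16,       # starts inside the first piece
        ip_header(3, 0, False, 41) + b"\x90" * 40 + b"\xcc",
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    for idx, msg in fragment_anomalies(pkts):
        print("packet %d: %s" % (idx, msg))
    for idx, run in nop_sled_anomalies(pkts):
        print("packet %d: run of %d NOP bytes" % (idx, run))
```

The overlap check keeps a running "covered up to" offset rather than comparing only neighbouring fragments, so a small fragment landing inside a large earlier one is caught even when another fragment sits between them in offset order. In a live capture a gap between fragments may simply mean a piece has not arrived yet, which is why gaps are not flagged here.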
39
Task Completion Time (chart; y-axis: time in minutes; bar label: 8 min)
40
Task Completion Time (chart; y-axis: time in minutes; bar labels: 16 min, 5 min, 2.5 min)
41
RUMINT Tipping Point
RUMINT 9,000 Packets
Ethereal 635 Packets
42
Demo
43
System Requirements
  • IP over Ethernet
  • Tested on Windows XP
  • 256 MB Ram
  • Processor 300MHZ (minimum)
  • The more screen real estate the better
  • Latest winpcap

44
Binary Visualization (sendmail)
printable ASCII in blue
original
45
Color Encode by Opcode (ls)
46
CALL/RET
JMP
NOP
ASCII
47
Color Encode by Disassembly? (ls)

ls:     file format elf32-i386

Disassembly of section .init:

0804917c <.init>:
 804917c:  55                    push   %ebp
 804917d:  89 e5                 mov    %esp,%ebp
 804917f:  83 ec 08              sub    $0x8,%esp
 8049182:  e8 8d 05 00 00        call   0x8049714
 8049187:  e8 f4 05 00 00        call   0x8049780
 804918c:  e8 9f c0 00 00        call   0x8055230
 8049191:  c9                    leave
 8049192:  c3                    ret
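Slides 45 to 47 colour the bytes of /bin/ls by opcode class (CALL/RET, JMP, NOP, ASCII). The classifier below is an added example in Python, not RUMINT's code and not from the talk: it applies that legend to the 23 .init bytes from the objdump listing above and writes a PPM. The palette is assumed. It also makes the slide's "by disassembly?" question concrete: the same byte value can be an opcode, an operand or text, and a byte-level colouring cannot tell them apart.

```python
from collections import Counter

# Byte classes for the colour encoding (slide 46's legend). A byte-level
# heuristic, not a disassembly: only opcodes whose values are not printable
# ASCII are listed, so the two classes never collide, but operand and data
# bytes that happen to equal E8/C3/90 are still coloured as instructions,
# and 0x55 ("push %ebp") is shown as ASCII 'U'.
OPCODE_CLASS = {
    0xE8: "call/ret", 0xC3: "call/ret", 0xC2: "call/ret",   # call rel32, ret, ret imm16
    0xE9: "jmp", 0xEB: "jmp",                                # jmp rel32, jmp rel8
    0x90: "nop",
}
PALETTE = {   # assumed colours (not from the talk)
    "call/ret": (255, 0, 0), "jmp": (255, 160, 0), "nop": (0, 0, 255),
    "ascii": (0, 170, 0), "other": (40, 40, 40),
}

# The .init bytes from the objdump listing on slide 47, in order.
INIT_BYTES = bytes.fromhex("55 89e5 83ec08 e88d050000 e8f4050000 e89fc00000 c9 c3")


def classify(b: int) -> str:
    """Opcode classes first (none of them is printable), then ASCII, then other."""
    if b in OPCODE_CLASS:
        return OPCODE_CLASS[b]
    return "ascii" if 0x20 <= b < 0x7F else "other"


def class_counts(data: bytes) -> Counter:
    return Counter(classify(b) for b in data)


def render_ppm(data: bytes, width: int = 16) -> bytes:
    """Lay the bytes out left-to-right, top-to-bottom, `width` per row, and
    emit a P3 PPM with one coloured pixel per byte (last row padded black)."""
    height = max(1, -(-len(data) // width))           # ceiling division
    lines = ["P3", "%d %d" % (width, height), "255"]
    for row in range(height):
        chunk = data[row * width:(row + 1) * width]
        pixels = [PALETTE[classify(b)] for b in chunk]
        pixels += [(0, 0, 0)] * (width - len(pixels))
        lines.append(" ".join("%d %d %d" % px for px in pixels))
    return ("\n".join(lines) + "\n").encode()


if __name__ == "__main__":
    print(dict(class_counts(INIT_BYTES)))     # three e8 calls plus the c3 ret
    with open("init_opcodes.ppm", "wb") as fh:
        fh.write(render_ppm(INIT_BYTES, width=8))
```

On the listing above, the three `e8` call bytes and the final `c3` light up as call/ret, while the `05 00 00` operand bytes fall into "other" and the leading `55` is painted as text. A disassembler-driven colouring (the slide's open question) would colour whole instructions instead of single bytes.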
48
empty word document
text
full word document (truncated)
49
binary file analysis
bmp
tiff
jpg
gif
png
original image
50
Dissecting a Word document (text + image)
Word document
defcar tiff

header text content
hex dump
51
with modify password
original
with open password
AES
52
Apply Image Filtering Algorithms (sendmail)
stained glass
colored pencil
dry brush
glowing edges
original
53
Uses
  • visual diff
  • revision changes
  • datafile changes
  • malware (including malmedia)
  • context
  • encryption
  • binary navigation
  • dissecting file formats
  • unfamiliar binaries
  • visual strings / pattern matching
  • checksums
  • integrate with hex editors / disassemblers
  • cool t-shirts :)

???
54
Attack Demo
55
Future Vision
Visualization Plug-ins
Flows
Filters
PCAP Library
56
Directions for the Future
  • We are only scratching the surface of the
    possibilities
  • attack specific community needs
  • plug-ins (vis, filters, processing)
  • launch network packets?
  • protocol specific visualizations
  • including application layer (e.g. VoIP, HTTP)
  • OpenGL
  • graph visualization
  • screensaver/wallpaper snapshot?
  • work out GUI issues
  • database of filters / smart books
  • stress testing
  • evaluate effectiveness
  • human-machine bridging technologies

57
entropy (bits) vs. packet number (chart)

Hamming, Richard W. Coding and Information Theory, 1980, pp. 104-108
58
entropy (bits) vs. packet number (chart)

Hamming, Richard W. Coding and Information Theory, 1980, pp. 104-108
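Slide 33 (byte presence: dictionary file over HTTP vs. ssh vs. SSL), slide 38 (possible random payload anomaly) and slides 57 and 58 (entropy in bits per packet, after Hamming) all reduce to the byte histogram of a payload. One added example in Python serves all three; it is not RUMINT's code and not from the talk. It builds the 256-column presence vector and a compressed text strip of it, computes Shannon entropy H = -sum p_i log2 p_i, flags random-looking payloads with a length-normalised threshold, and produces the entropy-vs-packet-number series behind the last two slides. The payloads (an HTTP response carrying dictionary words, a seeded pseudo-random block standing in for ciphertext, zero padding) and the 0.9 threshold are constructed and assumed here.

```python
import math
import random
from collections import Counter

PRINTABLE = frozenset(range(0x20, 0x7F)) | frozenset(b"\t\r\n")


def byte_presence(data: bytes) -> list:
    """Slide 33: a 256-entry 0/1 vector, entry v set if byte value v occurs."""
    seen = set(data)
    return [1 if v in seen else 0 for v in range(256)]


def presence_strip(data: bytes, cols: int = 64) -> str:
    """Squeeze the 256 presence columns into `cols` characters: '#' where
    any byte value in that group occurs, '.' otherwise. Text shows up as a
    band in the middle, ciphertext as a solid bar."""
    p = byte_presence(data)
    per = 256 // cols
    return "".join("#" if any(p[g * per:(g + 1) * per]) else "." for g in range(cols))


def entropy_bits(data: bytes) -> float:
    """Shannon entropy H = -sum p_i log2 p_i in bits per byte (Hamming's
    definition); 0.0 for an empty payload, at most 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def normalised_entropy(data: bytes) -> float:
    """Entropy as a fraction of the maximum reachable at this length,
    min(8, log2 n): a 10-byte payload cannot show 8 bits, so the raw value
    would under-flag short packets."""
    n = len(data)
    if n < 2:
        return 0.0
    return entropy_bits(data) / min(8.0, math.log2(n))


def classify_payload(data: bytes, high: float = 0.9) -> str:
    """'text' if every byte present is printable (dictionary over HTTP),
    'random-looking' at or above the assumed normalised-entropy threshold
    (ciphertext, compressed data, slide 38's random payload), else 'binary'."""
    present = {v for v, bit in enumerate(byte_presence(data)) if bit}
    if present and present <= PRINTABLE:
        return "text"
    if normalised_entropy(data) >= high:
        return "random-looking"
    return "binary"


def entropy_series(packets) -> list:
    """The data behind slides 57/58: (packet number, entropy in bits)."""
    return [(i, round(entropy_bits(p), 3)) for i, p in enumerate(packets)]


def sample_payloads() -> dict:
    """Constructed payloads (not captures from the talk)."""
    rng = random.Random(1)
    opaque = bytes(rng.getrandbits(8) for _ in range(1024))  # stand-in for SSH/TLS ciphertext
    words = ["aardvark", "abacus", "abandon", "zygote"]
    return {
        "dictionary over HTTP": b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                                + b"\n".join(w.encode() for w in words),
        "opaque": opaque,
        "zero padding": b"\x00" * 40,
    }


if __name__ == "__main__":
    samples = sample_payloads()
    for name, data in samples.items():
        print("%-22s %-15s H=%.2f bits  %s" % (name, classify_payload(data),
                                                entropy_bits(data), presence_strip(data)))
    print(entropy_series(list(samples.values())))
```

The normalisation matters for per-packet plots: a 20-byte payload tops out at log2(20), about 4.3 bits, so a fixed "above 7 bits" rule would never fire on short packets while a ratio-based rule still does. Conversely, a long run of one byte value scores zero on both measures and lands in "binary", which is the expected result for padding.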
59
Greg Conti
conti_at_cc.gatech.edu
www.cc.gatech.edu/conti
www.rumint.org