Real Time and Forensic Network Data Analysis Using Animated Combined Visualizations
Sven Krasser
Gregory Conti
Julian Grizzard
Jeff Gribschaw
Henry Owen
Georgia Institute of Technology
Overview of Visualization
[Figure: the combined display. Axes: source IP address (0.0.0.0 to 255.255.255.255), destination port (0 to 65535), packet size, time (now to age). Encodings: color: protocol; brightness: age.]
Motivation
• High level analysis - low level discovery
• Complement Ethereal by providing big picture context
• TIVO for Network Traffic
• Dealing with customers
• Network behavior / Intruder behavior
• Support Honeynet log analysis
• Not real-time intrusion detection (yet)
System Design
• real time packet capture and forensic playback
• navigate forwards and backwards in dataset
• 3D and 2D views
• Open GL and commodity hardware (P4 2.5GB)
• Parallel coordinate plot adjacent to two animated displays
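The encodings from the visualization overview (source IP and destination port axes, packet size, color by protocol, brightness by age) and the forward/backward playback cursor from the system design, as an added example that is not the authors' tool. The sample capture, the protocol palette, the packet size bound and the linear fade are all assumptions made here for illustration.

```python
from ipaddress import IPv4Address
from typing import Optional

# Constructed sample capture (not from the paper): timestamp in seconds,
# source IP, destination port, packet size in bytes, protocol name.
SAMPLE_PACKETS = [
    (100.0, "10.0.0.5", 80, 1500, "tcp"),
    (100.5, "10.0.0.5", 22, 60, "tcp"),
    (101.0, "192.168.1.9", 53, 404, "udp"),
    (105.0, "172.16.4.2", 443, 120, "tcp"),  # ahead of the cursor: not yet "now"
]

# Assumed palette; the slides only say "color: protocol", not which colors.
PROTOCOL_COLORS = {"tcp": (0.2, 0.6, 1.0), "udp": (1.0, 0.6, 0.2), "icmp": (0.2, 1.0, 0.2)}
UNKNOWN_COLOR = (0.5, 0.5, 0.5)
MAX_PACKET_SIZE = 65535  # upper bound of the packet size axis used here (assumption)

def ip_axis(ip: str) -> float:
    """Source IP address axis: 0.0.0.0 -> 0.0, 255.255.255.255 -> 1.0."""
    return int(IPv4Address(ip)) / 0xFFFFFFFF

def port_axis(port: int) -> float:
    """Destination port axis: 0 -> 0.0, 65535 -> 1.0."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port / 65535

def brightness(timestamp: float, now: float, window: float) -> Optional[float]:
    """Brightness encodes age: 1.0 at 'now', fading linearly to 0.0 at the
    window edge. Packets after the cursor or older than the window are not
    drawn (None); moving 'now' is what scrubs forwards and backwards."""
    age = now - timestamp
    if age < 0 or age > window:
        return None
    return 1.0 - age / window

def render_frame(packets, now: float, window: float) -> list:
    """Build the glyphs for one animation frame at playback cursor 'now'."""
    frame = []
    for ts, src, dport, size, proto in packets:
        b = brightness(ts, now, window)
        if b is None:
            continue
        frame.append({
            "x": ip_axis(src),                                   # source IP axis
            "y": port_axis(dport),                               # destination port axis
            "z": min(size, MAX_PACKET_SIZE) / MAX_PACKET_SIZE,   # packet size axis
            "color": PROTOCOL_COLORS.get(proto, UNKNOWN_COLOR),
            "brightness": b,
            # parallel coordinate plot: one polyline per packet, IP axis to port axis
            "pcp": [(0.0, ip_axis(src)), (1.0, port_axis(dport))],
        })
    return frame
```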
Overview and Detail
Routine Honeynet Traffic (baseline)
Slammer Worm
Constant Bitrate UDP Traffic
Port Sweep
Attempted HTTP Attack…
Attempted HTTP Attack… (zoom)
Compromised Honeypot
Attacker Transfers Three Files…
campus network
Inbound Campus Traffic (5 seconds)
Campus Network Traffic (10 msec capture)
inbound
outbound
botnet visualization
Combined botnet/honeynet traffic
System Performance
Conclusions
• Combining of visualization techniques
• Open GL and commodity hardware
• Significant analyst performance gains
• Interaction techniques
• Distinct visual signatures
– Smart Books
• Tipping point on high volume networks
– Honeynet / CTF analysis possible now
– Prefiltering required for general purpose use
Future Work
• Semantic zoom
– packets -> flows -> application/protocol specific
• Work through slices of network traffic
– allow user to focus on what is interesting
• Maximize customization and interaction
– Filtering and encoding
– All fields
• Multiple data streams
• Knowledge discovery
• Help highlight what is interesting
• Easily drop in different windows on network traffic
– look at traffic from different perspectives
• Evaluation
Demo of tools
Acknowledgements
• Charles Robert Simpson for providing NETI@home packet capture source code
• David Dagon for providing the botnet data
Questions?
Sven Krasser
sven@ece.gatech.edu
Gregory Conti
conti@cc.gatech.edu
Julian Grizzard
grizzard@ece.gatech.edu
Jeff Gribschaw
jgribsch@ece.gatech.edu
Henry Owen
henry.owen@ece.gatech.edu