Countering Denial of Information Attacks with Network Visualization Gregory Conti
advertisement
Countering Denial of Information Attacks with Network Visualization Gregory Conti www.cc.gatech.edu/~conti conti@acm.org http://plus.maths.org/issue23/editorial/information.jpg Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm Denial of Information Attacks: Intentional Attacks that overwhelm the human or otherwise alter their decision making http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp The Problem of Information Growth • The surface WWW contains ~170TB (17xLOC) • IM generates five billion messages a day (750GB), or 274 terabytes a year. • Email generates about 400,000 TB/year. • P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files). http://www.sims.berkeley.edu/research/projects/how-much-info-2003/ Applying the Model & Taxonomy… http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif Defense Taxonomy (Big Picture) Legal Federal Can Spam Legislation (Jan 04) Lawsuits New Laws Regulatory Government Regulation Moral PR Campaign Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04) California Business and Professions Code, prohibits the sending of unsolicited commercial email (September 98) Code of Ethics First Spam Conference (Jan 03) Cultural Communities Organizational Topical counter-DoI groups Financial Increasing cost of DoI operations Violence Violence against DoI perpetrators Technology (see next slide) http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html Defense Taxonomy (Big Picture) Legal Federal Can Spam Legislation (Jan 04) Lawsuits New Laws Regulatory Government Regulation Moral PR Campaign Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04) California Business and Professions Code, prohibits the sending of unsolicited commercial email (September 98) Code of Ethics First Spam Conference (Jan 03) Cultural Communities Organizational Topical counter-DoI groups Financial Increasing cost of DoI operations Violence Violence against DoI perpetrators Technology (see next slide) http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html System Model Consumer Vision STM Cognition CPU Hearing RAM Speech LTM Consumer Node Motor Hard Drive Human Consumer Communication Channel Vision CPU Producer Node RAM Hearing STM Cognition Speech Hard Drive Motor Human Producer LTM Producer Consumer very small text Vision STM CPU Hearing Cognition RAM Speech LTM Consumer Node Motor Hard Drive Human Consumer misleading advertisements spoof browser Communication Channel exploit round off algorithm trigger many alerts Vision Example DoI Attacks CPU Producer Node RAM Hearing STM Cognition Speech Hard Drive Motor Human Producer LTM Producer Consumer Vision STM CPU Hearing Cognition RAM Example DoI Defenses Speech LTM Consumer Node Motor Hard Drive Human Consumer Usable Security Communication Channel TCP Damping Eliza Spam Responder Computational Puzzle Solving Vision CPU Producer Node RAM Hearing STM Cognition Speech Hard Drive Motor Human Producer LTM Producer Decompression Bombs Total Overhead= (Number of Spam x (Time to Delete + Time to Observe))+(Number of Email X (Time to Decide + Time to Scan)) Overhead Number of Spam Orient Scan Subject Line x Time to Observe Confirm Deletion Successful Overhead Number of Email x Time to Scan No Observation Observe Decide Not Spam No Action Overhead Number of Spam x Time to Delete Delete Spam Act Overhead Number of Email x Time to Decide For more information… G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (to be published) email me… DoI Countermeasures in the Network Security Domain information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization rumint v.51 rumint tool components (CD) nmap 3 (RH8) nmap 3 UDP (RH8) scanline 1.01 (XP) NMapWin 3 (XP) nmap 3.5 (XP) nikto 1.32 (XP) SuperScan 3.0 (XP) SuperScan 4.0 (XP) For more information… G. Conti and K. Abdullah; " Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004. G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004. --Talk PPT Slides --Classical InfoVis Survey PPT Slides --Security InfoVis Survey PPT Slides --Talk PPT Slides see www.cc.gatech.edu/~conti and www.rumint.org for the tool Last year at DEFCON First question… How do we attack it? Malicious Visualizations… Pokemon http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg Visual Information Overload (perception) rumint tool components (CD) Attack Fading (memory) http://etherape.sourceforge.net/ Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg Motion Induced Blindness (perception) http://www.keck.ucsf.edu/~yoram/mib-basic.html Optical Illusions (perception) http://www.ritsumei.ac.jp.nyud.net:8090/~akitaoka/index-e.html Crying Wolf… (cognitive/motor) • Snot vs. Snort Labeling Attack (algorithm) CDX 2003 Dataset X = Time Y = Destination IP Z = Destination Port AutoScale Attack/Force User to Zoom (algorithm) Precision Attack (algorithm) http://www.nersc.gov/nusers/security/Cube.jpg http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172 Occlusion (visualization design) Jamming (visualization design) For more information… G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. (submitted, under review) See also www.rumint.org for the tool. email me… rumint v 1.15 beta Network packets over time Bit 0, Bit 1, Bit 2 Length of packet - 1 rumint 1.15 tool overview network monitoring mode (left), clicking the small pane brings up the detailed analysis view for that visualization. So what do you think… Visual exploration of binary objects… Reverse Engineering • IDA Pro Dissassembler and Debugger http://www.datarescue.com/idabase/ Textual vs. Visual Exploration binaryexplorer.exe Comparing Executable Binaries (1 bit per pixel) rumint.exe visualexplorer.exe calc.exe regedit.exe (visual studio) (visual studio) (unknown compiler) (unkown compiler) mozillafirebird.exe cdex.exe apache.exe ethereal.exe (unknown compiler) (unknown compiler) (unknown compiler) (unknown compiler) Comparing Image Files (1 bit per pixel) image.jpg image.bmp image.zip image.pae (encrypted) Comparing mp3 files (1 bit per pixel) the.mp3 pash.mp3 disguises.mp3 secvis w/Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech) Overview of Visualization packet size 255.255.255.255 65535 color: protocol time now age destination port source IP address ol oc e ot ag p r ss: r: lo ne co i g h t br 0.0.0.0 color: protocol 0 now time packet size age Overview of Visualization packet size 255.255.255.255 65535 color: protocol time now age destination port source IP address ol oc e ot ag p r ss: r: lo ne co i g h t br 0.0.0.0 color: protocol 0 now time packet size age Overview and Detail Routine Honeynet Traffic (baseline) Compromised Honeypot Slammer Worm Constant Bitrate UDP Traffic Port Sweep System Performance For more information… S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen; "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization;" IEEE Information Assurance Workshop (IAW); June 2005. (submitted) email me… Demos • binary exploration • rumint 1.15 • secvis Questions? Gregory Conti conti@cc.gatech.edu www.cc.gatech.edu/~conti Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg Backup Slides External IP to Internal Port One Week Snapshots 6 Oct 04 13 Oct 04 One Month 20 Oct 04 27 Oct 04 30 Nov 04
