Security InfoVis Survey PPT Slides

Information Visualization
Security Survey
Greg Conti
Georgia Institute of Technology
www.cc.gatech.edu/~conti
Atlas of Cyber Space
http://www.cybergeography.org/atlas/atlas.html
3D TraceRoute
3D TraceRoute Developer: http://www.hlembke.de/prod/3dtraceroute/
Image: http://images.webattack.com/screenfiles/3dtraceroute.gif
DEFCON X
www.toorcon.org/slides/rootfu-toorcon.ppt
DEFCON 11
Entire slide from: www.toorcon.org/slides/rootfu-toorcon.ppt
Dr. Rob Erbacher
Observing Intruder Behavior
– Visual Summarizing and Analysis Techniques for Intrusion Data
– Multi-Dimensional Data Visualization
– A Component-Based Event-Driven Interactive Visualization Software Architecture
http://otherland.cs.usu.edu/~erbacher/
Dr. Rob Erbacher
Demo
http://otherland.cs.usu.edu/~erbacher/
etherape
http://etherape.sourceforge.net/
Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg
ethereal
http://www.ethereal.com/
Georgia Tech Honeynet
John Levine
• The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks
• Interesting look at detecting zero-day attacks
http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf
Georgia Tech Honeynet
Port 1434 (MS-SQL) scans
[Bar chart: scans per day; x-axis labels Jul_31 through Sep_10, y-axis 0 to 1200]
Date Public: 7/24/02 Date Attack: 1/25/03
Source: John Levine, Georgia Tech
Georgia Tech Honeynet
Port 554 (RTSP) scans
[Bar chart: scans per day, weekly ticks 5/20/2003 to 9/9/2003; y-axis 0 to 40]
Date Public: 8/15/2003 Date Attack: 8/22/03
Source: John Levine, Georgia Tech
Georgia Tech Honeynet
Port 135 MS BLASTER scans
[Bar chart: scans per day, weekly ticks 5/20/2003 to 9/9/2003; y-axis 0 to 3500]
Date Public: 7/16/03 Date Attack: 8/11/03
Source: John Levine, Georgia Tech
Haptic and Visual Intrusion Detection
NIVA System
• Craig Scott
• Kofi Nyarko
• Tanya Capers
• Jumoke Ladeji-Osias
http://portal.acm.org/citation.cfm?id=952873&dl=ACM&coll=GUIDE
Honeynet Security Console
http://www.activeworx.org/images/hsc-screen9.jpg
Immersive Network Monitoring
http://public.lanl.gov/netsys/viz/
Internet Storm Center (SANS)
http://isc.incidents.org/index.php?on=worldmap&isc=8d7e2f5478df18cae7759d3376dd13af
Intrusion Detection and Visualization Using Perl
Jukka Juslin
3D plot of:
•Time
•SDP (Source-Destination-Port)
•Number of Packets
Data stored in Perl hashes
Output piped to GNUplot
http://www.cs.hut.fi/~jtjuslin/
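The Georgia Tech honeynet charts above (scans per day against one destination port, with the date the vulnerability became public set against the date the scanning spike appeared) and Juslin's approach (packet counts held in hashes keyed by time and by source-destination-port, then piped to gnuplot) are the same aggregation viewed two ways. The Python below is an added example and is neither Levine's data nor Juslin's Perl: it parses a few constructed log lines in a hypothetical "timestamp src dst dport" format, builds the nested counts, writes them in the blank-line-separated "x y z" grid that gnuplot's splot reads, and flags the first day on which one port's count jumps above the running mean, the kind of jump the honeynet slides annotate as "Date Attack". The threshold rule is illustrative.

```python
"""Aggregate packet-log lines the way the honeynet charts and Juslin's
Perl hashes do: by time bucket and by source-destination-port (SDP).
Added example with constructed data; nothing here is real honeynet traffic."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, hypothetical format: "<ISO timestamp> <src> <dst> <dport>".
# The port 135 burst on 2003-08-11 is made up to mimic a worm's first-day spike.
SAMPLE_LOG = """\
2003-08-10T09:12:01 10.0.0.5 192.0.2.10 80
2003-08-10T09:13:44 10.0.0.7 192.0.2.10 80
2003-08-10T10:02:11 10.0.0.9 192.0.2.11 135
2003-08-11T00:00:31 10.0.0.21 192.0.2.10 135
2003-08-11T00:00:32 10.0.0.22 192.0.2.10 135
2003-08-11T00:00:33 10.0.0.23 192.0.2.11 135
2003-08-11T00:00:34 10.0.0.24 192.0.2.12 135
2003-08-11T00:01:02 10.0.0.25 192.0.2.10 135
2003-08-11T11:30:00 10.0.0.5 192.0.2.10 80
2003-08-12T03:15:00 10.0.0.40 192.0.2.10 135
2003-08-12T03:15:01 10.0.0.41 192.0.2.11 135
2003-08-12T03:15:02 10.0.0.42 192.0.2.11 135
""".splitlines()


def parse_line(line):
    """Split one log line into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def aggregate_sdp(lines, by_hour=True):
    """Return {time_bucket: {sdp: packets}}, the hash-of-hashes layout Juslin
    describes; sdp is 'src>dst:dport' and the bucket is an hour or a day."""
    fmt = "%Y-%m-%dT%H" if by_hour else "%Y-%m-%d"
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        counts[ts.strftime(fmt)][f"{src}>{dst}:{dport}"] += 1
    return counts


def to_gnuplot(counts):
    """Render the nested counts as 'time_index sdp_index packets' rows, one
    block per time bucket separated by a blank line, which is the grid layout
    gnuplot's splot expects when drawing a 3-D surface with lines."""
    sdps = sorted({sdp for per_bucket in counts.values() for sdp in per_bucket})
    rows = []
    for t_idx, bucket in enumerate(sorted(counts)):
        for s_idx, sdp in enumerate(sdps):
            rows.append(f"{t_idx} {s_idx} {counts[bucket].get(sdp, 0)}")
        rows.append("")  # blank line ends one scan line of the grid
    return "\n".join(rows)


def daily_port_counts(lines, port):
    """Scans per day against one destination port: the honeynet bar charts."""
    per_day = defaultdict(int)
    for line in lines:
        ts, _src, _dst, dport = parse_line(line)
        if dport == port:
            per_day[ts.strftime("%Y-%m-%d")] += 1
    return dict(sorted(per_day.items()))


def first_spike(per_day, factor=3.0):
    """Return the first day whose count exceeds `factor` times the mean of
    all earlier days, or None. An illustrative rule, not Levine's method."""
    history = []
    for day, n in per_day.items():
        if history and n > factor * (sum(history) / len(history)):
            return day
        history.append(n)
    return None


if __name__ == "__main__":
    print(to_gnuplot(aggregate_sdp(SAMPLE_LOG)))
    port135 = daily_port_counts(SAMPLE_LOG, 135)
    print(port135, "first spike:", first_spike(port135))
```

Redirect the `to_gnuplot` output to a file and load it in gnuplot with `splot 'file' with lines` to get the time / SDP / packet-count surface; the first day flagged by `first_spike` is the one a honeynet analyst would line up against the vendor's disclosure date.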
Intrusion Detection Toolkit (IDtk)
Dr. John Goodall
UMBC
http://userpages.umbc.edu/~jgood/
Operating System Fingerprinting
Dr. David Marchette
– Passive Fingerprinting
– Statistics for intrusion detection
http://www.mts.jhu.edu/~marchette/
Marchette and Wegman
http://www.mts.jhu.edu/~marchette/ (images)
http://www.galaxy.gmu.edu/stats/faculty/wegman.html (descriptions)
netstumbler
http://www.netstumbler.com/
Image: http://images.webattack.com/screenfiles/netstumbler.gif
netstumbler.com
http://www.netstumbler.com/nation.php
Open Source Security Information
Management (OSSIM)
http://www.ossim.net/home.php
Open Source Security Information
Management (OSSIM)
http://www.ossim.net/screenshots/metrics.jpg
Routing Anomalies
Soon Tee Teoh
Demo
http://graphics.cs.ucdavis.edu/~steoh/
See also treemap basic research: http://www.cs.umd.edu/hcil/treemap-history/index.shtml
scanmap3d
http://scanmap3d.sourceforge.net/
Secure Scope
http://www.securedecisions.com/main.htm
Sound (Firewall)
http://developers.slashdot.org/article.pl?sid=04/06/17/135220&mode=thread&tid=126&tid=141&tid=172&tid=188
http://www.linuxgazette.com/node/view/9074
Spinning Cube of Potential Doom
http://www.nersc.gov/nusers/security/Cube.jpg
http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172
Starlight
http://starlight.pnl.gov/
TCP/IP Sequence Number Generation
Michal Zalewski
Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low.
x[n] = s[n-2] - s[n-3]
y[n] = s[n-1] - s[n-2]
z[n] = s[n] - s[n-1]
Follow-up paper - http://lcamtuf.coredump.cx/newtcp/
Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html
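Zalewski plots each stack's initial sequence numbers as points in the delayed-coordinate space given by the three differences on the slide. A generator whose next increment is determined by the last few increments collapses to a small attractor, and an attacker holding that attractor can look up a target's last two increments and read off the candidate next values (the spoofing set). The Python below is an added example, not Zalewski's code: it computes the coordinates from an ISN list, measures the attractor, and builds the candidate set for two synthetic generators, a weak one whose increment cycles through a fixed list and a uniformly random one standing in for a strong generator. Both streams are constructed here, not captured from any real stack.

```python
"""Delayed-coordinate (phase space) analysis of TCP initial sequence numbers,
following the x/y/z definition on the slide. Added example; the two ISN
streams are synthetic generators, not captures from any real TCP stack."""
import random

MOD = 1 << 32  # sequence numbers live in a 32-bit space


def diff(a, b):
    """a - b modulo 2^32, re-centred to [-2^31, 2^31) so that a wrap of the
    counter does not fling a point to the far side of the plot."""
    v = (a - b) % MOD
    return v - MOD if v >= MOD // 2 else v


def delayed_coordinates(s):
    """Points (x[n], y[n], z[n]) for n = 3 .. len(s)-1 with
    x[n] = s[n-2] - s[n-3], y[n] = s[n-1] - s[n-2], z[n] = s[n] - s[n-1]."""
    return [(diff(s[n - 2], s[n - 3]), diff(s[n - 1], s[n - 2]), diff(s[n], s[n - 1]))
            for n in range(3, len(s))]


def attractor_size(points):
    """Distinct points in the attractor; a small number means the next
    increment is a function of the previous two and the stream is predictable."""
    return len(set(points))


def candidate_next_isns(observed, recent, radius=0):
    """Spoofing-set construction (simplified): build the attractor from ISNs
    already `observed` from a host, then for the host's three most `recent`
    ISNs take every attractor point whose (x, y) lies within `radius` of the
    last two increments and propose recent[-1] + z as the next ISN."""
    x = diff(recent[-2], recent[-3])
    y = diff(recent[-1], recent[-2])
    candidates = {(recent[-1] + z) % MOD
                  for px, py, z in delayed_coordinates(observed)
                  if abs(px - x) <= radius and abs(py - y) <= radius}
    return sorted(candidates)


def cyclic_isns(count, start, increments):
    """Synthetic weak generator: the increment cycles through a fixed list."""
    s = [start % MOD]
    for i in range(count - 1):
        s.append((s[-1] + increments[i % len(increments)]) % MOD)
    return s


def random_isns(count, seed=1):
    """Synthetic stand-in for a strong generator: uniform 32-bit ISNs."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    weak = cyclic_isns(100, 0x12345678, [64000, 96000, 128000])
    strong = random_isns(100)
    for name, stream in ("cyclic", weak), ("random", strong):
        pts = delayed_coordinates(stream)
        print(f"{name}: {len(pts)} points, {attractor_size(pts)} distinct,"
              f" {len(candidate_next_isns(stream, stream[-3:]))} candidate(s) for the next ISN")
```

For the cyclic generator the attractor is three points and the spoofing set is a single value, the actual next ISN; for the random stream every point is distinct and the lookup returns nothing, which is the picture Zalewski's plots make visible at a glance. Raising `radius` trades a larger spoofing set for tolerance of generators whose increments are only approximately repeated.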
Therminator
High Speed Data Flow Visualization
Therminator technology watches the data stream and illustrates categories of data as colored bars that are proportional in height to the quantity of data at a given time. The process is repeated to form a stacked bar graph that moves across a computer screen to show current and past data traffic composition.
http://www.fcw.com/fcw/articles/2002/1209/web-nsa-12-13-02.asp
traceroute Visualizations
3D TraceRoute
Xtraceroute
basic traceroute/tracert
3D TraceRoute Developer: http://www.hlembke.de/prod/3dtraceroute/
XTraceRoute Developer: http://www.dtek.chalmers.se/~d3august/xt/
Wireless Visualization
http://www.ittc.ku.edu/wlan/images_all_small.shtml
Worm Propagation
• CAIDA
• Young Hyun
• David Moore
• Colleen Shannon
• Bradley Huffaker
http://www.caida.org/tools/visualization/walrus/examples/codered/
Worm Propagation Animation
Note: for full effect see the animations at
http://www.sdsc.edu/Press/03/020403_SAPPHIRE.html/
Worm Radar
http://wormradar.com/
General Purpose VisTools
Graphviz
http://www.research.att.com/sw/tools/graphviz/
Grace
“Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP”
http://plasma-gate.weizmann.ac.il/Grace/
Multi Router Traffic Grapher (MRTG)
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
SequoiaView
Demo
http://www.win.tue.nl/sequoiaview/
Other
Real-Time DSP Development Software
http://www.hyperception.com/product/ride.htm