Why InfoVis?
• Helps find patterns
• Helps reduce search space
• Aids efficient monitoring
• Enables interaction (what if)
• Helps prevent overwhelming the user
So What?
• Go Beyond the Algorithm
• Help detect and understand some 0-day attacks
• Make CTF and Root Wars a Spectator Sport
• Help find insider threats
• Help visually fingerprint attacks
What tasks do you need help with?
Outline
• Quick overview of Intrusion Detection Systems (IDS)
• Quick overview of Information Visualization
• What data is available on the wire
• Finding interesting combinations
• What the attacks look like
Intrusion Detection System
An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network.
Intrusion Detection System Types
• Host-based intrusion detection is the art of detecting malicious activity within a single computer by using
  – host log information
  – system activity
  – virus scanners
• A network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns.
Dr. Rob Erbacher
Representative Research
– Visual Summarizing and Analysis Techniques for Intrusion Data
– Multi-Dimensional Data Visualization
– A Component-Based Event-Driven Interactive Visualization Software Architecture
Jukka Juslin
Intrusion Detection and Visualization Using Perl
Michal Zalewski
TCP/IP Sequence Number Generation
"Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low."
Follow-up paper: http://lcamtuf.coredump.cx/newtcp/
John Levine
• The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks
• Interesting look at detecting zero day attacks
[Figures: two charts of honeynet scan counts per date]
http://users.ece.gat
Port 135 MS BLASTER scans
[Figure: scans per date]
Date Public: 7/16/03
Date Attack: 8/11/03
Georgia Tech Honeynet
Source: John Levine, Georgia Tech
Port 1434 (MS-SQL) scans
[Figure: scans per date]
Date Public: 7/24/02
Date Attack: 1/25/03
Georgia Tech Honeynet
Source: John Levine, Georgia Tech
Port 554 (RTSP) scans
[Figure: scans per date]
Date Public: 8/15/2003
Date Attack: 8/22/03
Georgia Tech Honeypot
Source: John Levine, Georgia Tech
Hot Research Areas…
• visualizing vulnerabilities
• visualizing IDS alarms (NIDS/HIDS)
• visualizing worm/virus propagation
• visualizing routing anomalies
• visualizing large volume computer network logs
• visual correlations of security events
• visualizing network traffic for security
• visualizing attacks in near-real-time
• security visualization at line speeds
• dynamic attack tree creation (graphic)
• forensic visualization
More Hot Research Areas…
• feature selection
• feature construction
• incremental/online learning
• noise in the data
• skewed data distribution
• distributed mining
• correlating multiple models
• efficient processing of large amounts of data
• correlating alerts
• signature detection
• anomaly detection
• forensic analysis
Exploitation Pattern of Typical Internet Worm
• Target vulnerabilities on specific operating systems
• Localized scanning to propagate (Code Red)
  – 3/8 of time within same Class B (/16 network)
  – 1/2 of time within same Class A (/8 network)
  – 1/8 of time random address
• Allows for quick infection within internal networks with a high concentration of vulnerable hosts
Grace
"Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP"
Hello World Example
# tcpdump -lnnq -c10 | perl parse.pl | perl analyze.pl > outfile.dat
# xmgrace outfile.dat &
Optionally you can run xmgrace with an external format language file…
# xmgrace outfile.dat -batch formatfile
Hello World Example (cont)
formatfile is a text file that pre-configures Grace, e.g.:
  title "Port Scan Against Single Host"
  subtitle "Superscan w/ports 1-1024"
  yaxis label "Port"
  yaxis label place both
  yaxis ticklabel place both
  xaxis ticklabel off
  xaxis tick major off
  xaxis tick minor off
  autoscale
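As an added example (not the talk's parse.pl/analyze.pl, which this page does not reproduce), the following Python script performs both pipeline stages in one file: it parses `tcpdump -lnnq` lines, keeps packets addressed to the monitored host (the IP address the analyzer script expects), and emits the two-column "seconds since first packet, destination port" data that xmgrace plots for the port-scan chart above, plus a count of distinct ports touched per source, which is what makes a vertical scan stand out. The tcpdump line layout in the comment, the 198.51.100.5 target, and the sample capture are all assumptions constructed for this example.

```python
import re
import sys
from collections import defaultdict
# One line of `tcpdump -lnnq` output (IPv4; layout is an assumption), e.g.
#   12:00:01.000000 IP 192.0.2.10.51000 > 198.51.100.5.22: tcp 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+)"
    r" > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>[A-Za-z]+)"
)

def parse(lines):
    """parse.pl stage: (seconds, src, dst, dport) per packet; non-IP lines (ARP etc.) are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            h, mi, s = m["ts"].split(":")
            yield int(h) * 3600 + int(mi) * 60 + float(s), m["src"], m["dst"], int(m["dport"])

def analyze(records, target_ip):
    """analyze.pl stage: xmgrace rows (seconds since first packet, dst port) for packets to
    target_ip, plus distinct ports touched per source (a vertical scan shows as a large count)."""
    rows, ports_by_src, t0 = [], defaultdict(set), None
    for t, src, dst, dport in records:
        if dst != target_ip:
            continue
        t0 = t if t0 is None else t0
        rows.append((round(t - t0, 6), dport))
        ports_by_src[src].add(dport)
    return rows, {src: len(p) for src, p in ports_by_src.items()}

def to_dat(rows):
    return "".join(f"{x} {y}\n" for x, y in rows)  # two columns, as xmgrace reads them
# Constructed sample capture (not a real trace): 192.0.2.10 walks ports on 198.51.100.5.
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.51000 > 198.51.100.5.21: tcp 0
12:00:01.250000 IP 192.0.2.10.51001 > 198.51.100.5.22: tcp 0
12:00:01.300000 IP 192.0.2.20.40000 > 198.51.100.5.80: tcp 0
12:00:01.500000 IP 192.0.2.10.51002 > 198.51.100.5.23: tcp 0
12:00:01.600000 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28
12:00:01.750000 IP 192.0.2.10.51003 > 198.51.100.5.25: tcp 0
12:00:02.000000 IP 192.0.2.10.51004 > 198.51.100.9.22: tcp 0
"""

if __name__ == "__main__":
    # Pipeline use: tcpdump -lnnq | python3 this_script.py 198.51.100.5 > outfile.dat; xmgrace outfile.dat &
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.5"
    lines = sys.stdin if len(sys.argv) > 1 else SAMPLE.splitlines()
    rows, per_src = analyze(parse(lines), target)
    sys.stdout.write(to_dat(rows))
```

Run with no argument to plot the built-in sample; the resulting outfile.dat works with the formatfile above, and the per-source count returned by analyze() is the number to alert on.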
Port 135
CAN-2003-0605 tcp any 135
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
CAN-2003-0352 6 any 135
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm.
Conclusions
• Limited fingerprinting of tools is possible
• Visualization can help drive better algorithms
• Some attacker techniques can be identified
• Some vulnerabilities can be identified
Demo
See readme.txt
Two demo scripts…
– runme.bat (uses sample dataset)
– runme_sniff.bat (performs live capture, must be root)
Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)
Future
• Distributed NIDS Visualization
• Real-time vs. Offline
• Interesting datasets
• 3D
• Other visualization techniques
• Visualization of protocol attacks
• Visualization of application layer attacks
• Visualization of physical layer attacks (?)
• Code up some stand-alone tools