
Countering Denial of Information Attacks with Network Visualization

Gregory Conti

www.cc.gatech.edu/~conti

[email protected]

http://plus.maths.org/issue23/editorial/information.jpg

Disclaimer

The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. 

image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm

Denial of Information Attacks:

Intentional attacks that overwhelm the human or otherwise alter their decision making.

http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg

http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp

The Problem of Information Growth

• The surface WWW contains ~170TB (17x LOC)
• IM generates five billion messages a day (750GB), or 274 terabytes a year.
• Email generates about 400,000 TB/year.
• P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).

http://www.sims.berkeley.edu/research/projects/how-much-info-2003/

Applying the Model & Taxonomy…

http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif

Defense Taxonomy (Big Picture)

• California Business and Professions Code prohibits the sending of unsolicited commercial email (September 98)
• First Spam Conference (Jan 03)
• Federal CAN-SPAM Legislation (Jan 04)
• Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)

http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html


System Model

Figure: system model diagram. Human Producer (Vision, Hearing, Speech, Motor; STM, LTM, Cognition) -> Producer Node (CPU, RAM, Hard Drive) -> Communication Channel -> Consumer Node (CPU, RAM, Hard Drive) -> Human Consumer (Vision, Hearing, Speech, Motor; STM, LTM, Cognition).

Example DoI Attacks

Figure: the system model diagram annotated with example attacks: very small text, misleading advertisements, spoof browser, exploit round-off algorithm, trigger many alerts.

Example DoI Defenses

Figure: the system model diagram annotated with example defenses: TCP Damping, Usable Security, Eliza Spam Responder, Decompression Bombs, Computational Puzzle Solving.

Figure: OODA loop (Observe, Orient, Decide, Act) applied to handling email. Observe: scan subject line. Decide: spam or not spam. Act: delete (spam) or no action (not spam). Observe: confirm deletion successful (spam) or no observation (not spam).

Overhead per stage:

• Number of Email x Time to Scan
• Number of Email x Time to Decide
• Number of Spam x Time to Delete
• Number of Spam x Time to Observe

Total Overhead = (Number of Spam x (Time to Delete + Time to Observe)) + (Number of Email x (Time to Decide + Time to Scan))

For more information…

G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (to be published)

email me…

DoI Countermeasures in the Network Security Domain

Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.

http://en.wikipedia.org/wiki/Information_visualization

rumint v.51

• nmap 3 (RH8)
• NMapWin 3 (XP)
• SuperScan 3.0 (XP)
• SuperScan 4.0 (XP)
• nmap 3 UDP (RH8)
• nmap 3.5 (XP)
• scanline 1.01 (XP)
• nikto 1.32 (XP)

For more information…

G. Conti and K. Abdullah; "Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004.

--Talk PPT Slides

see www.cc.gatech.edu/~conti and www.rumint.org for the tool

G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004.

--Talk PPT Slides
--Classical InfoVis Survey PPT Slides
--Security InfoVis Survey PPT Slides

Last year at DEFCON

First question…

How do we attack it?

Malicious Visualizations…

Pokemon

http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg

Visual Information Overload (perception)

Attack Fading (memory)

Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg

http://etherape.sourceforge.net/

Motion Induced Blindness (perception)

http://www.keck.ucsf.edu/~yoram/mib-basic.html

Optical Illusions (perception)

http://www.ritsumei.ac.jp.nyud.net:8090/~akitaoka/index-e.html

Crying Wolf… (cognitive/motor)

• Snot vs. Snort

CDX 2003 Dataset: X = Time, Y = Destination IP, Z = Destination Port

Labeling Attack (algorithm)

AutoScale Attack / Force User to Zoom (algorithm)

Precision Attack (algorithm)

http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172

http://www.nersc.gov/nusers/security/Cube.jpg

Occlusion (visualization design)

Jamming (visualization design)

For more information…

G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. (submitted, under review)

See also www.rumint.org for the tool.

email me…

rumint v 1.15 beta

Figure: binary rainfall view. X axis: Bit 0, Bit 1, Bit 2, … Length of packet - 1. Y axis: network packets over time.

rumint 1.15 tool overview: network monitoring mode (left); clicking the small pane brings up the detailed analysis view for that visualization.

So what do you think…

Visual exploration of binary objects…

Reverse Engineering

• IDA Pro Disassembler and Debugger

http://www.datarescue.com/idabase/

Textual vs. Visual Exploration

Comparing Executable Binaries (1 bit per pixel)

binaryexplorer.exe, visualexplorer.exe (Visual Studio), calc.exe (unknown compiler), rumint.exe (Visual Studio), regedit.exe (unknown compiler), mozillafirebird.exe (unknown compiler), cdex.exe (unknown compiler), apache.exe (unknown compiler), ethereal.exe (unknown compiler)

Comparing Image Files (1 bit per pixel)

image.bmp, image.zip, image.jpg, image.pae (encrypted)

Comparing mp3 files (1 bit per pixel)

pash.mp3, disguises.mp3, the.mp3
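The 1-bit-per-pixel views used above, both the rumint "packets over time" rainfall and the executable/image/mp3 comparisons, come down to one small transform. The following is an added example, not rumint's code: each packet or file becomes one row of pixels, one pixel per bit, and the columns that stay constant across rows are exactly the stripes a viewer picks out as a tool's fingerprint. The sample packets are constructed, not captured.

```python
# Added example (not rumint's code): a minimal "binary rainfall" renderer.
# Each packet or file becomes one row of pixels, one pixel per bit, so byte
# streams with the same fixed header layout produce the same vertical stripes.
from typing import Iterable, List, Sequence


def bits_of(data: bytes, width: int) -> List[int]:
    """First `width` bits of `data`, MSB first; short inputs are zero-padded on the right."""
    row: List[int] = []
    for byte in data:
        for shift in range(7, -1, -1):
            row.append((byte >> shift) & 1)
            if len(row) == width:
                return row
    return row + [0] * (width - len(row))


def binary_rainfall(items: Iterable[bytes], width: int) -> List[List[int]]:
    """One row per item in order (e.g. packets over time); column i is bit i."""
    return [bits_of(item, width) for item in items]


def constant_columns(rows: Sequence[Sequence[int]]) -> List[int]:
    """Bit positions identical across every row: the stripes the eye picks out
    as a tool's visual fingerprint (constant header fields, fixed options)."""
    if not rows:
        return []
    return [i for i in range(len(rows[0])) if len({row[i] for row in rows}) == 1]


def to_pbm(rows: Sequence[Sequence[int]]) -> str:
    """Serialize the bit matrix as a plain PBM (P1) image; a 1 renders as black."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    lines = ["P1", f"{width} {height}"]
    lines += [" ".join(str(b) for b in row) for row in rows]
    return "\n".join(lines) + "\n"


# Constructed sample: three IPv4-header-like prefixes that share their first
# two bytes (version/IHL 0x45, TOS 0x00) and differ in the total-length field.
SAMPLE_PACKETS = [
    bytes([0x45, 0x00, 0x00, 0x28]),
    bytes([0x45, 0x00, 0x00, 0x3C]),
    bytes([0x45, 0x00, 0x05, 0xDC]),
]

if __name__ == "__main__":
    rows = binary_rainfall(SAMPLE_PACKETS, width=32)
    print("constant columns:", constant_columns(rows))
    print(to_pbm(rows))
```

Feed it whole files instead of packets (one file per row, or one fixed-width chunk per row) and the same code yields the executable, image and mp3 comparison images.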

secvis, w/ Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech)

Overview of Visualization

Figure: secvis overview display (two coordinated panels). Axes: age, packet size, color = protocol; IP axis 0.0.0.0 to 255.255.255.255; port axis 0 to 65535; time axis running up to now.

Overview and Detail

Routine Honeynet Traffic (baseline)

Compromised Honeypot

Slammer Worm

Constant Bitrate UDP Traffic

Port Sweep

System Performance

For more information…

S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen; "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization;" IEEE Information Assurance Workshop (IAW); June 2005. (submitted)

email me…

Demos

• binary exploration

• rumint 1.15

• secvis

Questions?

Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg

Gregory Conti
[email protected]
www.cc.gatech.edu/~conti

Backup Slides

External IP to Internal Port

One week snapshots: 6 Oct 04, 13 Oct 04, 20 Oct 04, 27 Oct 04. One month: 30 Nov 04.