Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Visualization Techniques for Intrusion Detection
William Wright and Peter Clarke Point of Contact: William Wright
Oculus Info Inc. 572 King Street West, Suite 200
Toronto, Ontario M5V 1M3 CANADA
INTRODUCTION This paper reports on the experiences of using interactive animated 2D and 3D graphics in an Intrusion Detection (ID) Analysts Workbench prototype. Visualization techniques allow people to see and comprehend large amounts of complex data. Graphics are used to assist with the ID investigation and reporting process by helping the analyst identify significant incidents and reduce false conditions (positives, negatives and alarms). Visualization is then used in reporting incidents to a broader senior level audience. Complex patterns are clearly displayed over time in an easy to understand and compelling manner. Initial evaluations of the prototype have been positive, and a second development stage has been initiated.
ID ISSUES Large numbers of events are generated by network intrusion detection sensors; however not all these events are malicious in nature, not all malicious events are applicable to a given network environment and, perhaps of even more concern, certain malicious events can be missed.
There are several emerging trends in enterprise networking that are making traditional signature based intrusion detection more challenging. The increase use of very high-speed lines and more prevalent use of encryption technology are a challenge for the intrusion detection community. As the data collected becomes larger in volume, or the increasing dependence on traffic pattern anomaly detection as a workaround for payload encryption becomes more widespread, the amount of data the analyst must cope with increases.
Through the use of various types of detection tools and techniques, including signature based network intrusion detection, anomaly based network intrusion detection, and full packet capture, a better picture can be formed. The analyst is able to fuse this data and gain a more comprehensive insight into what is truly of malicious nature.
The massive amounts of data involved in this type of thorough multi-source analysis make it infeasible for most organizations. The significance of the events contained within the data can often only be determined by scanning the huge amounts of data looking for subtle and sometimes unexpected patterns and correlations.
This investigative process is required in order to place the events around an alarm in context and to assess if further action is required, but the process is labor intensive. Fused logs for a short period can easily contain tens to hundreds of thousands of records. Tools are needed to help accomplish this investigative task in less time.
RTO-MP
Paper presented at the RTO IST Workshop on “Massive Military Data Fusion and Visualisation: Users Talk with Developers”, held in Halden, Norway, 10-13 September 2002, and published in RTO-MP-105.
-105 15 - 1
Report Documentation Page Form ApprovedOMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.
1. REPORT DATE 00 APR 2004
2. REPORT TYPE N/A
3. DATES COVERED -
4. TITLE AND SUBTITLE Visualization Techniques for Intrusion Detection
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Point of Contact: William Wright Oculus Info Inc. 572 King Street West,Suite 200 Toronto, Ontario M5V 1M3 CANADA
8. PERFORMING ORGANIZATIONREPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited
13. SUPPLEMENTARY NOTES See also ADM001665, RTO-MP-105 Massive Military Data Fusion and Visualization: Users Talk withDevelopers., The original document contains color images.
14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT
UU
18. NUMBEROF PAGES
26
19a. NAME OFRESPONSIBLE PERSON
a. REPORT unclassified
b. ABSTRACT unclassified
c. THIS PAGE unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
Visualization Techniques for Intrusion Detection
Another issue is that network ID sensors are not always effective for detecting new exploits or for activities that span many weeks and / or multiple network systems. To detect and investigate these types of activities requires the analyst to review extremely large amounts of packet level data.
A related problem is in reporting the attacks and the nature of those attacks to senior managers. This is important in order to raise awareness and provide an understanding of the need for information technology security in industry and government. Without this senior level understanding and support, obtaining security funding can be challenging. The output of most ID processes can be cryptic, and inaccessible to non-experts.
SOLUTIONS
Two graphical consoles have been built to evaluate the usefulness of visualizing intrusion data. Figure 1 shows the Intrusion Detection Analysts Workbench. Up to 2,000,000 event records or more can be displayed and analyzed in multiple concurrent dynamic charts. Each event record includes fields such as source and destination IP, port ID, alarm code, date, time. The charts are scaleable so that, for example, a bar chart showing number of events by destination IPs can easily display ten’s of thousands of IP addresses. The charts are also linked. Selecting events in one chart will highlight those events in all the other charts. So for example, selecting events associated with one type of alarm will cross reference those events in the source IP bar chart, and the destination IP bar chart. The analyst workbench is used to investigate, isolate and prioritize events. It was evaluated in a side-by-side test with existing methods and proved to be a significantly faster method. The workbench makes use of the commercial off-the-shelf Advizor product.
Figure 1: Intrusion Detection Workbench with 2M TCP and UDP Records.
The Analysts Workbench graphical tool can concurrently display the raw packet or alarm data as well as output from analytical tools that, for example, filter events or compute statistical metrics.
Figure 2 shows the Animated Incident Reporting component. It is used to report intrusion activity to senior management, and is designed to show the significance and nature of the events without overwhelming the viewer. The objective is to clearly see who did what to whom and when. A number of interactions are supported including filtering and an adjustable playback speed. This component was evaluated in a series of presentations to senior levels of government and industry.
15 - 2 RTO-MP-105
Visualization Techniques for Intrusion Detection
Figure 2: Animated Incident Reporting.
FUTURE DEVELOPMENT
Future work involves two separate but related streams:
The first is the expansion and integration of the two visualization tools to create a seamless intrusion detection visualization workflow environment. Given that intrusion detection analysis is often only part of a systems administration function, time is a consideration. The more effectively the visualization tools can be adapted to fit, and enhance, the human decision making process (orient, observe, decide and act), the more incidents can be effectively assessed and escalated or discarded in a shorter time period.
The second is work on migrating the tools towards an anomaly detection capability through the use of raw network data along with the fused intrusion detection alarms to gain a more comprehensive view into the network.
CONCLUSION
People excel in detecting patterns and identifying relationships when data is presented visually. Extremely large amounts of data can be viewed and compared. This is a useful ability for the ID analyst.
Experience with the visualization methods used in this work has lead to observations and recommendations for developing new methods.
Initial evaluations of the prototype have been positive, and a second development stage has been initiated. The objectives of this second stage will be discussed in the paper.
RTO-MP-105 15 - 3
OTAN
Visualization Techniques for Intrusion Detection
15 - 4 RTO-MP-105
SYMPOSIA DISCUSSION – PAPER NO: 15
Author’s Name:
Mr. William Wright, Oculus Info Inc, Canada Presented by Ms. Pascale Proulx, Oculus Info Inc, Canada
Question: What type of methodology was applied in the design of the visualisation?
Author’s Response: User consultations.
Comment: The system is ten times faster than the previous system that did not use any visual display at all.
Comment: These display techniques would be useful for all statistical data such as traffic jams.
Question: Is it possible to transfer the knowledge of the operator into rules for the system to automate the process?
Author’s Response: It may be possible to recognize the patterns, but it is important to investigate more to see what is generating the pattern. For example, a pattern that initially appears dangerous may only be a virus definition update.
Question: In advance of developing this system, was there consideration of mathematical methods that maybe amenable to clustering and statistical analysis?
Author’s Response: There is a trade off between the math and the visual analysis, as well as between implementation time of the math and algorithms and human interaction. There is research going on in this area right now.
Comment: Change detection might be important to an analyst.
Question: There are clustering techniques that could be applied, but require a large amount of training data to make the systems work well. How much data is available for training?
Author’s Response: There currently are not many full data sets. There is a conference in LA that puts hackers against professions, but that produces a data set that is not necessarily typical. Also, networks are dynamic, so constant retraining is required.
^^rrrrfTTTTTTTraJ
Custom Solutions
15-1
Visualization Techniquesfor
Intrusion Detection
William Wright, Sr. Partner, Oculus, [email protected]
andPeter Clarke, DND, Canada
Presented byPascale Proulx, Visualization Consultant, Oculus
Paper first given at: Workshop on Statistical and Machine Learning Techniques inComputer Intrusion Detection, Johns Hopkins University, June 11-13, 2002.
Increasing Visibility into Intrusion Detection
oculus
2
Confidential and © 2002 Oculus Info Inc. and Others
15-2
What is Covered?
• Intrusion detection issues• Using visualization as a solution• Current visualization tools developed• Future development of visualization in
intrusion detection
oculus
3
Confidential and © 2002 Oculus Info Inc. and Others
15-3
Intrusion Detection Issues
• Large amounts of IDS (Intrusion Detection Sensor) data– 1 gigabyte of information will fill a pickup truck with printed paper
• Bad signal/noise ratio on most un-tuned IDS– Worse than TV filled with “snow”
• If alarms are removed, harmful events may slip throughunnoticed
• Event Correlation (IDS, routers, firewalls)– Very important to gaining a complete picture, but makes data
handling even more difficult
oculus
4
Confidential and © 2002 Oculus Info Inc. and Others
15-4
Intrusion Detection Issues
• Reporting incidents to senior management orother non-experts
• The problems are getting worse astechnology progresses and network speeds(i.e. bandwidth) increase
oculus
5
Confidential and © 2002 Oculus Info Inc. and Others
15-5
Visualization as a Solution
• Visualization allows people to see and comprehendlarge amounts of complex data in a short period oftime
• Helps the analyst to identify significant incidents andreduce time wasted with false positives
• Report incidents to a broader, non-expert audience• Ability to cue the analyst through the use of colour,
shape, patterns, or motion
oculus
6
Confidential and © 2002 Oculus Info Inc. and Others
15-6
Visualization Tool Development
• Two graphical applications have been built forevaluation– Intrusion Detection Analyst Workbench– Animated Incident Explanation Engine
• Each displays data visually, but currently havetwo separate audiences
oculus
7
Confidential and © 2002 Oculus Info Inc. and Others
15-7
Intrusion Detection Analyst Workbench
• More than 2 million events can be displayed andanalyzed in multiple concurrent dynamic charts
• Each chart is linked, allowing the analyst to selectsomething in one chart, and it will highlight therelevant details in the other charts
• High performance interactive analysis possible for 2Mrecords on high end Windows / Intel machine – 2GHz, 1 GB RAM and good graphics card.
oculus
8
Confidential and © 2002 Oculus Info Inc. and Others
15-8
Intrusion Detection Analyst Workbench
• Assists in isolating, investigating andprioritizing events
• Evaluated side-by-side with existing methodsand proved to be significantly faster andeasier
• Run by commercial off-the-shelf Advizor™product
oculus
9
Confidential and © 2002 Oculus Info Inc. and Others
15-9
Log Data Fields
• Date• Time• Direction out-in, in-out,
out-out, in-in• Alarm Code (alarms and/or normal traffic)• Alarm Name• Source IP• Destination IP• Port ID - Source• Port ID - Destination• Port Name ~10 well known,
65,000 possible• Sensor ID
oculus
10
Confidential and © 2002 Oculus Info Inc. and Others
15-10
Intrusion Detection Analysts WorkbenchLayout consists of multiple charts.
Each chart has all the records.All TCP UDP – 2M records in each chart(And that’s only for a two person network for five days!!)
Records plotted over TimeDestination IPs
Count by Source IPs
Count by Source Ports
Count by Destination IPsCount by Destination Ports
List of Raw Records
oculus
Htt l**lfl*f MraUOn.'DfekwVt Ml« c»i««« »»>*». rfeb
J4i?!5in nni«i.n.iR nitnu HMtHtH rORKN 2ie.miM.ifT NUinil £tbiai 74 16T J4292Mn 2iei91MIBT 74i&:671l lib HI 74 167
IT 3iiB2iii.(9i am 212S21S 141 «108 in* JWJM am list ju.iki am iiH Jin i9i am iiM jib ICH am ms 2ini9i am
11
Confidential and © 2002 Oculus Info Inc. and Others
15-11
Linked ChartingLinked Charting
Select the 600k records associated with this Source IP and those records are highlightedwhere they occur in the other graphs.
oculus
a- -. ■S-M-i.
■ lOlxl ^iDJxJ
gja.v^.«*' ^»A* ^BA^^V^V^V**'tf*^ ^9» J!ß&7p& ^^^■^mkaam^ ^j^zi*^.*. ^a^e.^*-2^ Criunnft
-!*: iäi! -jgxj
tfT ^ tfß x&i A-0t> £jij2 ^4\ »tf» aT2* vW* 4** CtfutinsJ
4ai filiJfe
-J-»-ti.« .LM.'.'.W •.J.'.W.'.
si ttf t»» -J2Ö« 709 Cokjfin »5
Dill Vi
fltwWflfUfUfrthrymimriWIftvT^ 0k*^.1^0k* 2\*.W#«A9 zl*.«^«A9 HHLW^HI.« Z\S.«^A*Z\6>* ^fr^jtB^igB^I.^ tfiA1
z\*** tf.V*z\fttf Mm #4
ilSJ jaiti
jaat.n Oofcinw *l|Column*2| Cofcjfw *3lCMumntM|Cofcjfru gS)c&mnri pi| 4 |Clären fiiinn |*i*r>-i | -■'} |**r*' f5*itig
Court ZOe-OW 2Qt-mf> ZDe*006 2.D>»DQr> Mte«QM 2JMHM satten biso ran fat si 3 rau ei si 3 ran E»kjdsd l5e*0DG MfWft l&e-Q« MfWB l5e*0DG 14r*005
Urtfifje C1F 44)1 l« WO 1 tm 6141'j 1 551 M 1 1
NMP 1D*«0OT 211,1« I]7 Jin is» 00 UP NcOfcB« 10« «OW 21b 1856 J M IM. w UK
('MtStrtf* AIOI
WiJilfifl Cüfcjflii 92 Ctt CoJunn« I cau..1Coi.
1012331 IMSfM 1012931 iomai 1012331 1DIM3I 1012931
nziznn WH
74Z92C7DQ MM2H1I 74ZB2MH 74Z&2B711 MZ.HH11
216.191 Ml WitttMJ ZIMSI 74i 2lfc1fl174.f 210.141 74 1 ML 101.74.1 ZI&181 Mt
i i T f-7 2119 216 191 4Z109 b? 21 JO attJM 47109 ST 2139 216191.42109 ft? 2139 216 101 42.100 67 2119 216 191 4Z109 6? 1139 21b tot 47100 57 2139 216.1 91.4Z 109
■IP itr du Itp 80 dp dD up 90 Up 80 Up 90tcp
- 414 » 21 w»
12
Confidential and © 2002 Oculus Info Inc. and Others
15-12
Linked Chartingoculus
V-*otf IMHIM» ACwWOflJlte««***'* F<*4>O»
ffc td* '«"■^ "."»i*n 3a**l Cf4r» 7*>»JS« h*t>
■ ■»■wcpuill» 3 Column IE 35* M □ £ ji »e©ci a. :.:
t*Mt *s ♦vtt T«rr>e mJOJ ■-•
l?i I02IMIM I9&34.1212
202 I W 200 241 2IQH8.IRW
212.112JDG.19I 21Z74.10I.9
311.1 M.171.117 2taifli.43.1a2 2iaifli 421« 21&1Q1 42 11Ü ilO 191 42 IM 2IM91 42119 21M91.42.I22 210.191.42.t2Q
216.1 W 1273 jib i DM; =3 11fl.1M4k.43 216 I 91 *: 4b 2ib i DM; SO
216.1 ÖM2S4 2161DM;« 210 191.4102 21G.I91.42M 219.191 12m 2IG 1914274 211.1014271 216 1DM;E:2
2161 DM; M 216 IDMI'M 216 IDM;D4
216 101 41-M 21BL20&212N
2ID.HJ3Q.17a 21GTB.10R7G
4.4Q.G0LH 02.1DQ.I29 14G
DO I t 1B1M 1 W<
.
•
■
•
Cc4umn«
■
■
■
.
•
"
i •
.
■
■ • - ■ ■
■
1
i
.
Pi ;•■!
•if-
'J
ft
•tai
'
.
••
■
INK
til^jll
69<
DK- LL ^^«e*1 #*.*
4M
_ MKr— I u> a ~
4&I
a.^V*
Court S4tottod EwUded
Ur«g8M Nod* MtfftM
n
TOP
614
l.D( 1 CK
13
Confidential and © 2002 Oculus Info Inc. and Others
15-13Analysis - All TCP UDP – 2M RecordsTCP is Blue and UDP is Red. Five days. Two people.
Time
Dest IPs
Blue bands:-Sensors talking back to console-Blackberry server talking out
Red band - Port 53 DNS.(And lots of TCP web server traffic Under it)
DNS Traffic.
Vertical lines aredeliberate scans.
oculus test IPs over Time -i
12.129.203.38 28.241.101.78 132.205.18.12 61.69.212.253
192.33.4.12 93.205.77.206
198.41.0.10 99.246.67.248 4.187.152.126 205.138.3.230 6.195.131.240 207.181.101.4 07.46.230.220 07.68.176.250 208.38.45.168 209.134.161.6 209.54.53.176 210.96.73.253 213.239.42.46 6.136.131.144 6.177.109.135 16.191.42.105 16.191.42.117 216.191.42.32 216.191.42.44 216.191.42.55 216.191.42.67 216.191.42.79 216.191.42.91 6.200.201.212 16.246.19.163
216.7.64.9 24.254.60.25
3.108.181.208 63.84.246.98 64 26169 27
64.4.22.24 65.82.101.55 66.38.151.26
1 ^ i
Column #4
in ii i i
i ■
i i
>,' •■•*■
t
■ I i
I
9
— ■'■—"■ ■'■!'■■' " " ';'(' """■ " .■ ■ ■ f,|. !"»■■ ■■. J ■■■■■. ■■ M t....... ■ — ■■■■» ■ ■>■■.■■■■■ ■■>.:, . ■ ■■■■■ — — ,!.—..- I LI.,. I. >..' ■■ l.ll. .,.■,■,.»,..:,, J ..,:: .— „ . : .
•■•■■■* ■IIIIIIMII« ■iinalVliiivHBiita IIIIIIBIIHIHB1 na* * aanaai laiaBiaai iBiBtanam laBiBtamaian aiattut «iiitaaaai iaaaBaamaBM iaan ■■■■••■•tan ■■ ■■■■iBtotiaiiii ■•■ liianaa naaiaaaaai II H
! i ■ iV( II
i
i • i
* . •
•'' 11 ' *... *... ■ MI'II
^wsmmmm. Wife: life
llfeflllll» ■A; i,
ft
VM u..;
> \
j'. />
- •
i i
i 11 II n i - - II
r t hi lüii i * liltli 1.
MK 1 MK irti
14
Confidential and © 2002 Oculus Info Inc. and Others
15-14
2. Scatter Scan
Select Src - 61k Packets
Tests2M TCP and UDP Records
1. More characteristicsmade visible.
Time
Dest IPs
oculus
|igj*ce^
Hin im; ma* i 11 (-.
HI"! Hi ;o »117 .42 1K . I i ■ .: M | «in *3 I !■ «12? . 11 ■: 11231 112»
Ml« KIM
IAIM
i am M:I HZM i im I AIM I AIM I AIM I AIM i II ■
: i IM mm mx own 21 14G
■n
-iai-1
CtlifTinf2
släL ^MaE
«T ^ j^jg 4-£T> 4-£* *&. ^\ jgfi ■$& ^A ^
COUMIIJ
iäi lawk.
•qtriLj.'.j.'.ij.'.ij.ij.'.ijj.ij.ij.'.ii.ij.'.ij.'.i.'.ij.'.ij.ijj.ii.'.i.Mj.'.i
AZ^ \15* -j^J« 2^ 40» t 40« ^tfl g^?
I LTI '-' QKUI /Ih^YAfWw^ilhrrirmmriWlhwrTimmltiHmii.
«ft*«»«*«»* 2*.rttf»-W 2».»^ft-w »*•*«** ^«2i6l» ,#Vviifl' joi.^1 2\e:
3 jal£li
iClU«,»i*
. c .- :rj .ii CNdimr - .btjftis3!Cduiin*l|Cdbmi«stCiäifiiaai *
ICMOIIH
USti ■ M^H
5IBT?I tint 10*-0W Ibl-OH
:np-mf «mi
1 h*w
«48
J 1*1*1
1 lists
UM
irrt »i
ICH
1
»ifii i ir-ne
in 98 218.1 «l„ 21t ID)
1
bill i
no
.■.-•■'1'
Itm i >•[•«■
3
CMu"fifl|co»jr.n>J CM (CHiiiifiM COU ]i
CBIf* loMM EMkxMQ
UIMiP
1 1 liianMznem m n.» in iiJT.ajiJi.ajM.-. HkttUUV i("MJi7*zn6Tn ;I&HWJIP iniajij«wiia jihiauniT iDinjiMznnn HSUWJIBT
ID1JflS17429]B71l 218.14174117 ID128JI7I292M11 2IB1I174I8T
2119 215 191 12.10? JU'J JlD 1 3119 2115 191 12 109 Jim 21*10142108 2119 21U 191 12109 2110 216 Ifil 4210B 2119 210 191 12 109
1 ID 1 80 1 80 1 «0 1
N..J- H
i n N
1 dp no
801 «01 801
15
Confidential and © 2002 Oculus Info Inc. and Others
15-15
Traffic Outbound – Firewall Src
Select Firewall Src – 400k Packets
450 Dest IPs~100 are the lab
Dest IPs outsidethe lab.
Tests2M TCP and UDP Records
oculus
MM*M>nfafl.'Dei<*we>'»liJt-i»» lfe*> >»,«!■ :ovi cm.. -*»» :■*(
mi ;a
I13JSJ
7T 41.ftM n M WUM
RMM t 1014
n n '.IM 4 Uli Hin 73 Äl 142« ».IM Hl» «IM 4.'117 142» I 42M 142» I42F 142« M2H !W3I2 .UIU ■ r.Hj tar: ti M 146 M HUI
43234 .101» .111.26
ItH
-. ,< .
I* ^VMH^W^^J M —^
, .41 *:?■': ■ . ■..'.:./■.
■ *- ' ,
.. v. , • .. ■..■.■,,.■.■■,,■.,•,■,,.■■■ .. ,.".-.. • ■•* n »'■•*> H '•■**■■• ■ .,•'■"■■ •. •, . • • i •. • i ■
■
-
: !i: :
INK m
._ 'ttllillMU ..-25^1» 0**^*3» 2^1« «i»« l2»2*1%B.V^?li-^V*^Jl*'>0»*>^rt2\ft*^* &*>
-j^ ^ÜTsi
£ WT2 ^ ji&I ^ «ßT ^\ ^jT* .ja** *& Cautiri*]
Üäl BlJ 111 ,1* «^ *W \o» \t» $*& -stflO \oV> \^
CoUrru rt
- *OOK I «44114(34"
ZZnEEE * 216« 2^*5\**1 II^'BAJ*0 **** tf.** JÖ1 "V**1■&** 2t» W3^.^ «*** J^«1 i«*> #)
DUmM ü*
«<Q|xJ
C0tiTOi>l|CBUTiftr3|Ciitiifn*3icmitifi»4|CatJftn«)ca>infi*ij .*
lN««ii jöf-mr zr*-oM joe-*»* 2»-OM JOP-WP
.-witau Miffc? 103767 M27fc7 JK7t7 W1767 IHJV Dikittod Wlflfl 69HJ61 HHII 0MH1 WI6PI IMMJ1
U(MI IJ--0M 173 MM] UM? 2 IMMH M2JM t lanr; ra fc.'i : Nrtf i0f-om jioi»i Mj 2«is» . n he ■MBH IOK0U 316IW.. »47! 6&U13. MS Mb
: | lpi:fl»7:SM2<J32|:iPH1i31« |4-J |;c«Hi>G13 i Jim
lülMr7W*133gia HlttMUI 1032 307 107 II 13 Ml I
IDiar7M4WMJ7 2IH314334 1D32 307 1071113 »1 I
KII2JI7USMSW 211,141 »34 tun 307 107 11.13 MI I
■n
16
Confidential and © 2002 Oculus Info Inc. and Others
15-16
Low Port Scan?
Select Firewall Dest – 260k Packets
Src IPs
Dest Ports
Scan?
Tests2M TCP and UDP Records
oculus
*ttl«i*Pvt?0fl;Pf«fft*9lFdUM .»~ i—*™ teWi C«m *W» r>c
DAM *>-
17
Confidential and © 2002 Oculus Info Inc. and Others
15-17
Slow Scan? one Src, many ports, over time.
Src IP
Dest PortsTime
Dest IPs
Tests2M TCP and UDP Records
On the weekend
Or Microsoft virus definition file update.
Internal IP(Firewall)
oculus
»trim Mumm 'Pf .»tot wl Wtto» >"~ *--■;.
KIM 11212 ■>: >M
UM if.: | p|
MM Jl :;i ■ Kl 17 .43 IM .. IM
.«IM
.13 111
.1312? asm tun 142*
1424« 14291 I4UI MtM 142B3 : | 142« 14274 142« IA$M 1421* 142H 1J2M I II '.- 2I2H man m$M UM 211«
.-;
Iiiii1|i ■ih na« Q n
' ' "
'
Mi 7[F
^ M*V*B tf""*1 «** o**0 :««v
£)T* JTO* 4JB1 ^B& ißi1 A**1 a*^6 i Co tj im 95
MX** a«*!***«^*«-0 a«lSz*rt *»■**
C«imn#l|cu»jrTr»: n- '!:■ '-tiLi-irfi
MftKMN JllUu.'j
WL'i4Mi'j n&m tii
31 1WÄJ1M- 4M3
H tS)JUiW. 4Wä
WÜ14WÜ IltlltCJ 31 1MJSJ1W- 4H3 !
18
Confidential and © 2002 Oculus Info Inc. and Others
15-18
Animated Incident Explanation Engine
• Designed to show the significance and nature of theevents without overwhelming the viewer
• Easy to see who did what to whom and when• Excellent for explaining concepts to non-experts
• Analyst workbench identifies and isolates incidents.When an incident is isolated, all the recordsassociated with it are written out and saved. Overtime, a set of verified assessed incidents is created.
• The explanation engine works on this set of incidents.
oculus
19
Confidential and © 2002 Oculus Info Inc. and Others
15-19
Animated Incident Explanation Engine
IP Half Scan is shown.
Timeline of Incidents
-one line per incident
External IPs- sorted by frequency- and/or grouped by watchlist order
Internal IPs-grouped by function
Usage – show all records, show all records associated with one incident,animate over time all records, or animate records for one or more incidents.Playback speed is from fast fwd to very slow.
oculus
20
Confidential and © 2002 Oculus Info Inc. and Others
15-20
Future Developments
• Expansion and integration of the two currenttools
• Anomaly detection capability through the useof network traffic data along with fused IDSalarms
• Integrated time based comparisons
oculus
21
Confidential and © 2002 Oculus Info Inc. and Others
15-21
Conclusions
• Visualization has proved to be an effectiveanalyst’s tool
• Massive amounts of information are easilyunderstood by non-experts
• More development and research needed
oculus
22
Confidential and © 2002 Oculus Info Inc. and Others
15-22
Questions?
oculus