Embed Size (px)
DESCRIPTION
Manual analysis of security-related events is still a necessity to investigate non-trivial cyber attacks. This task is particularly hard when the events involve slow, stealthy and large-scale activities typical of the modern cybercriminals' strategy. In this regard, visualization tools can effectively help analysts in their investigations. In this paper, we present BURN, an interactive visualization tool for displaying autonomous systems exhibiting rogue activity that helps at finding misbehaving networks through visual and interactive exploration. Up to seven values are displayed in a single visual element, while avoiding cumbersome and confusing maps. To this end, animations and alpha channels are leveraged to create simple views that highlight relevant activity patterns. In addition, BURN incorporates a simple algorithm to identify migrations of nefarious services across autonomous systems, which can support, for instance, root-cause analysis and law enforcement investigations.
Citation preview
Francesco [email protected]
Politecnico di Milano
Luca Di [email protected]
Politecnico di Milano
Federico [email protected] di Milano
Giorgio [email protected]
Politecnico di Milano
Stefano [email protected] di Milano
Paolo [email protected]
Politecnico di Milano
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Francesco [email protected]
Politecnico di Milano
Luca Di [email protected]
Politecnico di Milano
Federico [email protected] di Milano
Giorgio [email protected]
Politecnico di Milano
Stefano [email protected] di Milano
Paolo [email protected]
Politecnico di Milano
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Malicious Activity on the Internet
Malicious Activity on the InternetRogue or Fake Software AD/Click Fraud Targeted Attacks Phishing
Malicious Activity on the InternetRogue or Fake Software AD/Click Fraud Targeted Attacks Phishing
Exposing Malicious Hosts
. . .
FIRE: FInding RoguE Networkswww.maliciousnetworks.orgFunded by WOMBAT FP7 EU Project
Four top Internet threats
Funded by WOMBAT FP7 EU Project
Four top Internet threats
Four top Internet threatsMalware
Four top Internet threatsMalware Botnets
Four top Internet threatsMalware Botnets Phishing
Four top Internet threatsMalware Botnets Phishing Spam
Four top Internet threatsMalware Botnets Phishing Spam
Autonomous System (AS)
FIRE: Per-AS Malicious Activity
FIRE: Per-AS Malicious Activity
Activity
Data source
Malware Botnet Phishing Spam
FIRE: Per-AS Malicious Activity
Anubis Anubis PhishTank SpamHaus
Activity
Data source
Malware Botnet Phishing Spam
FIRE: Per-AS Malicious Activity
Anubis Anubis PhishTank SpamHaus
Overall Malicious Score
Many “shady” ISPs exposed Many unaware ISPs helped
Activity
Data source
Outcome
Downside?
Downside?
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Visualization and Knowledge Discoveryon top of FIRE
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Visualization and Knowledge Discoveryon top of FIRE
aim
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Visualization and Knowledge Discoveryon top of FIRE
AcademicsPractitioners aim
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
Visualization and Knowledge Discoveryon top of FIRE
AcademicsPractitioners
InternetUsersaim
System Overview
Global view
AS view
Global view
AS view
Global viewTimeline
AS view
Global viewTimeline
Activ
ity fil
ter
AS Tracking List
Country filter
AS view
Global viewTimeline
Activ
ity fil
ter
AS Tracking List
Country filter
Bubb
le chart
Geographical map
Trend chart
AS view
Global viewTimeline
Activ
ity fil
ter
AS Tracking List
Country filter
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Global view
Bubb
le chart
Geographical map
Trend chart
Bubble Chart
Bubble Chart
Bubble Chart
Bubble Chart
Bubble Chart
Geographical Map
Geographical Map
Geographical Map
Geographical Map
Geographical Map
Geographical Map
Trend Chart
Trend Chart
Global view
AS view
AS view
De
tails HistoryMigra
tion
Longevity
AS view
De
tails HistoryMigra
tion
Longevity
History Chart
History Chart
History Chart
Service Longevity Chart
Service Longevity Chart
Service Longevity Chart
Service Longevity Chart
Service Migration Screen
Service Migration Screen
Service Migration Screen
Service Migration Screen
Service Migration Screen
De
tails HistoryMigra
tion
Longevity
AS view
Rogue behavior analysis
Service Migration
Service Migration
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
Service Migration
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$
!"#$%&"'("
)*$"+,"-%
Shutdowns
Service Migration
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$%$&'()*+,-+,().)/$0+
12)3&-45)3&-16)*+7
85
455
!"#$
!"#$%&"'("
)*$"+,"-%
!"#$
!"#$%&"'("
)*$"+,"-%
Shutdowns
Possible Migrations
Service Migration - Details
Service Migration - Details
!"#$
!"#$%&"'("
)*$"+,"-%
!"#$
!"#$%&"'("
)*$"+,"-%Shutdowns
!"#$
!"#$%&"'("
)*$"+,"-%
Possible Migrations
Compatibility Score
Compatibility Score
Source AS Destination AS
Compatibility Score
C&C
Malware
Phishing
Spam
Source AS Destination AS
Compatibility Score
High compatibility
C&C
Malware
Phishing
Spam
Source AS Destination AS
!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0
!"#$%&%'()$$#'*+,-#.%/%$%.0
12
13
14
154
>
>
>
>
637
64
687
65
137
14
187
15
>
>
>
>
637
64
687
65
!"#$
1234562782
Compatibility Score
C&C
Malware
Phishing
Spam
Source AS Destination AS
!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0
!"#$%&%'()$$#'*+,-#.%/%$%.0
12
13
14
154
>
>
>
>
637
64
687
65
137
14
187
15
>
>
>
>
637
64
687
65
!"#$
1234562782
Low compatibility
Compatibility Score
C&C
Malware
Phishing
Spam
Source AS Destination AS
!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0
!"#$%&%'()$$#'*+,-#.%/%$%.0
12
13
14
154
>
>
>
>
637
64
687
65
137
14
187
15
>
>
>
>
637
64
687
65
!"#$
1234562782
Low compatibility
Mi C(j) : Si�AS ⌅⇥ [0, 1]
j ⇤ J =
{phishing,malware, spam, bot}
C(j)(s, d) :=mina�{s,d} �
(j)(a)
maxa�{s,d} �(j)(a),
�(j)min �(j)max �(j)(·)
j
J
Cs,d :=
�j�J C(j)(s, d) · �(j)(s)
�j�J �(j)(s)
Si
j 2 {C&C, Malware, Spam, Phishing}
Compatibility Score
C&C
Malware
Phishing
Spam
Source AS Destination AS
!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0
!"#$%&%'()$$#'*+,-#.%/%$%.0
12
13
14
154
>
>
>
>
637
64
687
65
137
14
187
15
>
>
>
>
637
64
687
65
!"#$
1234562782
Low compatibility
Mi C(j) : Si�AS ⌅⇥ [0, 1]
j ⇤ J =
{phishing,malware, spam, bot}
C(j)(s, d) :=mina�{s,d} �
(j)(a)
maxa�{s,d} �(j)(a),
�(j)min �(j)max �(j)(·)
j
J
Cs,d :=
�j�J C(j)(s, d) · �(j)(s)
�j�J �(j)(s)
Si
j 2 {C&C, Malware, Spam, Phishing}
Mi C(j) : Si�AS ⌅⇥ [0, 1]
j ⇤ J =
{phishing,malware, spam, bot}
C(j)(s, d) :=mina�{s,d} �
(j)(a)
maxa�{s,d} �(j)(a),
�(j)min �(j)max �(j)(·)
j
J
Cs,d :=
�j�J C(j)(s, d) · �(j)(s)
�j�J �(j)(s)
Si
Tolerance to long-living rogue hosts
Tolerance to long-living rogue hosts
Tolerance to long-living rogue hosts
Tolerance to long-living rogue hosts
AS view
Global viewTimeline
Activ
ity fil
ter
AS Tracking List
Country filter
Timeline and Time Range selection
Timeline and Time Range selection
Activity Filter
Activity Filter
Country Filter
Country Filter
Autonomous System Tracking List
Autonomous System Tracking List
Conclusions
Limitations
Future Work
BURN improves FIRE
Knowledge discovery through data exploration
Academics / Practitioners / Internet users
Conclusions
Limitations
Future Work
BURN improves FIRE
Knowledge discovery through data exploration
Academics / Practitioners / Internet users
Conclusions
Migrations are difficult to validate
Stress feature to avoid cluttered bubble map
Limitations
Future Work
BURN improves FIRE
Knowledge discovery through data exploration
Academics / Practitioners / Internet users
Conclusions
Migrations are difficult to validate
Stress feature to avoid cluttered bubble map
Limitations
BURN is in private beta — DEMO available
Future Work
Bot meta-data from Anubis for migration analysis
Usability study with three target users
Francesco [email protected]
Politecnico di Milano
Luca Di [email protected]
Politecnico di Milano
Federico [email protected] di Milano
Giorgio [email protected]
Politecnico di Milano
Stefano [email protected] di Milano
Paolo [email protected]
Politecnico di Milano
BURNBARING UNKNOWN ROGUE NETWORKS
La visualizzazione come strumento per analizzareil comportamento dei network malevoli
