
Publications


Featured research published by Gregory J. Conti.


Systems, Man and Cybernetics | 2005

Visualizing network data for intrusion detection

Kulsoom Abdullah; Christopher P. Lee; Gregory J. Conti; John A. Copeland

As the trend of successful network attacks continues to rise, better forms of intrusion detection and prevention are needed. This paper addresses network traffic visualization techniques that aid an administrator in recognizing attacks in real time. Our approach improves upon current techniques that lack effectiveness due to an overemphasis on flows, nodes, or assumed familiarity with the attack tool, causing either late reaction or missed detection. A port-based overview of network activity produces an improved representation for detecting and responding to malicious activity. We have found that presenting an overview using stacked histograms of aggregate port activity, combined with the ability to drill down for finer details, allows small yet important details to be noticed and investigated without being obscured by large volumes of usual traffic. Due to the amount of traffic as well as the range of possible port numbers and IP addresses, scaling techniques are necessary to help provide this overview. We provide graphs with examples of forensic findings. Finally, we describe our future plans for using live traffic in addition to our forensic visualization techniques.
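The abstract describes three mechanisms: aggregating traffic per port into stacked histograms, scaling so that small activity is not swamped by bulk traffic, and drilling down from a bar to the underlying records. The following is an added example (not code from the paper or its authors) that builds the data behind such a chart from a constructed set of flow records, log-scales the segment heights, and drills down into one time bin to expose a single source touching many service ports. Bin size, the top-N port selection, and the `min_ports` threshold are assumptions chosen for the example.

```python
"""Port-based overview with log scaling and drill-down.

Added example, not code from the paper or its authors: it builds the data
behind a stacked histogram of aggregate port activity (one bar per time
bin, one segment per port, rare ports folded into 'other'), log-scales the
segment heights so a few scan flows stay visible next to bulk web traffic,
and drills down into one bin to recover the flows and sources behind it.
The flow records below are constructed, not captured traffic.
"""
import math
from collections import Counter, defaultdict

# Constructed flows: (time_sec, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0,   "10.0.0.5",  "10.0.1.10", 80,  52000),
    (5,   "10.0.0.6",  "10.0.1.10", 443, 81000),
    (12,  "10.0.0.7",  "10.0.1.10", 80,  47000),
    (20,  "10.0.0.5",  "10.0.1.10", 443, 63000),
    (61,  "192.0.2.9", "10.0.1.20", 22,  300),   # one source sweeping
    (62,  "192.0.2.9", "10.0.1.20", 23,  300),   # several service ports
    (63,  "192.0.2.9", "10.0.1.20", 25,  300),   # with tiny flows
    (64,  "192.0.2.9", "10.0.1.20", 135, 300),
    (65,  "192.0.2.9", "10.0.1.20", 445, 300),
    (70,  "10.0.0.8",  "10.0.1.10", 80,  55000),
    (75,  "10.0.0.9",  "10.0.1.10", 443, 90000),
    (121, "10.0.0.5",  "10.0.1.10", 80,  50000),
    (130, "10.0.0.6",  "10.0.1.10", 443, 70000),
]
BIN_SECONDS = 60  # assumed bin width for the overview


def aggregate(flows, bin_seconds=BIN_SECONDS):
    """{time_bin: Counter({dst_port: flow_count})} - the raw histogram."""
    bins = defaultdict(Counter)
    for t, _src, _dst, dport, _nbytes in flows:
        bins[t // bin_seconds][dport] += 1
    return dict(bins)


def stack_keys(bins, top_n=2):
    """Ports that get their own stack segment; everything else is 'other'."""
    total = Counter()
    for counts in bins.values():
        total.update(counts)
    return [port for port, _ in total.most_common(top_n)]


def scaled(count):
    """log10(count + 1): five scan flows still draw a visible segment."""
    return round(math.log10(count + 1), 3)


def stacked_rows(bins, keys):
    """{time_bin: [(segment, count, scaled_height), ...]} for the chart."""
    rows = {}
    for b, counts in sorted(bins.items()):
        segments = [(k, counts[k], scaled(counts[k])) for k in keys]
        other = sum(n for port, n in counts.items() if port not in keys)
        segments.append(("other", other, scaled(other)))
        rows[b] = segments
    return rows


def drill_down(flows, time_bin, bin_seconds=BIN_SECONDS):
    """The individual flows behind one bar - what the analyst clicks into."""
    return [f for f in flows if f[0] // bin_seconds == time_bin]


def ports_per_source(flows_subset, min_ports=4):
    """Sources touching many distinct ports inside the drilled-down bin."""
    seen = defaultdict(set)
    for _t, src, _dst, dport, _nbytes in flows_subset:
        seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items()
            if len(ports) >= min_ports}


def render(rows, width=40):
    """Text rendering of the stacked, log-scaled bars."""
    lines = []
    for b, segments in rows.items():
        bar = "".join(str(seg)[0] * int(h * width / 2) for seg, _n, h in segments)
        detail = " ".join(f"{seg}={n}" for seg, n, _h in segments)
        lines.append(f"bin {b:>2} |{bar:<{width}}| {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    bins = aggregate(FLOWS)
    rows = stacked_rows(bins, stack_keys(bins))
    print(render(rows))
    print("drill-down, bin 1:", ports_per_source(drill_down(FLOWS, 1)))
```

On a linear scale the five 300-byte scan flows in bin 1 would be invisible next to the web traffic; with the log-scaled "other" segment they are the largest segment in that bar, and the drill-down into the bin returns the one source that touched five distinct ports.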


Visualization for Computer Security | 2005

IDS rainStorm: visualizing IDS alarms

Kulsoom Abdullah; Christopher P. Lee; Gregory J. Conti; John A. Copeland; John T. Stasko

The massive amount of alarm data generated from intrusion detection systems is cumbersome for network system administrators to analyze. Often, important details are overlooked and it is difficult to get an overall picture of what is occurring in the network by manually traversing textual alarm logs. We have designed a novel visualization to address this problem by showing alarm activity within a network. Alarm data is presented in an overview where system administrators can get a general sense of network activity and easily detect anomalies. They then have the option of zooming and drilling down for details. The information is presented with local network IP (Internet Protocol) addresses plotted over multiple y-axes to represent the location of alarms. Time on the x-axis is used to show the pattern of the alarms, and variations in color encode the severity and amount of alarms. Based on our system administrator requirements study, this graphical layout addresses what system administrators need to see, is faster and easier than analyzing text logs, and uses visualization techniques to effectively scale and display the data. With this design, we have built a tool that effectively uses operational alarm log data generated on the Georgia Tech campus network. The motivation and background of our design is presented along with examples that illustrate its usefulness.


Visualization for Computer Security | 2004

Passive visual fingerprinting of network attack tools

Gregory J. Conti; Kulsoom Abdullah

This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools in order to better understand the specific methodologies used by attackers as well as the identifiable characteristics of the tools themselves. The techniques used are entirely passive in nature and virtually undetectable by the attackers. While much work has been done on active and passive operating systems detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness toward identification of attack tools, without the typical automated intrusion detection systems signatures and statistical anomalies. These visualizations were tested using a wide range of popular network security tools and the results show that in many cases, the specific tool can be identified and provides intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.


Systems, Man and Cybernetics | 2005

Real-time and forensic network data analysis using animated and coordinated visualization

Sven Krasser; Gregory J. Conti; Julian B. Grizzard; Jeff Gribschaw; Henry L. Owen

Rapidly detecting and classifying malicious activity contained within network traffic is a challenging problem exacerbated by large datasets and functionally limited manual analysis tools. Even on a small network, manual analysis of network traffic is inefficient and extremely time consuming. Current machine processing techniques, while fast, suffer from an unacceptable percentage of false positives and false negatives. To complement both manual and automated analysis of network traffic, we applied information visualization techniques to appropriately and effectively bring the human into the analytic loop. This paper describes the implementation and lessons learned from the creation of a novel network traffic visualization system capable of both real-time and forensic data analysis. Combining the strength of link analysis using parallel coordinate plots with the time-sequence animation of scatter plots, we examine a 2D and 3D coordinated display that provides insight into both legitimate and malicious network activity. Our results indicate that analysts can rapidly examine network traffic and detect anomalies far more quickly than with manual tools.


Visualization for Computer Security | 2008

Visual Reverse Engineering of Binary and Data Files

Gregory J. Conti; Erik Dean; Matthew Sinda; Benjamin Sangster

The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, software developers stress testing file formats for their products, and other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, while powerful, constrain analysis to primarily text-based approaches. In this paper, we present design principles for file analysis which support meaningful investigation when there is little or no knowledge of the underlying file format, but are flexible enough to allow integration of additional semantic information, when available. We also present results from the implementation of a visual reverse engineering system based on our analysis. We validate the efficacy of both our analysis and our system with case studies depicting analysis use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the suite of tools currently in use.
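The abstract argues for views of a file that work with no knowledge of its format. The following added example (not the paper's system, and not code from its authors) computes two such views over a constructed sample file: a per-byte class map of the kind a byteplot would colour, and a sliding-window entropy profile, then reads structural regions off them. The byte classes, the 64-byte window, and the labelling thresholds are assumptions made for the example; the sample file is a fake header, an ASCII block, zero padding and a high-entropy tail built from a permutation of all 256 byte values.

```python
"""Byte-class map and entropy profile for an undocumented file.

Added example, not the paper's system: it turns a file into the two views
a visual reverse-engineering tool would colour - a per-byte class map
(null / printable / control / high) and a windowed entropy profile - and
reads structural regions off them without knowing the format. The sample
file is constructed: a small structured header, an ASCII configuration
block, zero padding and a high-entropy tail (a permutation of all 256
byte values, standing in for compressed or encrypted data).
"""
import math
from collections import Counter


def build_sample():
    """Constructed 512-byte file; the layout is an assumption for the example."""
    header = b"\x7fFMT" + b"\x01\x02" + (384).to_bytes(4, "little")
    header = header.ljust(64, b"\x00")
    text = b"Example configuration string, user=alice;host=db01;".ljust(128, b" ")
    padding = b"\x00" * 64
    # 37 is odd, so i -> 37*i + 11 (mod 256) is a permutation: every byte once
    tail = bytes((37 * i + 11) % 256 for i in range(256))
    return header + text + padding + tail


def byte_class(b):
    """Single-character class used for the map."""
    if b == 0:
        return "0"          # null
    if 0x20 <= b < 0x7F:
        return "a"          # printable ASCII
    if b < 0x20:
        return "c"          # control / small integers
    return "h"              # 0x7F-0xFF: high bytes


def class_map(data, width=16):
    """Rows of `width` class characters - the byteplot an analyst scans by eye."""
    classes = "".join(byte_class(b) for b in data)
    return [classes[i:i + width] for i in range(0, len(classes), width)]


def entropy(chunk):
    """Shannon entropy in bits per byte (bounded by log2(len(chunk)))."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def label_window(chunk, high_entropy=5.5):
    """Heuristic label for one window; thresholds are assumptions, not from the paper."""
    n = len(chunk)
    zero = chunk.count(0) / n
    printable = sum(1 for b in chunk if 0x20 <= b < 0x7F) / n
    if zero >= 0.9:
        return "null"
    if printable >= 0.9:
        return "text"
    if entropy(chunk) >= high_entropy:
        return "high-entropy"
    return "mixed"


def regions(data, window=64):
    """Merge consecutive windows with the same label into (start_offset, label) runs."""
    runs = []
    for off in range(0, len(data), window):
        label = label_window(data[off:off + window])
        if not runs or runs[-1][1] != label:
            runs.append((off, label))
    return runs


def render(data, window=64, width=16):
    """Offset, class row, and (at window boundaries) entropy plus label."""
    lines = []
    for i, row in enumerate(class_map(data, width)):
        off = i * width
        suffix = ""
        if off % window == 0:
            chunk = data[off:off + window]
            suffix = f"  H={entropy(chunk):.2f} {label_window(chunk)}"
        lines.append(f"{off:06x} {row}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = build_sample()
    print(render(data))
    print(regions(data))
```

The class map alone already separates the header (a few non-zero bytes in a zero field), the text block, and the padding; the entropy column is what distinguishes the tail, whose class map looks like noise, from structured binary data. In a hex editor the same 512 bytes would be 32 lines of hex with no visual boundary between the padding and the tail.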


IEEE Computer Graphics and Applications | 2006

Countering security information overload through alert and packet visualization

Gregory J. Conti; Kulsoom Abdullah; Julian B. Grizzard; John T. Stasko; John A. Copeland; Mustaque Ahamad; Henry L. Owen; Christopher P. Lee

This article presents a framework for designing network security visualization systems as well as results from the end-to-end design and implementation of two highly interactive systems. In this article, we provide multiple contributions: we present the results of our survey of security professionals, the design framework, and lessons learned from the design of our systems as well as an evaluation of their effectiveness. Our results indicate that both systems effectively present significantly more information when compared to traditional textual approaches. We believe that the interactive, graphical techniques that we present will have broad applications in other domains seeking to deal with information overload.


Visualization for Computer Security | 2005

Visual exploration of malicious network objects using semantic zoom, interactive encoding and dynamic queries

Gregory J. Conti; Julian B. Grizzard; Mustaque Ahamad; Henry L. Owen

This paper explores the application of visualization techniques to aid in the analysis of malicious and non-malicious binary objects. These objects may include any logically distinct chunks of binary data such as image files, word processing documents and network packets. To facilitate this analysis, we present a novel visualization technique for comparing and navigating among 600-1000+ such objects at one time. While the visualization technique alone has powerful application for both directed and undirected exploration of many classes of binary objects, we chose to study network packets. To increase effectiveness, we strengthened the visualization technique with novel, domain-specific semantic zooming, interactive encoding and dynamic querying capabilities. We present results and lessons learned from implementing these techniques and from studying both malicious and non-malicious network packets. Our results indicate that the information visualization system we present is an efficient and effective way to compare large numbers of network packets, visually examine their payloads and navigate to areas of interest within large network datasets.


International World Wide Web Conference | 2010

Malicious interface design: exploiting the user

Gregory J. Conti; Edward Sobiesk

In an ideal world, interface design is the art and science of helping users accomplish tasks in a timely, efficient, and pleasurable manner. This paper studies the inverse situation, the vast emergence of deliberately constructed malicious interfaces that violate design best practices in order to accomplish goals counter to those of the user. This has become a commonplace occurrence both on and off the desktop, particularly on the web. A primary objective of this paper is to formally define this problem, including construction of a taxonomy of malicious interface techniques and a preliminary analysis of their impact on users. Findings are presented that gauge the self-reported tolerance and expectation levels of users with regard to malicious interfaces as well as the effectiveness and ease of use of existing countermeasures. A second objective of this paper is to increase awareness, dialogue, and research in a domain that we consider largely unexplored but critical to future usability of the WWW. Our results were accomplished through significant compilation of malicious interface techniques based on review of thousands of web sites and by conducting three surveys. Ultimately, this paper concludes that malicious interfaces are a ubiquitous problem that demands intervention by the security and human computer interaction communities in order to reduce the negative impact on the global user population.


Communications of The ACM | 2005

Why computer scientists should attend hacker conferences

Gregory J. Conti

Along with the intellectual challenge, scientists may appreciate the technical insight, especially about security, ethical honesty, and common computing interests.


New Security Paradigms Workshop | 2006

Googling considered harmful

Gregory J. Conti

Virtually every Internet user on the planet uses the powerful free tools offered by a handful of information service providers in many aspects of their personal and professional lives. As a result, users and organizations are freely providing unprecedented amounts of sensitive information in return for such services as Internet search, email, mapping, blog hosting, instant messaging and language translation. Traditional security measures, such as cryptography and network firewalls, are largely ineffective because of the implicit trust paradigm with the service provider. In this paper, we directly address this problem by providing a threat analysis framework of information disclosure vectors, including fingerprinting of individuals and groups based on their online activities, examine the effectiveness of existing privacy countermeasures and clearly outline the critical future work required to protect our corporate, organizational and individual privacy when using these services.

Collaboration


Top co-authors of Gregory J. Conti:

Edward Sobiesk, United States Military Academy
John Nelson, United States Military Academy
Kulsoom Abdullah, Georgia Institute of Technology
Lisa A. Shay, United States Military Academy
Mustaque Ahamad, Georgia Institute of Technology
Henry L. Owen, Georgia Institute of Technology
Julian B. Grizzard, Georgia Institute of Technology
Kwan-Liu Ma, University of California