Countering Denial of Information Attacks with Network Visualization - PowerPoint PPT Presentation

Slides: 61
Provided by: DG1
Learn more at: http://www.rumint.org

Transcript and Presenter's Notes

1
Countering Denial of Information Attacks with
Network Visualization
  • Gregory Conti
  • www.cc.gatech.edu/conti
  • conti@acm.org

http://plus.maths.org/issue23/editorial/information.jpg
2
Disclaimer
  • The views expressed in this presentation are
    those of the author and do not reflect the
    official policy or position of the United States
    Military Academy, the Department of the Army, the
    Department of Defense or the U.S. Government. 

image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm
3
Denial of Information Attacks: intentional attacks that overwhelm the human or otherwise alter their decision making.
http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg
4
http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp
5
The Problem of Information Growth
  • The surface WWW contains 170 TB (17x the Library of Congress print collection)
  • IM generates five billion messages a day (750 GB), or 274 terabytes a year.
  • Email generates about 400,000 TB/year.
  • P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).

http://www.sims.berkeley.edu/research/projects/how-much-info-2003/
6
Applying the Model Taxonomy
http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif
7
Defense Taxonomy (Big Picture)
  • Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)
  • Federal CAN-SPAM legislation (Jan 04)
  • California Business and Professions Code prohibits the sending of unsolicited commercial email (September 98)
  • First Spam Conference (Jan 03)
http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html
8
Defense Taxonomy (Big Picture)
9
System Model (diagram): a Human Producer (Vision, Hearing, Speech, Motor; STM, LTM, Cognition) uses a Producer Node (CPU, RAM, Hard Drive), which sends over a Communication Channel to a Consumer Node (CPU, RAM, Hard Drive) used by a Human Consumer (Vision, Hearing, Speech, Motor; STM, LTM, Cognition).
10
Example DoI Attacks (overlaid on the system model): very small text, misleading advertisements, spoof browser, exploit round off algorithm, trigger many alerts.
11
Example DoI Defenses (overlaid on the system model): Usable Security, TCP Damping, Eliza Spam Responder, Computational Puzzle Solving, Decompression Bombs.
12
Total Overhead = (Number of Spam x (Time to Delete + Time to Observe)) + (Number of Email x (Time to Decide + Time to Scan))

Observe / Orient / Decide / Act loop for handling email:
  • Orient: Scan Subject Line. Overhead = Number of Email x Time to Scan
  • Decide: Spam or Not Spam. Overhead = Number of Email x Time to Decide
  • Act: Delete (Spam) or No Action (Not Spam). Overhead = Number of Spam x Time to Delete
  • Observe: Confirm Deletion Successful (Spam) or No Observation (Not Spam). Overhead = Number of Spam x Time to Observe
13
For more information
  • G. Conti and M. Ahamad "A Taxonomy and
    Framework for Countering Denial of Information
    Attacks" IEEE Security and Privacy. (to be
    published)

email me
14
DoI Countermeasures in the Network Security Domain
15
"Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition."
http://en.wikipedia.org/wiki/Information_visualization
16
rumint v.51
17
(No Transcript)
18
SuperScan 3.0 (XP)
nmap 3 UDP (RH8)
scanline 1.01 (XP)
nmap 3 (RH8)
NMapWin 3 (XP)
SuperScan 4.0 (XP)
nmap 3.5 (XP)
nikto 1.32 (XP)
19
For more information
  • G. Conti "Network Attack Visualization" DEFCON 12, August 2004. (Talk PPT Slides; Classical InfoVis Survey PPT Slides; Security InfoVis Survey PPT Slides)
  • G. Conti and K. Abdullah "Passive Visual Fingerprinting of Network Attack Tools" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC) October 2004. (Talk PPT Slides)

see www.cc.gatech.edu/conti and www.rumint.org for the tool
20
Last year at DEFCON
  • First question
  • How do we attack it?

21
Malicious Visualizations
22
Pokemon
http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg
23
Visual Information Overload (perception)
24
Attack Fading (memory)
http://etherape.sourceforge.net/
Image: http://www.inf.uct.cl/amellado/gestion_en_linux/etherape.jpg
25
Motion Induced Blindness (perception)
http://www.keck.ucsf.edu/yoram/mib-basic.html
26
Optical Illusions (perception)
http://www.ritsumei.ac.jp.nyud.net:8090/~akitaoka/index-e.html
27
Crying Wolf (cognitive/motor)
  • Snot vs. Snort

28
Labeling Attack (algorithm)
CDX 2003 Dataset; X: Time, Y: Destination IP, Z: Destination Port
29
AutoScale Attack / Force User to Zoom (algorithm)
30
Precision Attack (algorithm)
http://www.nersc.gov/nusers/security/Cube.jpg
http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172
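The AutoScale and Precision attacks on slides 29 and 30 both target the step where a plotting tool maps data values onto a fixed number of pixels. The following is an added example, not code from the slides or from rumint: a minimal value-to-pixel mapper, the two attacks run against it, and a percentile-clipped alternative. The sample data (a 1-1024 destination-port sweep plus one attacker-injected packet to port 65535, plotted on a 100-pixel axis) is constructed here.

```python
"""Autoscale and precision attacks on a visualization's value-to-pixel mapping.

Added example; not code from the original slides or from rumint. The mapping
below stands in for the axis scaling any plotting tool performs. All inputs
are constructed: destination ports 1-1024 as the legitimate traffic, plus one
attacker-injected packet to port 65535.
"""
from typing import List, Sequence, Tuple


def autoscale(values: Sequence[int], pixels: int) -> List[int]:
    """Naive autoscale: map the data's own [min, max] onto pixels 0..pixels-1.

    Whoever controls the extreme value controls the scale for everyone else
    (AutoScale Attack: one packet squashes all real traffic into two pixels)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    return [(v - lo) * (pixels - 1) // (hi - lo) for v in values]


def same_pixel(values: Sequence[int], pixels: int, a: int, b: int) -> bool:
    """Precision Attack check: do two distinct values round to the same pixel?
    If so, traffic to one port is visually indistinguishable from the other."""
    px = dict(zip(values, autoscale(values, pixels)))
    return px[a] == px[b]


def percentile_scale(values: Sequence[int], pixels: int,
                     q: float = 0.99) -> Tuple[List[int], int]:
    """Scale to the q-th percentile instead of the maximum; clip the rest.

    Returns (pixel coordinates, number of clipped values). Clipped values are
    pinned to the last pixel and counted, so the analyst sees that something
    is off-scale instead of a silently squashed plot. Caveat: an attacker who
    injects more than (1 - q) of the traffic moves the percentile too, so q
    has to be chosen against the volume the attacker can realistically send."""
    ordered = sorted(values)
    lo = ordered[0]
    hi = ordered[int(q * (len(ordered) - 1))]
    if hi == lo:
        return [0] * len(values), 0
    clipped = 0
    out = []
    for v in values:
        if v > hi:
            clipped += 1
            v = hi
        out.append((v - lo) * (pixels - 1) // (hi - lo))
    return out, clipped


def distinct_pixels(px: Sequence[int]) -> int:
    """How many pixels the plot actually uses; low means the view is squashed."""
    return len(set(px))


# Constructed sample: a full 1-1024 port sweep, then one packet to port 65535.
LEGIT_PORTS = list(range(1, 1025))
INJECTED = LEGIT_PORTS + [65535]
PIXELS = 100

if __name__ == "__main__":
    print("legit only, naive autoscale:", distinct_pixels(autoscale(LEGIT_PORTS, PIXELS)))
    print("with outlier, naive autoscale:", distinct_pixels(autoscale(INJECTED, PIXELS)))
    px, clipped = percentile_scale(INJECTED, PIXELS)
    print("with outlier, percentile scale:", distinct_pixels(px), "clipped:", clipped)
    print("ports 22 and 25 share a pixel:", same_pixel(LEGIT_PORTS, PIXELS, 22, 25))
```

The naive mapper spreads the sweep over all 100 pixels until the single 65535 packet arrives, after which every legitimate port lands in pixels 0 or 1; the percentile version keeps the spread and reports eleven off-scale values instead. The precision check shows that ports 22 and 25 already share a pixel at this resolution, which is the collapse a precision attacker exploits.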
31
Occlusion (visualization design)
32
Jamming (visualization design)
33
For more information
  • G. Conti, M. Ahamad and J. Stasko "Attacking Information Visualization System Usability: Overloading and Deceiving the Human" Symposium on Usable Privacy and Security (SOUPS) July 2005. (submitted, under review)
  • See also www.rumint.org for the tool.

email me
34
rumint v 1.15 beta
35
Axes: network packets over time (vertical); bit position Bit 0, Bit 1, Bit 2, ..., Length of packet - 1 (horizontal)
36
rumint 1.15 tool overview: network monitoring mode (left); clicking a small pane brings up the detailed analysis view for that visualization.
37
So what do you think
38
(No Transcript)
39
Visual exploration of binary objects
40
Reverse Engineering
  • IDA Pro Disassembler and Debugger

http://www.datarescue.com/idabase/
41
Textual vs. Visual Exploration
42
binaryexplorer.exe
43
Comparing Executable Binaries (1 bit per pixel)
  • visualexplorer.exe (visual studio)
  • calc.exe (unknown compiler)
  • rumint.exe (visual studio)
  • regedit.exe (unknown compiler)
  • mozillafirebird.exe (unknown compiler)
  • cdex.exe (unknown compiler)
  • apache.exe (unknown compiler)
  • ethereal.exe (unknown compiler)
44
Comparing Image Files (1 bit per pixel)
  • image.bmp
  • image.zip
  • image.jpg
  • image.pae (encrypted)
45
Comparing mp3 files (1 bit per pixel)
  • pash.mp3
  • disguises.mp3
  • the.mp3
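Slide 35 (one packet per row, one pixel per bit) and slides 43-45 (executables, images and mp3s rendered at 1 bit per pixel) use the same rendering idea. The block below is an added example, not the slides' code and not rumint's: it expands bytes into rows of bits, writes the result as a plain PBM image, and adds the per-row density and Shannon entropy a practitioner would read off such a picture to tell structured data (headers, padding, tables) from compressed or encrypted data. The sample inputs are constructed in place: a repetitive byte pattern standing in for a bitmap-like file, and a seeded pseudo-random stream standing in for the zip, jpg and encrypted cases.

```python
"""One-bit-per-pixel views of binary objects (files or packets).

Added example; not the original slides' code and not rumint's. Each byte
becomes eight pixels, one per bit, MSB first; each row is one fixed-width
stripe of the object, or one packet when rendering a capture. The sample
inputs below are constructed, not real files.
"""
import math
import random
from typing import Iterable, List, Sequence


def bit_rows(data: bytes, width_bytes: int) -> List[List[int]]:
    """Split data into rows of width_bytes bytes and expand each byte to 8 bits.
    The last row is zero-padded so every row has the same pixel width."""
    rows = []
    for off in range(0, len(data), width_bytes):
        chunk = data[off:off + width_bytes].ljust(width_bytes, b"\x00")
        rows.append([(b >> (7 - i)) & 1 for b in chunk for i in range(8)])
    return rows


def packet_rows(packets: Iterable[bytes], width_bytes: int) -> List[List[int]]:
    """Packet view as on slide 35: one packet per row (y = order in time),
    x = bit position. Long packets are truncated, short ones zero-padded."""
    return [bit_rows(p[:width_bytes].ljust(width_bytes, b"\x00"), width_bytes)[0]
            for p in packets]


def to_pbm(rows: Sequence[Sequence[int]]) -> str:
    """Serialize rows as plain PBM (P1): 1 = set bit = black pixel.
    Any image viewer opens the result, so no graphics library is needed."""
    lines = ["P1", f"{len(rows[0])} {len(rows)}"]
    lines += [" ".join(str(b) for b in row) for row in rows]
    return "\n".join(lines) + "\n"


def density(row: Sequence[int]) -> float:
    """Fraction of set bits in a row; near 0.5 for compressed/encrypted data."""
    return sum(row) / len(row)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant, 8 for uniform bytes.
    Plaintext and structured binaries sit well below 8; zip/jpg/ciphertext
    approach it, which is why they look like uniform noise at 1 bit per pixel."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed samples (512 bytes each).
STRUCTURED = (b"\xff\x00" * 8 + b"\x00" * 16) * 16        # repeating header/padding pattern
_rng = random.Random(1)
RANDOM = bytes(_rng.randrange(256) for _ in range(512))   # stands in for zip/jpg/encrypted

if __name__ == "__main__":
    for name, blob in (("structured", STRUCTURED), ("random", RANDOM)):
        rows = bit_rows(blob, 32)
        print(f"{name}: entropy {byte_entropy(blob):.2f} bits/byte, "
              f"row 0 density {density(rows[0]):.2f}")
        with open(f"{name}.pbm", "w") as fh:
            fh.write(to_pbm(rows))
```

Opened side by side, structured.pbm shows the vertical stripes and blank bands the slides point at in calc.exe or image.bmp, while random.pbm is uniform speckle like image.zip or the encrypted file; the entropy figure is the numeric version of that visual judgement, and packet_rows gives the same picture for a capture.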
46
secvis w/ Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech)
47
Overview of Visualization
48
Overview of Visualization
49
Overview and Detail
50
Routine Honeynet Traffic(baseline)
51
Compromised Honeypot
52
Slammer Worm
53
Constant Bitrate UDP Traffic
54
Port Sweep
55
System Performance
56
For more information
  • S. Krasser, G. Conti, J. Grizzard, J.
    Gribschaw and H. Owen "Real-Time and Forensic
    Network Data Analysis Using Animated and
    Coordinated Visualization" IEEE Information
    Assurance Workshop (IAW) June 2005. (submitted)

email me
57
Demos
  • binary exploration
  • rumint 1.15
  • secvis

58
  • Questions?

Gregory Conti conti@cc.gatech.edu www.cc.gatech.edu/conti
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
59
Backup Slides
60
External IP to Internal Port
One Week Snapshots
  • 6 Oct 04
  • 13 Oct 04
  • 20 Oct 04
  • 27 Oct 04
One Month
  • 30 Nov 04