Title: Countering Denial of Information Attacks with Network Visualization
Slide 1: Countering Denial of Information Attacks with Network Visualization
- Gregory Conti
- www.cc.gatech.edu/conti
- conti_at_acm.org
http://plus.maths.org/issue23/editorial/information.jpg
Slide 2: Disclaimer
- The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.
Image: http://www.leavenworth.army.mil/usdb/standard20products/vtdefault.htm
Slide 3: Denial of Information Attacks
Intentional attacks that overwhelm the human or otherwise alter their decision making.
http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg
Slide 4: http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp
Slide 5: The Problem of Information Growth
- The surface WWW contains 170 TB (17x LOC).
- IM generates five billion messages a day (750 GB), or 274 terabytes a year.
- Email generates about 400,000 TB/year.
- P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).
- http://www.sims.berkeley.edu/research/projects/how-much-info-2003/
Slide 6: Applying the Model Taxonomy
http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif
Slide 7: Defense Taxonomy (Big Picture)
- Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)
- Federal CAN-SPAM legislation (Jan 04)
- California Business and Professions Code prohibits the sending of unsolicited commercial email (September 98)
- First Spam Conference (Jan 03)
http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html
Slide 9: System Model
Diagram: a Human Consumer (Vision, Hearing, Cognition, Speech, Motor; STM, LTM) uses a Consumer Node (CPU, RAM, Hard Drive), which is linked over a Communication Channel to a Producer Node (CPU, RAM, Hard Drive) used by a Human Producer (Vision, Hearing, Cognition, Speech, Motor; STM, LTM).
Slide 10: Example DoI Attacks
Diagram: the Slide 9 system model (Human Consumer, Consumer Node, Communication Channel, Producer Node, Human Producer) annotated with example attacks: very small text, misleading advertisements, spoof browser, exploit round-off algorithm, trigger many alerts.
Slide 11: Example DoI Defenses
Diagram: the Slide 9 system model (Human Consumer, Consumer Node, Communication Channel, Producer Node, Human Producer) annotated with example defenses: Usable Security, TCP Damping, Eliza Spam Responder, Computational Puzzle Solving, Decompression Bombs.
Slide 12: Total Overhead = (Number of Spam x (Time to Delete + Time to Observe)) + (Number of Email x (Time to Decide + Time to Scan))
Per-message loop (Observe, Orient, Decide, Act):
- Observe: Scan Subject Line. Overhead = Number of Email x Time to Scan
- Orient
- Decide: Spam or Not Spam. Overhead = Number of Email x Time to Decide
- Act (Spam): Delete. Overhead = Number of Spam x Time to Delete. Then Observe: Confirm Deletion Successful. Overhead = Number of Spam x Time to Observe
- Act (Not Spam): No Action, No Observation
Slide 13: For more information
- G. Conti and M. Ahamad, "A Taxonomy and Framework for Countering Denial of Information Attacks," IEEE Security and Privacy (to be published).
- Email me
Slide 14: DoI Countermeasures in the Network Security Domain
Slide 15: Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.
http://en.wikipedia.org/wiki/Information_visualization
Slide 16: rumint v.51
Slide 18:
- SuperScan 3.0 (XP)
- nmap 3 UDP (RH8)
- scanline 1.01 (XP)
- nmap 3 (RH8)
- NMapWin 3 (XP)
- SuperScan 4.0 (XP)
- nmap 3.5 (XP)
- nikto 1.32 (XP)
Slide 19: For more information
- G. Conti, "Network Attack Visualization," DEFCON 12, August 2004. (Talk PPT slides; Classical InfoVis survey PPT slides; Security InfoVis survey PPT slides)
- G. Conti and K. Abdullah, "Passive Visual Fingerprinting of Network Attack Tools," ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC), October 2004. (Talk PPT slides)
- See www.cc.gatech.edu/conti and www.rumint.org for the tool.
Slide 20: Last year at DEFCON
- First question
- How do we attack it?
Slide 21: Malicious Visualizations
Slide 22: Pokemon
http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg
Slide 23: Visual Information Overload (perception)
Slide 24: Attack Fading (memory)
http://etherape.sourceforge.net/
Image: http://www.inf.uct.cl/amellado/gestion_en_linux/etherape.jpg
Slide 25: Motion Induced Blindness (perception)
http://www.keck.ucsf.edu/yoram/mib-basic.html
Slide 26: Optical Illusions (perception)
http://www.ritsumei.ac.jp.nyud.net:8090/akitaoka/index-e.html
Slide 27: Crying Wolf (cognitive/motor)
Slide 28: Labeling Attack (algorithm)
CDX 2003 Dataset: X = Time, Y = Destination IP, Z = Destination Port
Slide 29: AutoScale Attack / Force User to Zoom (algorithm)
Slide 30: Precision Attack (algorithm)
http://www.nersc.gov/nusers/security/Cube.jpg
http://developers.slashdot.org/article.pl?sid04/06/01/1747223modethreadtid126tid172
Slide 31: Occlusion (visualization design)
Slide 32: Jamming (visualization design)
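Added example for the AutoScale / Force User to Zoom attack named above (my own code, not rumint's and not from the slides): a min/max autoscaled axis beside a percentile-based one that clamps and flags out-of-range points rather than letting them reshape the axis. It assumes the attack consists of injecting one value far outside the legitimate range; the port values are constructed.

```python
from typing import List, Tuple

def naive_scale(values: List[float], pixels: int) -> List[int]:
    """Plain autoscale: map [min, max] linearly onto columns 0..pixels-1.
    One injected extreme value stretches the axis until every legitimate
    point lands in the same column, which is what forces the user to zoom."""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1.0
    return [round((v - lo) / span * (pixels - 1)) for v in values]

def percentile(sorted_vals: List[float], p: float) -> float:
    """Nearest-rank percentile of an already sorted list (no interpolation)."""
    idx = int(round(p * (len(sorted_vals) - 1)))
    return sorted_vals[idx]

def robust_scale(values: List[float], pixels: int,
                 p_lo: float = 0.01, p_hi: float = 0.99) -> Tuple[List[int], List[int]]:
    """Scale to the p_lo..p_hi percentile range. Values outside it are drawn
    clamped at the edge column and their indices are returned so the display
    can flag them explicitly instead of silently rescaling everything else."""
    ordered = sorted(values)
    lo, hi = percentile(ordered, p_lo), percentile(ordered, p_hi)
    span = (hi - lo) or 1.0
    columns, clamped = [], []
    for i, v in enumerate(values):
        if v < lo or v > hi:
            clamped.append(i)
        t = min(max((v - lo) / span, 0.0), 1.0)
        columns.append(round(t * (pixels - 1)))
    return columns, clamped

# Constructed sample: 200 distinct destination ports in 1..1024, followed by
# a single injected out-of-range value at index 200.
LEGIT = [1 + (i * 37) % 1024 for i in range(200)]
INJECTED = LEGIT + [10 ** 9]

if __name__ == "__main__":
    naive = naive_scale(INJECTED, 400)
    robust, flagged = robust_scale(INJECTED, 400)
    print("naive: distinct columns used by legitimate points =", len(set(naive[:200])))
    print("robust: distinct columns =", len(set(robust[:200])), "flagged indices =", flagged)
```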
Slide 33: For more information
- G. Conti, M. Ahamad and J. Stasko, "Attacking Information Visualization System Usability: Overloading and Deceiving the Human," Symposium on Usable Privacy and Security (SOUPS), July 2005 (submitted, under review).
- See also www.rumint.org for the tool.
- Email me
Slide 34: rumint v 1.15 beta
Slide 35: Network packets over time
Axis labels: Bit 0, Bit 1, Bit 2, ..., Length of packet - 1
Slide 36: rumint 1.15 tool overview
Network monitoring mode (left); clicking a small pane brings up the detailed analysis view for that visualization.
Slide 37: So what do you think?
Slide 39: Visual exploration of binary objects
Slide 40: Reverse Engineering
- IDA Pro Disassembler and Debugger: http://www.datarescue.com/idabase/
Slide 41: Textual vs. Visual Exploration
Slide 42: binaryexplorer.exe
Slide 43: Comparing Executable Binaries (1 bit per pixel)
- visualexplorer.exe (visual studio)
- calc.exe (unknown compiler)
- rumint.exe (visual studio)
- regedit.exe (unknown compiler)
- mozillafirebird.exe (unknown compiler)
- cdex.exe (unknown compiler)
- apache.exe (unknown compiler)
- ethereal.exe (unknown compiler)
Slide 44: Comparing Image Files (1 bit per pixel)
- image.bmp
- image.zip
- image.jpg
- image.pae (encrypted)
Slide 45: Comparing mp3 files (1 bit per pixel)
- pash.mp3
- disguises.mp3
- the.mp3
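Added example serving both the packets-over-time slide (Slide 35) and the 1-bit-per-pixel file comparisons (Slides 43 to 45); it is my own code, not rumint's or binaryexplorer's: each packet or file chunk becomes one pixel row with x = bit index (Bit 0, Bit 1, ...) and y = arrival order, written out as a plain PBM image. The sample packets are constructed, and the set-bit density helper is an addition that makes the encrypted-versus-plain contrast on Slide 44 measurable.

```python
from typing import Iterable, List

def bit_row(data: bytes, width_bits: int) -> List[int]:
    """Bits of data, MSB first within each byte, as one pixel row.
    Rows are padded with 0 (or truncated) to width_bits so that column x
    is the same bit position in every row, whatever the packet length."""
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    bits = bits[:width_bits]
    return bits + [0] * (width_bits - len(bits))

def rainfall(chunks: Iterable[bytes], width_bits: int) -> List[List[int]]:
    """One row per chunk in arrival order: y = time, x = bit position."""
    return [bit_row(chunk, width_bits) for chunk in chunks]

def ones_density(data: bytes) -> float:
    """Fraction of set bits. Close to 0.5 for compressed or encrypted data,
    noticeably lower for text and sparse protocol headers."""
    if not data:
        return 0.0
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def to_pbm(rows: List[List[int]]) -> str:
    """Plain PBM (P1) text, 1 = black pixel; most image viewers open it."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    lines = [f"P1\n{width} {height}"]
    lines.extend(" ".join(str(b) for b in row) for row in rows)
    return "\n".join(lines) + "\n"

# Constructed sample packets (not captured traffic): two IPv4-header-like
# byte strings and one plaintext HTTP request.
PACKETS = [
    bytes.fromhex("4500003c1c46400040067a0ac0a80001c0a800c7"),
    bytes.fromhex("4500003c1c47400040067a09c0a80001c0a800c7"),
    b"GET / HTTP/1.1\r\nHost: example.test\r\n",
]

if __name__ == "__main__":
    rows = rainfall(PACKETS, width_bits=160)
    with open("rainfall.pbm", "w") as fh:
        fh.write(to_pbm(rows))
    for pkt in PACKETS:
        print(f"{ones_density(pkt):.2f} {pkt[:12]!r}")
```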
Slide 46: secvis, with Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech)
Slide 47: Overview of Visualization
Slide 48: Overview of Visualization
Slide 49: Overview and Detail
Slide 50: Routine Honeynet Traffic (baseline)
Slide 51: Compromised Honeypot
Slide 52: Slammer Worm
Slide 53: Constant Bitrate UDP Traffic
Slide 54: Port Sweep
Slide 55: System Performance
Slide 56: For more information
- S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen, "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," IEEE Information Assurance Workshop (IAW), June 2005 (submitted).
- Email me
Slide 57: Demos
- binary exploration
- rumint 1.15
- secvis
Slide 58: Gregory Conti, conti_at_cc.gatech.edu, www.cc.gatech.edu/conti
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
Slide 59: Backup Slides
Slide 60: External IP to Internal Port
One Week Snapshots: 6 Oct 04, 13 Oct 04, 20 Oct 04, 27 Oct 04
One Month: 30 Nov 04