A Picture is Worth a Thousand Packets - Black Hat Briefings · 2015-05-28
TRANSCRIPT
A Picture is Worth a Thousand Packets, Gregory Conti
[Page 2]
The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.
http://ehp.niehs.nih.gov/docs/2003/111-2/prison.jpg
[Page 3]
information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.
http://en.wikipedia.org/wiki/Information_visualization
[Page 4]
Gartner's Hype Cycle
http://java.sun.com/features/1998/03/images/year3/original/gartner.curve.jpg
Thanks go to Kirsten Whitely for the Gartner curve idea
Where are we now?
[Page 5]
SANS Internet Storm Center
[Page 6]
Ethereal’s Tipping Point (for the human)
Students: 635 Packets
Professionals: 5,905 Packets
[Page 7]
Snort’s Tipping Point (for the humans)
Students: 30 Alerts
Professionals: 1,183 Alerts
[Page 8]
General InfoVis Research…
powerpoint of classic systems is here… http://www.rumint.org/gregconti/publications/20040731-information_visualization_survey.ppt
see InfoVis proceedings for more recent work… http://www.infovis.org/symposia.php
[Page 9]
Potential Data Streams
Traditional
• packet capture
• IDS/IPS logs
• syslog
• firewall logs
• anti-virus
• net flows
• host processes
• honeynets
• network appliances
Less traditional
• p0f
• IANA data (illegal IP’s)
• DNS
• application level
• extrusion detection systems
• local semantic data (unassigned local IPs)
• inverted IDS
• geolocation (MaxMind?)
• vulnerability assessment (nessus, nmap …)
• system files
[Page 10]
Rootkit Propagation (Dan Kaminsky)
http://www.doxpara.com/
[Page 11]
Firewall Data (Raffy Marty)
http://raffy.ch/blog/
[Page 12]
Firewall Data (Chris Lee)
"Visual Firewall: Real-time Network Security Monitor" Chris P. Lee, Jason Trost, Nicholas Gibbs, Raheem Beyah, John A. Copeland (Georgia Tech)
[Page 13]
IDS Alerts (Kulsoom Abdullah)
http://www.rumint.org/gregconti/publications/20050813_VizSec_IDS_Rainstorm.pdf
[Page 14]
Netflows (University of Illinois at Urbana-Champaign / Bill Yurcik)
http://security.ncsa.uiuc.edu/distribution/NVisionIPDownLoad.html
[Page 15]
Packet Level (John Goodall)
http://userpages.umbc.edu/~jgood/research/tnv/
[Page 16]
Host Processes and Network Traffic (Glenn Fink)
"Visual Correlation of Host Processes and Traffic" Glenn A. Fink, Paul Muessig, Chris North (Virginia Tech)
[Page 17]
MD5 (Dan Kaminsky)
Panels: Hash 1, Hash 2, Diff, Animation
http://www.doxpara.com/?q=node&from=10
[Page 18]
Comparing Executable Binaries (Greg Conti)
visualexplorer.exe (visual studio)
rumint.exe (visual studio)
calc.exe (unknown compiler)
regedit.exe (unknown compiler)
mozillafirebird.exe (unknown compiler)
cdex.exe (unknown compiler)
apache.exe (unknown compiler)
ethereal.exe (unknown compiler)
[Page 19]
[Page 20]
Snort Weaknesses
• Too many false positives
• Reliance on known signatures
• Time and difficulty in selecting right set of signatures for a given network
• Front end GUIs are poor
Ethereal Weaknesses
• Overwhelming detail / too much for human to process
• Impossible to properly visualize a large dataset without getting lost and confused
• GUI too cumbersome
Snort Strengths
• Robust and configurable filtering
• High quality signature database
• Helps to focus human resources
• Flexibility
• Ability to access details of packets/alerts
• Open source
Ethereal Strengths
• Full view of all packet parameters
• Capture and display filters
• Dissect and analyze protocols
[Page 21]
Ethereal
http://www.pandora.nu/tempo-depot/notes/blosxom/data/PC_side/Web_Browser/Blosxom/ethereal.png
Ethereal can be found at http://www.ethereal.com/
[Page 22]
Potential Data Streams
Packet fields: payload, byte frequency, packet length
Header fields: ethertype, IP version, IP header length, IP differential services, IP total length, IP identification, IP flags, IP fragment, TTL, IP transport, IP header checksum, src/dst IP, src/dst TCP & UDP port
[Page 23]
RUMINT
[Page 24]
Filtering, Encoding & Interaction
[Page 25]
Multiple Coordinated Views…
[Page 26]
Text (on the fly strings)
dataset: Defcon 11 CTF
[Page 27]
Krasser Visualization
Figure: animated scatter plots; axes: source IP address (0.0.0.0 to 255.255.255.255), destination port (0 to 65535), packet size, and time (up to now); color: protocol; brightness: age.
[Page 28]
Routine Honeynet Traffic (baseline)
[Page 29]
Compromised Honeypot
[Page 30]
Binary Rainfall Visualization (single packet)
Bits on wire… 1 1 1 1 01010010101001110110
[Page 31]
Binary Rainfall Visualization (single packet)
Bits on wire…
1 1 1 1 01010010101001110110
1 1 1 1 01010010101001110110
View as a 1:1 relationship (1 bit per pixel)…
24 Pixels
[Page 32]
[Page 33]
Figure: binary rainfall over many packets; y axis: network packets over time; x axis: Bit 0, Bit 1, Bit 2 … Length of packet - 1
Encode by Protocol
[Page 34]
On the fly disassembly?
dataset: Honeynet Project Scan of the Month 21
[Page 35]
Binary Rainfall Visualization (single packet)
Bits on wire…
1 1 1 1 01010010101001110110
1 1 1 1 01010010101001110110
View as a 1:1 relationship (1 bit per pixel)…
1 1 1 1 01010010101001110110
View as a 8:1 relationship (1 byte per pixel)…
3 Pixels
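As an added example (written for this page, not RUMINT's own code), the 1:1 and 8:1 views the slides describe: each packet becomes one row, the slide's 24-bit packet is embedded as constructed input, and an assumed colour-per-protocol table implements the "Encode by Protocol" view as a PPM image.

```python
"""Binary rainfall: one packet per row, one pixel per bit (1:1) or per byte (8:1).
Added example for this page, not RUMINT's own code; the protocol colours are an
assumption chosen here."""
from typing import Dict, List, Sequence, Tuple

# Hypothetical colour per protocol for the "Encode by Protocol" view (RGB).
PROTOCOL_COLOURS: Dict[str, Tuple[int, int, int]] = {
    "tcp": (255, 255, 255),
    "udp": (0, 255, 0),
    "icmp": (255, 0, 0),
}


def bits_of(packet: bytes) -> List[int]:
    """Expand bytes into bits, most significant bit first (the 1:1 view)."""
    return [(byte >> shift) & 1 for byte in packet for shift in range(7, -1, -1)]


def rainfall_rows(packets: Sequence[bytes], bits_per_pixel: int = 1) -> List[List[int]]:
    """Build a rectangular grayscale grid: one packet per row, x axis = bit or byte
    offset, rows padded with 0 (black) to the length of the longest packet."""
    if bits_per_pixel == 1:
        rows = [[255 if bit else 0 for bit in bits_of(p)] for p in packets]
    elif bits_per_pixel == 8:
        rows = [list(p) for p in packets]
    else:
        raise ValueError("only the 1:1 and 8:1 views are supported")
    width = max((len(r) for r in rows), default=0)
    return [r + [0] * (width - len(r)) for r in rows]


def colour_rows(rows: List[List[int]], protocols: Sequence[str]) -> List[List[Tuple[int, int, int]]]:
    """Tint each grayscale row by its packet's protocol colour; pixel intensity scales the colour."""
    out = []
    for row, proto in zip(rows, protocols):
        r, g, b = PROTOCOL_COLOURS.get(proto, (128, 128, 128))
        out.append([(v * r // 255, v * g // 255, v * b // 255) for v in row])
    return out


def write_pgm(path: str, rows: List[List[int]]) -> None:
    """Write the grayscale grid as a binary PGM (P5) image any viewer can open."""
    height, width = len(rows), (len(rows[0]) if rows else 0)
    with open(path, "wb") as f:
        f.write(f"P5\n{width} {height}\n255\n".encode("ascii"))
        for row in rows:
            f.write(bytes(row))


def write_ppm(path: str, rows: List[List[Tuple[int, int, int]]]) -> None:
    """Write the protocol-coloured grid as a binary PPM (P6) image."""
    height, width = len(rows), (len(rows[0]) if rows else 0)
    with open(path, "wb") as f:
        f.write(f"P6\n{width} {height}\n255\n".encode("ascii"))
        for row in rows:
            f.write(bytes(c for px in row for c in px))


# Constructed sample: the slide's 24-bit packet (1111 0101 0010 1010 0111 0110)
# plus two synthetic payloads so the rows differ visibly.
SAMPLE_PACKETS = [
    bytes([0xF5, 0x2A, 0x76]),
    b"GET /index.html HTTP/1.0\r\n",
    bytes(range(0, 256, 8)),
]
SAMPLE_PROTOCOLS = ["udp", "tcp", "icmp"]

if __name__ == "__main__":
    bit_rows = rainfall_rows(SAMPLE_PACKETS, 1)
    byte_rows = rainfall_rows(SAMPLE_PACKETS, 8)
    print(len(bit_rows[0]), "pixels wide at 1:1;", len(byte_rows[0]), "pixels wide at 8:1")
    write_pgm("rainfall_bits.pgm", bit_rows)
    write_ppm("rainfall_bytes.ppm", colour_rows(byte_rows, SAMPLE_PROTOCOLS))
```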
[Page 36]
Byte Visualization
[Page 37]
OpenSSH Diffie-Hellman Key Exchange
[Page 38]
Zipped Email Attachment
[Page 39]
Byte Presence
Panels: dictionary file via HTTP; ssh; SSL
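An added example (not the author's code) of the byte presence and byte frequency views behind this slide: for each payload it records which of the 256 byte values occur and how often, and the derived statistics separate a plaintext dictionary file from an ssh or SSL record on constructed sample data. The detection thresholds are assumptions chosen here, not values from the talk.

```python
"""Byte presence / byte frequency per payload. Added example for this page, not
RUMINT's own code; the sample payloads below are constructed."""
import math
import random
from typing import Dict, List


def byte_frequency(payload: bytes) -> List[int]:
    """Count occurrences of each of the 256 byte values (the byte frequency view)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    return counts


def byte_presence(payload: bytes) -> List[bool]:
    """One flag per byte value: True if the value appears at all. One such row per
    packet, stacked over time, is the byte presence view."""
    return [c > 0 for c in byte_frequency(payload)]


def presence_row(payload: bytes) -> List[int]:
    """Render presence as a 256-pixel row (255 = value present, 0 = absent)."""
    return [255 if p else 0 for p in byte_presence(payload)]


def shannon_entropy(payload: bytes) -> float:
    """Bits of entropy per byte: roughly 4 to 5 for English text, near 8 for ciphertext."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in byte_frequency(payload) if c)


def characterise(payload: bytes) -> Dict[str, float]:
    """Summary a defender can threshold on: distinct values used, share of the
    payload that is printable ASCII, and entropy."""
    presence = byte_presence(payload)
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return {
        "distinct_values": sum(presence),
        "printable_fraction": printable / len(payload) if payload else 0.0,
        "entropy": shannon_entropy(payload),
    }


def looks_encrypted(payload: bytes, min_len: int = 256) -> bool:
    """Heuristic from the slide's contrast: plaintext lights up only the printable
    band, while ssh/SSL records light up nearly the whole 0-255 range.
    Thresholds are assumptions made here, not values from the talk."""
    if len(payload) < min_len:
        return False  # too short to judge
    stats = characterise(payload)
    return stats["distinct_values"] >= 200 and stats["entropy"] > 7.0


# Constructed samples: a dictionary file fragment and seeded pseudo-random bytes
# standing in for an encrypted ssh/SSL record (seeded so runs are repeatable).
DICTIONARY_PAYLOAD = "\n".join(f"word{i:04d}" for i in range(200)).encode("ascii")
_rng = random.Random(1)
ENCRYPTED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1500))

if __name__ == "__main__":
    for name, payload in [("dictionary file via HTTP", DICTIONARY_PAYLOAD),
                          ("ssh/SSL record", ENCRYPTED_PAYLOAD)]:
        print(name, characterise(payload), "looks encrypted:", looks_encrypted(payload))
```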
[Page 40]
Parallel Coordinates
• goal: plot any data fields
• dynamic columns
• change order for different insight
• intelligent lookup and translation of fields
  – e.g. IP transport protocol
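An added example (written for this page, not RUMINT's code) of feeding packet header fields into parallel coordinates: it decodes raw IPv4/TCP/UDP headers, translates the numeric IP transport protocol into a name as the slide describes, and maps each packet to one polyline across a column list that can be reordered freely. Fixed per-column axis ranges are an assumption made here; the sample packets are constructed.

```python
"""Parallel coordinates over packet header fields. Added example for this page,
not RUMINT's own code."""
import struct
from typing import Dict, List, Sequence

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

# Fixed axis ranges (an assumption made here): numeric columns are scaled against
# their full possible range rather than the min/max of the data on screen.
AXIS_RANGES = {"ttl": 255, "total_len": 65535, "ident": 65535, "frag_offset": 65528,
               "src_port": 65535, "dst_port": 65535, "src": 2**32 - 1, "dst": 2**32 - 1}


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Decode the fixed IPv4 header (no Ethernet framing) plus TCP/UDP ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields: Dict[str, object] = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ident": ident, "flags": flags_frag >> 13,
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": int.from_bytes(src, "big"), "dst": int.from_bytes(dst, "big"),
        "src_port": 0, "dst_port": 0,
    }
    # Ports only exist in the first fragment of a TCP/UDP datagram.
    if proto in (6, 17) and fields["frag_offset"] == 0 and len(packet) >= ihl + 4:
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


def to_polylines(records: Sequence[Dict[str, object]], columns: Sequence[str]) -> List[List[float]]:
    """Map each record to one y value in [0, 1] per column, in the given column
    order (reorder the list for a different view). Columns without a numeric
    range (e.g. protocol) are spread evenly over the axis by sorted unique value."""
    categories: Dict[str, Dict[str, float]] = {}
    for col in columns:
        if col not in AXIS_RANGES:
            values = sorted({str(r[col]) for r in records})
            categories[col] = {v: i / max(len(values) - 1, 1) for i, v in enumerate(values)}
    lines = []
    for r in records:
        lines.append([categories[c][str(r[c])] if c in categories
                      else int(r[c]) / AXIS_RANGES[c] for c in columns])
    return lines


def build_ipv4(src: str, dst: str, proto: int, ttl: int = 64, ident: int = 1,
               flags: int = 0, frag_offset: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test packets (checksum left 0; this example does not verify it)."""
    flags_frag = (flags << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


SAMPLE = [
    build_ipv4("10.0.0.5", "192.0.2.10", 6, flags=0b010, payload=struct.pack("!HH", 40000, 80)),
    build_ipv4("10.0.0.5", "192.0.2.10", 17, payload=struct.pack("!HH", 5353, 53)),
    # A non-first fragment: MF set, offset 128 bytes, so no ports are decoded.
    build_ipv4("10.0.0.7", "192.0.2.10", 17, flags=0b001, frag_offset=128, payload=b"\x00" * 8),
]

if __name__ == "__main__":
    records = [parse_ipv4(p) for p in SAMPLE]
    for line in to_polylines(records, ["src", "dst", "protocol", "dst_port", "ttl"]):
        print([round(v, 3) for v in line])
```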
[Page 41]
Rapidly Characterize Packet Header Fields
[Page 42]
traceroute/tracert (google.com)
[Page 43]
Identify and Precisely Locate Fragmentation Anomaly
[Page 44]
Identify and Precisely Locate x90 Anomaly
[Page 45]
Identify and Precisely Locate Possible Random Payload Anomaly
[Page 46]
Task Completion Time
Figure: chart of task completion time; y axis: time (minutes)
[Page 47]
RUMINT Tipping Point
[Page 48]
System Requirements
• IP over Ethernet
• Tested on Windows XP
• ~256+ MB RAM
• Processor 300 MHz (minimum)
• The more screen real estate the better
• Latest winpcap
• Development
  – Visual Studio 6
  – port to GCC and Open GL
  – PacketX for now
    • Go direct to (win)pcap
[Page 49]
Demo
[Page 50]
Attacking the Analyst
[Page 51]
AutoScale Attack / Force User to Zoom
[Page 52]
CDX 2003 Dataset: X = Time, Y = Destination IP, Z = Destination Port
Labeling Attack
[Page 53]
Precision Attack
http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172
http://www.nersc.gov/nusers/security/Cube.jpg
[Page 54]
Occlusion Jamming
[Page 55]
Attack Demo
[Page 56]
Attacking the Analyst…
G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. On the CD…
G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (accepted, to be published) Website…
[Page 57]
Future Vision
[Page 58]
Directions for the Future…
We are only scratching the surface of the possibilities
• attack specific community needs
• plug-ins
• launch network packets?
• protocol specific visualizations
  – including application layer (e.g. VoIP, HTTP)
• Open GL
• graph visualization+
• screensaver/wallpaper snapshot?
• work out GUI issues
• database of filters / smart books
• stress testing
• evaluate effectiveness
[Page 59]
For more information…
G. Conti, K. Abdullah, J. Grizzard, J. Stasko, J. Copeland, M. Ahamad, H. Owen and C. Lee; "Countering Security Analyst and Network Administrator Overload Through Alert and Packet Visualization;" IEEE Computer Graphics and Applications (CG&A), March 2006.
G. Conti, J. Grizzard, M. Ahamad and H. Owen; "Visual Exploration of Malicious Network Objects Using Semantic Zoom, Interactive Encoding and Dynamic Queries;" IEEE Symposium on Information Visualization's Workshop on Visualization for Computer Security (VizSEC); October 2005.
G. Conti; "Beyond Ethereal: Crafting A Tivo for Security Datastreams;" Black Hat USA; July 2005.
G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005.
S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen; "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization;" IEEE Information Assurance Workshop (IAW); June 2005.
G. Conti; "Countering Denial of Information Attacks with Information Visualization;" Interz0ne 4; March 2005.
G. Conti and K. Abdullah; "Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004.
G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004.
G. Conti; "Network Security Data Visualization;" Interz0ne 3; April 2004.
www.cc.gatech.edu/~conti
www.rumint.org
[Page 60]
On the CD…
• Talk slides
• Code
  – rumint
• Papers
  – SOUPS Malicious Visualization paper
  – Hacker conventions article (CACM)
  – Ethereal / Snort Survey
See also: www.cc.gatech.edu/~conti and www.rumint.org
[Page 61]
Feedback Requested…
• Tasks
• Usage
  – provide feedback on GUI
  – needed improvements
  – multiple monitor machines
  – performance under stress
  – bug reports
• Data
  – interesting packet traces
  – screenshots
    • with supporting .rum and .pcap files, if possible
• Pointers to interesting related tools (viz or not)
• New viz and other analysis ideas
[Page 62]
Acknowledgements
404.se2600, Kulsoom Abdullah, Sandip Agarwala, Mustaque Ahamad, Bill Cheswick, Chad, Clint, Tom Cross, David Dagon, DEFCON, Ron Dodge, EliO, Emma, Mr. Fuzzy, Jeff Gribschaw, Julian Grizzard, GTISC, Hacker Japan, Mike Hamelin, Hendrick, Honeynet Project, Interz0ne, Jinsuk Jun, Kenshoto, Oleg Kolesnikov, Sven Krasser, Chris Lee, Wenke Lee, John Levine, Michael Lynn, David Maynor, Neel Mehta, Jeff Moss, NETI@home, Henry Owen, Dan Ragsdale, Rockit, Byung-Uk Roho, Charles Robert Simpson, Ashish Soni, SOUPS, Jason Spence, John Stasko, StricK, Susan, USMA ITOC, IEEE IAW, VizSEC 2004, Grant Wagner and the Yak.
[Page 63]
Questions?
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
Greg [email protected]
www.cc.gatech.edu/~conti
www.rumint.org