Page 1
Passive Visual Fingerprinting of Network Attack Tools
Gregory Conti, Kulsoom Abdullah
College of Computing, Georgia Institute of Technology
Page 2
Motivation
Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.
• Law enforcement forensics
• Identify characteristics of new tools/worms
• Provide insight into attacker’s methodology & experience level
• Help network defender to initiate appropriate response
Page 3
System Architecture (diagram)
Pipeline stages: Ethernet → Packet Capture → Parse → Process → Plot → Interact
Tools per stage: Packet Capture with tcpdump (pcap, snort), winpcap, or tcpdump capture files; Parse and Process in Perl; Plot with xmgrace (gnuplot). The diagram also carries three "VS" labels leading into the Interact stage.
![Page 4: Passive Visual Fingerprinting of Network Attack Tools Gregory Conti Kulsoom Abdullah College of Computing Georgia Institute of Technology](https://reader035.vdocument.in/reader035/viewer/2022062804/56649e585503460f94b5150f/html5/thumbnails/4.jpg)
Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
Link Layer (Ethernet)
Network Layer (IP)
Examining Available Data…
Transport Layer (TCP)
Transport Layer (UDP)
IP: http://www.ietf.org/rfc/rfc0791.txt
TCP: http://www.ietf.org/rfc/rfc793.txtUDP: http://www.ietf.org/rfc/rfc0768.txt
All raw data available on the wire:
• Application layer data
• Transport layer header
• Network layer header
• Link layer header
Focused on: • Source / Destination Port• Source / Destination IP• Timestamp• Length of raw packet• Protocol Type
Page 5
Attacks Fingerprinted
nmap 3.0
nmap 3.5
nmapwin 1.3.1
Superscan 3.0
Superscan 4.0
nessus 2.0.10
nikto 1.32
scanline 1.01
sara 5.0.3
NSA CDX dataset 2003
Tool list: http://www.insecure.org/tools.html
Page 6
Visualizations
• Time Sequence Data
– Sequence of Source/Destination Ports and IPs
– Sequence of Packet Lengths
– Sequence of Packet Protocols
• Port and IP Mapping
– Source Port to Destination Port
– Source IP to Destination IP
– Source IP to Destination Port
– Source Port/IP to Destination IP/Port
– Source IP/Port to Destination Port/IP
• Characterization of home/external network
Page 7
Parallel plot views (figure): three two-axis plots, External Port (0–65,535) to Internal Port (0–65,535); External IP (0.0.0.0–255.255.255.255) to Internal IP (0.0.0.0–255.255.255.255); External IP (0.0.0.0–255.255.255.255) to Internal Port (0–65,535).
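The parallel plot views map each packet's five captured fields onto a port axis (0 to 65,535) and an IP axis (0.0.0.0 to 255.255.255.255) after deciding which end of the packet is home and which is external. The following is an added example, not the authors' tool, that computes those coordinates in Python for a constructed sample capture; the 10.0.0.0/8 home network and the sample packets are assumptions, and the port-to-port, four-axis and time-sequence views follow the slides.

```python
import ipaddress
from collections import namedtuple
# The five fields the deck focuses on: timestamp, src/dst IP, src/dst port, protocol, raw length.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")
HOME = ipaddress.ip_network("10.0.0.0/8")  # assumed home network (not from the slides)
# Constructed sample capture: an external host probes three internal ports and gets one
# reply; the last record is internal-only traffic that none of the views should plot.
SAMPLE = [
    Packet(0.00, "198.51.100.7", 40001, "10.0.0.5", 21, "tcp", 60),
    Packet(0.01, "198.51.100.7", 40002, "10.0.0.5", 22, "tcp", 60),
    Packet(0.02, "198.51.100.7", 40003, "10.0.0.5", 80, "tcp", 60),
    Packet(0.03, "10.0.0.5", 22, "198.51.100.7", 40002, "tcp", 60),
    Packet(0.04, "10.0.0.5", 53412, "10.0.0.9", 53, "udp", 75),
]

def ip_axis(ip):
    """Position on the 0.0.0.0 .. 255.255.255.255 axis, scaled to 0.0 .. 1.0."""
    return int(ipaddress.ip_address(ip)) / 0xFFFFFFFF

def port_axis(port): return port / 65535  # 0 .. 65,535 axis scaled to 0.0 .. 1.0

def orient(pkt):
    """Home/external characterization: (ext_ip, ext_port, int_ip, int_port), or None if same side."""
    src_home = ipaddress.ip_address(pkt.src) in HOME
    dst_home = ipaddress.ip_address(pkt.dst) in HOME
    if src_home == dst_home:
        return None
    if src_home:  # outbound reply: the external end is the destination
        return pkt.dst, pkt.dport, pkt.src, pkt.sport
    return pkt.src, pkt.sport, pkt.dst, pkt.dport

def oriented(packets):
    """Yield (packet, orientation) in time order, skipping same-side traffic."""
    for p in sorted(packets, key=lambda q: q.ts):
        o = orient(p)
        if o is not None:
            yield p, o

def port_to_port_lines(packets):
    """'External Port to Internal Port' view: one (left, right) segment per packet."""
    return [(port_axis(o[1]), port_axis(o[3])) for _, o in oriented(packets)]

def four_axis_lines(packets):
    """'Port to IP to IP to Port' view: ext port, ext IP, int IP, int port per packet."""
    return [(port_axis(o[1]), ip_axis(o[0]), ip_axis(o[2]), port_axis(o[3]))
            for _, o in oriented(packets)]

def internal_port_sequence(packets):
    """Time-sequence view: the order in which inbound packets touch internal ports."""
    return [o[3] for p, o in oriented(packets) if p.dst == o[2]]
```

Feeding these segments to a plotting tool such as gnuplot reproduces the views; the internal port sequence is the signal the deck reads as the "sequence of ports scanned".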
Page 8
Baseline (figure): External Port to Internal Port and External IP to Internal IP views
Page 9
Fingerprint plots (figure) for: nmap 3 (RH8), NMapWin 3 (XP), SuperScan 3.0 (XP), SuperScan 4.0 (XP), nmap 3 UDP (RH8), nmap 3.5 (XP), scanline 1.01 (XP), nikto 1.32 (XP)
Page 10
Sara 5.0.3 (port to port) (figure): Light, Medium and Heavy scan levels
Page 11
Georgia Tech Honeynet (figure): External IP to Internal Port, External Port to Internal Port, and External IP to Internal IP views
Page 12
Four-axis view (figure): External IP (0.0.0.0–255.255.255.255), External Port (0–65,535), Internal Port (0–65,535), Internal IP (0.0.0.0–255.255.255.255)
Also a Port to IP to IP to Port View
Page 13
Exploring nmap 3.0 in depth (port to IP to IP to port) (figure)
Scan types shown: default (root), stealth FIN (-sF), NULL (-sN), SYN (-sS -O), stealth SYN (-sS), CONNECT (-sT), UDP (-sU), XMAS (-sX)
Page 14
nmap within Nessus (port to IP to IP to port) (figure): CONNECT (-sT), UDP (-sU); Nessus 2.0.10
Page 15
SuperScan Evolution (port to IP to IP to port) (figure): SuperScan 3.0, scanline 1.01, SuperScan 4.0
Page 16
Packet length and protocol type over time (figure; axes: ports, packets, length)
Page 17
WinNMap (figure)
Page 18
SuperScan 4.0 (figure)
Page 19
Time sequence data (external port vs. packet) (figure): nmap win and superscan 3; axes: ports vs. packets
Also internal/external IP and internal port
Page 20
Tool interface (screenshot)
Page 21 (screenshot only)
Page 22
Findings (Weaknesses)
• Interaction with personal firewalls
• Countermeasures
• Scale / labeling are issues
• Occlusion is a problem
• Greater interactivity required for forensics and less aggressive attacks
• Some tools are very flexible
• Source code not available for some tools
Page 23
Findings (Strengths)
• Aggressive tools have distinct visual signatures
• Threading / multiple processes may be visible
• Some source code lineage may be visible
• Some OS/Application features are visible
• Some classes of stealthy attack are visible
Page 24
Findings (Strengths)
• Sequence of ports scanned visible
• Frequently attacked ports visible
• Resistant to high volume network traffic
• Viable in the presence of routine traffic
• Useful against slow scans (hours-weeks)
• Useful against distributed scans
Page 25
Future Work
• Add forensic capability
• Task driven interactivity (Zoom & filter, details on demand)
• Smart books (images & movies)
• Usability studies
• Stress test
• Explore less aggressive attack classes
Page 26
Demo
Page 27
classic infovis survey: www.cc.gatech.edu/~conti
security infovis survey: www.cc.gatech.edu/~conti
rumint tool: http://www.rumint.com/software.html
Visual Security Community: http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47
Kulsoom’s Research: http://users.ece.gatech.edu/~kulsoom/research.html
VizSEC Paper/Slides: http://users.ece.gatech.edu/~kulsoom/research.html
www.cc.gatech.edu/~conti
Page 28
Acknowledgements
• Dr. John Stasko – http://www.cc.gatech.edu/~john.stasko/
• Dr. Wenke Lee – http://www.cc.gatech.edu/~wenke/
• Dr. John Levine – http://www.eecs.usma.edu/
• Julian Grizzard – http://www.ece.gatech.edu/
• 404.se2600 – Clint, Hendrick, icer, Rockit, StricK
Page 29
Questions?
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
Greg Conti: [email protected], www.cc.gatech.edu/~conti
Kulsoom Abdullah: [email protected], http://users.ece.gatech.edu/~kulsoom/research.html