
Real Time and Forensic Network Data Analysis Using Animated Combined Visualizations




  1. Real Time and Forensic Network Data Analysis Using Animated Combined Visualizations. Sven Krasser, Gregory Conti, Julian Grizzard, Jeff Gribschaw, Henry Owen. Georgia Institute of Technology

  2. Overview of Visualization

  3. Overview of Visualization

  4. Motivation
     • High-level analysis, low-level discovery
     • Complement Ethereal by providing big-picture context
     • TiVo for network traffic
     • Dealing with customers
     • Network behavior / intruder behavior
     • Support honeynet log analysis
     • Not real-time intrusion detection (yet)

  5. System Design
     • Real-time packet capture and forensic playback
     • Navigate forwards and backwards in the dataset
     • 3D and 2D views
     • OpenGL on commodity hardware (Pentium 4, 2.5 GHz)
     • Parallel coordinate plot adjacent to two animated displays
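The slide lists the pipeline but not how its pieces fit together. The following is an added example (not code from the paper or its tool) that models the capture/playback/parallel-coordinates path in Python: a time-ordered packet buffer with a cursor that moves forward for live capture and backward for forensic replay, and a mapping of each visible packet onto four normalized axes (source address, source port, destination address, destination port). The axis order, the window semantics and the sample packets are assumptions made for this example; the "capture" is constructed inline and is not real traffic.

```python
"""Small model of capture -> playback cursor -> parallel-coordinate polylines."""
from collections import namedtuple
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# One captured packet. Field set is an assumption for this example.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

# Constructed sample capture (not real traffic): one host probing a few
# ports on a target, with one unrelated UDP packet in the middle.
SAMPLE: List[Packet] = [
    Packet(0.00, "203.0.113.5", 40000, "192.0.2.10", 22, "tcp", 60),
    Packet(0.05, "203.0.113.5", 40001, "192.0.2.10", 23, "tcp", 60),
    Packet(0.10, "203.0.113.5", 40002, "192.0.2.10", 25, "tcp", 60),
    Packet(0.15, "203.0.113.5", 40003, "192.0.2.10", 80, "tcp", 60),
    Packet(0.20, "198.51.100.7", 5004, "192.0.2.20", 5004, "udp", 1200),
    Packet(0.25, "203.0.113.5", 40004, "192.0.2.10", 443, "tcp", 60),
]

def normalize(pkt: Packet) -> Tuple[float, float, float, float]:
    """Position of one packet on four parallel axes, each scaled to [0, 1]:
    source address, source port, destination address, destination port.
    Drawing the four points as one polyline gives the parallel-coordinate
    view; the axis order is an assumption of this example."""
    return (
        int(ip_address(pkt.src)) / 0xFFFFFFFF,
        pkt.sport / 0xFFFF,
        int(ip_address(pkt.dst)) / 0xFFFFFFFF,
        pkt.dport / 0xFFFF,
    )

class Playback:
    """Time-ordered packet buffer with a cursor. Live capture appends at the
    tail; forensic replay moves the cursor backwards and forwards. view()
    returns the packets inside a fixed-length window ending at the cursor,
    which is what the animated displays would draw at that instant."""

    def __init__(self, packets: Iterable[Packet], window: float) -> None:
        self.packets = sorted(packets, key=lambda p: p.ts)
        self.window = window          # seconds of traffic shown at once
        self.cursor = len(self.packets) - 1   # -1 when the buffer is empty

    def append(self, pkt: Packet) -> None:
        """Live path: packets arrive in time order. If the cursor was on the
        newest packet (tail-following), it stays on the newest packet."""
        following_tail = self.cursor == len(self.packets) - 1
        self.packets.append(pkt)
        if following_tail:
            self.cursor = len(self.packets) - 1

    def step(self, n: int) -> float:
        """Move the cursor n packets forward (n > 0) or backward (n < 0),
        clamped to the buffer. Returns the timestamp now under the cursor."""
        self.cursor = max(0, min(len(self.packets) - 1, self.cursor + n))
        return self.packets[self.cursor].ts

    def view(self) -> List[Packet]:
        """Packets with timestamps in (cursor_ts - window, cursor_ts]."""
        if self.cursor < 0:
            return []
        end = self.packets[self.cursor].ts
        start = end - self.window
        return [p for p in self.packets[: self.cursor + 1] if p.ts > start]

    def polylines(self) -> List[Tuple[float, float, float, float]]:
        """One normalized polyline per visible packet (x = axis index,
        y = value), ready for the renderer."""
        return [normalize(p) for p in self.view()]

if __name__ == "__main__":
    pb = Playback(SAMPLE, window=0.12)
    print(len(pb.view()), "packets in view at the end of the capture")
    pb.step(-3)
    print(len(pb.view()), "packets in view after stepping back three packets")
    for line in pb.polylines():
        print(["%.4f" % v for v in line])
```

A renderer would draw each polyline across four vertical axes and animate by re-running `view()` as the cursor advances; stepping the cursor backwards is the forensic replay the slide describes, with no change to the drawing code.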

  6. Overview and Detail

  7. Routine Honeynet Traffic (baseline)

  8. Slammer Worm

  9. Constant Bitrate UDP Traffic

  10. Port Sweep
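Slides 8 to 10 are image slides: each shows the distinct visual signature of one traffic type, but the transcript carries only the titles. The following is an added example (not code or data from the paper) that makes the difference between those three signatures concrete by computing, per time window, the quantities a parallel-coordinate plot would show as fan-out or as a single repeated line: how many sources, destination hosts and destination ports are touched, the share of UDP, and how regular the packet sizes and inter-arrival gaps are. The generators produce constructed traffic; the thresholds, the assumption that a "port sweep" here means one source walking many ports on one host, and the Slammer-like shape (one source, UDP/1434, fixed-size packets, many destinations) are choices made for this example.

```python
"""Per-window traffic features behind three visual signatures."""
from collections import namedtuple
from statistics import mean, pstdev
from typing import Dict, List

Pkt = namedtuple("Pkt", "ts src sport dst dport proto length")

# --- constructed traffic generators (not captures from the paper) --------

def port_sweep(n: int = 30) -> List[Pkt]:
    """One source walks destination ports on one host: the polylines share
    three axis positions and fan out on the destination-port axis."""
    return [Pkt(i * 0.01, "203.0.113.5", 40000 + i, "192.0.2.10", 1 + i, "tcp", 60)
            for i in range(n)]

def slammer_like(n: int = 30) -> List[Pkt]:
    """One source, fixed UDP destination port 1434 (Slammer's target), fixed
    packet size, many destinations: fan-out on the destination-address axis.
    Destinations are spread deterministically for reproducibility."""
    return [Pkt(i * 0.001, "203.0.113.9", 1029, "10.%d.%d.%d" % ((i * 37) % 256, (i * 91) % 256, i % 256),
                1434, "udp", 404) for i in range(n)]

def cbr_udp(n: int = 30, interval: float = 0.02) -> List[Pkt]:
    """One flow, one packet every `interval` seconds, constant size: a single
    polyline redrawn at a steady rate."""
    return [Pkt(i * interval, "198.51.100.7", 5004, "192.0.2.20", 5004, "udp", 1200)
            for i in range(n)]

# --- features and signature labels ----------------------------------------

def features(pkts: List[Pkt]) -> Dict[str, float]:
    """Counts and regularity measures for one window of packets."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    sizes = [p.length for p in pkts]
    return {
        "srcs": len({p.src for p in pkts}),
        "dst_hosts": len({p.dst for p in pkts}),
        "dst_ports": len({p.dport for p in pkts}),
        "udp_share": sum(p.proto == "udp" for p in pkts) / len(pkts),
        # coefficient of variation of inter-arrival gaps; inf if undefined
        "gap_cv": pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else float("inf"),
        "size_cv": pstdev(sizes) / mean(sizes),
    }

def signature(pkts: List[Pkt], fan: int = 10) -> str:
    """Label a window by which axis fans out (or does not). `fan` is the
    minimum number of distinct endpoints counted as fan-out (an assumed
    threshold)."""
    if not pkts:
        return "no distinct signature"
    f = features(pkts)
    single_source = f["srcs"] == 1
    if single_source and f["dst_hosts"] == 1 and f["dst_ports"] >= fan:
        return "port sweep"
    if (single_source and f["dst_ports"] == 1 and f["dst_hosts"] >= fan
            and f["udp_share"] == 1.0 and f["size_cv"] == 0):
        return "scanning worm (Slammer-like)"
    if (single_source and f["dst_hosts"] == 1 and f["dst_ports"] == 1
            and f["udp_share"] == 1.0 and f["gap_cv"] < 0.05 and f["size_cv"] == 0):
        return "constant-bitrate UDP"
    return "no distinct signature"

if __name__ == "__main__":
    for name, window in [("sweep", port_sweep()), ("worm", slammer_like()),
                         ("cbr", cbr_udp()), ("mixed", port_sweep(3) + cbr_udp(3))]:
        print(name, "->", signature(window), features(window))
```

The point of the features is that they are the same quantities the analyst's eye picks out of the animated plot: a sweep and a scanning worm are both fan-out, on different axes; constant-bitrate UDP is the absence of fan-out combined with a regular gap. Running `features()` over the mixed window shows why routine honeynet traffic (slide 7) gets no label: more than one source, so no single fan-out shape.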

  11. Attempted HTTP Attack…

  12. Attempted HTTP Attack… (zoom)

  13. Compromised Honeypot

  14. Attacker Transfers Three Files…

  15. Campus Network

  16. Inbound Campus Traffic (5 seconds)

  17. Campus Network Traffic (10 msec capture): inbound / outbound

  18. Botnet Visualization

  19. Combined botnet/honeynet traffic

  20. System Performance

  21. System Performance

  22. Conclusions
     • Combining of visualization techniques
     • OpenGL on commodity hardware
     • Significant analyst performance gains
     • Interaction techniques
     • Distinct visual signatures
     • Smart books
     • Tipping point on high-volume networks
     • Honeynet / CTF analysis possible now
     • Prefiltering required for general-purpose use

  23. Future Work
     • Semantic zoom
       • packets -> flows -> application/protocol specific
     • Work through slices of network traffic
       • allow user to focus on what is interesting
     • Maximize customization and interaction
       • Filtering and encoding
       • All fields
       • Multiple data streams
     • Knowledge discovery
       • Help highlight what is interesting
     • Easily drop in different windows on network traffic
       • look at traffic from different perspectives
     • Evaluation

  24. Demo of tools

  25. Acknowledgements
     • Charles Robert Simpson for providing NETI@home packet capture source code
     • David Dagon for providing the botnet data

  26. Questions?
     Sven Krasser sven@ece.gatech.edu
     Gregory Conti conti@cc.gatech.edu
     Julian Grizzard grizzard@ece.gatech.edu
     Jeff Gribschaw jgribsch@ece.gatech.edu
     Henry Owen henry.owen@ece.gatech.edu
     Paper Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
