Passive Visual Fingerprinting of Network Attack Tools
Gregory Conti
Kulsoom Abdullah
College of Computing
Georgia Institute of Technology


Motivation

Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.

  • Law enforcement forensics
  • Identify characteristics of new tools/worms
  • Provide insight into attacker’s methodology & experience level
  • Help network defender to initiate appropriate response

System Architecture

[Architecture diagram, reconstructed from the slide's labels: a five-stage pipeline from the wire to the screen]

  • Packet Capture: Ethernet (link layer); tcpdump (pcap, snort); tcpdump capture files; winpcap
  • Parse: Perl
  • Process: Perl
  • Plot: xmgrace (gnuplot)
  • Interact: VS


Examining Available Data…

Link Layer (Ethernet)
Network Layer (IP)
Transport Layer (TCP)
Transport Layer (UDP)

All raw data available on the wire:

  • Application layer data
  • Transport layer header
  • Network layer header
  • Link layer header

Focused on:

  • Source / Destination Port
  • Source / Destination IP
  • Timestamp
  • Length of raw packet
  • Protocol Type

Header references:

  • IP: http://www.ietf.org/rfc/rfc0791.txt
  • UDP: http://www.ietf.org/rfc/rfc0768.txt
  • TCP: http://www.ietf.org/rfc/rfc793.txt
  • Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
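The capture and parse stages of the architecture, as an added example in Python rather than the authors' Perl scripts: a minimal reader for the libpcap file format that walks Ethernet, IPv4 and TCP/UDP headers and pulls out exactly the fields the slide focuses on (timestamp, raw packet length, protocol type, source/destination IP and port). The pcap bytes are constructed inline from two hand-built packets using documentation address ranges, so the example runs offline; the record field names are this example's own choice.

```python
import socket
import struct
from typing import Dict, List

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


# --- constructed sample capture (not data from the paper's honeynet) ---------

def _ipv4(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left as zero) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + payload


def _tcp(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Minimal 20-byte TCP header; data offset 5, SYN flag by default."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def _udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ethernet(payload: bytes, ethertype: int = 0x0800) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload


def build_sample_pcap() -> bytes:
    """A little-endian pcap file: global header, then one TCP SYN and one UDP packet."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [
        (1000, 0, _ethernet(_ipv4("203.0.113.7", "192.0.2.10", 6, _tcp(40001, 22)))),
        (1000, 500000, _ethernet(_ipv4("203.0.113.7", "192.0.2.10", 17, _udp(40002, 53, b"\x00" * 12)))),
    ]
    out = global_header
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# --- parse stage --------------------------------------------------------------

def parse_pcap(data: bytes) -> List[Dict]:
    """Return one record per captured frame with the fields the slides focus on."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # file written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")

    records, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        rec = {"timestamp": sec + usec / 1e6, "length": orig_len, "protocol": None,
               "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None}
        # Link layer: only IPv4 over Ethernet is decoded further.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            rec["protocol"] = "non-IPv4"
            records.append(rec)
            continue
        # Network layer: addresses and protocol type from the IPv4 header.
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        rec["src_ip"], rec["dst_ip"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        rec["protocol"] = PROTO_NAMES.get(proto, str(proto))
        # Transport layer: TCP and UDP both start with source and destination port.
        l4 = ip[ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            rec["src_port"], rec["dst_port"] = struct.unpack("!HH", l4[:4])
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_pcap(build_sample_pcap()):
        print(r)
```

A real capture from tcpdump or winpcap can be fed in by reading the file as bytes; records with `protocol == "non-IPv4"` (ARP, IPv6) keep only the timestamp and length, which is all the plotting stages need for the packet-length and protocol time-sequence views.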

Attacks Fingerprinted

http://www.insecure.org/tools.html

Visualizations
  • Time Sequence Data
    • Sequence of Source/Destination Ports and IP’s
    • Sequence of Packet Lengths
    • Sequence of Packet Protocols
  • Port and IP Mapping
    • Source Port to Destination Port
    • Source IP to Destination IP
    • Source IP to Destination Port
    • Source Port/IP to Destination IP/Port
    • Source IP/Port to Destination Port/IP
  • Characterization of home/external network
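The process and plot stages for the views listed above, as an added example in Python (not the authors' Perl and xmgrace scripts). It characterizes each packet as home or external against an assumed home network prefix (192.0.2.0/24), builds the per-packet axis values behind the port and IP mapping views, including the four-axis port-to-IP-to-IP-to-port view, produces the time-sequence series (value against packet number), and emits gnuplot data blocks. The packet records are constructed sample values from documentation address ranges, not honeynet data; the view names and field names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def _pkt(ts, src_ip, sport, dst_ip, dport, proto="TCP", length=60) -> Dict:
    return {"timestamp": ts, "src_ip": src_ip, "src_port": sport,
            "dst_ip": dst_ip, "dst_port": dport, "protocol": proto, "length": length}


# Constructed records in the shape the parse stage produces (sample values only).
SAMPLE_PACKETS = [
    _pkt(0.00, "203.0.113.7", 40001, "192.0.2.10", 21),
    _pkt(0.01, "203.0.113.7", 40002, "192.0.2.10", 22),
    _pkt(0.02, "203.0.113.7", 40003, "192.0.2.10", 23),
    _pkt(0.03, "203.0.113.7", 40004, "192.0.2.11", 80),
    _pkt(0.50, "192.0.2.10", 51000, "198.51.100.5", 443, length=1500),   # outbound, routine
    _pkt(0.60, "203.0.113.7", 40005, "192.0.2.10", 53, proto="UDP", length=42),
    _pkt(0.70, "192.0.2.10", 137, "192.0.2.11", 137, proto="UDP", length=92),  # never leaves home
]

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed home network for the example


def ip_to_int(ip: str) -> int:
    """Place a dotted quad on the 0.0.0.0 .. 255.255.255.255 axis."""
    return int(ipaddress.ip_address(ip))


def orient(pkt: Dict, home_net=HOME_NET) -> Optional[Tuple[str, int, str, int]]:
    """Characterize a packet as home/external. Returns
    (external_ip, external_port, internal_ip, internal_port), or None when the
    packet does not cross the home network boundary (internal-only or external-only)."""
    src_home = ipaddress.ip_address(pkt["src_ip"]) in home_net
    dst_home = ipaddress.ip_address(pkt["dst_ip"]) in home_net
    if src_home == dst_home:
        return None
    if dst_home:   # inbound: external source talking to an internal destination
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
    return (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])   # outbound


# Each view names, in order, the parallel axes a packet's polyline passes through.
VIEWS: Dict[str, Tuple[str, ...]] = {
    "external_port_to_internal_port": ("external_port", "internal_port"),
    "external_ip_to_internal_port": ("external_ip", "internal_port"),
    "external_ip_to_internal_ip": ("external_ip", "internal_ip"),
    "port_to_ip_to_ip_to_port": ("external_port", "external_ip", "internal_ip", "internal_port"),
}


def axis_value(oriented: Tuple[str, int, str, int], axis: str) -> int:
    ext_ip, ext_port, int_ip, int_port = oriented
    return {"external_ip": ip_to_int(ext_ip), "external_port": ext_port,
            "internal_ip": ip_to_int(int_ip), "internal_port": int_port}[axis]


def parallel_edges(packets: List[Dict], view: str, home_net=HOME_NET) -> List[Tuple[int, ...]]:
    """One tuple of axis values per boundary-crossing packet, in capture order."""
    axes = VIEWS[view]
    edges = []
    for pkt in packets:
        o = orient(pkt, home_net)
        if o is not None:
            edges.append(tuple(axis_value(o, a) for a in axes))
    return edges


def time_sequence(packets: List[Dict], axis: str, home_net=HOME_NET) -> List[Tuple[int, int]]:
    """(packet number, value) pairs, e.g. the 'external port vs. packet' series."""
    series = []
    for i, pkt in enumerate(packets):
        o = orient(pkt, home_net)
        if o is not None:
            series.append((i, axis_value(o, axis)))
    return series


def to_gnuplot(edges: List[Tuple[int, ...]]) -> str:
    """Parallel-coordinate data for gnuplot: x is the axis index, y the value.
    A blank line between packets makes `plot 'file' with lines` draw one polyline each."""
    blocks = ["\n".join(f"{x} {v}" for x, v in enumerate(edge)) for edge in edges]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_gnuplot(parallel_edges(SAMPLE_PACKETS, "external_port_to_internal_port")))
```

Writing the output of `to_gnuplot` to a file and plotting it with lines gives the two-axis views on the slide; the four-axis view is the same data with four x positions. The internal-only packet in the sample is dropped by `orient`, which is the home/external characterization the last bullet refers to.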
Parallel Plot Views

[Three parallel plot views, each joining a packet's values on two vertical axes]

  • External Port (0 to 65,535) to Internal Port (0 to 65,535)
  • External IP (0.0.0.0 to 255.255.255.255) to Internal Port (0 to 65,535)
  • External IP (0.0.0.0 to 255.255.255.255) to Internal IP (0.0.0.0 to 255.255.255.255)

Baseline

[Baseline plots of routine traffic on the four axes: External Port, Internal Port, External IP, Internal IP]

[Plots of captured scans, one per tool and host operating system]

  • nmap 3 UDP (RH8)
  • scanline 1.01 (XP)
  • SuperScan 3.0 (XP)
  • nmap 3 (RH8)
  • NMapWin 3 (XP)
  • nmap 3.5 (XP)
  • nikto 1.32 (XP)
  • SuperScan 4.0 (XP)

[Plots of Sara 5.0.3 (port to port) at its Medium, Heavy and Light scan settings]

Georgia Tech Honeynet

[Honeynet traffic in three views: External IP to Internal Port, External Port to Internal Port, External IP to Internal IP]

[Four-axis view: External IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535), Internal Port (0 to 65,535), Internal IP (0.0.0.0 to 255.255.255.255)]

Also a Port to IP to IP to Port View

Exploring nmap 3.0 in depth (port to IP to IP to port)

[One port-to-IP-to-IP-to-port plot per nmap scan type]

  • default (root)
  • stealth FIN (-sF)
  • NULL (-sN)
  • UDP (-sU)
  • SYN (-sS -O)
  • stealth SYN (-sS)
  • CONNECT (-sT)
  • XMAS (-sX)

nmap within Nessus (port to IP to IP to port)

[Plots: CONNECT (-sT), Nessus 2.0.10, UDP (-sU)]

SuperScan Evolution (port to IP to IP to port)

[Plots: SuperScan 3.0, SuperScan 4.0, scanline 1.01]

Time Sequence Data (external port vs. packet)

[Plots of external port (ports axis) against packet number (packets axis) for nmap win and superscan 3]

Also internal/external IP and internal port

Findings (Weaknesses)
  • Interaction with personal firewalls
  • Countermeasures
  • Scale / labeling are issues
  • Occlusion is a problem
  • Greater interactivity required for forensics and less aggressive attacks
  • Some tools are very flexible
  • Source code not available for some tools
Findings (Strengths)
  • Aggressive tools have distinct visual signatures
  • Threading / multiple processes may be visible
  • Some source code lineage may be visible
  • Some OS/Application features are visible
  • Some classes of stealthy attack are visible
Findings (Strengths)
  • Sequence of ports scanned visible
  • Frequently attacked ports visible
  • Resistant to high volume network traffic
  • Viable in the presence of routine traffic
  • Useful against slow scans (hours-weeks)
  • Useful against distributed scans
Future Work
  • Add forensic capability
  • Task driven interactivity (Zoom & filter, details on demand)
  • Smart books (images & movies)
  • Usability studies
  • Stress test
  • Explore less aggressive attack classes
Links

  • Classic infovis survey: www.cc.gatech.edu/~conti
  • Security infovis survey: www.cc.gatech.edu/~conti
  • rumint tool: http://www.rumint.com/software.html
  • Kulsoom’s Research: http://users.ece.gatech.edu/~kulsoom/research.html
  • Visual Security Community: http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47
  • VizSEC Paper/Slides: http://users.ece.gatech.edu/~kulsoom/research.html and www.cc.gatech.edu/~conti

Acknowledgements
  • Dr. John Stasko
    • http://www.cc.gatech.edu/~john.stasko/
  • Dr. Wenke Lee
    • http://www.cc.gatech.edu/~wenke/
  • Dr. John Levine
    • http://www.eecs.usma.edu/
  • Julian Grizzard
    • http://www.ece.gatech.edu/
  • 404.se2600
    • Clint
    • Hendrick
    • icer
    • Rockit
    • StricK
Questions?

Greg Conti

conti@cc.gatech.edu

www.cc.gatech.edu/~conti

Kulsoom Abdullah

gte369k@mail.gatech.edu

http://users.ece.gatech.edu/~kulsoom/research.html

Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg