Countering Denial of Information Attacks with Network Visualization


Presentation Transcript


  1. Countering Denial of Information Attacks with Network Visualization Gregory Conti www.cc.gatech.edu/~conti conti@acm.org http://plus.maths.org/issue23/editorial/information.jpg

  2. Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm

  3. Denial of Information Attacks: Intentional Attacks that overwhelm the human or otherwise alter their decision making http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg

  4. http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp

  5. The Problem of Information Growth
  • The surface WWW contains ~170 TB (about 17 times the Library of Congress).
  • IM generates five billion messages a day (750 GB), or 274 terabytes a year.
  • Email generates about 400,000 TB/year.
  • P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).
  http://www.sims.berkeley.edu/research/projects/how-much-info-2003/

  6. Applying the Model & Taxonomy… http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif

  7. Defense Taxonomy (Big Picture)
  • Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)
  • Federal CAN-SPAM Legislation (Jan 04)
  • California Business and Professions Code prohibits the sending of unsolicited commercial email (September 98)
  • First Spam Conference (Jan 03)
  http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html

  9. System Model (figure): a human producer (vision, hearing, speech, motor, and cognition with short-term memory (STM) and long-term memory (LTM)) using a producer node (CPU, RAM, hard drive), linked over a communication channel to a consumer node and a human consumer with the same components.

  10. Example DoI Attacks, overlaid on the system model: very small text, misleading advertisements, spoof browser, exploit round-off algorithm, trigger many alerts.

  11. Example DoI Defenses, overlaid on the system model: Usable Security, TCP Damping, Eliza Spam Responder, Computational Puzzle Solving, Decompression Bombs.

  12. Overhead model (Observe / Orient / Decide / Act loop for handling email):
  Total Overhead = (Number of Spam × (Time to Delete + Time to Observe)) + (Number of Email × (Time to Decide + Time to Scan))
  Component overheads shown on the loop: Number of Spam × Time to Observe; Number of Email × Time to Scan (scan subject line); Number of Email × Time to Decide; Number of Spam × Time to Delete (delete spam, confirm deletion successful). Branches with no further cost: no observation; decided not spam, no action.

  13. For more information… G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (to be published) email me…

  14. DoI Countermeasures in the Network Security Domain

  15. information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization

  16. rumint v.51

  17. Tools shown (with the OS they ran on): nmap 3 UDP (RH8), scanline 1.01 (XP), SuperScan 3.0 (XP), nmap 3 (RH8), NMapWin 3 (XP), nmap 3.5 (XP), nikto 1.32 (XP), SuperScan 4.0 (XP)

  18. For more information…
  G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004. (Talk PPT slides; Classical InfoVis survey PPT slides; Security InfoVis survey PPT slides.)
  G. Conti and K. Abdullah; "Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004. (Talk PPT slides.)
  See www.cc.gatech.edu/~conti and www.rumint.org for the tool.

  19. Last year at DEFCON First question… How do we attack it?

  20. Malicious Visualizations…

  21. Pokemon http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg

  22. Visual Information Overload (perception)

  23. Attack Fading (memory) http://etherape.sourceforge.net/ Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg

  24. Motion Induced Blindness (perception) http://www.keck.ucsf.edu/~yoram/mib-basic.html

  25. Optical Illusions (perception) http://www.ritsumei.ac.jp.nyud.net:8090/~akitaoka/index-e.html

  26. Crying Wolf…(cognitive/motor) • Snot vs. Snort

  27. Labeling Attack (algorithm) CDX 2003 Dataset X = Time Y = Destination IP Z = Destination Port

  28. AutoScale Attack / Force User to Zoom (algorithm)

  29. Precision Attack (algorithm) http://www.nersc.gov/nusers/security/Cube.jpg http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172

  30. Occlusion(visualization design)

  31. Jamming (visualization design)

  32. For more information… G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. (submitted, under review) See also www.rumint.org for the tool. email me…

  33. rumint v 1.15 beta

  34. Network packets over time (figure): one packet per row, x-axis running from bit 0 to bit (length of packet - 1)

  35. rumint 1.15 tool overview: network monitoring mode (left); clicking a small pane brings up the detailed analysis view for that visualization.

  36. So what do you think…

  37. Visual exploration of binary objects…

  38. Reverse Engineering • IDA Pro Disassembler and Debugger http://www.datarescue.com/idabase/

  39. Textual vs. Visual Exploration

  40. binaryexplorer.exe

  41. visualexplorer.exe (Visual Studio). Comparing executable binaries (1 bit per pixel): rumint.exe (Visual Studio), calc.exe (unknown compiler), regedit.exe (unknown compiler), mozillafirebird.exe (unknown compiler), cdex.exe (unknown compiler), apache.exe (unknown compiler), ethereal.exe (unknown compiler)

  42. Comparing image files (1 bit per pixel): image.bmp, image.jpg, image.zip, image.pae (encrypted)

  43. Comparing mp3 files (1 bit per pixel): pash.mp3, the.mp3, disguises.mp3
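The 1-bit-per-pixel comparisons in slides 41 to 43 rest on a simple idea: lay the raw bits of a file out as an image and let the eye spot structure (headers, padding, text) versus the uniform noise of compressed or encrypted content. The following is an added example, not code from rumint, binaryexplorer or the slide author: it writes any byte string as a binary PBM (one pixel per bit) and measures the set-bit density per image row, which is the numeric counterpart of what the viewer sees. File names and sample bytes are constructed for the demonstration.

```python
"""Render bytes as a 1-bit-per-pixel PBM image and measure per-row bit
density. Added example (not rumint or binaryexplorer code); the sample
data below is constructed for the demonstration."""
import hashlib


def to_pbm(data: bytes, width_bytes: int = 64) -> bytes:
    """Pack data into a binary PBM (P4): each byte supplies 8 pixels, each
    row holds width_bytes bytes, and the final row is zero-padded."""
    rows = (len(data) + width_bytes - 1) // width_bytes
    padded = data + b"\x00" * (rows * width_bytes - len(data))
    header = f"P4\n{width_bytes * 8} {rows}\n".encode()
    return header + padded


def row_densities(data: bytes, width_bytes: int = 64) -> list:
    """Fraction of set bits in each image row of the unpadded data.
    Rows near 0.0 or 1.0 are padding or fill; a flat ~0.5 across every
    row is the signature of compressed or encrypted content."""
    densities = []
    for start in range(0, len(data), width_bytes):
        row = data[start:start + width_bytes]
        ones = sum(bin(b).count("1") for b in row)
        densities.append(ones / (8 * len(row)))
    return densities


def looks_high_entropy(data: bytes, width_bytes: int = 64,
                       tol: float = 0.1) -> bool:
    """True when every row's bit density lies within tol of 0.5, i.e. the
    image would appear as uniform noise rather than visible structure."""
    return all(abs(d - 0.5) <= tol for d in row_densities(data, width_bytes))


# Constructed sample resembling a PE file prologue: a short magic number,
# zero padding, an ASCII string, more zero padding (128 bytes in total).
STRUCTURED = (b"MZ\x90\x00" + b"\x00" * 60
              + b"This program cannot be run in DOS mode." + b"\x00" * 25)

# Constructed stand-in for encrypted/compressed content: a deterministic
# SHA-256 output chain, so the example runs offline and reproducibly.
RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))

if __name__ == "__main__":
    for name, blob in (("structured.bin", STRUCTURED), ("random.bin", RANDOM)):
        with open(name + ".pbm", "wb") as fh:
            fh.write(to_pbm(blob))
        print(name, [round(d, 3) for d in row_densities(blob)],
              "high entropy" if looks_high_entropy(blob) else "structured")
```

Open the generated .pbm files in any image viewer to see the same contrast the slides show: the structured sample renders as mostly black with a thin band of text, while the random sample renders as even speckle.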

  44. secvis, with Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech)

  45. Overview of Visualization

  47. Overview and Detail

  48. Routine Honeynet Traffic(baseline)