Network Security Data Visualization Greg Conti www.cc.gatech.edu/~conti CS6262 http://www.cybergeography.org/atlas/walrus1_large.gif
http://www.interz0ne.com/
information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization
Why InfoVis? Helps find patterns Helps reduce search space Aids efficient monitoring Enables interaction (what if) Helps prevent overwhelming the user
So What? Go Beyond the Algorithm Help detect and understand some 0-day attacks Make CTF and Root Wars a Spectator Sport Help find insider threats Help visually fingerprint attacks What tasks do you need help with?
TCP Dump  image: http://www.bgnett.no/~giva/pcap/tcpdump.png
Network Traffic Viewed in Ethereal Ethereal by Gerald Combs can be found at http://www.ethereal.com/ image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
Network Traffic as Viewed in EtherApe Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ screenshot:  http://www.solaris4you.dk/sniffersSS.html
Outline Quick overview of Intrusion Detection Systems (IDS) Quick overview of Information Visualization What data is available on the wire Finding interesting combinations What the attacks look like
Intrusion Detection System An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network.  http://en.wikipedia.org/wiki/Intrusion-detection_system
Intrusion Detection System Types
Host-based intrusion detection is the art of detecting malicious activity within a single computer by using host log information, system activity, and virus scanners.
A network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns.
http://en2.wikipedia.org/wiki/Host-based_intrusion-detection_system http://en2.wikipedia.org/wiki/Network_intrusion_detection_system
Information Visualization Mantra Overview First, Zoom & Filter, Details on Demand - Ben Shneiderman http://www.cs.umd.edu/~ben/
Overview First…
Zoom and Filter…
Details on Demand…
What Tools are at Your Disposal… Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
What Can InfoVis Help You See? Relationships between X & Y & Z… Anomalies Outliers Extremes Patterns Comparisons and Differences Trends
User Tasks ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate http://www.siggraph.org/education/materials/HyperVis/concepts/matrx_lo.htm See also http://www1.cs.columbia.edu/~zhou/project/CHI98Title.html
Representative Current Research
Dr. Rob Erbacher Representative Research Visual Summarizing and Analysis Techniques for Intrusion Data  Multi-Dimensional Data Visualization A Component-Based Event-Driven Interactive Visualization Software Architecture  http://otherland.cs.usu.edu/~erbacher/
http://otherland.cs.usu.edu/~erbacher/ Demo
Dr. David Marchette Passive Fingerprinting Statistics for intrusion detection http://www.mts.jhu.edu/~marchette/
http://www.mts.jhu.edu/~marchette/ (images) http://www.galaxy.gmu.edu/stats/faculty/wegman.html (descriptions)
Soon Tee Teoh Visualizing Internet Routing Data http://graphics.cs.ucdavis.edu/~steoh/
CAIDA Code Red Worm Propagation Young Hyun David Moore  Colleen Shannon Bradley Huffaker http://www.caida.org/tools/visualization/walrus/examples/codered/
Jukka Juslin http://www.cs.hut.fi/~jtjuslin/ Intrusion Detection and Visualization Using Perl
Michal Zalewski TCP/IP Sequence Number Generation Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ "Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low."
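Zalewski's papers linked above judge ISN quality with a phase-space plot: successive ISN differences are taken as delayed coordinates and plotted in 3D, so a predictable generator collapses onto a small attractor while a good one fills the cube. The Python below is an added example by the editor, not code from the slides or from Zalewski's own tooling; it builds those points from an ISN sequence and measures how far they spread. Both ISN sequences are constructed (a fixed +64000 per connection, and uniform random draws), and wrap-around is handled by folding each difference modulo 2^32 into a signed range, which is the editor's choice for treating wrapped counters rather than something the papers prescribe.

```python
import random

MOD = 1 << 32


def signed_delta(a, b):
    """Difference b - a of two 32-bit sequence numbers, folded into [-2^31, 2^31)
    so that a counter wrapping past 2^32 still yields its small positive step."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d


def phase_space_points(isns):
    """Delayed-coordinate embedding of an ISN sequence, as in Zalewski's plots.

    For each n >= 3 the point is (s[n-2]-s[n-3], s[n-1]-s[n-2], s[n]-s[n-1]).
    A strong generator scatters these points through the cube; a predictable
    one collapses them onto a small attractor that is obvious in a 3D view.
    """
    deltas = [signed_delta(isns[i - 1], isns[i]) for i in range(1, len(isns))]
    return [(deltas[i - 2], deltas[i - 1], deltas[i]) for i in range(2, len(deltas))]


def attractor_size(points):
    """Number of distinct points: 1 for a constant-increment generator,
    close to len(points) for a random one."""
    return len(set(points))


def bounding_box(points):
    """Extent of the attractor along each axis; tiny for predictable generators."""
    xs, ys, zs = zip(*points)
    return tuple(max(c) - min(c) for c in (xs, ys, zs))


# Constructed ISN sequences (not captured data), used as assumptions for the demo:
# a fixed +64000 per connection in the style of old BSD stacks, and uniform random ISNs.
def constant_increment_isns(n, start=0xFFFF0000, step=64000):
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n, seed=1):
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, seq in (("constant +64000", constant_increment_isns(50)),
                      ("random", random_isns(50))):
        pts = phase_space_points(seq)
        print(f"{name}: {attractor_size(pts)} distinct points of {len(pts)}, "
              f"box={bounding_box(pts)}")
```

The three coordinates of each point are exactly the columns one would write to a Grace or gnuplot data file to reproduce the attractor pictures; attractor_size and bounding_box are just numeric stand-ins for what the eye picks up from the plot.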
Atlas of  Cyber Space http://www.cybergeography.org/atlas/atlas.html
John Levine The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks Interesting look at detecting zero-day attacks http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf
Port 135 MS BLASTER scans Date Public: 7/16/03 Date Attack: 8/11/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech
Port 1434 (MS-SQL) scans Date Public: 7/24/02  Date Attack: 1/25/03 Georgia Tech Honeynet Source:  John Levine, Georgia Tech
Port 554 (RTSP) scans Date Public: 8/15/2003  Date Attack: 8/22/03 Georgia Tech Honeypot Source:  John Levine, Georgia Tech
Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anomalies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/
More Hot Research Areas… feature selection  feature construction  incremental/online learning  noise in the data  skewed data distribution  distributed mining  correlating multiple models  efficient processing of large amounts of data  correlating alerts  signature detection  anomaly detection  forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/
One Approach… Look at TCP/IP Protocol Stack Data (particularly header information) Find interesting visualizations Throw some interesting traffic at them See what they can detect Refine
TCP/IP Protocol Stack http://ai3.asti.dost.gov.ph/sat/levels.jpg
Information Available On and Off the Wire Levels of analysis External data Time  Size Protocol compliance Real vs. Actual Values  Matrices of options Header slides http://ai3.asti.dost.gov.ph/sat/levels.jpg
Link Layer (Ethernet) http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif (stack diagram: Physical, Link, Network, Transport, Session, Presentation, Application)
Network Layer (IP) http://www.ietf.org/rfc/rfc0791.txt
Transport Layer (TCP) http://www.ietf.org/rfc/rfc793.txt
Transport Layer (UDP) http://www.ietf.org/rfc/rfc0768.txt
Exploitation Pattern of Typical Internet Worm
Target vulnerabilities on specific operating systems
Localized scanning to propagate (Code Red II): 3/8 of the time within the same Class B (/16 network), 1/2 of the time within the same Class A (/8 network), 1/8 of the time a random address
Allows for quick infection within internal networks with a high concentration of vulnerable hosts
Source: John Levine, Georgia Tech
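The locality mix on the slide can be turned into a check against honeynet data: classify every target a scanning host touched by how much address prefix it shares with the scanner, then compare the observed fractions with 3/8, 1/2 and 1/8. The Python below is an added example, not from the slides or from Levine's honeynet tooling. The observed target list is constructed, codered_ii_target only simulates the mix stated on the slide (the worm's own address filtering is not modelled), and the 0.05 tolerance is the editor's choice, meaningful only once a few hundred targets have been seen.

```python
import random
from collections import Counter

LOCALITY_CLASSES = ("same /16", "same /8", "random")
CODERED_II_MIX = {"same /16": 3 / 8, "same /8": 1 / 2, "random": 1 / 8}  # from the slide


def _octets(ip):
    return [int(o) for o in ip.split(".")]


def locality_class(src, dst):
    """Most specific prefix a target shares with the scanner:
    same /16, same /8 (but a different /16), or none ("random")."""
    s, d = _octets(src), _octets(dst)
    if s[0] != d[0]:
        return "random"
    if s[1] != d[1]:
        return "same /8"
    return "same /16"


def locality_profile(src, targets):
    """Fraction of targets in each locality class."""
    counts = Counter(locality_class(src, t) for t in targets)
    return {c: counts[c] / len(targets) for c in LOCALITY_CLASSES}


def looks_like_codered_ii(src, targets, tolerance=0.05):
    """True if every class fraction is within tolerance of the Code Red II mix.
    Editor's heuristic; needs a few hundred targets to be statistically meaningful."""
    profile = locality_profile(src, targets)
    return all(abs(profile[c] - CODERED_II_MIX[c]) <= tolerance for c in LOCALITY_CLASSES)


def codered_ii_target(src, rng):
    """Draw one target with the slide's mix: 3/8 same /16, 1/2 same /8, 1/8 anywhere.
    Simulation of the stated proportions only; real worm address filtering is omitted."""
    s = _octets(src)
    r = rng.random()
    if r < 3 / 8:
        return f"{s[0]}.{s[1]}.{rng.randrange(256)}.{rng.randrange(256)}"
    if r < 7 / 8:
        return f"{s[0]}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def simulate_scan(src, n, seed=7):
    rng = random.Random(seed)
    return [codered_ii_target(src, rng) for _ in range(n)]


# Constructed honeynet observation (not real data): destinations one scanning host probed.
OBSERVED_SRC = "10.100.1.120"
OBSERVED_TARGETS = ["10.100.7.3", "10.9.2.2", "172.16.0.1", "10.100.200.1"]

if __name__ == "__main__":
    print(locality_profile(OBSERVED_SRC, OBSERVED_TARGETS))
    sim = simulate_scan(OBSERVED_SRC, 4000)
    print(locality_profile(OBSERVED_SRC, sim), looks_like_codered_ii(OBSERVED_SRC, sim))
```

Plotting the three fractions per source host over time is the visual version of this rule: an infected host's bars settle onto the 3/8, 1/2, 1/8 shape, while a random-scanning worm or a human operator produces a very different profile.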
Ethernet Packet Capture / Parse / Process / Plot pipeline:
Capture: tcpdump (pcap, winpcap, snort), or existing tcpdump capture files
Parse: Perl (or C/C++)
Process: Perl (or C/C++)
Plot: xmgrace (or GNU plotutils, gtk+/OpenGL, HTML)
Grace “ Grace  is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP”  http://plasma-gate.weizmann.ac.il/Grace/
Required Files
Perl, tcpdump and grace need to be installed.
- http://www.tcpdump.org/
- http://www.perl.org/
- http://plasma-gate.weizmann.ac.il/Grace/
To install grace, download RPMs (or source) from ftp://plasma-gate.weizmann.ac.il/pub/grace/contrib/RPMS
The files you want:
grace-5.1.14-1.i386.rpm
pdflib-4.0.3-1.i386.rpm
Install (pdflib first):
# rpm -i pdflib-4.0.3-1.i386.rpm
# rpm -i grace-5.1.14-1.i386.rpm
Hello World Example
# tcpdump -lnnq -c10 | perl parse.pl | perl analyze.pl > outfile.dat
# xmgrace outfile.dat &
Optionally you can run xmgrace with an external format language file:
# xmgrace outfile.dat -batch formatfile
formatfile is a text file that pre-configures Grace, e.g.
title "Port Scan Against Single Host"
subtitle "Superscan w/ports 1-1024"
yaxis label "Port"
yaxis label place both
yaxis ticklabel place both
xaxis ticklabel off
xaxis tick major off
xaxis tick minor off
autoscale
Data Format
tcpdump outputs somewhat verbose output:
09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF)
parse.pl cleans up the output (timestamp split into fields, source and destination MAC, source address.port, address, port, destination address.port, address, port, protocol):
09 02 01 858240 0:6:5b:4:20:14 0:5:9a:50:70:9 10.100.1.120.4532 10.100.1.120 4532 10.1.3.0.1080 10.1.3.0 1080 tcp
analyze.pl extracts/formats for Grace: one "x y" pair per line, pairing the source port (x=0) with the destination port (x=1) for each packet:
0 4532
1 1080
0 4537
1 1080
0 2370
1 1080
Results Example 1 - Baseline with Normal Traffic Example 2 - Port Scan Example 3 - Port Scan “Fingerprinting” Example 4 - Vulnerability Scanner Example 5 - Wargame
Example 1 - Baseline
Normal network traffic: FTP, HTTP, SSH, ICMP…
Command Line
Capture raw data:
tcpdump -l -nnqe -c 1000 tcp or udp | perl parse.pl > exp1_outfile.txt
Run through analysis script:
cat exp1_outfile.txt | perl analyze_1a.pl > output1a.dat
Open in Grace:
xmgrace output1a.dat &
Example 2 - PortScan
Light "normal" network traffic (HTTP)
Command Line: run 2a.bat (chmod +x 2a.bat)
echo running experiment 2
echo 1-1024 port scan
tcpdump -l -nnqe -c 1200 tcp or udp > raw_outfile_2.txt
cat raw_outfile_2.txt | perl parse_2a.pl > exp2_outfile.txt
cat exp2_outfile.txt | perl analyze_2a.pl > output_2a.dat
xmgrace output_2a.dat &
echo experiment 2 completed
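The parse and analyze stages of the pipeline (the Data Format slide and Example 2 above), re-implemented as an added Python example by the editor; this is not the deck's parse.pl/analyze.pl. The regex is tied to the older tcpdump -nnqe line format shown on the Data Format slide (newer tcpdump prints "length N" and ethertype fields and will not match). The sample lines are constructed in that format (one normal exchange, a short sequential scan, one DNS query), and the min_ports threshold and the ascending_fraction heuristic are the editor's additions, not a description of how the slides fingerprint scanners.

```python
import re
from collections import defaultdict

# Matches the `tcpdump -l -nnqe` line format shown on the Data Format slide.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d+)\s+"
    r"(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+\d+:\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>tcp|udp)\b"
)

# Constructed sample output (not a real capture): a SOCKS/1080 exchange, a short
# sequential scan from 10.100.1.120 against 10.1.3.0, and one DNS query from another host.
SAMPLE_TCPDUMP = """\
09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF)
09:02:01.858512 0:5:9a:50:70:9 0:6:5b:4:20:14 60: 10.1.3.0.1080 > 10.100.1.120.4532: tcp 0 (DF)
09:02:02.101003 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4533 > 10.1.3.0.21: tcp 0 (DF)
09:02:02.101877 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4534 > 10.1.3.0.22: tcp 0 (DF)
09:02:02.102690 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4535 > 10.1.3.0.23: tcp 0 (DF)
09:02:02.103501 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4536 > 10.1.3.0.25: tcp 0 (DF)
09:02:03.000120 0:a:b:c:d:e 0:5:9a:50:70:9 74: 10.100.1.7.32771 > 10.1.3.0.53: udp 46
"""


def parse_line(line):
    """parse.pl stage: one tcpdump line -> dict of fields, or None if the line is in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "time": int(f["h"]) * 3600 + int(f["m"]) * 60 + int(f["s"]) + int(f["us"]) / 1e6,
        "smac": f["smac"], "dmac": f["dmac"],
        "sip": f["sip"], "sport": int(f["sport"]),
        "dip": f["dip"], "dport": int(f["dport"]),
        "proto": f["proto"],
    }


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def to_grace(records):
    """analyze.pl stage: one two-point set per packet, (0, src port) -> (1, dst port).
    Grace reads plain 'x y' rows and treats a line containing '&' as the end of a set."""
    return "".join(f"0 {r['sport']}\n1 {r['dport']}\n&\n" for r in records)


def distinct_dst_ports(records):
    """Destination ports touched per (src host, dst host) pair, in first-seen order."""
    ports = defaultdict(list)
    for r in records:
        key = (r["sip"], r["dip"])
        if r["dport"] not in ports[key]:
            ports[key].append(r["dport"])
    return ports


def flag_scanners(records, min_ports=3):
    """Pairs whose distinct destination-port count reaches min_ports: the fan of lines
    a port scan draws in the Grace plot, expressed as a rule (threshold is the editor's)."""
    return sorted((sip, dip, len(p)) for (sip, dip), p in distinct_dst_ports(records).items()
                  if len(p) >= min_ports)


def ascending_fraction(ports):
    """Share of consecutive port pairs that increase: near 1.0 for a sequential scanner
    (a staircase when port is plotted against time), near 0.5 for a randomized one."""
    if len(ports) < 2:
        return 0.0
    return sum(b > a for a, b in zip(ports, ports[1:])) / (len(ports) - 1)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_TCPDUMP)
    print(to_grace(recs), end="")
    for sip, dip, n in flag_scanners(recs):
        order = ascending_fraction(distinct_dst_ports(recs)[(sip, dip)])
        print(f"possible scan {sip} -> {dip}: {n} ports, ascending fraction {order:.2f}")
```

Running the module writes the same Grace data the slides feed to xmgrace, so `python3 thisfile.py > output.dat; xmgrace output.dat &` reproduces the Example 2 picture for the constructed traffic, with the scan flag printed to stderr-free stdout after the data (redirect only the data portion in practice, or drop the print).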
Attacker
Defender
Example 3 - PortScan "Fingerprinting"
Tools Examined:
Nmap Win 1.3.1 (on top of Nmap 3.00), XP attacker (http://www.insecure.org/nmap/)
Nmap 3.00, RH 8.0 attacker (http://www.insecure.org/nmap/)
Superscan 3.0, RH 8.0 attacker (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm)
nmap 3.00 default (RH 8.0) nmap 3.00 udp scan (RH 8.0) Superscan 3.0 Nmap Win 1.3.1
Three Parallel Scans
Example 4: Vulnerability Scanner Attacker: RH 8.0 running Nessus 2.0.10 Target:  RH 9.0
Example 5: Wargame Attackers:  NSA Red Team Defenders: US Service Academies Defenders lock down network, but must provide certain services Dataset -  http://www.itoc.usma.edu/cdx/2003/logs.zip
Zooming in on port 8080
Port 135
CAN-2003-0605 (tcp, any -> 135): The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
CAN-2003-0352 (protocol 6/tcp, any -> 135): Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm.
http://isc.incidents.org/port_details.html?port=135
Conclusions Limited fingerprinting of tools is possible Visualization can help drive better algorithms Some attacker techniques can be identified Some vulnerabilities can be identified
Demo See readme.txt Two demo scripts… runme.bat  (uses sample dataset) runme_sniff.bat (performs live capture, must be root) Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)
Future Distributed NIDS Visualization Real-time vs. Offline Interesting datasets 3D Other visualization techniques Visualization of protocol attacks Visualization of application layer attacks Visualization of physical layer attacks (?) Code up some stand-alone tools
Questions? http://carcino.gen.nz/images/index.php/04980e0b/53c55ca5
Who are your users:   1.   2.   3. What are their tasks?   1.   2.   3. ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
How analogue intelligence complements AI
Paul Rowe
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 

Network Security Data Visualization

  • 1. Network Security Data Visualization Greg Conti www.cc.gatech.edu/~conti CS6262 http://www.cybergeography.org/atlas/walrus1_large.gif
  • 3. information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition. http://en.wikipedia.org/wiki/Information_visualization
  • 4. Why InfoVis? Helps find patterns Helps reduce search space Aids efficient monitoring Enables interaction (what if) Help prevent overwhelming the user
  • 5. So What? Go Beyond the Algorithm Help with detecting and understand some 0 day attacks Make CTF and Root Wars a Spectator Sport Help find insider threats Help visually fingerprint attacks What tasks do you need help with?
  • 6. TCP Dump image: http://www.bgnett.no/~giva/pcap/tcpdump.png
  • 7. Network Traffic Viewed in Ethereal Ethereal by Gerald Combs can be found at http://www.ethereal.com/ image: http://www.linux-france.org/prj/edu/archinet/AMSI/index/images/ethereal.gif
  • 8. Network Traffic as Viewed in EtherApe Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ screenshot: http://www.solaris4you.dk/sniffersSS.html
  • 9. Outline Quick overview of Intrusion Detection Systems (IDS) Quick overview of Information Visualization What data is available on the wire Finding interesting combinations What the attacks look like
  • 10. Intrusion Detection System An intrusion-detection system (IDS) is a tool used to detect attacks or other security breaches in a computer system or network. http://en.wikipedia.org/wiki/Intrusion-detection_system
  • 11. Intrusion Detection System Types Host-based intrusion-detection is the art of detecting malicious activity within a single computer by using host log information system activity virus scanners A Network intrusion detection system is a system that tries to detect malicious activity such as denial of service attacks, port-scans or other attempts to hack into computers by reading all the incoming packets and trying to find suspicious patterns. http://en2.wikipedia.org/wiki/Host-based_intrusion-detection_system http://en2.wikipedia.org/wiki/Network_intrusion_detection_system
  • 12. Information Visualization Mantra Overview First, Zoom & Filter, Details on Demand - Ben Shneiderman http://www.cs.umd.edu/~ben/
  • 15. Details on Demand…
  • 16. What Tools are at Your Disposal… Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective
  • 17. What Can InfoVis Help You See? Relationships between X & Y & Z… Anomalies Outliers Extremes Patterns Comparisons and Differences Trends
  • 18. User Tasks ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate http://www.siggraph.org/education/materials/HyperVis/concepts/matrx_lo.htm See also http://www1.cs.columbia.edu/~zhou/project/CHI98Title.html
  • 20. Dr. Rob Erbacher Representative Research Visual Summarizing and Analysis Techniques for Intrusion Data Multi-Dimensional Data Visualization A Component-Based Event-Driven Interactive Visualization Software Architecture http://otherland.cs.usu.edu/~erbacher/
  • 22. Dr. David Marchette Passive Fingerprinting Statistics for intrusion detection http://www.mts.jhu.edu/~marchette/
  • 24. Soon Tee Teoh Visualizing Internet Routing Data http://graphics.cs.ucdavis.edu/~steoh/
  • 25. CAIDA Code Red Worm Propagation Young Hyun David Moore Colleen Shannon Bradley Huffaker http://www.caida.org/tools/visualization/walrus/examples/codered/
  • 26. Jukka Juslin http://www.cs.hut.fi/~jtjuslin/ Intrusion Detection and Visualization Using Perl
  • 27. Michal Zalewski TCP/IP Sequence Number Generation Initial paper - http://razor.bindview.com/publish/papers/tcpseq/print.html Follow-up paper - http://lcamtuf.coredump.cx/newtcp/ Caption of the plotted Linux 2.2 ISN sample: "Linux 2.2 TCP/IP sequence numbers are not as good as they might be, but are certainly adequate, and attack feasibility is very low."
  • 28. Atlas of Cyber Space http://www.cybergeography.org/atlas/atlas.html
  • 29. John Levine The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks Interesting look at detecting zero-day attacks http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf
  • 30. Port 135 MS BLASTER scans Date Public: 7/16/03 Date Attack: 8/11/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech
  • 31. Port 1434 (MS-SQL) scans Date Public: 7/24/02 Date Attack: 1/25/03 Georgia Tech Honeynet Source: John Levine, Georgia Tech
  • 32. Port 554 (RTSP) scans Date Public: 8/15/2003 Date Attack: 8/22/03 Georgia Tech Honeypot Source: John Levine, Georgia Tech
  • 33. Hot Research Areas… visualizing vulnerabilities visualizing IDS alarms (NIDS/HIDS) visualizing worm/virus propagation visualizing routing anomalies visualizing large volume computer network logs visual correlations of security events visualizing network traffic for security visualizing attacks in near-real-time security visualization at line speeds dynamic attack tree creation (graphic) forensic visualization http://www.cs.fit.edu/~pkc/vizdmsec04/
  • 34. More Hot Research Areas… feature selection feature construction incremental/online learning noise in the data skewed data distribution distributed mining correlating multiple models efficient processing of large amounts of data correlating alerts signature detection anomaly detection forensic analysis http://www.cs.fit.edu/~pkc/vizdmsec04/
  • 35. One Approach… Look at TCP/IP Protocol Stack Data (particularly header information) Find interesting visualizations Throw some interesting traffic at them See what they can detect Refine
  • 36. TCP/IP Protocol Stack http://ai3.asti.dost.gov.ph/sat/levels.jpg
  • 37. Information Available On and Off the Wire Levels of analysis External data Time Size Protocol compliance Real vs. Actual Values Matrices of options Header slides http://ai3.asti.dost.gov.ph/sat/levels.jpg
  • 38. Link Layer (Ethernet) http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif Physical Link Network Transport Application Presentation Session
  • 39. Network Layer (IP) http://www.ietf.org/rfc/rfc0791.txt Physical Link Network Transport Application Presentation Session
  • 40. Transport Layer (TCP) http://www.ietf.org/rfc/rfc793.txt Physical Link Network Transport Application Presentation Session
  • 41. Transport Layer (UDP) http://www.ietf.org/rfc/rfc0768.txt Physical Link Network Transport Application Presentation Session
  • 43. Exploitation Pattern of Typical Internet Worm Target Vulnerabilities on Specific Operating Systems Localized Scanning to Propagate (Code Red II; the original Code Red picked targets uniformly at random) 3/8 of time within same Class B (/16 network) 1/2 of time within same Class A (/8 network) 1/8 of time random address Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts Source: John Levine, Georgia Tech
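The localized-scanning probabilities on slide 43 are easy to state but their effect on what a honeynet sees is easier to appreciate by simulation. The following is an added example, not code from the slides or from John Levine's work: it models the three-way target choice (same /16, same /8, anywhere) for an infected host and measures how many probes land in that host's own /16 and /8. Addresses, the seed and the probe count are constructed for the demonstration.

```python
"""Simulate Code Red II-style localized target selection for an infected host."""
import random
from ipaddress import IPv4Address, IPv4Network

# Probabilities from the slide: 3/8 same /16, 1/2 same /8, 1/8 anywhere.
P_SAME16 = 3 / 8
P_SAME8 = 1 / 2


def pick_bucket(u):
    """Map a uniform draw u in [0, 1) onto the three target classes."""
    if u < P_SAME16:
        return "same16"
    if u < P_SAME16 + P_SAME8:
        return "same8"
    return "random"


def target_for(src, bucket, rng):
    """Draw one probe address in the given class relative to src (IPv4Address)."""
    src_int = int(src)
    if bucket == "same16":
        base, bits = src_int & 0xFFFF0000, 16   # keep src's /16 prefix
    elif bucket == "same8":
        base, bits = src_int & 0xFF000000, 8    # keep src's /8 prefix
    else:
        base, bits = 0, 0                       # anywhere in IPv4 space
    host = rng.getrandbits(32 - bits)           # randomize the remaining bits
    return IPv4Address(base | host)


def next_target(src, rng):
    """Next probe address for an infected host at src."""
    return target_for(src, pick_bucket(rng.random()), rng)


def simulate(src, n, seed=0):
    """Fraction of n probes that land in src's own /16 and /8.

    A honeynet sitting in the same /16 as one infected host therefore sees
    roughly 3/8 of that host's probes, not the 1/65536 share a uniform
    scanner would give it.
    """
    rng = random.Random(seed)
    net16 = IPv4Network((int(src) & 0xFFFF0000, 16))
    net8 = IPv4Network((int(src) & 0xFF000000, 8))
    in16 = in8 = 0
    for _ in range(n):
        t = next_target(src, rng)
        in16 += t in net16
        in8 += t in net8
    return in16 / n, in8 / n


if __name__ == "__main__":
    # Constructed infected host; real worm traffic is not needed to see the skew.
    f16, f8 = simulate(IPv4Address("10.100.1.120"), 20000)
    print(f"in same /16: {f16:.3f}   in same /8: {f8:.3f}")
```

The measured fractions come out slightly above 3/8 and 7/8 because the "random" and "same /8" draws occasionally land in the local prefixes by chance.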
  • 44. Ethernet Packet Capture Parse Process Plot tcpdump (pcap, winpcap, snort) Perl (c/c++) Perl (c/c++) xmgrace (GNU plotutils gtk+/opengl html) tcpdump capture files
  • 45. Grace “ Grace is a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP” http://plasma-gate.weizmann.ac.il/Grace/
  • 46. Required Files Perl, tcpdump and grace need to be installed. - http://www.tcpdump.org/ - http://www.perl.org/ - http://plasma-gate.weizmann.ac.il/Grace/ to install grace... Download RPMs (or source) ftp://plasma-gate.weizmann.ac.il/pub/grace/contrib/RPMS The files you want grace-5.1.14-1.i386.rpm pdflib-4.0.3-1.i386.rpm Install #rpm -i pdflib-4.0.3-1.i386.rpm #rpm -i grace-5.1.14-1.i386.rpm
  • 47. Hello World Example # tcpdump -lnnqe -c10 | perl parse.pl | perl analyze.pl > outfile.dat # xmgrace outfile.dat & Optionally you can run xmgrace with an external format language file… # xmgrace outfile.dat -batch formatfile
  • 48. Hello World Example (cont) Optionally you can run xmgrace with an external format language file… xmgrace outfile.dat -batch formatfile formatfile is a text file that pre-configures Grace e.g. title "Port Scan Against Single Host" subtitle "Superscan w/ports 1-1024" yaxis label "Port" yaxis label place both yaxis ticklabel place both xaxis ticklabel off xaxis tick major off xaxis tick minor off autoscale
  • 49. Data Format tcpdump outputs somewhat verbose output 09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF) parse.pl cleans up output 09 02 01 858240 0:6:5b:4:20:14 0:5:9a:50:70:9 10.100.1.120.4532 10.100.1.120 4532 10.1.3.0.1080 10.1.3.0 1080 tcp analyze.pl extracts/formats for Grace. 0 4532 1 1080 0 4537 1 1080 0 2370 1 1080
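The slides show the parse.pl and analyze.pl stages only by their input and output lines. The block below is an added example, written in Python rather than the author's Perl and not the course's own scripts: it parses the old tcpdump -nnqe text format from slide 49, emits the parse.pl-style field line, produces the two-column Grace data (read here as one two-point set per packet, x=0 for the source port and x=1 for the destination port, which is an assumption about analyze.pl), and goes one step past the slide by grouping destination ports per source so a sequential sweep can be told from a randomized one, the sort of distinction the port-scan "fingerprinting" slides rely on. The capture lines are constructed, and the thresholds (min_ports, seq_threshold) are illustrative choices.

```python
"""Parse tcpdump -nnqe text, emit Grace data, and characterize per-source scan order."""
import re
from collections import defaultdict

# Constructed sample in the tcpdump 3.x '-nnqe' text layout shown on the slide.
SAMPLE_TCPDUMP = """\
09:02:01.858240 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4532 > 10.1.3.0.1080: tcp 0 (DF)
09:02:01.858900 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.4537 > 10.1.3.0.1080: tcp 0 (DF)
09:02:02.001000 0:6:5b:4:20:14 0:5:9a:50:70:9 62: 10.100.1.120.2370 > 10.1.3.0.1080: tcp 0 (DF)
09:02:05.100000 0:6:5b:4:20:15 0:5:9a:50:70:9 60: 10.100.1.7.40001 > 10.1.3.0.21: tcp 0 (DF)
09:02:05.100500 0:6:5b:4:20:15 0:5:9a:50:70:9 60: 10.100.1.7.40001 > 10.1.3.0.22: tcp 0 (DF)
09:02:05.101000 0:6:5b:4:20:15 0:5:9a:50:70:9 60: 10.100.1.7.40001 > 10.1.3.0.23: tcp 0 (DF)
09:02:05.101500 0:6:5b:4:20:15 0:5:9a:50:70:9 60: 10.100.1.7.40001 > 10.1.3.0.24: tcp 0 (DF)
09:02:05.102000 0:6:5b:4:20:15 0:5:9a:50:70:9 60: 10.100.1.7.40001 > 10.1.3.0.25: tcp 0 (DF)
09:02:07.000000 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.80: tcp 0 (DF)
09:02:07.000400 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.443: tcp 0 (DF)
09:02:07.000800 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.22: tcp 0 (DF)
09:02:07.001200 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.3306: tcp 0 (DF)
09:02:07.001600 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.8080: tcp 0 (DF)
09:02:07.002000 0:6:5b:4:20:16 0:5:9a:50:70:9 60: 10.100.1.8.51000 > 10.1.3.0.21: tcp 0 (DF)
09:02:08.000000 0:6:5b:4:20:17 0:5:9a:50:70:9 90: 10.100.1.9.53 > 10.1.3.0.33000: udp 48
this line is deliberately unparsable and must be skipped
"""

# timestamp, src MAC, dst MAC, frame length, src ip.port > dst ip.port: proto ...
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.(?P<usec>\d+)\s+"
    r"(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+\d+:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>tcp|udp)\b"
)


def parse(text):
    """One dict per parsable line; lines the regex rejects are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def parse_pl_line(rec):
    """Field line in the layout parse.pl produces on slide 49."""
    return " ".join([
        rec["hh"], rec["mm"], rec["ss"], rec["usec"], rec["smac"], rec["dmac"],
        f'{rec["sip"]}.{rec["sport"]}', rec["sip"], rec["sport"],
        f'{rec["dip"]}.{rec["dport"]}', rec["dip"], rec["dport"], rec["proto"],
    ])


def grace_port_pairs(records):
    """analyze.pl-style data: per packet a set of (0, sport) and (1, dport).

    Drawn with lines, each set is one segment between two parallel port axes.
    Sets are separated by a line holding only '&', which Grace accepts in
    plain data files.
    """
    out = []
    for rec in records:
        out += [f'0 {rec["sport"]}', f'1 {rec["dport"]}', "&"]
    return "\n".join(out) + "\n"


def fingerprint_scans(records, min_ports=5, seq_threshold=0.8):
    """Label each source by the order in which it walks destination ports.

    A monotonic +1 walk is what a tool sweeping 1-1024 in order produces; nmap
    shuffles port order by default, so its sweep shows up as non-sequential.
    """
    ports_by_src = defaultdict(list)
    for rec in records:
        ports_by_src[rec["sip"]].append(int(rec["dport"]))
    labels = {}
    for sip, ports in ports_by_src.items():
        if len(set(ports)) < min_ports:
            labels[sip] = "no sweep"
            continue
        steps = [b - a for a, b in zip(ports, ports[1:])]
        seq_frac = sum(1 for s in steps if s == 1) / len(steps)
        labels[sip] = "sequential sweep" if seq_frac >= seq_threshold else "non-sequential sweep"
    return labels


if __name__ == "__main__":
    recs = parse(SAMPLE_TCPDUMP)
    print(parse_pl_line(recs[0]))
    print(grace_port_pairs(recs[:2]), end="")
    for sip, label in fingerprint_scans(recs).items():
        print(f"{sip:15} {label}")
```

Piping a live capture through it mirrors the slide's pipeline: tcpdump -lnnqe | python3 thisfile.py with parse() reading sys.stdin would replace the two Perl stages, and the grace_port_pairs() output goes straight to xmgrace.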
  • 50. Results Example 1 - Baseline with Normal Traffic Example 2 - Port Scan Example 3 - Port Scan “Fingerprinting” Example 4 - Vulnerability Scanner Example 5 - Wargame
  • 51. Example 1 - Baseline Normal network traffic FTP, HTTP, SSH, ICMP… Command Line Capture Raw Data tcpdump -l -nnqe -c 1000 tcp or udp | perl parse.pl > exp1_outfile.txt Run through Analysis Script cat exp1_outfile.txt | perl analyze_1a.pl > output1a.dat Open in Grace xmgrace output1a.dat &
  • 54. Example 2 - PortScan Light “normal” network traffic (HTTP) Command Line Run 2a.bat (chmod +x 2a.bat) echo running experiment 2 echo 1-1024 port scan tcpdump -l -nnqe -c 1200 tcp or udp > raw_outfile_2.txt cat raw_outfile_2.txt | perl parse_2a.pl > exp2_outfile.txt cat exp2_outfile.txt | perl analyze_2a.pl > output_2a.dat xmgrace output_2a.dat & echo experiment 2 completed
  • 58. Example 3- PortScan “Fingerprinting” Tools Examined: Nmap Win 1.3.1 (on top of Nmap 3.00) XP Attacker (http://www.insecure.org/nmap/) Nmap 3.00 RH 8.0 Attacker (http://www.insecure.org/nmap/) Superscan 3.0 RH 8.0 Attacker ( http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm)
  • 59. nmap 3.00 default (RH 8.0) nmap 3.00 udp scan (RH 8.0) Superscan 3.0 Nmap Win 1.3.1
  • 61. Example 4: Vulnerability Scanner Attacker: RH 8.0 running Nessus 2.0.10 Target: RH 9.0
  • 63. Example 5: Wargame Attackers: NSA Red Team Defenders: US Service Academies Defenders lock down network, but must provide certain services Dataset - http://www.itoc.usma.edu/cdx/2003/logs.zip
  • 68. Zooming in on port 8080
  • 70. Port 135 CAN-2003-0605 tcp any 135 The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CAN-2003-0352 6 any 135 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm. http://isc.incidents.org/port_details.html?port=135
  • 71. Conclusions Limited fingerprinting of tools is possible Visualization can help drive better algorithms Some attacker techniques can be identified Some vulnerabilities can be identified
  • 72. Demo See readme.txt Two demo scripts… runme.bat (uses sample dataset) runme_sniff.bat (performs live capture, must be root) Note: you must modify the IP address variable in the Analyzer script. (See analyzer2.pl for example)
  • 73. Future Distributed NIDS Visualization Real-time vs. Offline Interesting datasets 3D Other visualization techniques Visualization of protocol attacks Visualization of application layer attacks Visualization of physical layer attacks (?) Code up some stand-alone tools
  • 75. Who are your users: 1. 2. 3. What are their tasks? 1. 2. 3. ID Locate Distinguish Categorize Cluster Distribution Rank Compare Associate Correlate Color Size Shape Orientation Scale Interactivity Sequence Filtering Perspective

Editor's Notes

  • #2: “ These striking images are 3D hyperbolic graphs of Internet topology. They are created using the Walrus visualisation tool developed by Young Hyun at the Cooperative Association for Internet Data Analysis ( CAIDA ). The underlying data on the topological structure of the Internet is gathered by skitter , a CAIDA tool for large-scale collection and analysis of Internet traffic path data.” -http://www.cybergeography.org/atlas/topology.html