Countering Denial of Information Attacks with Network Visualization
Gregory Conti
www.cc.gatech.edu/~conti
http://plus.maths.org/issue23/editorial/information.jpg
Disclaimer
The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.
image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm
Denial of Information Attacks:
Intentional attacks that overwhelm the human or otherwise alter their decision making.
http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg
The Problem of Information Growth
• The surface WWW contains ~170 TB (17x LOC)
• IM generates five billion messages a day (750 GB), or 274 terabytes a year.
• Email generates about 400,000 TB/year.
• P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).
http://www.sims.berkeley.edu/research/projects/how-much-info-2003/
Applying the Model & Taxonomy…
http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif
Defense Taxonomy (Big Picture)
Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)
Federal Can Spam Legislation (Jan 04)
California Business and Professions Code, prohibits the sending of unsolicited commercial email (September 98)
http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html
First Spam Conference (Jan 03)
System Model (diagram): Human Producer → Producer Node → Communication Channel → Consumer Node → Human Consumer. Each human (producer and consumer) is modelled with Vision, Hearing, Speech and Motor channels plus STM, LTM and Cognition; each node is modelled with CPU, RAM and Hard Drive.
Example DoI Attacks (diagram, mapped onto the system model above): very small text, exploit round-off algorithm, trigger many alerts, misleading advertisements, spoof browser.
Example DoI Defenses (diagram, mapped onto the system model above): TCP Damping, Usable Security, Eliza Spam Responder, Decompression Bombs, Computational Puzzle Solving.
OODA loop applied to spam handling (diagram): Observe → Orient → Decide → Act.
Scan Subject Line → Decide (Spam / Not Spam). Spam → Delete → Confirm Deletion Successful. Not Spam → No Observation, No Action.
Overhead per stage: Number of Email × Time to Scan; Number of Email × Time to Decide; Number of Spam × Time to Delete; Number of Spam × Time to Observe.
Total Overhead = (Number of Spam × (Time to Delete + Time to Observe)) + (Number of Email × (Time to Decide + Time to Scan))
For more information…
G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (to be published)
email me…
"Information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition."
http://en.wikipedia.org/wiki/Information_visualization
Fingerprinted attack tools (figure): nmap 3 (RH8), NMapWin 3 (XP), SuperScan 3.0 (XP), SuperScan 4.0 (XP), nmap 3 UDP (RH8), nmap 3.5 (XP), scanline 1.01 (XP), nikto 1.32 (XP).
For more information…
G. Conti and K. Abdullah; "Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004. (Talk PPT Slides)
See www.cc.gatech.edu/~conti and www.rumint.org for the tool.
G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004. (Talk PPT Slides; Classical InfoVis Survey PPT Slides; Security InfoVis Survey PPT Slides)
Attack: Fading (memory)
Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg
http://etherape.sourceforge.net/
Attack: Precision (algorithm)
http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172
http://www.nersc.gov/nusers/security/Cube.jpg
For more information…
G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. (submitted, under review)
See also www.rumint.org for the tool.
email me…
rumint 1.15 tool overview
Network monitoring mode (left); clicking the small pane brings up the detailed analysis view for that visualization.
Comparing Executable Binaries (1 bit per pixel)
visualexplorer.exe (Visual Studio)
calc.exe (unknown compiler)
rumint.exe (Visual Studio)
regedit.exe (unknown compiler)
mozillafirebird.exe (unknown compiler)
cdex.exe (unknown compiler)
apache.exe (unknown compiler)
ethereal.exe (unknown compiler)
Overview of Visualization (figure): axes are packet age, packet size and time (ending at "now"); IP addresses range from 0.0.0.0 to 255.255.255.255 and ports from 0 to 65535; color encodes protocol.
For more information…
S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen; "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization;" IEEE Information Assurance Workshop (IAW); June 2005. (submitted)
email me…
Questions?
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
Gregory [email protected]/~conti