Countering Denial of Information Attacks with Network Visualization

Gregory Conti

www.cc.gatech.edu/~conti

conti@acm.org

http://plus.maths.org/issue23/editorial/information.jpg

Disclaimer

The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. 

image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm

Denial of Information Attacks:

Intentional Attacks that overwhelm the human or otherwise alter their decision making

http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg

http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp

The Problem of Information Growth

• The surface WWW contains ~170TB (17xLOC) • IM generates five billion messages a day (750GB),

or 274 terabytes a year. • Email generates about 400,000 TB/year. • P2P file exchange on the Internet is growing

rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files).

http://www.sims.berkeley.edu/research/projects/how-much-info-2003/

Applying the Model & Taxonomy…

http://www.butterfly-insect.com/butterfly-insect/graphic/education-pic-worldlife-on.gif

Defense Taxonomy (Big Picture) Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)

Federal Can Spam Legislation (Jan 04)

California Business and Professions Code, prohibits the sending of unsolicited commercial email (September 98)

http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html

First Spam Conference (Jan 03)

Defense Taxonomy (Big Picture) Microsoft, AOL, Earthlink and Yahoo file 6 antispam lawsuits (Mar 04)

Federal Can Spam Legislation (Jan 04)

California Business and Professions Code, prohibits the sending of unsolicited commercial email (September 98)

http://www.metroactive.com/papers/metro/12.04.03/booher-0349.html

First Spam Conference (Jan 03)

Human Consumer

Human Producer

CommunicationChannel

ConsumerNode

RAM

HardDrive

CPU

ProducerNode

STM

LTM

Cognition

Consumer

Producer

RAM

HardDrive

CPUSTM

LTM

Cognition

Vision

Hearing

Speech

Motor

Vision

Hearing

Speech

Motor

System Model

Human Consumer

Human Producer

CommunicationChannel

ConsumerNode

RAM

HardDrive

CPU

ProducerNode

STM

LTM

Cognition

Consumer

Producer

RAM

HardDrive

CPUSTM

LTM

Cognition

Vision

Hearing

Speech

Motor

Vision

Hearing

Speech

Motor

very small text

exploit round off algorithm

trigger many alerts

ExampleDoI

Attacks

misleadingadvertisements

spoof browser

Human Consumer

Human Producer

CommunicationChannel

ConsumerNode

RAM

HardDrive

CPU

ProducerNode

STM

LTM

Cognition

Consumer

Producer

RAM

HardDrive

CPUSTM

LTM

Cognition

Vision

Hearing

Speech

Motor

Vision

Hearing

Speech

Motor

TCP Damping

UsableSecurity

Eliza Spam Responder

Decompression Bombs

ExampleDoI

Defenses

ComputationalPuzzle Solving

Orient

Observe

Act

Decide

Scan Subject Line

SpamDelete

Confirm DeletionSuccessful

Not Spam

No Observation

No Action

OverheadNumber of Email

x Time to Decide

OverheadNumber of Spam x Time to Delete

OverheadNumber of Spam

x Time to Observe

Total Overhead= (Number of Spam x (Time to Delete + Time to Observe))+(Number of Email X (Time to Decide + Time to Scan))

OverheadNumber of Email

x Time to Scan

For more information…

G. Conti and M. Ahamad; "A Taxonomy and Framework for Countering Denial of Information Attacks;" IEEE Security and Privacy. (to be published)

email me…

DoI Countermeasures in the Network Security Domain

information visualization is the use of interactive, sensory representations, typically visual, of abstract data to reinforce cognition.

http://en.wikipedia.org/wiki/Information_visualization

rumint v.51

nmap 3 (RH8)

NMapWin 3 (XP)

SuperScan 3.0 (XP)

SuperScan 4.0 (XP)

nmap 3 UDP (RH8)

nmap 3.5 (XP)

scanline 1.01 (XP)

nikto 1.32 (XP)

For more information… G. Conti and K. Abdullah; "

Passive Visual Fingerprinting of Network Attack Tools;" ACM Conference on Computer and Communications Security's Workshop on Visualization and Data Mining for Computer Security (VizSEC); October 2004.

--Talk PPT Slides

see www.cc.gatech.edu/~conti and www.rumint.org for the tool

G. Conti; "Network Attack Visualization;" DEFCON 12; August 2004.

--Talk PPT Slides --Classical InfoVis Survey PPT Slides--Security InfoVis Survey PPT Slides

Last year at DEFCON

First question…

How do we attack it?

Malicious Visualizations…

Pokemon

http://www.miowebitalia.com/desktop/cartoni/pokemon.jpg

Visual Information Overload (perception)

Attack Fading(memory)

Image: http://www.inf.uct.cl/~amellado/gestion_en_linux/etherape.jpg

http://etherape.sourceforge.net/

Motion Induced Blindness(perception)

http://www.keck.ucsf.edu/~yoram/mib-basic.html

Optical Illusions (perception)

http://www.ritsumei.ac.jp.nyud.net:8090/~akitaoka/index-e.html

Crying Wolf…(cognitive/motor)

• Snot vs. Snort

CDX 2003 DatasetX = TimeY = Destination IPZ = Destination Port

Labeling Attack (algorithm)

AutoScale Attack/Force User to Zoom(algorithm)

Precision Attack(algorithm)

http://developers.slashdot.org/article.pl?sid=04/06/01/1747223&mode=thread&tid=126&tid=172

http://www.nersc.gov/nusers/security/Cube.jpg

Occlusion(visualization design)

Jamming (visualization design)

For more information…

G. Conti, M. Ahamad and J. Stasko; "Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" Symposium on Usable Privacy and Security (SOUPS); July 2005. (submitted, under review)

See also www.rumint.org for the tool.

email me…

rumint v 1.15 beta

Net

wor

k pa

cket

s ov

er ti

me

Bit 0, Bit 1, Bit 2 Length of packet - 1

rumint 1.15 tool overview

network monitoring mode (left), clicking the small pane brings up the detailed analysis view for that visualization.

So what do you think…

Visual exploration of binary objects…

Reverse Engineering

• IDA Pro Dissassembler and Debugger

http://www.datarescue.com/idabase/

Textual vs. Visual Exploration

binaryexplorer.exe

visualexplorer.exe(visual studio)

calc.exe(unknown compiler)

rumint.exe(visual studio)

regedit.exe(unkown compiler)

Comparing Executable Binaries(1 bit per pixel)

mozillafirebird.exe(unknown compiler)

cdex.exe(unknown compiler)

apache.exe(unknown compiler)

ethereal.exe(unknown compiler)

image.bmp image.zipimage.jpg image.pae(encrypted)

Comparing Image Files(1 bit per pixel)

pash.mp3 disguises.mp3the.mp3

Comparing mp3 files(1 bit per pixel)

secvisw/Sven Krasser, Julian Grizzard, Jeff Gribschaw and Henry Owen (Georgia Tech)

Overview of Visualization

age

age

pa

cke

t si

ze

pa

cke

tsi

zecolor:protocol

color:protocol

0.0.0.0

65535255.255.255.255

0

timetime now now

Overview of Visualization

age

age

pa

cke

t si

ze

pa

cke

tsi

ze

color:protocol

color:protocol

0.0.0.0

65535255.255.255.255

0

timetime now now

Overview and Detail

Routine Honeynet Traffic(baseline)

Compromised Honeypot

Slammer Worm

Constant Bitrate UDP Traffic

Port Sweep

System Performance

For more information…

S. Krasser, G. Conti, J. Grizzard, J. Gribschaw and H. Owen; "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization;" IEEE Information Assurance Workshop (IAW); June 2005. (submitted)

email me…

Demos

• binary exploration

• rumint 1.15

• secvis

Questions?

Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg

Gregory Conticonti@cc.gatech.eduwww.cc.gatech.edu/~conti

Backup Slides

External IP to Internal Port

6 Oct 04 13 Oct 04 20 Oct 04 27 Oct 04 30 Nov 04

One Week Snapshots One Month