Date post: | 16-Jan-2016 |
Category: |
Documents |
Upload: | dwain-lyons |
View: | 213 times |
Download: | 0 times |
Passive Visual Fingerprinting of Network Attack Tools
Gregory ContiKulsoom Abdullah
College of ComputingGeorgia Institute of Technology
Passive Visual Fingerprinting of Network Attack Tools
Gregory ContiKulsoom Abdullah
College of ComputingGeorgia Institute of Technology
Motivation
Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.
•Law enforcement forensics
•Identify characteristics of new tools/worms
•Provide insight into attacker’s methodology & experience level
•Help network defender to initiate appropriate response
Ethernet
Packet Capture
Parse
Process
Plot
tcpdump(pcap, snort)
Perl
Perl
xmgrace(gnuplot)
tcpdumpcapturefiles
winpcap
VS
VS
VS Interact
System Architecture
Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
Link Layer (Ethernet)
Network Layer (IP)
Examining Available Data…
Transport Layer (TCP)
Transport Layer (UDP)
IP: http://www.ietf.org/rfc/rfc0791.txt
TCP: http://www.ietf.org/rfc/rfc793.txtUDP: http://www.ietf.org/rfc/rfc0768.txt
All raw data available on the wire:
• Application layer data
• Transport layer header
• Network layer header
• Link layer header
Focused on: • Source / Destination Port• Source / Destination IP• Timestamp• Length of raw packet• Protocol Type
Attacks Fingerprintednessus 2.0.10
nmap 3.0
nmap 3.5
nmapwin 1.3.1
Superscan 3.0
Superscan 4.0
nessus 2.0.10
nikto 1.32
scanline 1.01
sara 5.0.3
NSA CDX dataset 2003
http://www.insecure.org/tools.html
Visualizations• Time Sequence Data
– Sequence of Source/Destination Ports and IP’s– Sequence of Packet Lengths– Sequence of Packet Protocols
• Port and IP Mapping– Source Port to Destination Port – Source IP to Destination IP – Source IP to Destination Port– Source Port/IP to Destination IP/Port – Source IP/Port to Destination Port/IP
• Characterization of home/external network
External Port Internal Port
65,535 65,535
0 0
External IP Internal IP
255.255.255.255 255.255.255.255
0.0.0.0 0.0.0.0
External IP Internal Port
255.255.255.255 65,535
0.0.0.0 0
parallel plot views
Baseline
External Port Internal Port External IP Internal IP
nmap 3 (RH8)
NMapWin 3 (XP)
SuperScan 3.0 (XP)
SuperScan 4.0 (XP)
nmap 3 UDP (RH8)
nmap 3.5 (XP)
scanline 1.01 (XP)
nikto 1.32 (XP)
Sara 5.0.3(port to port)
Light Medium Heavy
Georgia Tech Honeynet
External IP Internal Port External Port Internal Port External IP Internal IP
External IP External Port Internal Port Internal IP
255.255.255.255 65,535 65,535 255.255.255.255
0.0.0.0 0 0 0.0.0.0
Also a Port to IP to IP to Port View
Exploring nmap 3.0 in depth(port to IP to IP to port)
default (root) stealth FIN (-sF) NULL (-sN)
SYN (-sS -O) stealth SYN (-sS) CONNECT (-sT)
UDP (-sU)
XMAS (-sX)
nmap within Nessus (port to IP to IP to port)
CONNECT (-sT)
UDP (-sU)
Nessus 2.0.10
SuperScan Evolution (port to IP to IP to port)
SuperScan 3.0
scanline 1.01
SuperScan 4.0
packet length and protocol type over time
port
s
packe
tslength
WinNMap
SuperScan 4.0
time sequence data(external port vs. packet)
nmap win superscan 3
port
s
port
spackets packets
Also internal/external IP and internal port
tool interface
Findings (Weaknesses)
• Interaction with personal firewalls• Countermeasures• Scale / labeling are issues• Occlusion is a problem• Greater interactivity required for forensics and less
aggressive attacks• Some tools are very flexible• Source code not available for some tools
Findings (Strengths)
• Aggressive tools have distinct visual signatures• Threading / multiple processes may be visible• Some source code lineage may be visible• Some OS/Application features are visible • Some classes of stealthy attack are visible
Findings (Strengths)
• Sequence of ports scanned visible• Frequently attacked ports visible• Resistant to high volume network traffic• Viable in the presence of routine traffic• Useful against slow scans (hours-weeks)• Useful against distributed scans
Future Work
• Add forensic capability
• Task driven interactivity (Zoom & filter, details on demand)
• Smart books (images & movies)
• Usability studies
• Stress test
• Explore less aggressive attack classes
Demo
classic infovis surveywww.cc.gatech.edu/~conti
security infovis surveywww.cc.gatech.edu/~conti
rumint toolhttp://www.rumint.com/software.html
Visual Security Communityhttp://www.ninjabi.net/index.php?option=com_nxtlinks&
catid=41&Itemid=47
Kulsoom’s Researchhttp://users.ece.gatech.edu/~kulsoom/research.html
VizSEC Paper/Slideshttp://users.ece.gatech.edu/~kulsoom/research.html
www.cc.gatech.edu/~conti
Acknowledgements
• Dr. John Stasko– http://www.cc.gatech.edu/~john.stasko/
• Dr. Wenke Lee– http://www.cc.gatech.edu/~wenke/
• Dr. John Levine– http://www.eecs.usma.edu/
• Julian Grizzard– http://www.ece.gatech.edu/
• 404.se2600– Clint– Hendrick– icer– Rockit– StricK
Questions?
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg
Greg [email protected]/~conti
Kulsoom [email protected]://users.ece.gatech.edu/~kulsoom/research.html