Overview The Thin Blue Line: Security SysAdmins • Current state of Internet Security � Better Tools for System Administration: – all metrics show bad -> worse – unpatched software vulnerabilities Enhancing the Human-Computer • Security System Administration – point-and-click attack software requires little skill Interface with Visualization – surveys show insider attacks greatest threat • Visualization (short) N-Dimensional Security Solution Space: • NCSA Approach: Three Working Tools • large networks • Class B IP address space, 65,000 devices Bill Yurcik • complex networks: <byurcik@ncsa.uiuc.edu> • 130K ports per computer (tcp/udp) Manager, NCSA Security Research • heterogeneous hw platforms (intel,mac,sgi,sun) • heterogeneous sw (OSs, applications) National Center for Advanced Secure Systems Research (NCASSR) • many services & protocols (web, mail, ftp, streaming,..) • many types & dynamic nature of both National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign • vulnerabilities (hw, sw (OS/application), network…) • attacks (worms, viruses, DoS, intrusions, …) 1 2 3 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science System Administration Security System Administration More Specifically… • High stress (interrupt driven) • Security policy development • Reporting of security state • Constantly changing • Security Incidence Response Team (IRT) • Vulnerability analysis results; progress on addressing • Takes years to master vulnerabilities • Different Styles • Surveillance for known patterns • Asset Management • Discovery of unknown patterns – “The Knob Tuners” • Authentication Systems • Security policy enforcement – “The Developers” • Backup* • Presentation of security architectures – “The Guru” • Security Monitoring (traffic, systems, IDS, firewall) • Detection of security events • Patch coordination • Current Security SysAdmin Tools from “The • Explanation of event correlation/fusion Developers” • Vulnerability assessment (proactive scanning) • Mission impact of security breaches – Command line and cryptic • Course-Of-Action (COA) selection • Special system security administration – Specific (seeing an elephant via many microscopes) • COA Justification – webserver, mailer, ftp, firewall, IDS – Dynamic (relearn) – Little or no interoperability between tools 4 5 6 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science 1
Current Security Monitoring Current Network Monitoring Visualization • Humans learn visually – 150 MB/sec – just-noticeable-difference – time dimension via animation “MTV generation” – leverage intuition “ecological design” • Compact graphical representation • Encourages exploration to make discoveries, decisions, explanations about – items – groups of items – patterns (trend, cluster, gap, outlier...) • Direct manipulation strategies – immediate query with visual feedback, mouse pointing, reducing errors 7 8 9 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science Visual Tool Design NCSA Approach The SIFT Approach “overview, zoom & filter, details-on-demand” “Know Thy Network” 1) Overview Gain an overview of the entire collection Tool1 • SIFT = Security Incident Fusion Tools 2) Zoom Zoom in on items of interest Tool2 3) Filter Filter out uninteresting items • Proposal – Increase Situational Awareness 4) Details-on-demand Select an item or group and – How? get details when needed – Visualization 5) Relate View relationships among items – Profiling 6) History Keep a history of actions to support – Data mining for discovery undo, replay, and progressive refinement 7) Extract Allow extraction of sub-collections and of the query parameters 10 11 12 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science 2
Three Working Security SysAdmin Tools The Specific Cluster Security Problem • Cluster becomes larger and thus harder to control – Titan (160 Nodes) 1. High Performance Cluster Computing: NVisionCC – Mercury (256 Nodes) Tool 1 – Platinum (512 Nodes) – Tungsten (1450 Nodes) 2. System State View: NVisionIP • Current state of protecting cluster is dangerous High Performance Cluster Security – Most of cluster nodes are publicly accessible 3. Link Analysis View: VisFlowConnect – Limited protection from border router “NVisionCC” – IDS not installed – Different hardware and software overview, zoom & filter, details-on-demand • Little research on cluster security and no tool tailored for cluster security Know Thy Network! – all existing cluster monitor tools are focused on performance monitoring 13 14 15 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science What Could Go Wrong? A Backend Cluster Security Systems NVisionCC Data Source Web Access TYPICAL LOGICAL VIEW OF A CLUSTER Data Analyzer Cluster Nodes One or more compute nodes User Interface Internet could be compromised from Internet directly. (Public Mgmt Nodes Host Info User Nodes accessible) Monitor Node Collector Process Ports Cluster node is compromised Mgmt Node from internal network. (Without even passing router) Database Compute Node ? Network Apache / PHP Some nodes communicate Logs Log with machines outside cluster. (Is it suspicious?) Storage Nodes Security Event Views Storage Storage Analyzer Alert Host Suspicious Suspicious Offline GigEthernet Myrinet Fibre 100Base-T Information Problem 16 17 18 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science 3
Prioritized GUI Individual Host Details Tool 2 System State View “NVisionIP” 19 20 21 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science NVisionIP Drill-Down Views Our SIFT Approach Small Multiple View 22 23 24 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science 4
Our SIFT Approach NVisionIP Tool 3 Link Analysis View “VisFlowConnect” 25 26 27 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science VisFlowConnect Domain View Internal View 28 29 30 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science 5
Our SIFT Approach Insights So Far… Conclusions • System Administrators are users too! • Humans are good at processing visual patterns (known) • No expert knowledge required! {maybe more important to consider than end users} • Abstraction – finding the appropriate level of observation • Security system administration is a natural • “Visual Debugging (problem-solving) application for better tools using visualization • Holistic Macro/Micro Views vs Divide-and-Conquer – Complex multi-dimensional space • Though we think in pictures, we are no good at describing – Current security sysadmin tools are poorly designed pictures (save functions) • Rough Consensus and Working Code • Capturing the time dimension of high-dimension data via animation is incredibly engaging to humans – no more visualization design theory but rather lets bake-off • Success depends on effective HCI and see what works best now – Looking at new ways to augment systems • Visualization tools are hard to develop but can administration in complex environments… quickly become impossible to live without (anti-autonomic) 31 32 33 University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science University of Illinois at Urbana-Champaign National Computational Science URL htttp://www.ncassr.org/projects/sift/ also Google “vizsec” for ACM CCS Workshop 34 University of Illinois at Urbana-Champaign National Computational Science 6
Recommend
More recommend