VisFlowConnect-IP: A Link-Based Visualization of Netflows for Security Monitoring (PowerPoint presentation)

Slide 1/58: VisFlowConnect-IP: A Link-Based Visualization of Netflows for Security Monitoring
William Yurcik <byurcik@ncsa.uiuc.edu>
National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign
FIRST'06, Baltimore, Maryland, USA

Slide 2/58: Outline
• Motivation
• Network Visualization for Security
• Our Approach: VisFlowConnect-IP
• Use Examples
• Future Work: Link-Based Clustering
• Summary

Slide 3/58: Outline (current section: Motivation)

Slide 6/58: More Lessons Learned from Castles
• Even medieval castles have monitoring systems for their innermost keeps
• Internet security should be designed like a castle, with multiple layers of defenses that an attacker must get past without being detected
  – Reduces the space of actions that an attacker can take and remain undetected
  – Components of a security monitoring framework can monitor each other
• Have clear observation points
  – Internet analogy: data sources and processes

Fort McHenry

Slide 8/58: OODA Loop

Slide 9/58: OODA Loop for Internet Security
• Data Sources (empirical, simulation, analytical)
• Human Collaboration (virtual presence, transparent)
• Inferences for Action
• Storage (distributed, fast, convenient)
• Processing (computation, data analysis, discovery)

Slide 10/58: Visualization in OODA Loop
• Data Sources (empirical, simulation, analytical)
• Human Collaboration (virtual presence, transparent)
• Inferences for Action
• Storage (distributed, fast, convenient)
• Processing (computation, data analysis, discovery)
• Visualization display systems (added to the loop diagram, appearing twice)

Slide 11/58: What is Visualization? Data (a numeric table) → Model → Visual Representation → Image

Slide 12/58: Visualization Can Help
Empirical Data:
• Visual vs Numerical (Visual Wins!)*
• Visual vs Auditory (Visual Wins)*
• Visual vs Tactile (Visual Wins)*
• Visual Spatial vs Visual Color (Visual Spatial Wins!)*
* [Chris Wickens, National Academy of Sciences Workshop on Visualizing Uncertainty, March 3, 2005]

Slide 13/58: Visualization Can Help (repeats the empirical data of slide 12 and adds:)
How?
1) See Previously Obscured Things
2) See New Things Faster (I never saw that before)
3) Share Insights (Do you see what I mean?)

Slide 14/58: Outline (current section: Network Visualization for Security)

Slide 15/58: Current Net Vis Security Ops Tools

Slide 16/58: Etherape by Juan Toledo can be found at http://etherape.sourceforge.net/ (screenshot: http://www.solaris4you.dk/sniffersSS.html)

Slide 17/58: Lumeta's Peacock Diagrams

Slide 18/58: CAIDA's Walrus

Slide 19/58: Research: Network Viz for Security
• Link-based approaches
  – Represent each host by a point
  – Fix each host at a certain position according to its IP
  – Visualize traffic between hosts by linkages (Teoh et al, 2004)
• Host-based approaches
  – Represent each host by a point
  – Fix each host at a certain position according to its IP
  – Visualize statistics of each host (NVisionIP - NCSA) (Elisha-Teoh et al)

Slide 20/58: AT&T's Graphviz

Slide 21/58: Graphviz again

Slide 22/58: Outline (current section: Our Approach: VisFlowConnect-IP)

Slide 23/58: Our Design Goals
• Traffic dynamics over time
• Filtering
• Scalability
• Expose hidden structures & patterns for further investigation

Slide 24/58: System Architecture
Diagram labels: Netflow Logs; agent; Visualization; Traffic Statistics; Host 1, Host 2, ……, Host k; Host Traffic Statistics

Slide 25/58: Reading Netflow Logs
• An agent reads records from a log (or from a stream)
  – sends each record to VisFlowConnect-IP when requested
• Reorder NetFlow records with a record buffer
  – records are not strictly sorted by time stamp
  – use a record buffer

Slide 26/58: VisFlowConnect-IP

Slide 27/58: VisFlowConnect-IP Main View
Screenshot labels: inside hosts axis; outside domains axis (appears twice)

Slide 28/58: VisFlowConnect-IP Internal View
Screenshot labels: Internal network sources; Internal network receivers

Slide 29/58: VisFlowConnect-IP Domain View: see activity within an external network domain
Screenshot labels: VisFlowConnect-IP; NVisionIP

Slide 30/58: Creating Dynamic Animation
• Visualizing traffic statistics with time
  – update visualization after each time unit
• How to arrange domains/hosts?
  – 100s of domains/hosts; added/removed over time
  – fairly stable positioning
• Solution: sort by IP
  – domains/hosts move up or down

Slide 31/58: Time Window
• User is usually interested in most recent traffic (e.g., in last minute or last hour)
• VisFlowConnect-IP only visualizes traffic in a user adjustable time window
  – Update traffic statistics when
    • A record comes into the time window
    • A record goes out of the time window

Slide 32/58: Time Dynamics
Screenshot labels: analog clock; time window; time axis; timestamp

Slide 33/58: Filtering/Highlighting Capability
• Approach
  – Filter out "good" traffic
    • User specifies a list of filters:
      + : (SrcIP=141.142.0.0 − 141.142.255.255), (SrcPort=1 − 1000)  //keep all records from domain 141.142.x.x, from port 1 – 1000
      − : (SrcPort=80)
      − : (DstPort=80)  //discard records of http traffic
  – Highlight "traffic of interest"
    • traffic colored by port

Slide 34/58: Highlighting "Traffic of Interest"
Screenshot labels: File I/O; Net; highlighted Domain; highlighted ports; VCR controls; highlighted flow

Slide 35/58: Storing Traffic Statistics
• Store traffic statistics involving each domain in a sorted tree
  – only the information necessary for visualization is stored
  – statistics for every domain or host can be updated efficiently
Diagram labels: Sorted tree of domains; Host statistics
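The processing pipeline that slides 25, 31, 33 and 35 describe (reorder records through a bounded buffer, apply "+"/"−" filters, keep statistics only for records inside a sliding time window), as an added Python example written for this page; it is not VisFlowConnect-IP's code. The Flow field set, the /16 "domain" grouping, the keep/discard semantics assumed for "+" and "−" rules, a dict standing in for the slides' sorted tree, and the sample records and filter text are all assumptions made here.

```python
import heapq
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address

# One NetFlow-style record; the field set is this example's, not VisFlowConnect-IP's.
@dataclass(frozen=True)
class Flow:
    ts: int       # timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    nbytes: int

# A condition reads "(SrcPort=1 - 1000)" or "(DstPort=80)"; ASCII '-' and U+2212 both accepted.
_COND = re.compile(r"\((\w+)=([\w.]+)(?:\s*[-\u2212]\s*([\w.]+))?\)")

def parse_filters(text):
    """Parse slide 33's '+ : (...), (...)' and '- : (...)' lines into (keep, [(field, low, high)]).
    '//' starts a comment; fields ending in 'IP' compare as addresses, the rest as ints."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if not line:
            continue
        sign, _, body = line.partition(":")
        conds = []
        for field, low, high in _COND.findall(body):
            conv = ip_address if field.endswith("IP") else int
            conds.append((field, conv(low), conv(high or low)))
        rules.append((sign.strip() == "+", conds))
    return rules

def passes(rules, flow):
    """Assumed semantics: keep a record if it satisfies every condition of at least one '+' rule
    (when any exist) and does not satisfy every condition of any '-' rule."""
    values = {"SrcIP": ip_address(flow.src), "DstIP": ip_address(flow.dst),
              "SrcPort": flow.sport, "DstPort": flow.dport}
    def hit(conds):
        return all(lo <= values[f] <= hi for f, lo, hi in conds)
    plus = [c for keep, c in rules if keep]
    if plus and not any(hit(c) for c in plus):
        return False
    return not any(hit(c) for keep, c in rules if not keep)

def reorder(records, buffer_size):
    """Slide 25's record buffer: a min-heap of at most buffer_size records keyed on timestamp."""
    heap = []
    for seq, r in enumerate(records):          # seq keeps equal timestamps stable
        heapq.heappush(heap, (r.ts, seq, r))
        if len(heap) > buffer_size:
            yield heapq.heappop(heap)[2]
    while heap:
        yield heapq.heappop(heap)[2]

def domain(ip):
    return ".".join(ip.split(".")[:2]) + ".x.x"   # assumed /16 grouping, written 141.142.x.x

class Window:
    """Slide 31's sliding time window; a dict keyed by (src domain, dst domain) stands in for the sorted tree."""
    def __init__(self, seconds, rules=()):
        self.seconds, self.rules = seconds, list(rules)
        self.active = deque()            # records inside the window, oldest first
        self.stats = defaultdict(int)    # (src domain, dst domain) -> bytes

    def add(self, flow):
        if not passes(self.rules, flow):
            return
        self.stats[(domain(flow.src), domain(flow.dst))] += flow.nbytes
        self.active.append(flow)
        # a record leaving the window has its bytes subtracted back out
        while self.active and self.active[0].ts <= flow.ts - self.seconds:
            old = self.active.popleft()
            key = (domain(old.src), domain(old.dst))
            self.stats[key] -= old.nbytes
            if self.stats[key] == 0:
                del self.stats[key]

SAMPLE = [  # constructed records, deliberately slightly out of timestamp order
    Flow(100, "141.142.1.5", "10.0.0.1", 443, 50000, 1500),
    Flow(103, "141.142.1.5", "10.0.0.2", 80, 50001, 700),   # HTTP: dropped by a '-' rule
    Flow(101, "192.168.0.9", "10.0.0.1", 5000, 22, 400),    # not 141.142.x.x: dropped
    Flow(102, "141.142.2.7", "10.0.0.3", 22, 50002, 800),
    Flow(170, "141.142.2.7", "10.0.0.3", 22, 50003, 300),   # pushes ts 100-103 out of a 60 s window
]

FILTERS = """\
+ : (SrcIP=141.142.0.0 - 141.142.255.255), (SrcPort=1 - 1000)  // keep 141.142.x.x, src ports 1-1000
- : (SrcPort=80)
- : (DstPort=80)  // discard http traffic
"""

def run(records=SAMPLE, filters=FILTERS, window_s=60, buffer_size=2):
    # buffer -> filter -> window; returns the live per-domain-pair byte counts
    w = Window(window_s, parse_filters(filters))
    for flow in reorder(records, buffer_size):
        w.add(flow)
    return dict(w.stats)
```

With the constructed sample, `run()` leaves only the 300-byte record inside the 60 s window (the three earlier kept records expire when the record at t=170 arrives), while `run(window_s=1000)` reports 2600 bytes for the same domain pair; the buffer size must be at least the maximum timestamp displacement in the input or records still arrive out of order.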

Slide 36/58: Scalability Experiments (plots)
• Runtime & Memory w.r.t. number of records
• Runtime & Memory w.r.t. time window size

Slide 37/58: Outline (current section: Use Examples)

Slide 38/58: Example 1: MS Blaster
• MS Blaster virus causes machines to send out 92 byte packets to many machines

Slide 39/58: Example 2: ? Multiple connections to NCSA cluster from same domain (scan? DoS?)

Slide 40/58: Example 2: ? Multiple connections to NCSA cluster from same domain (scan? DoS?)
Screenshot labels: Source: consecutive IP addresses; Destination: consecutive IP addresses

Slide 41/58: Example 2: Grid Networking. Cluster-to-cluster communications: multiple connections to NCSA cluster from same domain (scan? DoS?)
Screenshot labels: Source: consecutive IP addresses; Destination: consecutive IP addresses

Slide 42/58: Example 3: ?

Slide 43/58: Example 3: ? (screenshot label: NCSA web servers)

Slide 44/58: Example 3: Web Crawlers. Multiple crawlers indexing NCSA web server content
Screenshot labels: Web crawlers; NCSA web servers

Slide 45/58: Outline (current section: Future Work: Link-Based Clustering)

Slide 46/58: Visual Clustering of Hosts
• Visual clustering of hosts by link analysis
  – represent each host by a point
  – arrange hosts so related hosts are clustered

Slide 47/58: Relationships between Hosts
• Direct communications
  – traffic intensity between two hosts
• Indirect communications
  – e.g., two basketball fans (diagram labels: NBA, NCAA, ESPN)
• Port Activity (Services)
  – e.g., web servers/surfers, IRC (diagram label: IRC)

Slide 48/58: Initialization of Nodes. Colored points represent internal hosts, and gray points represent external ones. The size of a point is proportional to the logarithm of the traffic volume involving that host.
