Network Eye: Enhancing Computer Security via End-to-End Communication Visualization
Glenn Fink
Chris North
Department of Computer Science
Virginia Polytechnic Institute and State University
Slide 2
This presentation focuses on a novel computer security visualization technology: Network Eye
End-to-End communication visualization concept
Network Eye’s place as a tool for computer security visualization
Partnership opportunities involving Network Eye
Slide 3
Network Eye occupies new territory in the computer security tool landscape

[Figure: a map of security tools on two axes. The horizontal axis, Communication Context, runs from Narrow to Broad: Internal Host View, Networked Host View, Network View, End-to-End View. The vertical axis, Presentation Mode, runs from Linear to Spatial: Text-based, Charts & Graphs, Dashboards, Visualizations. Tool groups as they appear on the map, from narrow to broad context (placement approximate):]

Internal Host View, text-based: log scanners, antivirus, ps, top, Tripwire HIDS
Networked Host View, text-based: netstat, lsof, tcpview, host firewalls, vulnerability checkers, HIDS
Charts & graphs: Spectrum, Orcallator
Network View, text-based: tcpdump, Ethereal, network firewalls, NIDS
Network View, charts & graphs: S-Net, NVisionIP (small multiple and machine views), AutoFocus, MRTG
Network View, visualizations: VisFlowConnect, NVisionIP (Galaxy View), EtherApe, RumInt, Rivet (Visible Computer)
Dashboards: Big Brother, Nagios, NVisionCC?, Sguil
End-to-End View, visualizations: The Visible Computer applet, NETWORK EYE
Slide 4
Network Eye provides End-to-End visualization by correlating network and host activities

[Figure: Network Eye screens labelled Client Host View, Network View, Server Host View and End-to-End View, with Source & Destination Port Maps and Source & Destination Network Maps]
Text-only packet traces:

23:04:22.813882 10.0.1.2.50128 > 239.255.255.253.svrloc: udp 49
23:04:22.988068 10.0.1.2.50130 > 10.0.1.1.osu-nms: udp 4
23:04:22.989256 10.0.1.1.osu-nms > 10.0.1.2.50130: udp 108
23:04:23.038353 10.0.1.2.50128 > 239.255.255.253.svrloc: udp 49
23:04:23.084775 10.0.1.3.52750 > 10.0.1.1.osu-nms: udp 4
23:04:27.988076 10.0.1.2.50131 > 10.0.1.1.osu-nms: udp 4
23:04:27.989258 10.0.1.1.osu-nms > 10.0.1.2.50131: udp 108
23:04:29.656096 10.0.1.1.domain > 10.0.1.3.60857: 6852 NXDomain* 0/0/0 (39)
23:04:35.614864 10.0.1.3.52754 > 10.0.1.1.osu-nms: udp 4
23:04:35.617335 10.0.1.1.osu-nms > 10.0.1.3.52754: udp 108
23:04:37.142782 10.0.1.3.ipp > 10.0.1.255.ipp: udp 100
Text-only process listings:

PID   TT  STAT  TIME     COMMAND
1     ??  Ss    0:00.03  /sbin/init
2     ??  Ss    0:28.26  /sbin/mach_init
51    ??  Ss    0:02.39  kextd
77    ??  Ss    0:56.27  update
81    ??  Ss    0:00.00  dynamic_pager -H 40000000 -L 160000000 -S 80000000 -F
112   ??  Ss    20:43.98 configd
135   ??  Ss    0:01.26  /System/Library/CoreServices/SecurityServer -X
187   ??  Ss    0:02.39  /sbin/autodiskmount -va
280   ??  Ss    0:01.61  syslogd
291   ??  Ss    0:00.01  /usr/libexec/crashreporterd
522   ??  S     0:00.71  /usr/sbin/httpd
635   ??  S     0:00.59  /usr/sbin/httpd
750   ??  S     0:01.48  /System/Library/CoreServices/SecurityAgent.app/Conten
1437  ??  Ss    0:07.20  slpd -f /etc/slpsa.conf
1477  ??  Ss    0:05.56  /usr/sbin/lookupd
1588  ??  S     0:02.51  /Applications/Library/BBEdit Lite 6.1/Beebee Edit /A
1579  std Ss    0:00.45  login -pf glenn
1580  std S     0:00.06  -tcsh (tcsh)
Slide 5
Portall shows clients and servers
It shows each process’s network connections
Portall can display packet dumps
Portall is a prototype of Network Eye’s “networked host view”
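The correlation that slides 4 and 5 describe, joining a packet trace to per-host process and socket listings so that each flow is shown as client process to server process, as an added example. This is not Network Eye's or Portall's code. The trace is constructed in tcpdump's classic output form, modelled on the one shown on the slide; the per-host socket tables are constructed in the shape of "lsof -i" output, and the PIDs, process names and the daemon assumed to own udp/192 on 10.0.1.1 are all assumptions. The service-name table exists only because the slide's trace shows resolved names; in practice capture with "tcpdump -nn" so the join is done on numeric ports.

```python
import re
from collections import OrderedDict

# Service names tcpdump prints in place of numeric ports (subset of /etc/services).
SERVICE_PORTS = {"domain": 53, "osu-nms": 192, "svrloc": 427, "ipp": 631}

# Constructed trace (not captured data), modelled on the trace shown on the slide.
TRACE = """\
23:04:22.813882 10.0.1.2.50128 > 239.255.255.253.svrloc: udp 49
23:04:22.988068 10.0.1.2.50130 > 10.0.1.1.osu-nms: udp 4
23:04:22.989256 10.0.1.1.osu-nms > 10.0.1.2.50130: udp 108
23:04:27.988076 10.0.1.2.50131 > 10.0.1.1.osu-nms: udp 4
23:04:27.989258 10.0.1.1.osu-nms > 10.0.1.2.50131: udp 108
23:04:29.656096 10.0.1.1.domain > 10.0.1.3.60857: 6852 NXDomain* 0/0/0 (39)
23:04:35.614864 10.0.1.3.52754 > 10.0.1.1.osu-nms: udp 4
23:04:35.617335 10.0.1.1.osu-nms > 10.0.1.3.52754: udp 108
23:04:37.142782 10.0.1.3.ipp > 10.0.1.255.ipp: udp 100
"""

# Constructed per-host socket snapshots, in the shape an "lsof -i -n -P" style host
# agent reports. PIDs, process names and the owner of udp/192 are assumptions.
HOST_SOCKETS = {
    "10.0.1.1": [
        {"proto": "udp", "port": 192, "pid": 1512, "cmd": "nmsd"},
        {"proto": "udp", "port": 53, "pid": 301, "cmd": "named"},
    ],
    "10.0.1.2": [
        {"proto": "udp", "port": 50128, "pid": 1437, "cmd": "slpd"},
        {"proto": "udp", "port": 50130, "pid": 1602, "cmd": "nmsclient"},
        # no entry for port 50131: that socket had closed before the snapshot
    ],
    # 10.0.1.3 runs no host agent, so its processes can never be resolved
}

_PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+(?P<rest>.*)$"
)


def port_number(name):
    """Numeric port for a tcpdump port field, or None if the name is unknown."""
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name)


def parse_packet(line):
    """Parse one tcpdump line into endpoints, protocol and payload length."""
    m = _PKT.match(line.strip())
    if not m:
        return None
    sport, dport = port_number(m["sport"]), port_number(m["dport"])
    if sport is None or dport is None:
        return None  # cannot map an unknown service name to a socket
    lm = re.match(r"(udp|tcp)\s+(\d+)", m["rest"])
    if lm:
        proto, length = lm.group(1), int(lm.group(2))
    elif m["sport"] == "domain" or m["dport"] == "domain":
        # tcpdump decodes DNS instead of printing "udp N"; the length is in parentheses
        pm = re.search(r"\((\d+)\)\s*$", m["rest"])
        proto, length = "udp", int(pm.group(1)) if pm else 0
    else:
        return None
    return dict(ts=m["ts"], sip=m["sip"], sport=sport, dip=m["dip"], dport=dport,
                proto=proto, length=length)


def lookup_process(host_sockets, ip, proto, port):
    """Resolve an endpoint to 'pid/command', distinguishing the two failure modes."""
    if ip not in host_sockets:
        return "no host data"        # no agent on that host (or a multicast/broadcast address)
    for s in host_sockets[ip]:
        if s["proto"] == proto and s["port"] == port:
            return f"{s['pid']}/{s['cmd']}"
    return "unmatched socket"        # short-lived socket not present in the snapshot


def correlate(trace_text, host_sockets):
    """Aggregate packets into client->server flows and label both ends with a process."""
    service_ports = set(SERVICE_PORTS.values())
    flows = OrderedDict()  # (client, server, proto) -> counters
    for line in trace_text.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        a, b = (p["sip"], p["sport"]), (p["dip"], p["dport"])
        fwd, rev = (a, b, p["proto"]), (b, a, p["proto"])
        if fwd in flows:
            key = fwd
        elif rev in flows:
            key = rev                      # reply to a flow already seen
        elif p["sport"] in service_ports and p["dport"] not in service_ports:
            key = rev                      # server-to-client packet seen first
        else:
            key = fwd                      # otherwise the destination is taken as the server
        st = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"]})
        st["packets"] += 1
        st["bytes"] += p["length"]
    rows = []
    for (client, server, proto), st in flows.items():
        rows.append({
            "client": client[0],
            "client_proc": lookup_process(host_sockets, client[0], proto, client[1]),
            "server": server[0], "server_port": server[1],
            "server_proc": lookup_process(host_sockets, server[0], proto, server[1]),
            "proto": proto, "packets": st["packets"], "bytes": st["bytes"],
        })
    return rows


def render(rows):
    """One line per flow: client process to server process, with volume."""
    return "\n".join(
        f"{r['client']} [{r['client_proc']}] -> {r['server']}:{r['server_port']}/{r['proto']} "
        f"[{r['server_proc']}]  packets={r['packets']} bytes={r['bytes']}"
        for r in rows)


if __name__ == "__main__":
    print(render(correlate(TRACE, HOST_SOCKETS)))
```

The two unresolved labels are the caveat a practitioner wants from such a join: "no host data" means the endpoint is outside the instrumented hosts (here the multicast and broadcast destinations and the un-instrumented 10.0.1.3), while "unmatched socket" means the host was instrumented but the ephemeral socket had already closed when the listing was taken, so host-side socket snapshots need to be sampled at least as often as short flows come and go.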
Slide 6
Network Eye GL is a “Network View” prototype written in OpenGL
Each dot represents a host machine
On the left are clients, on the right are servers
Most trusted hosts appear near the center
Lines of various colors illustrate connections
Slide 7
Network Eye presents mutually beneficial opportunities for research partnership
Business partnership provides relevance and experience for academics
Partnership is a win-win proposition
Academic partnership provides business with cutting-edge research
Slide 8
In summary, Network Eye provides insight-enhancing security and partnership opportunities
Network Eye integrates views of communications data
Reduces training costs while making administrators more effective
May be a conduit for ongoing business-academic partnership
Questions?