
Passive Visual Fingerprinting of Network Attack Tools

Gregory Conti, Kulsoom Abdullah, College of Computing, Georgia Institute of Technology

Upload: dwain-lyons

Post on 16-Jan-2016


TRANSCRIPT

Page 1:

Passive Visual Fingerprinting of Network Attack Tools

Gregory Conti, Kulsoom Abdullah

College of Computing, Georgia Institute of Technology

Page 2:

Motivation

Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.

• Law enforcement forensics

• Identify characteristics of new tools/worms

• Provide insight into attacker’s methodology & experience level

• Help network defender to initiate appropriate response

Page 3:

System Architecture

Pipeline (figure): Ethernet → Packet Capture → Parse → Process → Plot → Interact

• Packet Capture: tcpdump (pcap, snort); winpcap; tcpdump capture files

• Parse: Perl

• Process: Perl

• Plot: xmgrace (gnuplot)

Page 4:

Examining Available Data…

Link Layer (Ethernet): http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif (header diagram image)

Network Layer (IP): http://www.ietf.org/rfc/rfc0791.txt

Transport Layer (TCP): http://www.ietf.org/rfc/rfc793.txt

Transport Layer (UDP): http://www.ietf.org/rfc/rfc0768.txt

All raw data available on the wire:

• Application layer data

• Transport layer header

• Network layer header

• Link layer header

Focused on:

• Source / Destination Port

• Source / Destination IP

• Timestamp

• Length of raw packet

• Protocol Type

Page 5:

Attacks Fingerprinted

nmap 3.0

nmap 3.5

nmapwin 1.3.1

Superscan 3.0

Superscan 4.0

nessus 2.0.10

nikto 1.32

scanline 1.01

sara 5.0.3

NSA CDX dataset 2003

http://www.insecure.org/tools.html

Page 6:

Visualizations

• Time Sequence Data

– Sequence of Source/Destination Ports and IPs

– Sequence of Packet Lengths

– Sequence of Packet Protocols

• Port and IP Mapping

– Source Port to Destination Port

– Source IP to Destination IP

– Source IP to Destination Port

– Source Port/IP to Destination IP/Port

– Source IP/Port to Destination Port/IP

• Characterization of home/external network

Page 7:

parallel plot views (figure; three two-axis panels)

• External Port vs. Internal Port (both axes 0 to 65,535)

• External IP vs. Internal IP (both axes 0.0.0.0 to 255.255.255.255)

• External IP (0.0.0.0 to 255.255.255.255) vs. Internal Port (0 to 65,535)
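An added example, not the deck's own code (the slides' pipeline used tcpdump and Perl; this uses Python on constructed tcpdump-style text lines), showing the Parse and Process stages end to end: extracting the five fields the deck focuses on, separating home from external traffic, producing the (external port, internal port) pairs that a parallel plot draws, and computing one simple feature of the internal-port sequence. HOME_NET and the sample lines are assumptions.

```python
import re
import ipaddress

# Constructed tcpdump-style lines (not a real capture): an external host
# sweeping four TCP ports on a home host, one reply, and one UDP probe.
SAMPLE = """\
12:00:00.000100 IP 203.0.113.7.40001 > 192.168.1.10.21: Flags [S], length 0
12:00:00.000250 IP 203.0.113.7.40002 > 192.168.1.10.22: Flags [S], length 0
12:00:00.000400 IP 203.0.113.7.40003 > 192.168.1.10.23: Flags [S], length 0
12:00:00.000550 IP 203.0.113.7.40004 > 192.168.1.10.80: Flags [S], length 0
12:00:01.100000 IP 192.168.1.10.22 > 203.0.113.7.40002: Flags [S.], length 0
12:00:01.200000 IP 203.0.113.7.40005 > 192.168.1.10.8080: UDP, length 12
"""

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed "internal" network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)length (?P<len>\d+)$"
)

def parse(text):
    """Extract the five fields the deck plots: ports, IPs, timestamp, length, protocol."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match (ARP, truncated output) are skipped
            records.append({
                "ts": m["ts"], "sip": m["sip"], "sport": int(m["sport"]),
                "dip": m["dip"], "dport": int(m["dport"]), "len": int(m["len"]),
                "proto": "UDP" if m["rest"].startswith("UDP") else "TCP"})
    return records

def inbound(records):
    """Keep only external -> home packets, the direction the port/IP views show."""
    return [r for r in records
            if ipaddress.ip_address(r["dip"]) in HOME_NET
            and ipaddress.ip_address(r["sip"]) not in HOME_NET]

def parallel_edges(records):
    """(external port, internal port) pairs: each is one line on the parallel plot."""
    return [(r["sport"], r["dport"]) for r in inbound(records)]

def port_order_feature(records):
    """Share of successive internal-port steps that increase: near 1.0 for a
    sequential sweep, near 0.5 when the tool randomizes its port order."""
    ports = [r["dport"] for r in inbound(records)]
    steps = [b > a for a, b in zip(ports, ports[1:])]
    return sum(steps) / len(steps) if steps else 0.0
```

The edge list is what a plotting back end such as xmgrace or gnuplot would be fed; the reply packet from the home host is excluded so only the scanner's own behaviour shapes the picture.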

Page 8:

Baseline (figure: External Port / Internal Port and External IP / Internal IP views)

Page 9:

nmap 3 (RH8)

NMapWin 3 (XP)

SuperScan 3.0 (XP)

SuperScan 4.0 (XP)

nmap 3 UDP (RH8)

nmap 3.5 (XP)

scanline 1.01 (XP)

nikto 1.32 (XP)

Page 10:

Sara 5.0.3 (port to port)

Figure panels: Light, Medium, Heavy

Page 11:

Georgia Tech Honeynet

Figure panels: External IP / Internal Port; External Port / Internal Port; External IP / Internal IP

Page 12:

Also a Port to IP to IP to Port View

Four parallel axes (figure): External IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535), Internal Port (0 to 65,535), Internal IP (0.0.0.0 to 255.255.255.255)

Page 13:

Exploring nmap 3.0 in depth (port to IP to IP to port)

Figure panels: default (root); stealth FIN (-sF); NULL (-sN); SYN (-sS -O); stealth SYN (-sS); CONNECT (-sT); UDP (-sU); XMAS (-sX)

Page 14:

nmap within Nessus (port to IP to IP to port)

CONNECT (-sT)

UDP (-sU)

Nessus 2.0.10

Page 15:

SuperScan Evolution (port to IP to IP to port)

SuperScan 3.0

scanline 1.01

SuperScan 4.0

Page 16:

packet length and protocol type over time (figure; axes: ports, packets, length)

Page 17:

WinNMap

Page 18:

SuperScan 4.0

Page 19:

time sequence data (external port vs. packet)

Figure panels: nmap win; superscan 3 (axes: ports vs. packets)

Also internal/external IP and internal port

Page 20:

tool interface

Page 21:

Page 22:

Findings (Weaknesses)

• Interaction with personal firewalls

• Countermeasures

• Scale / labeling are issues

• Occlusion is a problem

• Greater interactivity required for forensics and less aggressive attacks

• Some tools are very flexible

• Source code not available for some tools

Page 23:

Findings (Strengths)

• Aggressive tools have distinct visual signatures

• Threading / multiple processes may be visible

• Some source code lineage may be visible

• Some OS/Application features are visible

• Some classes of stealthy attack are visible

Page 24:

Findings (Strengths)

• Sequence of ports scanned visible

• Frequently attacked ports visible

• Resistant to high volume network traffic

• Viable in the presence of routine traffic

• Useful against slow scans (hours-weeks)

• Useful against distributed scans

Page 25:

Future Work

• Add forensic capability

• Task driven interactivity (Zoom & filter, details on demand)

• Smart books (images & movies)

• Usability studies

• Stress test

• Explore less aggressive attack classes

Page 26:

Demo

Page 27:

classic infovis survey: www.cc.gatech.edu/~conti

security infovis survey: www.cc.gatech.edu/~conti

rumint tool: http://www.rumint.com/software.html

Visual Security Community: http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47

Kulsoom’s Research: http://users.ece.gatech.edu/~kulsoom/research.html

VizSEC Paper/Slides: http://users.ece.gatech.edu/~kulsoom/research.html

www.cc.gatech.edu/~conti

Page 28:

Acknowledgements

• Dr. John Stasko – http://www.cc.gatech.edu/~john.stasko/

• Dr. Wenke Lee – http://www.cc.gatech.edu/~wenke/

• Dr. John Levine – http://www.eecs.usma.edu/

• Julian Grizzard – http://www.ece.gatech.edu/

• 404.se2600 – Clint, Hendrick, icer, Rockit, StricK

Page 29:

Questions?

Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg

Greg Conti: [email protected], www.cc.gatech.edu/~conti

Kulsoom Abdullah: [email protected], http://users.ece.gatech.edu/~kulsoom/research.html