This is where you can start discussions around security visualization topics.
NOTE: If you want to submit an image, post it in the graph exchange library!
You might also want to consider posting your question or comment on the SecViz Mailinglist!
I was culling through the logs on one of my systems the other day and realized that I was getting a fair amount of alerts from my Symantec A/V servers. At first, I was not interested in what malware was being detected and cleaned but it got me thinking about what interesting patterns existed. I suspected that the majority of malware infections were caused by a minority of users as most malware these days require some user action. To test this theory I wrote a simple parser
to convert the logs to something that I could push into a visualizer and started looking for interesting patterns.
As announced on the Picviz mailing list, the new GUI is out. This is not a new release of the engine (libpicviz) but the GUI.
There is a lot of new feature that came from the Google summer of code, since Picviz was a project proposed by the Honeynet project. It is mostly about interaction that a graphical interface can give you to deal with parallel coordinates.
You can download it there: http://www.wallinfire.net/files/picviz
As promised once I managed to get 2.0 out I would make 1.0 a free download. 2.0 we've added the world map, timeline and organizational data. What was interesting was we started to look for "soft" targets, home users, colleges etc. The places that hackers tend to "train" on...( I know that some colleges and home users are built like fort Knox : )
When we started to use the filters on the timeline, specifically looking for universites it opened up a whole new avenue for exploration. I found a couple of systems with possible "interesting" traffic not detected by my snort, Cisco IPS or symantec software. We're in the process of adding an hourly report. I wanted this to be similar to the hourly wrap conducted by most organizations..ie looking for "strange" traffic (low port to low port, multiple connections to new ip addresses but source port remaining the same etc etc...anything that we would consider "crafted" or maybe unusual.) I think the timeline gives an interesting filter approach to visually looking at the data...we have some other stuff up our sleeve (especially with the timeline...but also about displaying the hourly datasets....I thought about a "virus" like approach with "cells" representing events, but turning darker and mutating if they meet preconditions...i know it sounds strange but in my head it seems to work :) )
you can download the free "lite" version (no timeline, no world map, no organizational data etc but should give you an idea how easy it is to set up)
and yes we will update the demo page to include the new stuff.....:)
Mainly as a bit of fun, I thought it would be interesting to sort some of our SPAM into distinct groups and make some wordclouds, or more specifically SPAMclouds from the content of the spam.
Attached is the cloud for SPAM attempting to recruit Money Mules.
You can see the Phishing and Advance Fee Fraud (AFF) clouds and the full story here http://honeynet.org.au/?q=spamclouds
At the CISSE 2009 conference, we held a workshop on Security Visualization, during which we identified a number of research problems associated with security visualization. You can find them listed below. Tomorrow, we will identify use-cases for security visualization. If you have any use-cases that you want us to consider, comment on here!
I'm trying to use afterglow 1.5 on a gentoo system and running into an issue that I hope you can help me figure out.
When I read a dump file into tcpdump2csv.pl, using the switches documented, I get absolutely no output. If I turn on debug, I get my tcpdump lines, preceded by "ERROR:" as below:
ERROR: 2009-05-04 18:37:28.332949 In ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 77)
ERROR: 22.214.171.124.53 > 126.96.36.199.56383: 14710 1/0/0 mail.lab.spb.ru. A 188.8.131.52 (49)
If I run with tcpdump -ttnnlr, I get a little closer to the lines in your documentation, in that the timestamp is on the same line as the capture info:
ERROR: 1241462458.413252 In ethertype IPv4 (0x0800), length 93: 184.108.40.206.53 > 220.127.116.11.43954: 7712 1/0/0 A 18.104.22.168 (49)
There is no description of what the error is, and still no CSV output is appearing.
If it makes a difference, I am running with tcpdump 4.0. If I can add an ebuild for afterglow 2.0 for the gentoo world, I will give that a try and see if I get a little further.
The 6th International Workshop on Visualization for Cyber Security (VizSec) will be held October 11, 2009 in Atlantic City, NJ, USA in conjunction with VisWeek 2009.
The deadline for full papers (12 pages) is May 8, 2009. The deadline for short papers (6 pages) is May 22, 2009.
Please see the web site for formatting instructions, templates and information on how to submit your paper.
Take a look at my site www.manntechcomputersinc.com We have developed a visualization tool for pix/asa and snort. It maps ip to geographical locations countries (source or destination), anonymous proxies , sat providers, regions etc. We repsent countries by flags and provide users to add their own icons. I'd be interested to hear what people think....
The chart represent several hours of conficker's P2P Udp activity, it relates destination address with dest UDP used.
This is my smart analysis about the first 20days of April 2009 ccTLD (country code top level domain) generated by the algorithm used by worm for pseudo random domain name generation.
The following chart show the frequency for each ccTLD. As you can see there is a sort of attractor for some ccTLD such as AG, BO, LC, HN, PE, and TW. A singular point is for DJ ccTLD domain. For more information http://extraexploit.blogspot.com. This kind of analysis I think that is usefull for get evidence as indicator of conficker.c activities inside your corporate network.
Feedback are well come.