We've been playing around with augmented reality for a time now; the technology seems to be on a tipping point with iPhone (not just the overlay - not truly AR, but they do have true AR apps), Android and other forms of capture and processing. To me this is the future of security visualization. I know it is a bold statement to make, but when you start to develop and delve deeper the possibilities are endless. If you look at my site you will see the direction of our research. ( http://www.manntechcomputersinc.com/Researching_Now.html ) I'm going to release a video asap of where we are with our AR. I think the subject of security AR is too important to completely commercialize. With that respect any "breakthroughs" that we are having will be made open source. If some of you are new to the AR scene there is a good open source tool called artoolkit. Google it and you will see it doesn't take an hour to start playing and testing with AR. For those of you interested please drop me a line at email@example.com.
So I'm almost ready to release a tool that reads/parses ASCII tcpdump logs and animates visualizations of the structure of the packets in the file in sequence. You can find a video of it here:
(Try it HD, full screen)
The packets are laid out left to right, from byte 0 to byte 1500ish. The Y axis is based on the value seen in a given position in the packet (0-255). Colors are based on a combination of "value in position difference from average" and "first byte of the source IP". (Although this will eventually be somewhat customizable... it's just what I have in there now.) The app then displays the packets over time... using a window of 1-N packets at a time (depending on the dataset, different windows help you see patterns you wouldn't otherwise). The further back in the window a packet is, the more transparent/faded it is... this helps distinguish between newer/older packets being seen as well as to help with smoother animations of patterns seen. The app will let you stop the animation at a given point, change how many packets are seen on the fly (so, if you want to see 1 at a time, you can), and step manually through the packets (backward or forward). At some point, I hope to be able to show what value/position combination each of the dots represents if you hover over them.
For me, I use this to get an idea of the boundaries of protocols I don't know, look for "unusual" packets, and look for correlations I wasn't previously aware of between values.
(In this set, the far left will be the TCP/IP headers, but the bulk right of that is payload... you can tell most of the payload is human-readable... the values fall into ASCII ranges more than anything else)
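The layout the post describes (x = byte offset, y = byte value, colour from the per-position deviation and the first source-IP octet, older packets in the window faded) can be reproduced from plain `tcpdump -x` output. The following is an added example written for this page, not the poster's tool: it parses the hex rows, computes the per-offset averages, emits one animation frame's points, and adds the payload-boundary and printable-ASCII check that the last paragraph uses by eye. The two packets in `SAMPLE_DUMP` are constructed; the colour mapping and the `-x` (no ASCII column, IPv4/TCP) input format are this example's assumptions.

```python
import re
from statistics import mean

# Constructed sample in `tcpdump -x` style: header line, then indented hex rows.
# Checksums are not valid; only the layout matters here.
SAMPLE_DUMP = """\
12:00:00.000001 IP 10.0.0.1.1234 > 10.0.0.2.80: Flags [P.], length 4
\t0x0000:  4500 002c 0001 0000 4006 66c8 0a00 0001
\t0x0010:  0a00 0002 04d2 0050 0000 0000 0000 0000
\t0x0020:  5018 2000 0000 0000 4745 5420
12:00:00.000002 IP 192.168.1.9.4321 > 10.0.0.2.80: Flags [P.], length 4
\t0x0000:  4500 002c 0002 0000 4006 0000 c0a8 0109
\t0x0010:  0a00 0002 10e1 0050 0000 0000 0000 0000
\t0x0020:  5018 2000 0000 0000 504f 5354
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+([0-9a-fA-F ]+?)\s*$")


def parse_packets(text):
    """Group `tcpdump -x` output into packets: a non-indented header line
    followed by indented `0xNNNN:` hex rows. Returns a list of bytes objects."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if current is None:
                continue  # hex row before any header line: ignore it
            current.extend(bytes.fromhex(m.group(2).replace(" ", "")))
        elif line.strip():
            if current:
                packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets


def source_first_byte(pkt):
    """First octet of the IPv4 source address (offset 12 of the IP header)."""
    return pkt[12]


def position_averages(packets):
    """Mean value at each byte offset, over the packets long enough to have it."""
    longest = max(len(p) for p in packets)
    return [mean(p[i] for p in packets if len(p) > i) for i in range(longest)]


def payload_offset(pkt):
    """Start of the TCP payload: IPv4 IHL plus TCP data offset (both in 32-bit words)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp_header = (pkt[ihl + 12] >> 4) * 4
    return ihl + tcp_header


def printable_fraction(pkt):
    """Share of payload bytes in the printable ASCII range; near 1.0 means text."""
    payload = pkt[payload_offset(pkt):]
    if not payload:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in payload) / len(payload)


def layout_frame(packets, newest, window, averages=None):
    """Points for one animation frame: the `window` packets ending at index `newest`.
    Each point is (x=offset, y=value, rgb, alpha); older packets fade toward 0."""
    if averages is None:
        averages = position_averages(packets)
    oldest = max(0, newest - window + 1)
    points = []
    for idx in range(oldest, newest + 1):
        pkt = packets[idx]
        alpha = (idx - oldest + 1) / (newest - oldest + 1)  # newest packet is opaque
        src = source_first_byte(pkt)
        for x, value in enumerate(pkt):
            diff = value - averages[x]
            # Colour mapping is this example's own choice (assumption): red from
            # the distance to the per-position average, green/blue from the source octet.
            rgb = (min(255, int(abs(diff))), src, 255 - src)
            points.append((x, value, rgb, alpha))
    return points


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_DUMP)
    for i, p in enumerate(pkts):
        print(f"packet {i}: {len(p)} bytes, payload from offset {payload_offset(p)}, "
              f"printable {printable_fraction(p):.0%}")
    print(len(layout_frame(pkts, newest=1, window=2)), "points in the last frame")
```

Feeding the frames to any plotting library (one scatter per frame, alpha per point) gives the animation; stepping `newest` forward or backward and changing `window` are the controls the post mentions.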
Team Cymru launched a Mac OS X screensaver that displays a global infection map on a rotating globe, together with an RSS and Twitter feed. http://www.team-cymru.org/News/Screensaver/
Hi all, Team Cymru has posted a movie of some of the visualizations we've made on youtube. www.youtube.com/watch?v=8IBy87mVpcw
This movie shows DDoS attacks, botnet command and control servers, malware relationships and similar visualizations.
Other visualizations that might be of interest:
Heatmap animation of worldwide compromised machines
Mapping links between users sending inappropriate content via emails using Circos
This tool walks the line of being a parser, but it is a pretty handy way of converting Windows logins to something useful to graph. Put this in your login scripts and point it at your syslog infrastructure and you get all the gory details about who is logging into what Windows system, and the IP/NETBIOSNAME/MAC of the system, in a single log line.
I'm just about to launch version 2.1 of Sphere Of Influence. I have added a summary page. Here I took a typical 800x600 window and made each pixel represent approximately 164 ports. I wanted to visualize the entire port spectrum so that an analyst can drill down on spotted patterns. I have included a screenshot of the new window... in this shot you can see some peer-to-peer activity at work. The new version will also have an "hourly wrap up" summary which is pretty extensive in its details; I also added a world map for Snort. It should be launched in the next few weeks. Remember this is free for state, federal and educational establishments (worldwide)... companies have to pay, but for $89 I think you get a bargain. I'm also working on a very cool project for VOIP systems... stay tuned.
Note: I have a new video out on YouTube (http://www.youtube.com/watch?v=ekOXjrF9enI) in which you can see the new visuals... release is very soon!!! (and we added the Cisco IPS into the mix as well)
A 3D map of my network with nmap and MySQL. We made it by using VRML.
So, the blue colour is a Windows computer and the red one is Linux; the others in yellow are the printers (the height is the number of open ports).
It is very easy to compare two different scans (different days or weeks). When the cylinder is blue (Microsoft computer) with a black cylinder, it is the difference in ports between the two scans; there are some new ports in this one.
It is possible to see it from the front, top, left and right using a VRML player.
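The map described in the last post (one cylinder per host, colour by OS, height by number of open ports, a black cylinder stacked on top for ports that appeared since an earlier scan) can be generated directly from nmap's grepable output, without the MySQL step. The code below is an added example for this page, not the poster's own tool: it parses `nmap -oG` style lines, diffs two scans, and writes a VRML 2.0 scene that any VRML player can rotate. The two scans are constructed sample data, and the OS-to-colour rules and the grid spacing are this example's assumptions.

```python
import re

# Constructed `nmap -oG` style output for two scans of the same three hosts.
# Day 2 shows one new open port (3389) on the Windows host.
SCAN_DAY1 = """\
Host: 10.0.0.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 7
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 2.6.X
Host: 10.0.0.12 ()\tPorts: 9100/open/tcp//jetdirect///\tOS: HP printer
"""
SCAN_DAY2 = """\
Host: 10.0.0.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 7
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 2.6.X
Host: 10.0.0.12 ()\tPorts: 9100/open/tcp//jetdirect///\tOS: HP printer
"""

# VRML diffuseColor values (r g b): the colour scheme from the post, plus grey for unknown.
COLOURS = {"windows": "0 0 1", "linux": "1 0 0", "printer": "1 1 0", "unknown": "0.5 0.5 0.5"}


def parse_grepable(text):
    """Map each host IP to its OS guess and the set of open TCP/UDP port numbers."""
    hosts = {}
    for line in text.splitlines():
        host = re.search(r"Host: (\S+)", line)
        if not host:
            continue
        ports = re.search(r"Ports: ([^\t]+)", line)
        os_match = re.search(r"OS: ([^\t]+)", line)
        open_ports = set()
        if ports:
            for entry in ports.group(1).split(","):
                number, state = entry.strip().split("/")[:2]  # "22/open/tcp//ssh///"
                if state == "open":
                    open_ports.add(int(number))
        hosts[host.group(1)] = {"os": os_match.group(1).strip() if os_match else "",
                                "ports": open_ports}
    return hosts


def classify(os_name):
    """Coarse OS class used for colouring (keyword rules are an assumption of this example)."""
    s = os_name.lower()
    if "windows" in s:
        return "windows"
    if "linux" in s:
        return "linux"
    if "printer" in s or "jetdirect" in s:
        return "printer"
    return "unknown"


def new_ports(previous, current):
    """Ports open in `current` that were not open in `previous`, per host."""
    return {ip: h["ports"] - previous.get(ip, {"ports": set()})["ports"]
            for ip, h in current.items()}


def cylinder(x, y, z, height, colour, label):
    """One VRML Transform holding a coloured cylinder; `label` becomes a VRML comment."""
    return (f"Transform {{ translation {x} {y:.2f} {z} children [ Shape {{\n"
            f"  appearance Appearance {{ material Material {{ diffuseColor {colour} }} }}\n"
            f"  geometry Cylinder {{ radius 0.5 height {height:.2f} }} }} ] }} # {label}\n")


def to_vrml(current, previous=None, cols=4, unit=0.25):
    """VRML 2.0 scene: a cylinder per host (height = open ports * unit, colour by OS)
    with a black cylinder stacked on top for ports new since `previous`."""
    out = ["#VRML V2.0 utf8\n"]
    added = new_ports(previous, current) if previous else {}
    for i, (ip, host) in enumerate(sorted(current.items())):
        x, z = (i % cols) * 2, (i // cols) * 2  # hosts on a grid, 2 units apart
        h = len(host["ports"]) * unit
        out.append(cylinder(x, h / 2, z, h, COLOURS[classify(host["os"])],
                            f"{ip} {sorted(host['ports'])}"))
        extra = len(added.get(ip, ()))
        if extra:
            eh = extra * unit
            out.append(cylinder(x, h + eh / 2, z, eh, "0 0 0",
                                f"{ip} new: {sorted(added[ip])}"))
    return "".join(out)


if __name__ == "__main__":
    print(to_vrml(parse_grepable(SCAN_DAY2), parse_grepable(SCAN_DAY1)))
```

Redirect the output to a `.wrl` file and open it in a VRML player; each cylinder carries a comment with the host and its ports, so the scene stays readable as text too.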