Add Post   Gallery
This is a community portal. Sign up on the left and start posting about analytics and visualization of security data.

 


 

Geolocation Map

Geolocation Map

In the snapshot above, the administrator has created a "Top Peers" statistics based on filtered log entries and decided to view the outcome as a Geolocation Map. You can monitor network traffic with the help of Geolocation Maps in real-time too. Here is a video that describes more closely how StoneGate Management Center's Geolocation feature works in practice: http://stoneblog.stonesoft.com/2009/07/smc-videos-geolocations/.

Money Mule, Phishing and AFF SPAMclouds

Mainly as a bit of fun, I thought it would be interesting to sort some of our SPAM into distinct groups and make some wordclouds, or more specifically SPAMclouds from the content of the spam.
Attached is the cloud for SPAM attempting to recruit Money Mules.

You can see the Phishing and Advance Fee Fraud (AFF) clouds and the full story here http://honeynet.org.au/?q=spamclouds

ben

Money Mule SPAMcloud

Money Mule SPAMcloud

Money Mule SPAMcloud

Visualizing OS X Threat Internet Distribution

Visualizing OS X Threat Internet Distribution

I have captured few examples for visualization to show internet distribution of OS X threat. This has been discussed here.

Malicious IP

Malicious IP

Just one malicious IP address leads you to variety of threats that maximizes the use of it.
I have blogged about this here. and here

A video of botnet IRC joins

A video of botnet IRC joins

Some time ago F-Secure collected a bunch of log data on about 700 000 botnet IRC channel joins. They then asked us to visualize the joins as a time lapse on a world map using geomapping. The results are available here: https://www.clarifiednetworks.com/Blog/2009-01-01%2018-15.

CISSE Working Group Outcomes - Security Visualization Challenges

At the CISSE 2009 conference, we held a workshop on Security Visualization, during which we identified a number of research problems associated with security visualization. You can find them listed below. Tomorrow, we will identify use-cases for security visualization. If you have any use-cases that you want us to consider, comment on here!

Security Visualization Research Problems


Important Realization: Visualization is generally an add-on to a specific problem or task. This dilutes the research community, since there are data visualizations of many different areas of interest.

Data Acquisition

  • Data normalization: aggregation, filter, and augmentation. Common formats are needed that span the requirements.

  • Accessing data (transport problems)

  • Data security issues (confidentiality, integrity)

  • Context collection

  • Real-time processing (collection and visualization)

  • Data disposal / destruction

  • What to do with missing data / gaps?

  • “Cleaning” data

Visual Representations

  • Time series representations instead of snap-shots

  • Are three-dimensional / interactive visualizations more intuitive / easier to use than, for example, a set of two dimensional representations?
  • Education of Expert Witnesses: how to present scientific data and explain visualizations in terms that are understandable by juries, prosecutors, and judges

  • The challenge of transitioning data into evidence is an on-going problem. The starting point is raw data, which is then transformed into a visual representation, which is then contextually interpreted as information. There are many issues with this process, including appropriate representation of actual or relational time sequence and the provability of the linkage between the raw data and the interpreted information.

  • Photo classification: A challenge is the emerging area of photo-realistic cartoons or imagined figures, which are getting so life-like that they are crossing the boundary from good to evil when used inappropriately.

  • Extremely large data set analyses, focusing on making them faster while maintaining accuracy

  • Integration of many variables into a useful visualization, where many means 4 or more variables.

Visual Interpretations

  • “Bridging the Gap”: creating visualizations that are intuitively interpretable by non-trained people. This implies needed integration of knowledge from the fields of sociology, cultural anthropology, learning theory, neuroscience, psychology, disability amelioration, etc.

  • Understanding visual representations: interpreting actual meaning from the visualization can be challenging. Research into how to make this more intuitive is needed, as is research in how to best educate analysts. Additionally, better human-interpretable visualizations are needed.

  • Visualization as an accelerator of identification of anomaly judgment (OK versus Not OK)

  • Interpretative visualization tools

  • Enable a better interpretation of complexities in relationships and interactions in data sets.

Overall Problems

  • Scientific validation of tools (Type 1 and Type 2 error rates; perhaps tool certification as being built with “pure” software, perhaps Common Criteria type certification)

  • Need to create an inter-disciplinary community of visualization researchers that talk to each other and share methods so that the wheel does not need to re-invented between communities

Mapping the Australian honeypot network using circos.

Mapping the Australian honeypot network using circos.

This was done using the circos tool. It is a very useful map style, this one shows some location attributes of malware captured by our nepenthes malware sensors at the Australian Honeynet Project.
For full story and maps of other attributes http://honeynet.org.au/?q=node/42
ben

help debugging tcpdump2csv.pl?

I'm trying to use afterglow 1.5 on a gentoo system and running into an issue that I hope you can help me figure out.
When I read a dump file into tcpdump2csv.pl, using the switches documented, I get absolutely no output. If I turn on debug, I get my tcpdump lines, preceded by "ERROR:" as below:
ERROR: 2009-05-04 18:37:28.332949 In ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 77)
ERROR: 74.63.208.3.53 > 216.245.196.14.56383: 14710 1/0/0 mail.lab.spb.ru. A 77.234.201.82 (49)
If I run with tcpdump -ttnnlr, I get a little closer to the lines in your documentation, in that the timestamp is on the same line as the capture info:
ERROR: 1241462458.413252 In ethertype IPv4 (0x0800), length 93: 74.63.208.3.53 > 216.245.196.14.43954: 7712 1/0/0 A 195.128.50.36 (49)

There is no description of what the error is, and still no CSV output is appearing.
If it makes a difference, I am running with tcpdump 4.0. If I can add an ebuild for afterglow 2.0 for the gentoo world, I will give that a try and see if I get a little further.

Firewall Log in a Treemap

Firewall Log in a Treemap

This treemap was generated with the Treemap 4.1 tool from University of Maryland. This is a tutorial that I wrote on how to get to the output, step by step.