This is a community portal for analytics and visualization of security data.

VAST: AS9121 leakage 1

An image showing the pre-AS9121 leakage connectivity.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

VAST: AS core

A view of the interconnections of a few of the core autonomous systems.

For more on VAST: http://jon.oberheide.org/files/vast-vizsec.pdf

Flamingo: Port scan

The above image shows traffic flows on a small /24 subnet. The source IP address is represented on the left, and the destination IP addresses are on the right. Each square represents one unique host. The lines indicate traffic flows between source and destination IP addresses. The fan-out from left to right indicates a network scan, which created flows from a single source host attempting to connect to a large number of hosts in the destination subnet.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Dabber worm

This image represents a 10 second snapshot of traffic as seen at a busy Internet router. It shows an interesting pattern: a large number of flows destined for a single large IP address prefix on 3 specific destination ports.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Zotob worm 2

Same dataset as the Zotob worm 1 image but from an overhead view, showing the fan-out of destination hosts.

For more on Flamingo, see http://flamingo.merit.edu.

Flamingo: Zotob worm 1

This series of images shows flows originating from a single source IP address going to different destination IP addresses on destination port 445. This traffic is suspicious and consistent with the Zotob series of worms. The figures show flows over a 60 second period.

For more on Flamingo, see http://flamingo.merit.edu.

Nachi Worm traffic against Honeynet

This graph was generated with psad (http://www.cipherdyne.org/psad/) running in --CSV mode against the iptables logfile that is distributed as a part of the Scan34 Honeynet challenge (see http://www.honeynet.org/scans/scan34/). The graph shows 92-byte ICMP type 8 packets directed against the Honeynet subnet 11.11.79.0/24. These packets are most likely associated with the Nachi worm (see http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html). Here is the specific command used to add the 92-byte search criteria:

# psad --CSV -m iptablessyslog --CSV-fields "src dst ip_len:92" --CSV-max 300 \
    --CSV-regex "PROTO=ICMP.*TYPE=8" | perl afterglow.pl -c color.properties | neato -Tgif -o nachi_worm.gif
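As an added example (not psad's own code and not part of the original post), the following Python script reproduces the psad CSV step of the pipeline above: it keeps only iptables log lines matching the same PROTO=ICMP.*TYPE=8 regex with an IP length of 92 bytes, emits the src,dst,ip_len rows that afterglow.pl consumes, and stops after a row limit like --CSV-max. The log lines are constructed in the Honeynet bridge log format, not taken from the Scan34 file.

```python
import re

# Constructed iptables syslog lines (not from the Scan34 logfile): two 92-byte
# echo requests, one 84-byte echo request, one echo reply, one TCP SYN to 445.
SAMPLE_LOG = """\
Mar  1 10:11:12 bridge kernel: INBOUND ICMP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=192.0.2.10 DST=11.11.79.67 LEN=92 TOS=0x00 PREC=0x00 TTL=112 ID=4001 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  1 10:11:13 bridge kernel: INBOUND ICMP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=192.0.2.10 DST=11.11.79.68 LEN=92 TOS=0x00 PREC=0x00 TTL=112 ID=4002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Mar  1 10:11:14 bridge kernel: INBOUND ICMP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.7 DST=11.11.79.70 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4003 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  1 10:11:15 bridge kernel: INBOUND ICMP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=11.11.79.67 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=4004 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Mar  1 10:11:16 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=203.0.113.9 DST=11.11.79.67 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4005 DF PROTO=TCP SPT=3344 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one iptables log line as a dict.

    ICMP lines carry ID= twice (IP header id, then ICMP id); the first
    occurrence wins so fields["ID"] is the IP header id, as in psad.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def csv_rows(log_text, csv_regex=r"PROTO=ICMP.*TYPE=8", ip_len=92, max_rows=300):
    """Select rows the way the psad command on the page does: the line must
    match --CSV-regex, its LEN= (psad's ip_len) must equal the search value,
    and no more than max_rows (--CSV-max) rows are returned."""
    matcher = re.compile(csv_regex)
    rows = []
    for line in log_text.splitlines():
        if not matcher.search(line):
            continue
        f = parse_iptables_line(line)
        if f.get("LEN") != str(ip_len):
            continue
        rows.append((f["SRC"], f["DST"], int(f["LEN"])))
        if len(rows) >= max_rows:
            break
    return rows


def to_afterglow(rows):
    """Format rows as the comma-separated src,dst,ip_len lines afterglow.pl reads."""
    return "\n".join(f"{src},{dst},{length}" for src, dst, length in rows)


if __name__ == "__main__":
    print(to_afterglow(csv_rows(SAMPLE_LOG)))
```

Piping the script's output into afterglow.pl in place of psad gives the same node-link graph the page describes, with one edge per echo-request source/destination pair.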

Outbound traffic from Honeynet

This graph was generated by using psad in --CSV mode against the Honeynet Scan34 challenge iptables logfile (see http://www.honeynet.org/scans/scan34/). It shows outbound traffic from the Honeynet subnet 11.11.79.0/24; clearly visible are suspicious connections from the host 11.11.79.67 to external SSH and IRC servers, which are good indications that the system has been compromised.

NEXThink - Visualizing Endpoint Activity

NEXThink is a small Swiss startup which sells a solution in the security/visualization space. They deploy an agent on the endpoints (machines) and record network activity from them (at least that's what I understood). The network activity is then visualized with parallel coordinates and starfields.
I was reading a paper about some of the visualization approaches they are taking. To summarize a couple of interesting points from the paper:

  • In order to visualize a huge amount of connections, they are using hierarchies for the attributes to summarize them. You can expand those on demand. The collapsing and expanding of the attributes is done automatically based on the number of lines on the screen. I thought this was a pretty interesting idea.
  • To visualize activity from hosts, one of the methods they are using is parallel coordinates with user, application, source host, target host, and target port in the graph. They omit time as it would clutter the graph. I wonder whether they have the capability to show time anyway and aggregate by hour, day, etc. That would be interesting.
  • To visualize activity with regards to time, they are using starfields. I have heard other names for this type of visualization. Advizor calls them time-series, which is a bad term in my opinion as it alludes to a type of data.
  • What I was a bit confused about was the use of the term alarm in the paper. I am not sure if the author just meant to talk about the connections or there is some kind of a sub-system that actually generates alarms. I guess the latter because he mentions anomaly detection very briefly. I would be interested to read more about that.

The next thing I hope to see from them is that they post some graphs here!

Swivel

I just heard about Swivel, a new data analysis Web site which will be launched later this week. This article talks about some of the features available. I am curious to try it out and see what they will do with my security data.