NetGrok

From Cmsc734_08

New project site: http://www.cs.umd.edu/projects/netgrok/

VizSEC Camera Ready TODO

Paper

  • Abstract
  • Introduction
  • Related Work (Aaron, Kyle, Cody)
  • Visualizations
    • Network View (Kyle)
    • TreeMap (Aaron)
  • Interface
    • Filtering (Blue)
    • Searching (Blue)
    • Timeline histogram (Adam)
  • Infrastructure
    • Backend Data Model (Adam)
    • Network Packet Collection (Adam)
    • Group Configuration (Cody)
  • Evaluation (Blue)
    • Who the customer is and what his needs are
    • Experiment design
    • Results
    • Analysis of results
  • Future Work (Adam, Kyle)
  • Conclusion (Cody)
  • Acknowledgements
  • References

Goals

Extend computer network visualization to real time applications.

  1. Local hosts and destinations
    1. Monitor bandwidth usage
    2. Monitor branching factor
      1. Branches should indicate the number of connections to a node
  2. Filtering
    1. Ability to filter valid and secure systems
    2. Adjustable thresholds for detection
  3. Monitor network for DoS
  4. Monitor network topology and changes over time
  5. Monitor IP packet connections over time
  6. Characterize recent behavior of (IP) nodes. Cluster/classify that behavior.
  7. Monitor internal/external connections with respect to changes over time
  8. Monitor incoming vs. outgoing packets
  9. Monitor router logs with respect to their history
  10. Look for network policy violations (too broad?)
  11. Early detection of broken network
  12. Attack detection (short or long period of attack)
  13. Spam detection on network layer?

We intend to visualize the behavior of users on a large, local network. This would include, for example, clustering data based on the users that generate those data, and classification of network data as due to administrators, students, or other types of users. The overarching goal of this project is to be able to more effectively visualize time series network packet traces.
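Added example, not code from the NetGrok project: a minimal per-host bandwidth and branching-factor summary over a constructed packet sample, with the adjustable thresholds and allow-listing of known-good systems from the Filtering goals above. The packet records, the local prefix and the threshold values are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample records (timestamp in s, src, dst, bytes); not real capture data.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 1200),
    (0.1, "10.0.0.5", "198.51.100.7", 600),
    (0.2, "198.51.100.7", "10.0.0.5", 300),
    (0.3, "10.0.0.23", "203.0.113.1", 60),   # one host touching many peers
    (0.3, "10.0.0.23", "203.0.113.2", 60),
    (0.3, "10.0.0.23", "203.0.113.3", 60),
    (0.3, "10.0.0.23", "203.0.113.4", 60),
    (0.5, "10.0.0.42", "10.0.0.9", 50000),   # known file server (allow-listed below)
]


def host_stats(packets, local_prefix="10.0.0."):
    """Per local host: bytes out, bytes in, and branching factor (distinct peers)."""
    bytes_out = defaultdict(int)
    bytes_in = defaultdict(int)
    peers = defaultdict(set)
    for _ts, src, dst, size in packets:
        if src.startswith(local_prefix):
            bytes_out[src] += size
            peers[src].add(dst)
        if dst.startswith(local_prefix):
            bytes_in[dst] += size
            peers[dst].add(src)
    hosts = set(bytes_out) | set(bytes_in)
    return {h: {"out": bytes_out[h], "in": bytes_in[h], "branching": len(peers[h])}
            for h in hosts}


def flag_hosts(stats, max_branching, max_bytes, allowlist=frozenset()):
    """Hosts over either adjustable threshold; allow-listed (valid, secure) systems are skipped."""
    flagged = {}
    for host, s in stats.items():
        if host in allowlist:
            continue
        reasons = []
        if s["branching"] > max_branching:
            reasons.append("branching")
        if s["out"] + s["in"] > max_bytes:
            reasons.append("bandwidth")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    stats = host_stats(PACKETS)
    print(flag_hosts(stats, max_branching=3, max_bytes=20000,
                     allowlist=frozenset({"10.0.0.42"})))
```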

Customer

Brad Plecs, UMD CS staff

Data Sets

We hope to collect packet data from several points within the UMD CS network, including the bridge between the CS network and the rest of the university.

Downloads

The LBNL/ICSI Enterprise Tracing Project has partially anonymized traces in tcpdump/pcap save format.

Anonymization

They also provide the tcpmkpub header anonymization tool, which is discussed in The Devil and Packet Trace Anonymization and empirically in Toward Trusted Sharing of Network Packet Traces Using Anonymization: Single-Field Privacy/Analysis Tradeoffs.

Other anonymization software found so far includes FLAIM and SCRUB-tcpdump.

Project Members

  • Ryan Blue
  • Adam Fuchs
  • Kyle King
  • Aaron Schulman
  • Cody Dunne

Deadlines

  • May 1 - Draft paper due for class
  • May 9 - Short paper submissions at SECviz

Prototypes

References

TODO: Existing techniques, even text tools that we plan on comparing our tool to. We need these evaluations.

TODO: Add network visualizations for semantic substrates

Mapping and Visualizing the Internet, Bill Cheswick, Hal Burch, and Steve Branigan, in USENIX, San Diego, CA, June 2000.

This paper is about visualizing a database of Internet traceroutes from 1998 to 2000. Their motivation was to recognize large changes in the internet that reflect world events, such as natural disasters or terrorist attacks. This is much like what we are trying to do: recognize interesting changes to a local network. There is a large section on how to do Internet mapping without setting off IDSes, but our collection is passive, so that section was not really relevant.

Their initial visualization is the famous poster-sized force-directed map of the internet. Details of optimizing the force-directed algorithm to internet-sized data-sets were a big contribution of this paper. This map shows all edges, but they also produced graphs that only show edges on the shortest path between nodes, which made for a much cleaner graph. This is the only way to really see what's happening at the highly connected backbone.

The maps are colored by IP address where the first three octets of the IP are red, green, and blue color values respectively. If we can spare the dimension, I think that would be an excellent way to color nodes in our project. They also tried coloring based on DNS name, which gives a better geographic coloring.

The visualization is static, so there is no way to interact with it. The graph is really only useful to those that know how to navigate the underlying data-set well. He believes visualization is most useful on the intranet network. Their technique has been useful for finding routing leaks, new hardware, etc. on local networks. -Kyle

A Visual Exploration Process for the Analysis of Internet Routing Data, Soon Tee Teoh, Kwan-Liu Ma, and Felix Wu, in Proceedings of IEEE Visualization 2003 Conference.

Network intrusion visualization with NIVA, an intrusion detection visual analyzer with haptic integration, Craig Scott, Kofi Nyarko, Tanya Capers, Jumoke Ladeji-Osias, in Information Visualization 2003.

An eye on network intruder-administrator shootouts, Girardin, L., in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, 1999.

Maps high-dimensional packet data into two dimensions using a self-organizing map. Clusters on the map are groups of related data. Problems with the analysis: old paper from 1999, using a dataset from 1997. The dataset was anonymized poorly - all internal nodes given the same IP and all external nodes randomized w/o matching between traces. Generating the maps from the 20 min packet capture took 15 min to 2 hours on a 400 MHz machine, using Java. --Cody

Graph Visualization and Navigation in Information Visualization: A Survey, I. Herman, G. Melancon, and M. S. Marshall, IEEE Transactions on Visualization and Computer Graphics, 2000.

Home-Centric Visualization of Network Traffic for Security Administration, Robert Ball, Glenn A. Fink, Chris North, IEEE Workshop on Visualization for Computer Security 2003.

A Visual Approach for Monitoring Logs, Girardin, Luc; Brodbeck, Dominique, Proc. 12th USENIX System Administration Conference, Boston, Massachusetts, USA, 1998.

Svision: Visual Identification of Scanning and Denial of Service Attacks, Iosif-Viorel Onut and Ali A. Ghorbani, Computers & Security, Elsevier, May 2007.

Real-time collaborative network monitoring and control using 3D game engines for representation and interaction, in VizSEC: Proceedings of the 3rd International Workshop on Visualization for Computer Security, ACM, New York, NY, USA, pages 31–40.

VisFlowConnect-IP: An Animated Link Analysis Tool for Visualizing Netflows, 3rd IEEE Int'l Workshop on Information Assurance (IWIA), 2005.

Links

Starlight

The Spinning Cube of Potential Doom

Graphviz

NVSS

NetADHICT: A Tool for Understanding Network Traffic

the prefuse visualization toolkit

Etherape

NVisionIP