Passive visual fingerprinting of network attack tools
Source: Conference on Computer and Communications Security archive. Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, Washington DC, USA.
Session: VizSEC link analysis session
Pages: 45-54
Year of Publication: 2004
ISBN: 1-58113-974-8
Authors: Gregory Conti (Georgia Institute of Technology), Kulsoom Abdullah (Georgia Institute of Technology)
Sponsors: ACM (Association for Computing Machinery); SIGSAC (ACM Special Interest Group on Security, Audit, and Control)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1029208.1029216

ABSTRACT

This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools, in order to better understand both the specific methodologies used by attackers and the identifiable characteristics of the tools themselves. The techniques used are entirely passive and virtually undetectable by the attackers. While much work has been done on active and passive operating system detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness for identifying attack tools, without relying on the signatures and statistical anomaly detection of a typical automated intrusion detection system. These visualizations were tested against a wide range of popular network security tools; the results show that in many cases the specific tool can be identified, and they provide intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.

