Russell Handorf

Attack Visualizations Using GraphViz and Google Earth

There is a saying that a picture is worth more than a thousand words. This certainly holds true, especially when determining the source of network attacks and what kinds of attacks are hitting your edge or internal networks. We are going to explore two kinds of visualizations that use the same data source but convey very different messages. The sources of data are the net-flow traffic summary that can be generated by Argus or by network devices, and the security event logs generated by your SIEM (in my case, OSSIM). From the net-flow traffic summary we are only interested in the source and destination IP addresses and ports, as this is all that is required for matching against the threats identified by the SIEM.

The first tool we will employ to create the first visualization is GraphViz (http://www.graphviz.org/). GraphViz uses a relationship language called DOT, whose grammar is easy to understand and interpret in two easy steps: define a graph and create relationships. For our purpose, we want to create a flow graph that helps us visualize attackers, and possibly further define attack types. To do so, we simply write a script that parses the net-flow data from our network and queries those IP addresses against our SIEM’s threat database. If there is a match on the IP address, we can change the context of the relationship in the visualization. For instance, if the source is an internal IP address going out, we can color the bubble red based on the assumption that it is infected. The lines that radiate from that host can have two relationships, solid for TCP and dotted for UDP, with a label on the line for the communicating port. If there is a virus infection running amok in the network, you can then imagine the visualization that is rendered, and furthermore, if there is a Command and Control channel in use it may become more easily identifiable. With the discussion above, you would have the following DOT syntax, and once rendered, the following graph snippet that shows a spoofed UDP communication going to my DNS server, along with hosts attacking it.
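The script described above, written out as an added example (this is not the post's own script): it parses a constructed net-flow summary, checks each address against a constructed stand-in for the SIEM threat table, and emits DOT with the conventions from the text: a red bubble for an internal source the SIEM has flagged, solid edges for TCP, dotted edges for UDP, and the destination port as the edge label. The flow line format, the `10.0.0.0/8` internal range and all addresses are assumptions for the sake of the example.

```python
# Added example (not from the original post): build a DOT graph from net-flow
# records. Internal sources that match the threat list are drawn as red nodes,
# TCP edges are solid, UDP edges are dotted, and the destination port labels the edge.
import ipaddress

# Constructed net-flow summary lines "proto src sport dst dport", roughly the
# fields one would keep from Argus output. Sample data, not real traffic.
FLOWS = """\
tcp 10.0.0.15 51234 10.0.0.53 53
udp 10.0.0.15 9999 10.0.0.53 53
udp 203.0.113.7 53 10.0.0.53 53
tcp 198.51.100.9 4444 10.0.0.15 445
tcp 10.0.0.22 40001 10.0.0.53 53
"""

# Constructed stand-in for the SIEM threat database: addresses it has flagged.
THREATS = {"10.0.0.15", "203.0.113.7", "198.51.100.9"}

# Assumed internal address range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse 'proto src sport dst dport' lines into (proto, src, sport, dst, dport)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        proto, src, sport, dst, dport = parts
        flows.append((proto.lower(), src, int(sport), dst, int(dport)))
    return flows


def node_attrs(ip, threats):
    """Red filled bubble for an internal host the SIEM flagged (assumed infected)."""
    if ip in threats and ipaddress.ip_address(ip) in INTERNAL:
        return "style=filled, fillcolor=red"
    return ""


def build_dot(flows, threats):
    """Render the flows as a DOT digraph string ready for `dot -Tpng`."""
    lines = ["digraph flows {", "  node [shape=ellipse];"]
    hosts = sorted({ip for f in flows for ip in (f[1], f[3])})
    for ip in hosts:
        attrs = node_attrs(ip, threats)
        lines.append(f'  "{ip}" [{attrs}];' if attrs else f'  "{ip}";')
    seen = set()
    for proto, src, _sport, dst, dport in flows:
        key = (proto, src, dst, dport)
        if key in seen:
            continue  # collapse repeated flows to the same service port
        seen.add(key)
        style = "solid" if proto == "tcp" else "dotted"
        lines.append(f'  "{src}" -> "{dst}" [style={style}, label="{dport}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_dot(parse_flows(FLOWS), THREATS))
```

Pipe the output into `dot -Tpng -o flows.png` to render it. Ephemeral source ports are deliberately dropped from the edge key so that a chatty host produces one labelled edge per service rather than one per connection, which keeps a large graph readable.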

The second tool we will use is Google Earth. The technique used above to extract the information will be slightly modified; we won't use source or destination ports, and we also won't be as fancy with our line classifications. What we will add to the information is a geolocation database, so that we can look up each IP address and get a latitude and longitude, and we'll only consider three forms of communication: clean (green), hostile (red), and live hostile (purple).
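As an added example (not the post's own code), here is the Google Earth side: ports are dropped, each source/destination pair becomes one KML line, and the line is coloured green, red or purple. The geolocation lookup is a constructed table standing in for a real database, and since the post does not define "live hostile", it is assumed here to mean a flagged address whose SIEM alert is still open; plain "hostile" is a flagged address with a closed alert.

```python
# Added example (not from the original post): turn net-flow source/destination
# pairs into a KML file for Google Earth, one line per host pair, coloured
# green (clean), red (hostile) or purple (live hostile).
import xml.etree.ElementTree as ET

# Constructed flow records (src, dst); ports are dropped as the post describes.
FLOWS = [
    ("203.0.113.7", "192.0.2.10"),
    ("198.51.100.9", "192.0.2.10"),
    ("192.0.2.44", "192.0.2.10"),
    ("203.0.113.7", "192.0.2.10"),  # duplicate pair, collapsed below
]

# Constructed stand-in for the geolocation database: ip -> (lat, lon).
# A real deployment would query a GeoIP database; these coordinates are made up.
GEO = {
    "203.0.113.7": (48.85, 2.35),
    "198.51.100.9": (35.68, 139.69),
    "192.0.2.44": (40.71, -74.01),
    "192.0.2.10": (39.95, -75.17),
}

# Constructed stand-in for the SIEM threat table. "live hostile" is assumed
# here to mean a flagged address whose alert is still open.
THREATS = {"203.0.113.7": "open", "198.51.100.9": "closed"}

# KML colours are aabbggrr (alpha, blue, green, red), not the usual rrggbb.
STYLES = {
    "clean": "ff00ff00",         # green
    "hostile": "ff0000ff",       # red
    "live_hostile": "ff800080",  # purple
}


def classify(src, threats):
    """Map a source address to one of the three line classes."""
    state = threats.get(src)
    if state is None:
        return "clean"
    return "live_hostile" if state == "open" else "hostile"


def build_kml(flows, geo, threats):
    """Return (kml_text, per-class counts) for the given flows."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "Net-flow attack map"
    for name, colour in STYLES.items():
        style = ET.SubElement(doc, "Style", id=name)
        line = ET.SubElement(style, "LineStyle")
        ET.SubElement(line, "color").text = colour
        ET.SubElement(line, "width").text = "2"
    counts = {"clean": 0, "hostile": 0, "live_hostile": 0}
    for src, dst in sorted(set(flows)):
        if src not in geo or dst not in geo:
            continue  # no location for one end: nothing to draw
        cls = classify(src, threats)
        counts[cls] += 1
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{src} -> {dst}"
        ET.SubElement(pm, "styleUrl").text = f"#{cls}"
        ls = ET.SubElement(pm, "LineString")
        ET.SubElement(ls, "tessellate").text = "1"
        (slat, slon), (dlat, dlon) = geo[src], geo[dst]
        # KML wants lon,lat,alt triples, source end first
        ET.SubElement(ls, "coordinates").text = f"{slon},{slat},0 {dlon},{dlat},0"
    return ET.tostring(kml, encoding="unicode"), counts


if __name__ == "__main__":
    text, counts = build_kml(FLOWS, GEO, THREATS)
    with open("attacks.kml", "w") as fh:
        fh.write(text)
    print(counts)
```

Open the resulting `attacks.kml` in Google Earth. Pairs without a geolocation hit are skipped rather than drawn at 0,0, which otherwise produces a misleading cluster of lines off the coast of West Africa for every private or unmapped address.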

2 Comments

  1. Travis Schack Sep 29, 2008 at 10:56 am

    Have you seen this tool: http://code.google.com/p/cosight/

  2. Russell Handorf Sep 29, 2008 at 4:23 pm

    @Travis-

    No, I haven’t seen that tool. But it certainly seems that we’ve done the same thing.
