Your next presenter will be Greg Conti, who will be talking about network attack visualization.

Can you hear me in the back? Reasonably well? Okay. Hi, I'm Greg Conti. Welcome to network attack visualization. Thanks for coming. I think it's a very cool subject that has a great deal of potential that hasn't been tapped in the security world. So I hope to do several things during this talk. One is to give you a feel for the classic InfoVis research area, because people have been working on it for the last 25 or 30 years, but it's largely untapped in the security research area. Then, to give you a feel for what people are doing in security research. Third, I've built a system that's on your CD, kind of a proof of concept, so I'll go over that and some of the lessons learned and what it looks like with some real-world results. And finally, to help motivate you. I believe this has a great deal of potential. Just walking around Capture the Flag, it's all text. And if you can tie into what the human mind can do through the visual processing system, there's a great deal of potential. So I hope to motivate you to consider using some of these techniques in the future.

That's a picture of someone I know with their eyes blacked out: DEF CON 2C, New Las Vegas, Lunar Penal Colony. I was just looking into the future as we explore other planets where DEF CON might end up. I'm currently at Georgia Tech, but I'm also in the Army, and I'm here as a free citizen and not as a representative of the government.

Okay, just to get us all on the same sheet of music, this is the classic definition of information visualization. And the key notion here is that you're taking advantage of the capabilities of all your senses (typically vision is what comes to mind) in a way that lets you find insights in data that you couldn't see otherwise. So we're going to look at how people address that through a variety of techniques. And why is there such great potential here in the security area?
Let's do a little survey and find out. So what I'm going to ask you to do is vote once at the end on which of these, A, B, or C (I know there's nothing up there now), you think is art. So there's the Mona Lisa. That's ASCII Mona Lisa. Or the BF programming language that will generate ASCII Mona Lisa. So who thinks A? Okay, you can only vote once. So who thinks B? Who thinks C? Who knows what BF stands for? Someone? Yes, that would be correct. Thank you. This goes to a lot of the classic InfoVis people, who have been doing great work. They fall into the A category. A lot of the security people fall into the B and C category, and the two worlds haven't overlapped. But I think they're beginning to now, as people see what it can do. And hopefully we'll address that a little today.

So why InfoVis? Just by glancing at data, information can pop out at you that you can't get from just textual output. So you can see patterns, anomalies. And what this example here is, is the DEF CON forums, and in there there are two columns, in the top left, from the website about a month ago: replies and views. And you could look at it, and you saw different numbers, but you really didn't have a feel for what the data was about. So I used a scatterplot technique, plotting replies on the x-axis and views on the vertical axis, and you can see it gives you a feel for what the discussion was all about. I also used color to encode the heat, or how much activity there was, so it went from a cool blue to a hot red. And I also mapped it to the size of the square, so the more replies times views, the hotter it was, as well as the larger the square. So you can see that at that time, "colonel female geeks" generated a great deal of interest, followed by making friends, and then other events like the Toxic BBQ and that type of thing. And you can see all the way down there at the bottom is someone who wanted to play as a DJ.
It was hard to get that when you've got a great deal of tabular information. This scales really well. So I just want to give you another, hopefully motivating, example. You can think of tcpdump; you know, it's a little bit down at the bottom, but another level up from that is Ethereal, which I saw a lot of people using at Capture the Flag, which is a very useful tool for what it does. It's extremely well designed, and if that's your task, it's great. If you want to see other graphical visualizations, it's a lot harder. And then EtherApe is an example of what you can do with real-time packet capture to get a feel. What that is, is a circle of network addresses and then the connections between them. They map the width to the bandwidth, so it gets wider if there's more activity, and it also decays over time, so that's a technique you can use to show things over time: map different data values to different ranges or colors.

So what this helps you do is get beyond the algorithm. You're using the human brain instead of trying to code stuff up, so it's an entirely different problem. Things that you're very good at, the computer may be very bad at, so that's where the power of this lies. The second thing is making Capture the Flag a spectator sport. I know it's a bit tongue-in-cheek, but the idea is, if you can look at network activity visually and see what's going on, and people can wander by and really see what's going on, you could do the same thing when you're monitoring your networks. And you can really do this in two ways. You can do it in forensics, based on data sets that you've collected that you can mine, or you can do it in real time, as in Capture the Flag. There are issues associated with both techniques that we'll try and cover a little bit. And what I'd like you to think about is, what tasks do you need help with?
If you're in here, you probably think, hey, there's something to this, so I'd ask at the end, if you've got some ideas on areas that have potential, to shout them out, because I think it'd be a pretty cool discussion. So here's another example: captured data from a cyber defense exercise with an NSA red team going after one of the military academies' defensive networks. So basically the red team attacked their defensive network. I plotted IP addresses on the vertical axis, and the horizontal axis was the number of seconds during the attack. So at a glance you can see that they did a wide range of reconnaissance across a large number of IP addresses, and then they did some focused attacks, and it's very clear from the data in a way that might not be as obvious if you're looking at textual data. So you can see the focused attacks, and then later they did another wave across the board. So again, it just pops out at you what's going on.

So like I said, classic InfoVis research has been going on in earnest for 25 or 30 years, and it goes way back; think of map making and the like. The reason why I'm presenting it to you is that it's largely untapped. There's some great work out there, but these weren't security people. So they were thinking about bus schedules or, I don't know, all sorts of off-the-wall stuff, but none of it involving security. But there's a great deal of untapped potential that hopefully could inspire you to do some really cool stuff.

Let's start off with a couple of the core concepts that came out of this. The InfoVis mantra is by Ben Shneiderman out of the University of Maryland. And the idea is you give whoever's working with the data an overview first, so they can see what's going on. So in Ethereal, you can think of it as getting an overview of all your packets. Then you provide the ability to zoom and filter. This could be in any InfoVis system. These are the key ideas.
You give an overview, you give people the ability to zoom and filter into what they're interested in, and then ideally get them down to the details so they can see that. Ethereal provides all three, and I think it really illustrates this in a textual way, but the same applies to a visual system.

The second main concept, kind of similar, is the idea of overview and detail: that you can have different visualizations combined into the same window. Oftentimes this is called a multiple coordinated display, in that the three panes or two panes or whatever all interact. Activity in one will affect how the others show what's going on. So this is from Civilization 2. And you can see there's an overview, you have a world map, and you can picture how you could apply this to networks, for example. That could be your large-scale network. Then it has a focus area, a detail area, where you can get in more, and if this was your network it could be your local subnet or something. You can click on the links and then click on the right. I thought this was just a good example of overview and detail.

Another idea is that of focus and context, being that you can see the detail at the center, but you get a feel for how it relates with the rest of the data. So using the fisheye view, and that's a Washington, DC Metro map, it expands out and magnifies the center of the map, so you can see what's going on, and the context around it. Now, granted, this might not be the best example because it distorts it a little bit, but that's a technique to consider. So you can see it amidst the context. And then on the right is an interesting technique, extremely powerful. That's about 500 major league baseball players and their data, all visualized on one screen. The vertical columns that you see are, think of them as bar charts, and they're on the side, so they're histograms, as they're formally called.
But that shows about 500 baseball players, and they're just highlighting the purple columns; that's average, career average, and salary. So you can just look at what their batting average is, and you can get a feel for whether they're highly paid, and you can look at it and say most of the players at the top with the highest batting averages are some of the highest paid players. But it also provides the overview, and it also shows that you can provide focus. So by clicking on a given line, it would show you the exact details and the statistics, and that's the green area.

Okay, so what I wanted to give you is links to more information, and this is on your CD, just to have some example systems you can take a look at. But really the one thing I'd point you towards is the information visualization courses. Most of these links will take you to courses with excellent slides, all condensed, all free, and they really do a nice job of linking to example systems. So if you want to leave here and find out more about this stuff, that's where I'd start first, with those course links. And again, it's on your CD. Or should be.

Okay, I just wanted to give you an example of some classic InfoVis systems. These are all pictures, essentially. This stuff's out there. I'm not saying any given technique is applicable, but I wanted to give you a feel for the wide range of techniques that are out there. This is called Data Mountain. Think of these as your bookmarks; it's another way to look at your bookmarks. These are snapshots of web pages that you can arrange on this virtual desktop any way you want, and you can double-click on them and it'll give you the web page you want to go to. So this is one technique that I took a look at. This is called Film Finder. It came, again, out of the University of Maryland. What it shows is a large number of movies. I believe there are 210 movies being displayed here, the dots.
But what's neat about it is on the right, the sliders allow you to do dynamic queries. And that means, for example, there's a double-ended slider that allows you to set the minimum and maximum length of the movie that you're interested in. And by adjusting that, movies will disappear off there or reappear. So you can interactively explore the data. And there are other sliders that allow you to change other variables. And again, I think it would be interesting to put something like this together on the network side.

This is a very powerful technique called parallel coordinates, and it's a bit like an ink blot. It takes a little bit of time to get used to. But what's interesting about it is you may have many, many fields of data you're trying to display. Some techniques scale better than others. This will scale out to, say, records with 20 to 30 data fields. So the main idea is each vertical axis is a scale. So this is data on cars. The first vertical axis is miles per gallon. The next vertical axis is cylinders, then horsepower, and so on. Anyway, what you do is you plot, for miles per gallon, say this 30-miles-per-gallon car on the vertical axis. Four cylinders, low horsepower, low weight, and you essentially connect the dots for each field. And you can get a feel. This is a very powerful technique, but it's also useful if you rearrange the columns, because you're looking for insights into the data and dependencies between data values. By rearranging the columns, you can get different insights. And the tool we'll take a look at at the end uses this a little bit.

This is a little bit out there. This is information art. The idea is this is on the wall; it's an ambient display. So it's not in-your-face blinking red lights. And some of these systems will throw you into an epileptic seizure or something if you look at them too much. So this is art. It's on the wall. This represents, based on modern art, a bus schedule.
Each of the squares represents a given destination. And the color coding indicated how long until the shuttle would leave. So again, people could just glance at it. That's loosely on a map metaphor. So people learned where each of those squares was and what they represented. Again, just a few examples. And I put together 72 examples for you. And those are on your CD. Let me show you quickly. What I tried to do for each of the examples was give you good links as well. So lots and lots of cool stuff out there. So I'd ask you, if you're interested in this, flip through that. Really, really cool things. We only have 50 minutes, so I couldn't cover it all.

Another thing I'd recommend to you is these books. The first three are works by Edward Tufte. These were really nicely done. I have no affiliation with them, but I think they're very nicely done. They're on the order of $40 to $50. He also has a fourth coming out called Beautiful Evidence. The fourth book I'd recommend to you is a survey of the field. It's relatively thin, about 350 pages or so, but it covers the whole InfoVis area in a very accessible way across the board. And that's InfoVis by Robert Spence. And the fifth is a highly regarded textbook as well. And finally, if you're interested, Edward Tufte has a traveling roadshow that he takes around the country. It costs about $300 to attend, but he leads it. It's extremely well done, condenses it all down, and you get all three books with it. So if your company is paying or something like that, it's a good way, perhaps, to get some of the books.

Okay, so let's look at how people have taken some of those techniques and then applied them to security. In my experience, only about 5 to 10% of the techniques have actually been applied to security. And that's why it has such great potential. So this is a technique. This is showing routing data out of UC Davis. And I have a better example first to show you how a tree map works. So this is a space-filling algorithm.
And this is a tree map of my hard drive. Think of it as nested directories. So within one directory you can see the files that are in there, the things in there. You have the ability to get an overview. And then if I want to zoom, I can just click on a button in the background region. And you can use color to encode file types. I think this would be very cool to show security data, like your file permissions or something like that. Or even if this was a front end for network scanning or something like that, constantly probing a network, you could see, hey, an SSH server or something popped up, and you could look at huge network spaces using something like this. But anyway, if you want to highlight an area, you can get in closer, you can hover over it. It gives you the details on demand that you can see at a glance. Well, what's my largest DLL here? And this is shell32.dll. And you may say, well, what's this huge purple file? It's a driver.cab file, that type of thing. At a glance you can see the outliers. You can see patterns in there. I have a USB key ring I back up regularly, and you can see the near-identical images between them. So it's a very cool way to get a feel for a large data set.

So that's what he did with different routing messages, trying to get a feel for anomalies in the routing data. It's a little messy. It's a little complicated how he put it together, and I'll not go into it today. But there's a great paper. If you do a search on his name, he's got several papers on this that explain the technique he used. Again, these are tree maps. And what's interesting is you can see a histogram at the bottom. So you're not just tied to one visualization technique. You can combine them. You can link them together. The smaller squares on the left-hand side represent detail views. And it's kind of hard to see.
It's kind of hard to see on this, but each of those squares has a pair of lines going to a little white rectangle on the two large squares in the center. So you can slide those around and it provides you detail on that area. So you have this slider, kind of a sliding zoom thing, that you can move around and see the detail on the side. So it's a pretty cool technique.

So another technique you can use is 3D space. And when you use 3D space, that typically means things will be in front of other things. So you generally have to look at being able to rotate the object, and the math gets a little bit funkier. But what this shows is the type of workstation in the front. So it's workstation, network, mission server, or project server. So that's one of the coordinates on the bottom. And then the coordinates on the side are their physical location. So you can see at a glance where all my project servers are. They're all located on the second floor. Then they use the third dimension to tie in network alerts, so the different severities of the alerts. And you can see at a glance where my alerts are, where they're located, and what type of mission they're performing. So I thought it was an interesting technique.

This is SecureScope, from Secure Decisions. This is Starlight. It came out of one of the national labs. The small picture on the top just shows you the 3D space that it uses. And I thought this was very cool because it combines, you can throw into this workspace, multiple visualization techniques. So they tie a map of terrorists or whatever, a geographic map, several data sets, and you can see the interrelationships between them. It's a very interesting technique. It would be very cool to see something open source like this going on. This is the Open Source Security Information Management system. I haven't had a chance to take a look at it, but a couple of people I highly regard recommended it to me.
The idea here is it takes multiple sources of data, network security related data, and it correlates them and presents them all on one screen. So at a glance you can see what your network is doing. And when I was at Black Hat I went around to the vendors, and many of the vendors had something like this. One of them I asked how much it cost, and they told me it was $250. And silly me, I thought he meant $250, but he meant $250,000 for the starter kit. So there's probably some money to be made in this as well.

Now think of how you'd normally see sequence numbers in, you know, Ethereal or something. This is a very cool technique using attractor theory to plot X, Y, and Z dimensions and get a feel for the randomness of the data. So these are two data sets. Which one do you think is random? The top, that gray diffuse cloud, is the random data set. Which one do you think is a Microsoft product? Yeah, the bottom, the very detectable one; you can see a distinct pattern there. So again, you can have this huge number of sequence numbers. You can see them at a glance. And what he did, there are two papers here. They're both very cool, with lots of pictures that show the randomness of the data. It was very obvious if it was random or not. And then he did a paper a year later where most of the vendors had addressed the issue. So you can see kind of a before and after.

Another technique you can use is, you know, plotting things on geographic terrain. This is a satellite image from the University of Kansas, and this is wireless activity. But I also have another example that I want to show you. This is a little bit on the simpler side, but I want to show you something that showed the power of animation. This shows the propagation of Code Red. And you can see it evolve, and you can see when the tipping point is, when it explodes. So I'll go ahead and show you. So again, animation is a very powerful tool. See what I mean?
And if you're looking at log files, you want to get that impact. So very, very cool stuff. This is another researcher's spin on observing intruder behavior. And I won't go into all the details, but in the center, that small circle in the center represents a central server, and then the lines coming in represent connections. The closer-in lines represent closer positions on the network, and the farther-out lines represent much farther away. So you can just see at a glance who's connecting from a distance and who's connecting close. He used glyphs, that I'll cover in a second, that represent different types of connections. So you can monitor this. He uses animations, and I have a video clip I'll show you in a second. This animates this. You can kind of see at a glance what's going on on the network. So he used the different types of arrows, or glyphs, to encode: for example, the solid arrow is telnet and its cousins. The dotted lines are FTP and the like. And he used red arrows for port scans. In the lower right you can see tick marks for multiple connections from a given remote host or something like that. And then in the center, the black donut in the middle of the centralized server shows the server load, the processing load. So I'll show you a video clip of this. And he has several papers on the subject as well, if you're interested in this. So again, you can picture being able to monitor your network. Okay, I think you get the basic idea. But that's out there on the web if you want to download it as well.

Oh, goodie. Well, that's bad. Okay, that's better. Let's just hope it doesn't put the screen, or the whole computer, to sleep. And as I was putting this together, I had like 45 examples I wanted to show you, and I didn't think there would be time. So I put together a PowerPoint presentation that has all the examples. But it was after I submitted my materials for the CD. So on the front page of the slides that you do have, that's my website at school.
And I'll go ahead and post this out there when I get back. But it's got examples of some of the 45 examples of security systems. I wanted to just give you a feel, and the presentation you have on your disk has two slides of these. They're having the first ever really formal workshop on visualization for security, in association with the ACM CCS. So that's the Computer and Communications Security conference. It's a big conference. And they're having a one-day workshop on this stuff. This is from their call for papers, and I thought it was really interesting to see what they were looking for, what they were trying to deal with. And there are ideas on areas that are untapped, where the research is going in academia. These are some ideas. Just to throw out a couple: visualizing routing anomalies. So that was that one researcher. Visualizing attacks in near real time. Line speeds. Can processors keep up? Can you visualize stuff at gigabit Ethernet speeds? That's a whole issue: networking is outpacing the processing capability that you need to do some of this.

And I'm not going to say this is your rock-solid commercial product or anything, but it's, I think, insightful and fun to play around with, and I welcome any feedback that you can give me down the road on where you think it would be useful. This falls more into that overview first, details on demand. I've gotten pretty much as far as overview first. It takes a while to put something together that's pretty solid. What I was going for is, you have your classic automated intrusion detection system. So on the top left I have the signature-based IDS, and then you have your anomaly-based IDS. So where I was going with this is that I'd like to augment those two with properly designed visualizations that bring the human into the loop in a smart way, in the right way.
So an attacker has to not just defeat the computer algorithm, but they also have to fool the human who's observing the network activity. So basically what I'm doing is performing real-time packet capture and parsing it, and I think you'll run into this: I mean, any visualization system starts off with getting a feel for the data that you have at your disposal that you want to visualize, getting a feel for the tasks you're trying to solve, and then you'll need to go through some process like this. Well, how do you clean up the data? What processing do you need to perform on it, and then how do you visualize it? As you go down that process it's more interesting. It's less textbook and more creativity as you go down, as in how can you present this in cool and useful ways.

Another design decision you'll need to make is, do you want to just present it in a straightforward way, or do you want to embed artificial intelligence or other processing techniques into your system? And it's a trade-off. If you want to embed more intelligence into your visualization system, then that comes at a cost of processing capability, and then you're back to the idea that you can fool the algorithms or something. So there's this spectrum, from the human carries the burden all the way over to the machine carries most of the processing load.

So I tried different prototypes. I started building it in C on top of pcap. I tried another version using tcpdump piped to Perl, piped to xmgrace, which was the best open source visualization tool that I found. It's pretty good. It wasn't exactly what I was looking for, but at Interzone this past April I gave a demo, and it's also on your CD with a little white paper, a how-to, of that track of piping it through to the visualization tool to see what's going on. It wasn't real time, which was really what I was going for. So I used Visual Studio on top of WinPcap, and yes, I know that there are security vulnerabilities in WinPcap, but it's on there right now.
What I put together is this tool, and that stands for rumor intelligence, versus signals intelligence or imagery intelligence. And what it does, and I'll go through this, the idea is it captures the packets, pulls out different fields, and plots them in different ways, hopefully in insightful and useful ways. So this is the main control panel. You enter in your IP address here; it needs to know the IP address. It understands the notion of what you consider your home network, or what you want to filter. It's really just a simple left string, so if you want to monitor a class C network or whatever, you just chop off the 100 and it'll capture that. I had it running on the Georgia Tech Honeynet as well as a commercial ISP outside the firewall. And it's pretty cool what I did: on Windows XP I removed all the network protocols, so it can still sniff the packets without having any protocols installed in Windows. So there are just start and stop buttons, and there are 11 different visualizations and then some variants, which bring it up to about 15 different windows on your network data. You also have the ability to change color settings; different things you're trying to highlight require different colors. And if you click save, it basically takes snapshots of all the visualizations and throws them into the directory. So it's not a polished thing, but I think it would be pretty fun to play around with.

So it uses that concept of the parallel coordinates view, that connect-the-dots that we took a look at earlier. So these three: the first one on the left, that range is the whole internet all the way up to 255.255 and so on. So that's external people connecting to me. So you can see the variety of internet addresses I was connected to, and I mapped bright green to inbound, darker green to outbound TCP, and then orange represents UDP, and I don't know if there's really any on this example.
So again you can see at a glance where on the internet I'm connecting to and who's connecting to me. So this example takes a look at external ports, with the same color mapping, so 0 at the bottom and 65,535 on the top: what external ports are connecting to me. And if you do this enough, different port allocation algorithms are embedded in different operating systems, so you can get a feel that when I was doing activity, much of the Windows network, and it's kind of hard to see, but basically formed a square or an X at the bottom, XP-to-XP type activity, and then when I was doing things with Linux it would be much higher port allocation. And obviously that can be spoofed, but just naively that has some potential. And then on the right, that visualization shows the external IP address range mapped to the internal ports. So I found that useful if someone was doing a distributed scan; you could see distributed scans, where they were coming from and what ports they were hitting. So I have some snapshots of the Georgia Tech Honeynet that give you a little bit of a feel for that.
Like I mentioned before, you can have multiple sets of data in the parallel plot, so I have two other visualizations on there. This does external IP to external port to internal port to internal IP, so just a different way to get a feel for the data, and then I have another variant as well, so you can play around with it and see what it looks like. So I tried it, with that external port to internal port view, using SARA, which is a successor to SATAN. Using the light setting, which they say will probably be missed by the intrusion detection system, you can see very little activity, just a line or two at the bottom; medium activity, which they say will probably be missed by the intrusion detection system; and then heavy activity. So you can really see that there are visual fingerprints falling out of this, and I envision perhaps a smart book of what some of these things look like before some people who own code up randomizers and things like that. Obviously this stuff can be spoofed, but not any of you; it pops right through.

So I did the same thing using a variety of other tools: several variants of Nmap, Foundstone ScanLine and SuperScan, a couple more Nmap variants, 4.0, and SuperScan 4.0. Each one of them had a distinct visual signature that shows through, and you can get a feel for the port activity. The SuperScan on the bottom right looks massively, I haven't seen the source code, but it looks like a great deal of multithreading going on or something like that. And what doesn't show through is the timing; each of these executed at different speeds, so for future work it would be interesting to see over time how fast each of these occur. And you can also see the orange UDP mixed in with the green TCP.

So to try and get a feel for the time sequence of the data, I made a different visualization. This plots ports on the Y axis, so these are external ports, and then each packet. And just as an example, I thought it was interesting just to look at Nmap, which has this
kind of diffuse randomness sort of on the packets and then super scan 3 there's a very distinct curve so you can run this and I ran this as I was just surfing the web and had it set for external IP what IPs was I talking to so I went to a web page and I thought a nice solid line of all these same external IP and then as I as it downloaded the ads you could see it hop around to different ads so I thought that was something for each of these visualizations by something something going on in the network something going on in the data I was surprised by so it's kind of that's the whole idea of visualizations getting to those surprises finding things out you wouldn't have known it's also good for seeing how chatty your computer is because this works I did a port scan out you can see the fan going out I did a port scan and see it going in so it's useful as a drop down box so I want to take a look at the data another way and this draws packets horizontally so each packet comes in it drops down one, drops down one and what this is is packet length as a fraction of the maximum ethernet frame so you can get a feel for you can see the large maximum size green ethernet packets and then a number of smaller orange UDP packets and as you do different activities you're getting a feel for what's normal and what's not normal so I let it run another technique is one of the problems with this is occlusion things put on top of other things so ideally there'd be a buffer and a little time slider we could float through the data this is the Georgia Tech Honey Net and we let it run for 30 days we could really get by looking at the left one you can see external IPs you could see where was the most activity coming from something down I mean at a glance you can see where the activity was the way and what ports they were going after so that's external IP to internal internal port and you can see all the lines going down to the low ports the next one is what operating systems, what external 
ports were in use so you can see a wide range across the whole spectrum but I thought it was useful for 30 days and then you can see that they went again for the low ports but also what jumps out at you is hey what's this these other ports where there's activity going on if you're monitoring this in real time you start seeing activity make clear that something's going on out there they would just have gotten lost if you weren't looking for otherwise okay so I'll go ahead and give you a demo of the tool and we'll take your questions I think that's enough to get us started but so I'm going to go ahead and enter the IP address that I want to monitor click start and then I'm over here this is from Linux I'm going to go ahead and do a port scan and for whatever reason the crossover cable there's a few about 15 seconds or so delay as it does whatever it does but it's going to do a port scan in a second you don't get this delay in real time okay you don't get this delay in real time but hopefully it will come up in a moment okay there we go so you can see the port scan going on so if you're sitting there at your computer it starts doing this something's wrong and you can resize each of these windows if you do the snapshots it will do the it'll make the image in the directory to whatever size that you click that you're using at the time so okay let's go ahead and stop this we already did most of those so let me just go ahead just rehash what we covered the classic InfoViz stuff I think there's a pretty cool survey on your CD there's a security InfoViz survey which I'll go ahead and post to my website then there's on the right that's xngrace and there's a demo of that on the CD the moment tool which runs on top of a winpcap is on your CD bookmarks are on your CD and then I'll have the latest version of this talk out on my website so I have a lot of people thank, I want to thank the 404.2600 people who looked at this and really gave a great deal of feedback as well as 
several of the Georgia Tech researchers. So with that in mind, what are your questions? Go ahead; could you come down here to the mic?

Have you given, just about like your tool for drawing data points and things like that, or just doing the general drawing, are you doing any sort of optimization, or using any sort of efficient line drawing algorithms or efficient visualization things like that, for dealing with very large data sets? Because one thing that I've noticed for a lot of the open source tools, or even some commercial tools out there, is that they're very naive in the way that they actually do the drawing of the data, and I've seen that even with a couple hundred nodes on a network, which any enterprise-size LAN would have, it will bring just your average Windows laptop or desktop completely to its knees because there is so much stuff to draw. So I was wondering if you're doing any of that in your application, and if you're not, to kind of suggest it.

That's a good question. This stuff's processor intensive, so that's when it's useful to go back to the graphics domain, the computer graphics domain, and look at some of their efficient implementations. Again, I'm doing this on XP, which might not be the wisest thing, but that's a good point that you want to tie in and get the smartest algorithms out there. This won't scale up; I wouldn't recommend putting it on a gigabit Ethernet network, I don't really know what would happen, but I'd put it more on like a hundred or ten and it works reasonably well. Okay, other questions? Yes.

I think, are any of these visualization tools standard enough that if you need, people are running honeypots, you know they're running them, and you can spell out messages to them in the displays?

That's a good question: can you attack these visualizations? And actually I think a deeper question is, can you attack the data streams that feed into any of these systems, if you can get into the data stream? Where my research was going next is attacking visualizations and attacking the data going into kind of all this stuff. I had one person talking about, at one end you can do a buffer overflow and just knock out Ethereal or whatever their packet capture altogether, all the way through to can you manipulate people, can you trick them, can you fool them. And I know you've probably seen the spinning cube of impending doom or something that was on Slashdot just recently. It was a 3D space and it plotted packet headers, and you saw these different 3D pictures came out of it. And then on Slashdot what they started talking about is, hmm, if we design packets the right way we could have 3D pornographic objects rotating in space, and if we timed it to when the supervisor of the system administrator was walking through with his teenage daughter, fired, and then they'd have to get a less well-versed system administrator. So yeah, this stuff's vulnerable, and that would be a very good hack, but I think what this shows more so is that it's really naive what people are doing with this stuff, and every packet is visible, so it's almost like you need electronic countermeasures out there to obscure what's going on, random noise or carefully crafted packets or whatever.

What are some of the best commercial or open source security visualization tools right now on the market?

So what are the best commercial security visualization tools, including like the security information managers like ArcSight and NetFriends etc. I haven't had as much experience as I would like on those tools, because that's why I use the time at Black Hat to take a look. They generally are on the order of 3 to 6 zeros, or 5 zeros, after them. I can talk to you more on the general purpose systems. Well, XMGrace on the open source side; Excel is kind of at the lowest end of the food chain on the whole viz thing, but up in the upper end, each of the researchers that you saw in those like 75 or whatever InfoViz examples, each of those researchers has a system, and many of them are free that you can download. There's Spotfire, a good general purpose system; Spotfire, it's a scatterplot, it has the dynamic sliders, it's very well regarded, that's one to take a look at. But the stuff's not cheap; InfoViz people are getting like 5 to 20 thousand dollars a seat for this stuff, so I can't say there's a low-cost effective option.

Yes, it's stupid, it's simple, but it's open source and it's free, and it was designed by AT&T to visualize large-scale networks: GraphViz. It's an output language for visualizing networks; it does directed and undirected graphs, so you can do networks that have associations and not. And like I said, it's kind of stupid, it's simple, but it's cheap, it's open source and it's hackable. It's called GraphViz, GraphViz.org, and its output is like PostScript, so you can just go in if you have a PostScript