When a Picture is Worth a Thousand Network Packets and System Logs

Data Intelligence
June 28, 2017

Awalin Sopan, FireEye Inc.
Audience level: Intermediate
Topic area: Misc

Description

A typical Security Operations Center (SOC) employs security analysts who monitor security logs from heterogeneous devices. By analyzing that data, the analysts decide whether there is a security threat and how to respond to it. Visualizing this large-scale data in a succinct, human-digestible form can reduce their cognitive load and let them operate more efficiently.


Transcript

  1. Awalin Sopan
    @awalinsopan
    Senior Software Engineer,
    Analysis Team, FireEye, Inc

  2. Over 200 attacks on major industrial
    control systems in 2013.
    “Cyber threat is one of the most serious
    economic and national security
    challenges we face as a nation”- White
    House Press release, May 29, 2009

  3. FireEye Report 2014

  4. Cyber Attack Lifecycle
    FireEye Report 2017

  5. (no transcribable text)

  6. DEFENSE AGAINST CYBER ATTACK:
    Role of a Human (Cyber Analyst)
    • Detect intrusion
    • Recommend solution
    • Threat insight
    • Gather evidence
    • Prevent intrusion
    • Find vulnerability in the system
    • Block suspected traffic
    • Forensic analysis:
      • Nature of attack
      • Create rules to detect future attacks

  7. SECURITY DATA:
    DATA CAPTURED THROUGH SENSORS
    ▪ Multivariate:
      ▪ Packet capture / TCP dump from network sensors (ip, port, packet size,
        time, etc.: multiple features)
      ▪ Logs
        ▪ OS
        ▪ Servers
        ▪ Applications
        ▪ Firewalls

  8. (no transcribable text)

  9. SECURITY DATA:
    DATA CAPTURED THROUGH SENSORS
    ▪ Relational:
      ▪ Flow data through the network, collected from routers: connections
        between IPs and hosts.

  10. (no transcribable text)

  11. (no transcribable text)

  12. (no transcribable text)

  13. SECURITY DATA:
    DATA CAPTURED THROUGH SENSORS
    ▪ Temporal:
      ▪ Log files / activity / events: host and endpoint events over time

  14. WHY VISUALIZATION
    • Communicate findings
    • Overview
    • Analyze:
      • Compare and relate
      • Find trend / pattern
      • Predict
      • Find anomaly

  15. VISUAL ANALYTICS:
    INTERACTIVE VISUAL INTERFACE
    FOR DECISION MAKING

  16. Visual Information Seeking “Mantra”
    -Ben Shneiderman
    • Overview data using charts, dashboard, tables: see all
    relevant data
    • Find pattern, trend, outlier, correlation
    • Sort by rank
    • Group similar features
    • Zoom and filter: select only interesting ones
    • Details on Demand: details of the selected alert

  17. DATA -> VISUALIZATION
    Multivariate
      Data: packet capture / tcp dump from network sensors, server logs,
      operating system logs, firewall logs (host-based intrusion detection
      system); data with multiple variables like ip, port, packet size, time, etc.
      Visualization: table, scatter plot, bubble chart, parallel coordinates
    Relational / Hierarchical
      Data: network data flow from routers, connections between IPs and hosts;
      top-down hierarchy of the system (network-based intrusion detection system)
      Visualization: node-link diagram, matrix diagram; pie chart, treemap
    Temporal
      Data: log files, activity events over time
      Visualization: line chart, time series, timeline, histogram, sparklines
    Source: Designing the User Interface, 4th Edition, Ben Shneiderman and Catherine Plaisant

  18. NETWORK

  19. VAST 2012 Challenge Data: 2 days of flow data
    Nodes sized by in-degree

  20. (no transcribable text)

  21. Color coded: showing only top 25% strong links
    Links color coded by strength: red low, green high

  22. Color coded: showing only top 10% strong links
    Filtered out weak links to declutter network

  23. Color coded: showing only top 5% strong links
    DDoS attack ?

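
The link-filtering sequence on slides 19 to 23, as an added example that is not code from the talk: flow records are collapsed into directed links weighted by connection count, only the strongest fraction of links is kept (the 25%, 10% and 5% cut-offs of the slides), and the destinations that still hold a large fan-in after the filter are reported. The flow records, the host addresses and the attack pattern (20 sources each opening 30 connections to 10.0.0.50) are constructed for the example.

```python
"""Flow-graph triage as on the VAST 2012 slides: weight links, keep the strongest
fraction, size nodes by in-degree and look for the hub that survives the filter.
Added example, not code from the talk; the flow records are constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str]   # (source IP, destination IP): one record per connection


def constructed_flows() -> List[Flow]:
    """Constructed flow log: eight internal hosts with 1-3 connections per pair,
    plus 20 external addresses that each open 30 connections to 10.0.0.50."""
    flows: List[Flow] = []
    internal = [f"10.0.1.{i}" for i in range(1, 9)]
    for i, src in enumerate(internal):
        for dst in internal:
            if src != dst:
                flows.extend([(src, dst)] * (1 + i % 3))
    for i in range(1, 21):
        flows.extend([(f"192.0.2.{i}", "10.0.0.50")] * 30)
    return flows


FLOWS = constructed_flows()


def link_strength(flows: Iterable[Flow]) -> Dict[Flow, int]:
    """Collapse individual records into directed links weighted by connection count.
    Counting connections rather than bytes matters here: a flood of small flows is
    strong by count but would vanish from a bytes-weighted 'strong links' view."""
    return dict(Counter(flows))


def keep_top_links(strength: Dict[Flow, int], fraction: float) -> Dict[Flow, int]:
    """The zoom-and-filter step: keep only the strongest `fraction` of links."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    ranked = sorted(strength.items(), key=lambda kv: kv[1], reverse=True)
    return dict(ranked[: max(1, round(len(ranked) * fraction))])


def in_degree(strength: Dict[Flow, int]) -> Counter:
    """Distinct sources per destination, the quantity the slides size nodes by."""
    return Counter(dst for (_, dst) in strength)


def fan_in_after_filter(flows: Iterable[Flow], fraction: float) -> List[Tuple[str, int]]:
    """Destinations ranked by fan-in once only the strongest links are kept.
    A single host holding most of the surviving in-edges is the 'star' that
    slide 23 labels as a possible DDoS; it is a lead to investigate, not a verdict."""
    kept = keep_top_links(link_strength(flows), fraction)
    return in_degree(kept).most_common()


if __name__ == "__main__":
    print("unfiltered in-degree:", in_degree(link_strength(FLOWS)).most_common(3))
    for frac in (0.25, 0.10, 0.05):
        print(f"top {frac:.0%} links ->", fan_in_after_filter(FLOWS, frac)[:3])
```

Two caveats a practitioner should keep in mind when reading the filtered picture: a legitimately busy service (a DNS resolver, a proxy, a domain controller) is also a hub, so the fan-in should be compared against a baseline window before it is called an attack; and any "strongest links" filter hides low-and-slow traffic, which is exactly why the unfiltered in-degree is printed alongside.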
  24. DDoS attack (illustration from Wikipedia)

  25. CONTENT OF PACKETS

  26. Network Packet Sensing Rule

  27. Network Packet

  28. (no transcribable text)

  29. PACKET LABELING

  30. (no transcribable text)

  31. (no transcribable text)

  32. Distraction!
    Real target!

  33. PORT ANALYSIS

  34. Axes: Target IP / Source IP

  35. Axes: Target IP / Source IP

  36. (no transcribable text)

  37. EVENT LOG

  38. System events log

  39. Event timeline

  40. Details on demand

  41. TIME SERIES OF EVENTS

  42. (no transcribable text)

  43. ANOMALY DETECTION
    Login attempts in the system
    Events in network (rendered using Grafana)
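
The login-attempt time series behind slide 43, as an added example that is neither the talk's code nor its Grafana setup: it parses sshd-style authentication lines, bins failed logins per minute with empty minutes filled in as zero, flags minutes that sit far above a median/MAD baseline, and then produces the details-on-demand view for a flagged minute (which source and which target account). The log lines, the one-hour window, the 40-attempt burst at 09:42 and the threshold of five robust deviations are all constructed for the example; the MAD-equals-zero handling is the one failure mode a sparse login series reliably hits.

```python
"""Login-attempt time series with robust anomaly flagging and details on demand.
Added example, not the talk's code; the log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    ip: str


# sshd-style password outcome lines; any other sshd message is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+ ssh2$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"
BIN_FMT = "%Y-%m-%dT%H:%M"


def constructed_log() -> List[str]:
    """One hour of constructed lines: a failed login every 4 minutes, a successful
    one every 10, and a 40-attempt burst against 'admin' from one address at 09:42."""
    start = datetime(2017, 6, 28, 9, 0, 0)
    lines = []
    for m in range(60):
        t = (start + timedelta(minutes=m)).strftime(TS_FMT)
        if m % 4 == 0:
            lines.append(f"{t} sshd[1200]: Failed password for alice from 10.0.1.5 port 50001 ssh2")
        if m % 10 == 0:
            lines.append(f"{t} sshd[1200]: Accepted password for bob from 10.0.1.9 port 50002 ssh2")
    for s in range(40):
        t = (start + timedelta(minutes=42, seconds=s)).strftime(TS_FMT)
        lines.append(f"{t} sshd[1300]: Failed password for invalid user admin "
                     f"from 203.0.113.7 port {40000 + s} ssh2")
    lines.append("2017-06-28T09:05:01 sshd[1200]: Connection closed by 10.0.1.5 port 50001")
    return lines


LOG = constructed_log()


def parse_auth_log(lines: List[str]) -> List[AuthEvent]:
    """Keep password outcomes; unmatched lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.strptime(m["ts"], TS_FMT),
                                    m["outcome"], m["user"], m["ip"]))
    return events


def failures_per_minute(events: List[AuthEvent]) -> Dict[str, int]:
    """Time series of failed logins, one bin per minute between the first and last
    event. Empty minutes are emitted as 0 so the chart and the detector see gaps
    instead of a silently shortened series."""
    if not events:
        return {}
    first = min(e.ts for e in events).replace(second=0)
    last = max(e.ts for e in events).replace(second=0)
    counts: Dict[str, int] = {}
    t = first
    while t <= last:
        counts[t.strftime(BIN_FMT)] = 0
        t += timedelta(minutes=1)
    for e in events:
        if e.outcome == "Failed":
            counts[e.ts.strftime(BIN_FMT)] += 1
    return counts


def anomalous_bins(counts: Dict[str, int], k: float = 5.0) -> List[Tuple[str, int, float]]:
    """Bins more than k robust deviations above the median. Median and MAD are used
    instead of mean and standard deviation so a burst does not inflate its own
    baseline. Sparse series often have MAD == 0 (most minutes are empty); flooring
    the scale at 1 keeps the score finite and equal to the raw excess over the median."""
    values = list(counts.values())
    if not values:
        return []
    med = median(values)
    mad = median([abs(v - med) for v in values])
    scale = max(1.4826 * mad, 1.0)
    return [(b, c, (c - med) / scale) for b, c in counts.items() if (c - med) / scale > k]


def details_on_demand(events: List[AuthEvent], bin_label: str) -> List[Tuple[Tuple[str, str], int]]:
    """Drill into one flagged minute: which (source IP, target user) pairs failed."""
    start = datetime.strptime(bin_label, BIN_FMT)
    end = start + timedelta(minutes=1)
    pairs = Counter((e.ip, e.user) for e in events
                    if e.outcome == "Failed" and start <= e.ts < end)
    return pairs.most_common()


if __name__ == "__main__":
    events = parse_auth_log(LOG)
    for label, count, score in anomalous_bins(failures_per_minute(events)):
        print(f"{label}: {count} failures (score {score:.1f})", details_on_demand(events, label))
```

The same three steps are the overview / zoom-and-filter / details-on-demand sequence of slide 16: the per-minute counts are what the dashboard draws, the flagged bins are the filter, and the (source, user) breakdown is the detail an analyst asks for before deciding whether 203.0.113.7 is a brute-force attempt or a misconfigured scanner.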

  44. MODES OF OPERATIONS
    Put it all together in the analysts' workflow:
    • Contextual views
    • Dashboard for overview
    • Visual analytics with multiple coordinated views
    • Situational awareness for immediate assessment

  45. DASHBOARDS

  46. Example: SPLUNK

  47. (no transcribable text)

  48. MULTIPLE COORDINATED
    VISUALIZATIONS

  49. TempoViz

  50. Alerts aggregated over time, split into low, mid and high priority

  51. SITUATIONAL AWARENESS

  52. Situation awareness is the ability to:
    • assess data
    • evaluate options
    • make decisions in a timely manner.

  53. VIZSEC:
    WORKSHOP ON SECURITY VISUALIZATION

  54. CYNOMIX
    Gove et al., VizSec 2014
    Find similar malware

  55. Visualizing the Insider Threat
    http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F07312772.pdf%3Farnumber%3D7312772
    Interactive PCA of user activity
    Anomalous cluster

  56. TAKE AWAY
    • (Machine + Human) > Machine || Human.
    • Bridge the gap between security experts and dataviz experts.
    • Provide contextual clues to the analysts.
    • Integrate visual analytics into the analyst workflow.
    • Make room for scalability and efficiency.
    • Avoid visual representations that require a lot of explanation.
    • Choose a network layout that avoids edge crossings and node overlap.
    • Aggregation of data should be obvious.