
SANS ISC: Network Visualization - Internet Security | DShield SANS ISC InfoSec Forums


Network Visualization

One area of interest that I have is network visualization.  What I'm referring to is being able to visually see the traffic flows and patterns to determine anomalies or events of interest.  We have so much information with our networks today that it is difficult to process all of it.  The trend seems to be getting worse and reverting back to my good ole Army days of "Do more with less".  With the economic times we live in, it always seems that security is one area that takes a hit.  So, we have to work smarter, and network visualization is one area that I think has great potential, but seems to be very underdeveloped.

I haven't explored what's out there in a couple of years.  What was out there that I experimented with were tools such as:

  • Time-based Network Traffic Visualizer (TNV)
  • NVisionIP
  • Spinning Cube of Potential Doom
  • VisFlowConnect
  • FlowTag
  • InetVis

However, these tools had a long way to go before they could really be effective on a large scale.  Some were Java-based and SLOW (others were just slow) when processing any significant amount of data.  However, what they did do was pretty impressive for being able to visually make sense of a pcap file or your netflow data.  They work great for looking at small chunks of traffic and helping immediately see anomalies.  If this could just be channeled into a near real-time scenario for monitoring networks, that would be fantastic.

I did some quick Google searches and didn't turn up anything new in this arena.  If anyone has any experience with network visualization or knows of any tools or work being done, please let us know.

Lorna

165 Posts
ISC Handler
The following blog is in Spanish but it has a lot of information about network visualization tools like Xplot, Xtraffic, TShark, ... http://seguridadyredes.nireblog.com/
Anonymous
Make haste to the console:
iftop
pktstat
James

34 Posts
you touched upon a subject close to my heart as well and wanted to share open source Sguil (pronounced sgweel) tool but have not had a chance to play with it yet. Seems promising and if anyone has used it would love to hear about their experience.

http://sguil.sourceforge.net/

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
James
1 Posts
One robust software is Network Instrument's Observer - http://www.networkinstruments.com/products/observer/.
This is a very powerful solution when used in conjunction with GigaStor (from the same company).
They have a demo for download at http://www.netinst.com/downloads/observer_form.html
James
1 Posts
Check out CACE Pilot.

http://www.cacetech.com/products/cace_pilot.html
Steve

3 Posts
For folks with the $$, Arbor Networks' Peakflow devices do a good job of presenting visually network monitoring done through Netflow. There are other Netflow tools out there, of course, including free ones, but I haven't had the chance to play w/ any. I'd like to hear any recommendations.
Hal

50 Posts
One of the coolest things I've ever seen was the look on my boss' face as an SSH scan of our network happened WHILE I was showing him how BSOD worked... http://research.wand.net.nz/software/visualisation.php
Henry

3 Posts
Intermapper (http://www.intermapper.com/)

We have used it for over a decade.
Jeff

3 Posts
This may be a crude solution in comparison to fancier netflow-based stuff, but if all you want to see is bandwidth utilization, I've been using nagios with mklivestatus and nagvis (http://www.nagvis.org/) to overlay a network diagram with icons and "weathermap lines" with performance data from nagios. So at a glance at the "WAN Dashboard" I can tell which links are being utilized the most (each link's stats update once a minute). In a complicated WAN environment it's almost a sort of nagios lava-lamp. :-)

One nice thing about this is I can use the same tools for making (and viewing) dashboards for WAN connectivity, LAN router/switch connectivity in each office, or even SAN Fabrics.

Of course it doesn't show you what the traffic is or what ports/protocols are in use, but it's a start.
Brent

118 Posts
There was a presentation at Defcon in 2009 about network security visualization by Raffael Marty.
He has a book, and a blog at http://raffy.ch/blog/

Also see http://secviz.org/

BJ
Brent
28 Posts
I suggest checking out the recent proceedings of the VizSec symposium (http://www.vizsec.org/). Most of the tools mentioned in this article have been published in VizSec.

There have been recent advances in real-time network monitoring. One particular system that visualizes large networks and incorporates machine learning for drawing attention to anomalous traffic is described in "Real-Time Visualization of Network Behaviors for Situational Awareness" by Best et al.

Brent
1 Posts
We are lucky enough to have a talented network engineer who is very interested in network visualization. He has created a couple neat visualization tools. The CIDR IPVisualizer and the Organic Visualizer.

The CIDR IPVisualizer is a visualization in which a CIDR range of IP addresses are represented as dots on a screen. The shape, intensity, and color of the dot indicate the direction, count, and type of the traffic, respectively. This project is described at:
https://it.wiki.usu.edu/IPVisualizer
Here is a sample movie of activity at the border of an academic /16:
http://mirror.usu.edu/oip/ipvisualizer/sample1.avi

The Organic Visualizer (OIP) is a visualization in which individual machine IPs are placed randomly on a display, and packets are visualized as different sized dots flowing from one machine to another.

The OIP project is described at: https://it.wiki.usu.edu/OIP

The CIDR IPVisualizer was originally designed to monitor the status of our /16. It supports 3 mapping styles:
1) Linear. In this mapping, the 'Y' axis is the 3rd octet of the IP and the 'X' axis is the 4th octet of the IP.
2) XKCD. This uses the mapping algorithm from http://xkcd.com/195/
3) /24 blocks. This represents a /24 as a 16x16 block of display elements. Each display element represents an IP address. These IP display elements are laid out left to right, then bottom to top. A /16 is represented by laying out 16 rows of 16 columns of /24 blocks.

We tried each of these mapping styles for a while. We stay with the /24 block style, because this mapping closely matches our allocation scheme for our IP address space.

This screenshot shows both visualizers in use today:
http://singsing.usu.edu/images/20110214Normalb.jpg

This screenshot was taken at the end of the day. On-campus use is dwindling. External use of the Web and VPN servers is picking up.

The CIDR visualizer is on the right. It integrates input from 3 data sources:
1) The white boxes are the current CIDR sub-allocations on all our router interfaces. We sub-allocate CIDR blocks for various projects or buildings. The sizes of our various sub-allocations vary from /30s up to /20s.
2) The Green|Red|Blue dots are individual IP address display elements. The elements are driven by a data collector that is located on a monitor (SPAN) port at the border. The element blinks Green when the associated IP is sending or receiving TCP packets. It blinks Red for UDP. It blinks Blue for other (usually ICMP). It merges the colors if the IP handles a mixture of protocols during the current sample interval. So, mixed protocols like Skype and BitTorrent have characteristic yellow or orange colors on this visualizer.
3) The white snowflakes are driven by reject logging on the border firewall. Every time the border rejects a packet, a white 'x' pattern is overlaid on the associated IP display element.

If you look closely at the CIDR Visualizer, you can see that there is a pattern of white 'snowflakes' scattered across the entire /16. The pattern is that most of them are concentrated in the bottom /25 of each /24. These blocked packets are generated by remote Conficker-infested hosts.

The two boxes on the left are Organic Visualizers (OIPs). These visualizers are driven by a data collector that is located on a monitor (SPAN) port at the border. We configure OIP by specifying a TCPDump filter. The OIP moving particles have the same color scheme as the CIDR Visualizer. Green for TCP, red for UDP, Blue for other. The OIP endpoints may also be colored, if you wish.

The top OIP is monitoring "host www.usu.edu and port 80". You can see that this is DNS load-balanced across two serving IPs.

The bottom OIP is monitoring "host vpn.usu.edu". This monitors connections to our VPN server. You can see that VPN connections primarily occur via UDP (UDP/500 and UDP/4500). There are also a small number of IPSec and SSL connections.

Here is a screenshot from a few hours earlier:
http://singsing.usu.edu/images/20110214Scan1b.jpg

In the above screenshot, the CIDR Visualizer is dominated by the effects of a rapid portscan (about 20K PPS) for a blocked service (TCP/445). The portscan had covered just over 1/2 of our /16 when I took the screenshot.

Here is a screenshot of an unblocked scan:
http://singsing.usu.edu/images/20110214Scan80b.jpg

In this screenshot, the CIDR Visualizer is dominated by a fast moving (about 10K PPS) TCP/80 scan. These packets were not blocked by the border firewall. The relative brightness of the map elements as the scan traverses them shows which IPs respond to the probe.

This screenshot shows a rather pretty scan for MySQL (TCP/UDP/3306) from today:
http://singsing.usu.edu/images/20110214MySQLScanB.jpg

This was another high speed scan. About 30K PPS. The MySQL port is blocked at the border, so the CIDR Visualizer painted this scan with white 'x's. In this scan the attacker did not try to test every IP. Instead, he appeared to test every 17th (or so) IP. It appears that the attacker is more interested in speed and in finding unblocked ranges than in finding individual IPs.

The code for these visualizers is available on the above sites. It is licensed GPL. It is written in C. The native environment is Linux. The developer has gotten it running on Windows and OSX, but Linux is his primary interest. If you wish to get it running, you will probably need to have an experienced FOSS person contact our developer.

Miles
Brent
3 Posts
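As an added example for the post above (my own illustration, not the USU IPVisualizer or OIP source), here are the three /16 layouts, the TCP/UDP/other colour merge, and the firewall-reject overlay in Python, plus two simple reads of the painted data: the share of rejects landing in the bottom /25 of each /24, and the dominant stride of a sparse scan. Assumptions of mine: the xkcd/195 layout is taken to be a Hilbert curve over the 16 host bits on a 256x256 grid, the /24 blocks of the /16 are laid out in the same left-to-right, bottom-to-top order as the elements inside a block, and the reject lines are constructed in an iptables-like format.

```python
# Illustration written for this thread, not the USU IPVisualizer/OIP code.
import functools
import ipaddress
import re

# Colour scheme from the post: green = TCP, red = UDP, blue = anything else.
PROTO_COLOUR = {"TCP": (0, 255, 0), "UDP": (255, 0, 0)}
OTHER_COLOUR = (0, 0, 255)


@functools.lru_cache(maxsize=None)
def _net(base):
    net = ipaddress.ip_network(base, strict=False)
    if net.prefixlen != 16:
        raise ValueError("these layouts assume a /16 display")
    return net


def low16(ip, base):
    """(third octet, fourth octet) of ip relative to the /16 given by base."""
    net, addr = _net(base), ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {base}")
    off = int(addr) - int(net.network_address)
    return off >> 8, off & 0xFF


def linear_xy(ip, base):
    """Style 1 (linear): X = 4th octet, Y = 3rd octet."""
    o3, o4 = low16(ip, base)
    return o4, o3


def hilbert_xy(ip, base, side=256):
    """Style 2 (xkcd/195): Hilbert curve, ASSUMED here to index the 16 host bits
    along a 256x256 curve. Standard d2xy iteration, d = position on the curve."""
    o3, o4 = low16(ip, base)
    d, x, y, s = (o3 << 8) | o4, 0, 0, 1
    while s < side:
        rx = 1 & (d >> 1)
        ry = 1 & (d ^ rx)
        if ry == 0:  # reflect/rotate the sub-square before stepping out of it
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x, y, d, s = x + s * rx, y + s * ry, d >> 2, s << 1
    return x, y


def block_xy(ip, base):
    """Style 3 (/24 blocks): each /24 is a 16x16 block filled left to right then
    bottom to top; the /16 is 16 rows of 16 columns of blocks (ASSUMED to be filled
    the same way). Y grows upward, so y=0 is the bottom of the display."""
    o3, o4 = low16(ip, base)
    return (o3 % 16) * 16 + o4 % 16, (o3 // 16) * 16 + o4 // 16


STYLES = {"linear": linear_xy, "xkcd": hilbert_xy, "blocks": block_xy}


def merge_colour(a, b):
    """Per-channel max, so an element seeing both TCP and UDP renders yellow."""
    return tuple(max(p, q) for p, q in zip(a, b))


# Constructed iptables-style reject lines (made up for this example).
REJECT_RE = re.compile(r"DST=(\S+) PROTO=(\S+)")
LOG = "Feb 14 17:02:{:02d} border kernel: REJECT IN=eth0 SRC={} DST={} PROTO={}"
SAMPLE_REJECTS = [
    LOG.format(11, "198.51.100.7", "10.20.1.5", "TCP DPT=445"),
    LOG.format(11, "198.51.100.7", "10.20.1.70", "TCP DPT=445"),
    LOG.format(12, "198.51.100.7", "10.20.2.33", "TCP DPT=445"),
    LOG.format(12, "203.0.113.9", "10.20.2.33", "UDP DPT=3306"),
    LOG.format(13, "198.51.100.7", "10.20.9.100", "TCP DPT=445"),
    LOG.format(14, "192.0.2.44", "10.20.3.200", "ICMP"),
]
# A constructed sparse scan that touches every 17th address of the /16.
SCAN_REJECTS = [LOG.format(i % 60, "203.0.113.9",
                           f"10.20.{(17 * i) >> 8}.{(17 * i) & 255}", "TCP DPT=3306")
                for i in range(40)]


def parse_reject(line):
    m = REJECT_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def render(lines, base="10.20.0.0/16", style="blocks"):
    """One display element per destination IP: hit count plus merged colour
    (the post's white 'x' overlay, here also carrying the protocol colour)."""
    xy, canvas = STYLES[style], {}
    for dst, proto in filter(None, map(parse_reject, lines)):
        cell = canvas.setdefault(xy(dst, base), {"hits": 0, "colour": (0, 0, 0)})
        cell["hits"] += 1
        cell["colour"] = merge_colour(cell["colour"], PROTO_COLOUR.get(proto, OTHER_COLOUR))
    return canvas


def bottom_25_share(lines, base="10.20.0.0/16"):
    """Fraction of rejects in the bottom /25 (last octet < 128) of their /24."""
    o4s = [low16(r[0], base)[1] for r in map(parse_reject, lines) if r]
    return sum(o4 < 128 for o4 in o4s) / len(o4s) if o4s else 0.0


def scan_stride(lines, base="10.20.0.0/16"):
    """Most common gap between successive reject destinations (as /16 host
    offsets); a sparse high-speed scan shows up as one dominant stride."""
    pairs = (low16(r[0], base) for r in map(parse_reject, lines) if r)
    offs = [o3 * 256 + o4 for o3, o4 in pairs]
    gaps = [b - a for a, b in zip(offs, offs[1:]) if b != a]
    return max(set(gaps), key=gaps.count) if gaps else 0
```

With the block layout, the bottom /25 of a /24 is simply the lower eight rows of its 16x16 block, which is why the Conficker pattern described above stands out at a glance; `bottom_25_share` turns the same observation into a number you can alert on, and `scan_stride` does the same for the "every 17th IP" scan.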
It's probably a bit crude compared to the other tools, but ipaudit (http://ipaudit.sourceforge.net/) is free and we've run it for a couple of years on the Internet link here and it does a good job of flagging scans (especially outbound!) and big up/downloads. It only needs a fairly low spec Linux box - we recycled a junked rack server - and some basic setup info on your networks.
Brent
1 Posts
Nexthink, a Swiss company, provides a network visualization / analysis tool (unfortunately, it works only from Windows client machines, but it is quite interesting).

www.nexthink.com for more info.
Brent
1 Posts
I've actually developed software called Picviz; a free open-source version is available from http://www.wallinfire.net/picviz .
Then I started a company to support huge real-time events called Picviz Labs http://www.picviz.com

The idea is to use parallel coordinates visualization to handle quite a lot of logs, database or network traffic data.

I published a paper around the techniques behind that "Applied parallel coordinates for logs and network traffic attack analysis" http://www.springerlink.com/content/xjp0416377270r85/ .
Brent
1 Posts
I use an enterprise level Netflow based network behavioral analysis system by Lancope (http://www.lancope.com) in a global environment which allows extremely detailed traffic visualization and flow analysis in the new version 6.0 which was just released.
Anonymous
Sorry it took so long for me to comment but you REALLY need to check out NetWitness Investigator. http://www.netwitness.com/products/investigator.aspx
I haven't actually messed with it much lately but it is rather impressive how it is able to break the traffic down into sessions and filter through the traffic based on any criteria you choose...
John

10 Posts
