NAVSEC: A Recommender System for 3D Network Security Visualizations. Troy Nunnally, Kulsoom Abdullah, A. Selcuk Uluagac, John A. Copeland, Raheem Beyah. October 14, 2013. CAP Group, School of ECE. VizSec 2013.
Outline: Introduction, Related Work, Evaluation. Section topics: Security Visualization Overview, Visualization Challenges, Proposed Work, Motivation, Application.
Convert this: textual network traffic from the Tcpdump tool.
Into this: a 2D Parallel Coordinate System. [Figure: four parallel axes, Source IP (0.0.0.0 to 255.255.255.255), Source Port (0 to 65535), Dest. Port (0 to 65535), Dest. IP (0.0.0.0 to 255.255.255.255).]
2D Parallel Coordinate System: Source IP confusion. [Figure: the same four axes, Source IP, Source Port, Dest. Port, Dest. IP.]
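The conversion on the preceding slides, as an added example that is not from the original presentation: each tcpdump line becomes one polyline across the four axes, with every value scaled to [0, 1] between the axis minimum and maximum. The regular expression, function names and sample lines are constructed for illustration and assume IPv4 output from tcpdump -n.

```python
import ipaddress
import re

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port
FLOW_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)
MAX_IP = 2**32 - 1      # 255.255.255.255 as an integer
MAX_PORT = 65535
AXES = ("Source IP", "Source Port", "Dest. Port", "Dest. IP")

def to_polyline(line):
    """Map one tcpdump line to four values in [0, 1], one per axis.

    Returns None for lines without an IPv4 flow that has ports
    (ARP, ICMP, malformed addresses, out-of-range ports).
    """
    m = FLOW_RE.search(line)
    if m is None:
        return None
    src_ip, src_port, dst_ip, dst_port = m.groups()
    try:
        src = int(ipaddress.IPv4Address(src_ip))
        dst = int(ipaddress.IPv4Address(dst_ip))
    except ipaddress.AddressValueError:
        return None
    sp, dp = int(src_port), int(dst_port)
    if sp > MAX_PORT or dp > MAX_PORT:
        return None
    return (src / MAX_IP, sp / MAX_PORT, dp / MAX_PORT, dst / MAX_IP)

def polylines(text):
    """Convert a capture (one tcpdump line per row) to a list of polylines."""
    return [p for p in map(to_polyline, text.splitlines()) if p is not None]

# Constructed sample capture, not taken from the presentation.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 192.168.1.10.21: Flags [S], seq 1, win 65535, length 0
12:00:01.000102 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
12:00:01.000203 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000304 IP 0.0.0.0.0 > 255.255.255.255.65535: UDP, length 0
"""

if __name__ == "__main__":
    for values in polylines(SAMPLE):
        print(dict(zip(AXES, (round(v, 4) for v in values))))
```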
Visualization Challenges. Add interactions to 2D visualizations: introduce interaction techniques such as linking and brushing. Expand the visualization space: add the z-direction (i.e., 3D) to allow more information to be visualized vs. its 2D counterparts.
Visualization Challenges. Many of today's network security applications require a user to perform many interactions within a UI. Add interactions to 2D visualizations: introduce interaction techniques such as color, linking, brushing. Expand the visualization space: add the z-direction (i.e., 3D) to allow more information to be visualized vs. its 2D counterparts.
Visualization Challenges. A large number of interactions could overwhelm or confuse a novice user. Finding visualization steps to complete critical tasks becomes difficult to accomplish and could take years to master. The more complex visualizations become, the more difficult they become to navigate. [Figure: Tenable Nessus 3D Tool [1].]
NAVSEC: A Recommender System for 3D Network Security Visualizations. The objective of this work is to help network administrators navigate through complex visualizations and assist in searching for advanced network attacks.
Motivation. [Figure: interaction path at t=1, t=2, t=3 through t=n toward the visualization goal; visualization from an expert; visualization from an active user; recommend next interaction.]
Applications Background. As a new administrator, you may need guidance to help you find existing or new attacks. Applications: network administrators of companies, military personnel, education/training.
Outline: Introduction, Related Work, Evaluation.
Searching takes time and effort. Also, finding specific uses of a visualization tool for attacks is difficult. Ask an expert: experts cost time and money. Plus, he/she may not always be present.
Recommender systems (e.g., Netflix and Amazon) are used in recommending products and services. Community Command [16] recommends a single interaction for software applications such as AutoCAD. Nimble [21] calculates the similarity for given IDS alerts and historical alerts. To our knowledge, no work has been done in developing a recommender system to help a novice user make intelligent decisions about network attacks in 3D visualization applications.
Outline: Introduction, Related Work, Evaluation. Section topics: Overview, Recommendation Engine, Implementation.
System Overview. Active User: the individual navigating the visualization tool. Expert User Community: a set of users with significant experience in the network security and visualization fields. Interaction Database: a collection of interaction sequences. Recommender: parses the data and computes a set of interactions for recommendation to an active user in real time.
Recommender Engine. We apply recommendations of interactions so that the user can navigate through the visualization more effectively.
Recommendation Engine. Step 1, formulate an interaction vector v_k: v_k = interaction vector for an attack session s_k; n_j = interaction type (zoom, rotate, etc.) for an attack session s_k. Step 2, create a similarity matrix M: v_k = active users, v_h = expert users, M_k = similarity matrix. Step 3, recommend a set of interactions: recommend the interaction sequence with the highest similarity score. [Figure: 3D Parallel Coordinates.]
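One way to implement the three steps above, as an added example that is not NAVSEC's own code: count-based interaction vectors, a similarity matrix between active and expert sessions, and a recommendation taken from the most similar expert session. Cosine similarity, the five interaction types, the function names and the sample sessions are assumptions; the slides do not name the similarity measure.

```python
import math
from collections import Counter

# Interaction types n_j: a constructed subset of the 30 types the slides mention.
TYPES = ["zoom in", "zoom out", "rotate", "add left plane", "add line glyphs"]

def interaction_vector(session):
    """Step 1: v_k, the count of each interaction type n_j in session s_k.
    Interactions not listed in TYPES are ignored."""
    counts = Counter(session)
    return [counts[t] for t in TYPES]

def cosine(u, v):
    """Similarity measure assumed for this example (not named on the slides)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def similarity_matrix(active_sessions, expert_sessions):
    """Step 2: M[k][h] = similarity of active vector v_k to expert vector v_h."""
    experts = [interaction_vector(s) for s in expert_sessions]
    return [[cosine(interaction_vector(a), e) for e in experts]
            for a in active_sessions]

def recommend(active_session, expert_sessions):
    """Step 3: pick the expert session with the highest similarity score and
    return (expert index, score, expert interactions not yet performed)."""
    if not expert_sessions:
        return None
    row = similarity_matrix([active_session], expert_sessions)[0]
    best = max(range(len(row)), key=row.__getitem__)
    done = Counter(active_session)
    remaining = []
    for step in expert_sessions[best]:
        if done[step] > 0:
            done[step] -= 1          # the active user already did this one
        else:
            remaining.append(step)
    return best, row[best], remaining

# Constructed sessions, not data from the presentation.
EXPERTS = [
    ["rotate", "zoom in", "add left plane", "add line glyphs"],
    ["zoom out", "zoom out", "rotate"],
    ["zoom in", "zoom in", "add line glyphs"],
]
ACTIVE = ["rotate", "zoom in"]
```

Calling recommend(ACTIVE, EXPERTS) selects the first expert session and returns the two interactions the active user has not yet performed.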
Implementation. The NAVSEC server uses an Application Programming Interface (API) to receive HTTP requests. The NAVSEC API uses a Model-View-Controller architecture design to assist in code reusability. The NAVSEC server could act as a centralized database for multiple active user clients.
Implementation. NAVSEC contains a client-side C++ component, integrated as a module of FRE3DS, that sends HTTP GET requests of interactions to the server-side application. [Figure: FRE3DS, NAVSEC Module, P3D.] [19] T. Nunnally, A. S. Uluagac, J. Copeland, and R. Beyah, "3DSVAT: 3D Stereoscopic Vulnerability Assessment Tool for Network Security," in Proceedings of the 37th IEEE Conference on Local Computer Networks (LCN), 2012.
Outline: Introduction, Related Work, Evaluation. Section topics: Use-case, Convergence Test.
Use-case: Concurrent FTP transfer.
Use-case: Disguised Port Scan Attack.
Convergence Test. 5 sessions from an active user. 40 interaction vectors from expert users. 30 interaction types (e.g., zoom out, zoom in, rotate, add left plane, add line glyphs). These results suggest that with the use of NAVSEC, visualizations for the P3D tool converge towards an expert user's interaction set.
Outline: Introduction, Related Work, Evaluation. Section topics: Contributions and Summary, Future Work.
Contributions and Summary. NAVSEC uses advanced data mining techniques to recommend interactions. NAVSEC is useful for assisting novice users in navigating 3D visualizations. Our results show that NAVSEC can converge to a meaningful visualization performed by a user.
Future Work. The future work includes: implementation and evaluation of more advanced use-case scenarios (i.e., introduce benign traffic); user testing.
Thank You. Troy.Nunnally@gatech.edu