BURN: Baring Unknown Rogue Networks
Manual analysis of security-related events is still a necessity to investigate non-trivial cyber attacks. This task is particularly hard when the events involve slow, stealthy and large-scale activities typical of the modern cybercriminals' strategy. In this regard, visualization tools can effectively help analysts in their investigations. In this paper, we present BURN, an interactive visualization tool for displaying autonomous systems exhibiting rogue activity that helps at finding misbehaving networks through visual and interactive exploration. Up to seven values are displayed in a single visual element, while avoiding cumbersome and confusing maps. To this end, animations and alpha channels are leveraged to create simple views that highlight relevant activity patterns. In addition, BURN incorporates a simple algorithm to identify migrations of nefarious services across autonomous systems, which can support, for instance, root-cause analysis and law enforcement investigations.

Transcript

  • 1. Francesco Roveta francesco.roveta@mail.polimi.it Politecnico di Milano Luca Di Mario luca.dimario@mail.polimi.it Politecnico di Milano Federico Maggi fmaggi@elet.polimi.it Politecnico di Milano Giorgio Caviglia giorgio.caviglia@polimi.it Politecnico di Milano Stefano Zanero zanero@elet.polimi.it Politecnico di Milano Paolo Ciuccarelli paolo.ciuccarelli@polimi.it Politecnico di Milano BURN BARING UNKNOWN ROGUE NETWORKS Visualization as a tool for analyzing the behaviour of malicious networks
  • 3. Malicious Activity on the Internet
  • 4. Malicious Activity on the Internet Rogue or Fake Software AD/Click Fraud Targeted Attacks Phishing
  • 5. Malicious Activity on the Internet Rogue or Fake Software AD/Click Fraud Targeted Attacks Phishing Exposing Malicious Hosts . . .
  • 6. FIRE: FInding RoguE Networks www.maliciousnetworks.org Funded by WOMBAT FP7 EU Project
  • 7. Four top Internet threats Funded by WOMBAT FP7 EU Project
  • 8. Four top Internet threats
  • 9. Four top Internet threats Malware
  • 10. Four top Internet threats Malware Botnets
  • 11. Four top Internet threats Malware Botnets Phishing
  • 12. Four top Internet threats Malware Botnets Phishing Spam
  • 14. Autonomous System (AS)
  • 15. FIRE: Per-AS Malicious Activity
  • 16. FIRE: Per-AS Malicious Activity Activity Data source
  • 17. Malware Botnet Phishing Spam FIRE: Per-AS Malicious Activity Anubis Anubis PhishTank SpamHaus Activity Data source
  • 18. Malware Botnet Phishing Spam FIRE: Per-AS Malicious Activity Anubis Anubis PhishTank SpamHaus Overall Malicious Score Many “shady” ISPs exposed Many unaware ISPs helped Activity Data source Outcome
  • 19. Downside?
  • 21. BURN BARING UNKNOWN ROGUE NETWORKS Visualization as a tool for analyzing the behaviour of malicious networks
  • 22–25. BURN BARING UNKNOWN ROGUE NETWORKS Visualization as a tool for analyzing the behaviour of malicious networks. Visualization and Knowledge Discovery on top of FIRE. Aim: Academics, Practitioners, Internet Users
  • 26. System Overview
  • 27. Global view
  • 28. AS view Global view
  • 29. AS view Global view Timeline
  • 30. AS view Global view Timeline Activity filter AS Tracking List Country filter
  • 31–32. AS view Global view Timeline Activity filter AS Tracking List Country filter Bubble chart Geographical map Trend chart
  • 33–38. Global view Bubble chart Geographical map Trend chart
  • 39. Bubble Chart
  • 44. Geographical Map
  • 50. Trend Chart
  • 52. Global view
  • 53. AS view
  • 54–55. AS view Details History Migration Longevity
  • 56. History Chart
  • 59. Service Longevity Chart
  • 63. Service Migration Screen
  • 68. Details History Migration Longevity AS view
  • 69. Rogue behavior analysis
  • 70. Service Migration
  • 71–73. Service Migration (chart residue removed; the chart's annotations read "Shutdowns" and "Possible Migrations")
  • 74–75. Service Migration - Details (chart annotations: "Shutdowns", "Possible Migrations")
  • 76–80. Compatibility Score: Source AS vs Destination AS, compared per activity (C&C, Malware, Phishing, Spam), with one example of "High compatibility" and one of "Low compatibility" (the bar charts are not recoverable from the transcript)
  • 81–82. Compatibility Score, formulas as shown on the slides (the base symbol of the per-activity measure did not survive extraction and is written here as the placeholder $\phi$):

    $$C^{(j)}(s,d) := \frac{\min_{a\in\{s,d\}} \phi^{(j)}(a)}{\max_{a\in\{s,d\}} \phi^{(j)}(a)}, \qquad j \in J = \{\text{C\&C}, \text{Malware}, \text{Spam}, \text{Phishing}\}$$

    $$C_{s,d} := \frac{\sum_{j\in J} C^{(j)}(s,d)\cdot\phi^{(j)}(s)}{\sum_{j\in J}\phi^{(j)}(s)}$$
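The compatibility score of slides 81–82, worked through in code as an added example (not the authors' or BURN's own code). The per-activity measure's symbol is lost in the transcript, so it is assumed here to be a non-negative count per category, and the AS names and counts are constructed sample data.

```python
# Activity categories compared by the score (slide 78: C&C, Malware, Phishing, Spam).
CATEGORIES = ("C&C", "Malware", "Spam", "Phishing")

# Constructed sample: per-AS activity level per category. Assumption: the
# measure is a non-negative count (e.g. rogue hosts of that category seen in the AS).
SAMPLE_ACTIVITY = {
    "AS-source":    {"C&C": 40, "Malware": 120, "Spam": 5,   "Phishing": 0},
    "AS-similar":   {"C&C": 35, "Malware": 100, "Spam": 8,   "Phishing": 2},
    "AS-different": {"C&C": 0,  "Malware": 3,   "Spam": 200, "Phishing": 60},
}


def per_activity_score(a_s, a_d):
    """C^(j)(s,d) = min(a_s, a_d) / max(a_s, a_d).

    Edge case: when both ASes show no activity of this kind the slide formula
    divides 0 by 0; treating that as 0 keeps the category from contributing.
    """
    hi = max(a_s, a_d)
    return min(a_s, a_d) / hi if hi > 0 else 0.0


def compatibility(activity, s, d, categories=CATEGORIES):
    """C_{s,d}: per-category scores averaged with the SOURCE AS's activity as weights.

    Because the weights come from s only, the score is asymmetric: a destination
    that mirrors the source's dominant activities scores high even if it also
    hosts much of something the source never did.
    """
    total = sum(activity[s][j] for j in categories)
    if total == 0:
        return 0.0  # source AS shows no activity at all; nothing could have migrated
    weighted = sum(per_activity_score(activity[s][j], activity[d][j]) * activity[s][j]
                   for j in categories)
    return weighted / total


def rank_destinations(activity, s):
    """Rank every other AS as a candidate destination for a migration out of s."""
    scores = ((d, compatibility(activity, s, d)) for d in activity if d != s)
    return sorted(scores, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for dest, score in rank_destinations(SAMPLE_ACTIVITY, "AS-source"):
        print(f"AS-source -> {dest}: C = {score:.3f}")
```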
  • 83. Tolerance to long-living rogue hosts
  • 87. AS view Global view Timeline Activity filter AS Tracking List Country filter
  • 88. Timeline and Time Range selection
  • 90. Activity Filter
  • 92. Country Filter
  • 94. Autonomous System Tracking List
  • 96. Conclusions Limitations Future Work
  • 97. BURN improves FIRE Knowledge discovery through data exploration Academics / Practitioners / Internet users Conclusions Limitations Future Work
  • 98. BURN improves FIRE Knowledge discovery through data exploration Academics / Practitioners / Internet users Conclusions Migrations are difficult to validate Stress feature to avoid cluttered bubble map Limitations Future Work
  • 99. BURN improves FIRE Knowledge discovery through data exploration Academics / Practitioners / Internet users Conclusions Migrations are difficult to validate Stress feature to avoid cluttered bubble map Limitations BURN is in private beta — DEMO available Future Work Bot meta-data from Anubis for migration analysis Usability study with three target users
  • 100. Francesco Roveta francesco.roveta@mail.polimi.it Politecnico di Milano Luca Di Mario luca.dimario@mail.polimi.it Politecnico di Milano Federico Maggi fmaggi@elet.polimi.it Politecnico di Milano Giorgio Caviglia giorgio.caviglia@polimi.it Politecnico di Milano Stefano Zanero zanero@elet.polimi.it Politecnico di Milano Paolo Ciuccarelli paolo.ciuccarelli@polimi.it Politecnico di Milano BURN BARING UNKNOWN ROGUE NETWORKS Visualization as a tool for analyzing the behaviour of malicious networks
