BURN: Baring Unknown Rogue Networks

Manual analysis of security-related events is still a necessity for investigating non-trivial cyber attacks. The task is particularly hard when the events involve the slow, stealthy and large-scale activity typical of modern cybercriminals' strategies. Visualization tools can effectively help analysts in such investigations. In this paper we present BURN, an interactive visualization tool that displays autonomous systems exhibiting rogue activity and helps analysts find misbehaving networks through visual and interactive exploration. Up to seven values are displayed in a single visual element while avoiding cumbersome and confusing maps: animations and alpha channels are leveraged to create simple views that highlight relevant activity patterns. In addition, BURN incorporates a simple algorithm for identifying migrations of nefarious services across autonomous systems, which can support, for instance, root-cause analysis and law-enforcement investigations.


BURN: Baring Unknown Rogue Networks

  1. BURN: Baring Unknown Rogue Networks. Visualization as a tool for analyzing the behaviour of malicious networks. Francesco Roveta (francesco.roveta@mail.polimi.it), Luca Di Mario (luca.dimario@mail.polimi.it), Federico Maggi (fmaggi@elet.polimi.it), Giorgio Caviglia (giorgio.caviglia@polimi.it), Stefano Zanero (zanero@elet.polimi.it), Paolo Ciuccarelli (paolo.ciuccarelli@polimi.it); Politecnico di Milano
  3. Malicious Activity on the Internet: Rogue or Fake Software; AD/Click Fraud; Targeted Attacks; Phishing; Exposing Malicious Hosts . . .
  6. FIRE: FInding RoguE Networks (www.maliciousnetworks.org), funded by the WOMBAT FP7 EU Project
  7. Four top Internet threats: Malware, Botnets, Phishing, Spam
  14. Autonomous System (AS)
  15. FIRE: Per-AS Malicious Activity
      Activity and data source: Malware (Anubis); Botnet (Anubis); Phishing (PhishTank); Spam (SpamHaus)
      Outcome: Overall Malicious Score; many “shady” ISPs exposed; many unaware ISPs helped
  19. Downside?
  21. BURN: Baring Unknown Rogue Networks. Visualization as a tool for analyzing the behaviour of malicious networks. Visualization and Knowledge Discovery on top of FIRE. Aim: Academics, Practitioners, Internet Users
  26. System Overview
  27. System overview: Global view (Bubble chart, Geographical map, Trend chart); AS view; Timeline; Activity filter; AS Tracking List; Country filter
  33. Global view: Bubble chart, Geographical map, Trend chart
  39. Bubble Chart
  44. Geographical Map
  50. Trend Chart
  52. Global view
  53. AS view: Details, History, Migration, Longevity
  56. History Chart
  59. Service Longevity Chart
  63. Service Migration Screen
  68. AS view: Details, History, Migration, Longevity
  69. Rogue behavior analysis
  70. Service Migration: Shutdowns; Possible Migrations
  74. Service Migration - Details: Shutdowns; Possible Migrations
  76. Compatibility Score: Source AS vs Destination AS, compared per activity (C&C, Malware, Phishing, Spam). Compatibility is high when the two ASes host similar levels of each activity and low otherwise.
      Per-activity compatibility, where $\lambda^{(j)}(a)$ is the level of activity $j$ recorded at AS $a$ (the symbol name $\lambda$ is assumed here):
      $$C^{(j)}(s,d) := \frac{\min_{a\in\{s,d\}} \lambda^{(j)}(a)}{\max_{a\in\{s,d\}} \lambda^{(j)}(a)}, \qquad j \in J$$
      Overall compatibility, weighting each activity by its level at the source AS:
      $$C_{s,d} := \frac{\sum_{j\in J} C^{(j)}(s,d)\cdot\lambda^{(j)}(s)}{\sum_{j\in J}\lambda^{(j)}(s)}, \qquad J = \{\text{C\&C}, \text{Malware}, \text{Spam}, \text{Phishing}\}$$
  83. Tolerance to long-living rogue hosts
  87. System overview: AS view; Global view; Timeline; Activity filter; AS Tracking List; Country filter
  88. Timeline and Time Range selection
  90. Activity Filter
  92. Country Filter
  94. Autonomous System Tracking List
  96. Conclusions, Limitations, Future Work
      Conclusions: BURN improves FIRE; knowledge discovery through data exploration; for academics, practitioners and Internet users
      Limitations: migrations are difficult to validate; stress feature to avoid cluttered bubble map
      Future Work: BURN is in private beta (DEMO available); bot meta-data from Anubis for migration analysis; usability study with three target users
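The compatibility score from the Service Migration slides (slides 76 to 82), implemented as an added example that is not code from the BURN project: the per-activity compatibility is the min/max ratio of the two ASes' activity levels, and the overall score weights those ratios by the source AS's own levels. The AS names and activity levels are constructed, and the treatment of ASes with zero activity is an assumption the slides do not state.

```python
"""Compatibility score between a source AS and candidate destination ASes."""
from typing import Dict, Optional, List, Tuple

# Activity classes J from the slides (C&C = botnet command-and-control).
ACTIVITIES = ("C&C", "Malware", "Spam", "Phishing")


def per_activity_compatibility(src: float, dst: float) -> float:
    """C^(j)(s,d) = min(src, dst) / max(src, dst): 1.0 when both ASes host the same
    amount of activity j, approaching 0 when one hosts far more than the other.
    Assumption (not on the slides): 0.0 when neither AS hosts activity j."""
    hi = max(src, dst)
    if hi == 0:
        return 0.0
    return min(src, dst) / hi


def compatibility_score(source: Dict[str, float], dest: Dict[str, float]) -> Optional[float]:
    """C_{s,d}: per-activity compatibilities weighted by the source AS's own levels,
    so the activities the source is known for dominate the verdict.
    Returns None when the source AS has no recorded activity (weights sum to 0)."""
    total_weight = sum(source.get(j, 0.0) for j in ACTIVITIES)
    if total_weight == 0:
        return None
    weighted = sum(
        per_activity_compatibility(source.get(j, 0.0), dest.get(j, 0.0)) * source.get(j, 0.0)
        for j in ACTIVITIES
    )
    return weighted / total_weight


def rank_destinations(source: Dict[str, float],
                      candidates: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Rank candidate destination ASes by compatibility with the source, highest first."""
    scored = [(asn, compatibility_score(source, levels)) for asn, levels in candidates.items()]
    return sorted(((asn, s) for asn, s in scored if s is not None), key=lambda t: -t[1])


# Constructed sample data: host counts per activity class (not FIRE data).
SOURCE_AS = {"C&C": 40, "Malware": 80, "Spam": 10, "Phishing": 0}
CANDIDATES = {
    "AS-A": {"C&C": 40, "Malware": 80, "Spam": 10, "Phishing": 0},   # same profile
    "AS-B": {"C&C": 20, "Malware": 20, "Spam": 40, "Phishing": 5},   # partial overlap
    "AS-C": {"C&C": 0, "Malware": 0, "Spam": 0, "Phishing": 300},    # phishing only
}

if __name__ == "__main__":
    for asn, score in rank_destinations(SOURCE_AS, CANDIDATES):
        print(f"{asn}: compatibility {score:.3f}")
```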
