The Spinning Cube of Potential Doom
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
Can anyone explain the data we're seeing? (Score:2, Insightful)
--AC
I wonder.... (Score:5, Insightful)
Here's [nersc.gov] the 31 meg AVI if you want to make it spin faster.
I beg to differ (Score:5, Insightful)
I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
Re:I beg to differ (Score:5, Insightful)
Having a shiny toy with brightly coloured lights on it is a vital part of that exercise for many of us. We NEED this. We NEED it to have the Fisher-Price logo on it and play short musical bits when you push on the buttons. We NEED to be able to say "Here is a pretty picture. You like pretty pictures, don't you? The brightly coloured parts show bad people. Oooh, brightly coloured. Look at the picture. Do you like the picture? Good, now there are a few things we need to discuss about next year's budget..."
Automated monitoring systems that handle problems for you make you (and themselves) look unnecessary. Pretty pictures with lights can be used to show everybody you work for just how important you really are.
Re:virtual ICE? (Score:3, Insightful)
Re:Can anyone explain the data we're seeing? (Score:4, Insightful)
If there was an attack in progress, it would be some sort of procedural scan from one external system (a single Z location, or a constant depth in the example) across the LAN address space (going left to right) and/or the ports on a single LAN system (going up and down). A simple port scan would be a solid vertical line, as the attacker hit each port on a single system in sequence (Z and X constant, Y varying). I think there's one of these visible in the example, in the back; this short vertical line would be an attacker hitting all the privileged service ports between 0 and 1024. A more advanced attack pattern would attempt to randomize the ports it scanned or hit several different IPs - in a text log, this would be very hard to pick out from the "random" connections that a normal busy LAN is also handling, so the attacker could go undetected for some time. But on the Cube, this would appear as a filigree of closely packed dots all at the same depth (Z would be constant, X and Y varying), and would be immediately obvious to a human viewer.
This isn't really meant to convey detailed information, it's just supposed to let the admin see at a glance that something suspicious may be happening, by making the data easier to examine as a whole.
Re:What a pity it will not be useful for too long. (Score:2, Insightful)
Now, the "barbwire" scan tries a port on each host. This could be made less distinguishable by randomizing the port, rather than using linearly increasing port numbers for the IP range, which produces the evil-looking diagonal slashes in the picture.
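The two comments above describe how scans show up once connections are plotted as cube points: a single-host port scan is a vertical line (one LAN host, many ports, one source), a "barbwire" sweep is a diagonal slash (one port per host, ports increasing with the address), and a sweep with randomized ports is a filigree of dots at a single source depth. The script below is an added illustration, not the Cube's own code or anything from Bro or NERSC: it maps constructed connection records (field order modelled on Bro's conn log, an assumption) onto the X = LAN host, Y = port, Z = external source axes and classifies each source by the geometry of its points, so that the randomized variant is caught by the same rule as the linear one.

```python
import random
from collections import defaultdict

# Constructed sample records in the shape (orig_h, resp_h, resp_p), i.e. source
# address, destination address, destination port. These are made-up values
# using documentation address ranges, not captured traffic.
_rng = random.Random(7)
SAMPLE_RECORDS = [
    # One external source walking the privileged ports of a single LAN host:
    # on the cube this is a vertical line (X and Z constant, Y varying).
    *[("203.0.113.5", "10.0.0.20", p) for p in range(1, 1025, 8)],
    # A "barbwire" sweep: one port per LAN host, port increasing with the
    # host address, which draws a diagonal slash at one source depth.
    *[("198.51.100.9", f"10.0.0.{h}", 1000 + h) for h in range(1, 40)],
    # The same kind of sweep with randomized ports: a filigree of dots at one Z.
    *[("198.51.100.77", f"10.0.0.{_rng.randrange(1, 200)}", _rng.randrange(1, 65536))
      for _ in range(60)],
    # Ordinary background traffic that should not be flagged.
    ("192.0.2.1", "10.0.0.3", 80),
    ("192.0.2.2", "10.0.0.7", 443),
    ("192.0.2.3", "10.0.0.9", 22),
]


def to_cube(records):
    """Map (src, dst, port) records to cube points (x, y, z).

    x = LAN host (last octet of the destination), y = destination port,
    z = the external source address.
    """
    return [(int(dst.rsplit(".", 1)[1]), port, src) for src, dst, port in records]


def _is_linear(xy):
    """True when all (x, y) points lie on one straight line with non-zero dx."""
    pts = sorted(set(xy))
    if len(pts) < 3:
        return False
    (x0, y0), (x1, y1) = pts[0], pts[1]
    dx, dy = x1 - x0, y1 - y0
    # Integer cross-multiplication avoids floating-point slope comparisons.
    return dx != 0 and all((y - y0) * dx == (x - x0) * dy for x, y in pts)


def classify_sources(points, min_points=8):
    """Group points by source depth (Z) and name the shape each source draws.

    Sources with fewer than min_points connections are treated as background.
    """
    by_z = defaultdict(list)
    for x, y, z in points:
        by_z[z].append((x, y))

    verdicts = {}
    for z, xy in by_z.items():
        if len(xy) < min_points:
            continue
        xs = {x for x, _ in xy}
        ys = {y for _, y in xy}
        if len(xs) == 1 and len(ys) >= min_points:
            verdicts[z] = "vertical line: port scan of one host"
        elif len(ys) == 1 and len(xs) >= min_points:
            verdicts[z] = "horizontal line: one port across many hosts"
        elif len(xs) >= min_points and _is_linear(xy):
            verdicts[z] = "diagonal slash: one port per host, ports increasing with address"
        elif len(xs) >= min_points and len(ys) >= min_points:
            verdicts[z] = "filigree: many hosts and many ports from one source"
    return verdicts


def main():
    for source, shape in sorted(classify_sources(to_cube(SAMPLE_RECORDS)).items()):
        print(f"{source:>15}  {shape}")


if __name__ == "__main__":
    main()
```

The randomized sweep is flagged by the last branch without any ordering assumption: what the eye sees as a filigree is simply "one Z, many X, many Y", so shuffling the port order changes the shape but not the count of distinct hosts and ports behind one source.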
Re:I wonder... (Score:3, Insightful)
Re:dude! (Score:3, Insightful)
Matter of fact, I used to say something much like that to the techs I was training to work on nuclear tipped missiles. So did the guys who taught me ASW. So did the official documents used to learn ASW tactics... In all of these things, failing to take care to make sure that all your unknowns are known, or at least accounted for, can kill.
It only sounds ignorant to the ignorant.
Re:Missing the point? (Score:3, Insightful)