Security

The Spinning Cube of Potential Doom

An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
  • by Goobermunch ( 771199 ) on Tuesday June 01, 2004 @04:14PM (#9307543)
    Okay, so I see the pretty pictures, but what do they mean? Can anyone explain how to interpret that data?

    --AC
  • I wonder.... (Score:5, Insightful)

    by telstar ( 236404 ) on Tuesday June 01, 2004 @04:15PM (#9307559)
    Wonder if they've got one of these monitoring DOS attacks now that they've been posted on Slashdot.
    Here's [nersc.gov] the 31 meg AVI if you want to make it spin faster.
  • I beg to differ (Score:5, Insightful)

    by broothal ( 186066 ) <christian@fabel.dk> on Tuesday June 01, 2004 @04:18PM (#9307601) Homepage Journal
    "Definitely a step towards the new types of tools we will need to secure hosts and networks."

    I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
  • Re:I beg to differ (Score:5, Insightful)

    by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday June 01, 2004 @04:33PM (#9307800) Homepage
    The daily life of most admins includes something called "Talking To Managers".

    Having a shiny toy with brightly coloured lights on it is a vital part of that exercise for many of us. We NEED this. We NEED it to have the Fisher-Price logo on it and play short musical bits when you push on the buttons. We NEED to be able to say "Here is a pretty picture. You like pretty pictures, don't you? The brightly coloured parts show bad people. Oooh, brightly coloured. Look at the picture. Do you like the picture? Good, now there are a few things we need to discuss about next year's budget..."

    Automated monitoring systems that handle problems for you make you (and themselves) look unnecessary. Pretty pictures with lights can be used to show everybody you work for just how important you really are.

  • Re:virtual ICE? (Score:3, Insightful)

    by James Lewis ( 641198 ) on Tuesday June 01, 2004 @05:25PM (#9308551)
    I disagree. Gibson's whole description of icebreaking was interesting science fiction, rather than something that was really attempting to make an informed guess on how future computer systems would work. For one thing, users could be killed by the security systems through their connection. It seems incredibly unlikely to me that this would ever occur, since any system connected to the internet should be able to handle disconnections, and so one could be produced on purpose the moment trouble showed up. But obviously, it made for a much more exciting plot. The same goes for the visual stuff, it's a lot more interesting than someone spending days meticulously banging away at a system. Gibson's a great author, but I think it silly to give him credit for things he obviously didn't intend in his books. By his own admission, Gibson is no techie [philly.com]. He writes fiction, and trying to pull deeper meaning (or predictions of the future) out of it is a waste of time.
  • by Have Blue ( 616 ) on Tuesday June 01, 2004 @05:40PM (#9308808) Homepage
    The cube displays 3 pieces of information (assuming you know how TCP works):
    • The X axis represents the local IP. Every computer on the LAN is at a unique location on this line.
    • The Z axis represents all possible IP addresses. Every computer in the *world* is a unique location on that line, so every possible connection that can be made between a SCinet computer and an external system is somewhere on the "floor" of the cube. Think of it like an old phone switchboard.
    • The Y axis represents the port number, so as two computers establish multiple TCP connections to each other they "stack" and move up towards the top of the cube.
    The upshot of all this is that all network activity on the LAN during a specific time period can be placed in this cube. And once it's here in visual form, it becomes easy for a human operator to apply our brain's pattern recognition abilities to the problem of noticing unusual activity, which is hard to do with just a text dump from a normal IDS. Normal Internet usage would be a single point, or a small vertical line, which would represent a single persistent TCP connection for a specific service (for SSH or something) or a small number of TCP connections established momentarily (for a stateless protocol like HTTP), and this can be seen in the example as a lot of random dots scattered throughout the cube.

    If there was an attack in progress, it would be some sort of procedural scan from one external system (a single Z location, or a constant depth in the example) across the LAN address space (going left to right) and/or the ports on a single LAN system (going up and down). A simple port scan would be a solid vertical line, as the attacker hit each port on a single system in sequence (Z and X constant, Y varying). I think there's one of these visible in the example, in the back; this short vertical line would be an attacker hitting all the privileged service ports between 0 and 1024. A more advanced attack pattern would attempt to randomize the ports it scanned or hit several different IPs - in a text log, this would be very hard to pick out from the "random" connections that a normal busy LAN is also handling, so the attacker could go undetected for some time. But on the Cube, this would appear as a filigree of closely packed dots all at the same depth (Z would be constant, X and Y varying), and would be immediately obvious to a human viewer.

    This isn't really meant to convey detailed information, it's just supposed to let the admin see at a glance that something suspicious may be happening, by making the data easier to examine as a whole.
  • by khrtt ( 701691 ) on Tuesday June 01, 2004 @05:42PM (#9308843)
    The time is NOT a display variable in the Cube. Your "enhanced" scanner would produce the same pattern as it would without the randomization. The order in which the scan's packets reach its target, and the dots are put on the display does not even change the resulting picture.

    Now, the "barbwire" scan tries a port on each host. This could be made less distinguishable by randomizing the port, rather than using linearly increasing port numbers for the IP range, which produces the evil-looking diagonal slashes in the picture.
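Have Blue's axis mapping and scan shapes (vertical line = port scan, diagonal sweep = barber pole) and khrtt's point that the picture is a set of dots with no time axis, as an added example; this is not the Cube's own code nor any poster's, and the hosts, addresses, thresholds and records are constructed.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed Bro-style connection records: (local_ip, remote_ip, dst_port).
LOCAL_HOSTS = [f"10.0.0.{i}" for i in range(1, 21)]          # X axis: one slot per LAN host
NORMAL = [("10.0.0.3", "198.51.100.7", 22), ("10.0.0.9", "203.0.113.4", 80),
          ("10.0.0.9", "203.0.113.4", 80), ("10.0.0.14", "192.0.2.9", 443)]
# One external source hitting every privileged port on a single host (vertical line).
PORT_SCAN = [("10.0.0.5", "203.0.113.77", p) for p in range(1, 1025)]
# One source trying one port per host, port rising with host index (barber pole).
BARBER_POLE = [(LOCAL_HOSTS[i], "192.0.2.200", 1000 + i) for i in range(20)]

def to_cube(records, local_hosts=LOCAL_HOSTS):
    """Map records to cube points (x, y, z): x = LAN host index,
    y = port number, z = remote address as a 32-bit integer.
    A set is used because time/order is not a display variable."""
    points = set()
    for local, remote, port in records:
        x = local_hosts.index(local)
        z = int(ipaddress.ip_address(remote))
        points.add((x, port, z))
    return points

def vertical_lines(points, min_ports=50):
    """Port-scan signature: X and Z constant, many distinct Y values."""
    ports = defaultdict(set)
    for x, y, z in points:
        ports[(x, z)].add(y)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}

def diagonal_sweeps(points, min_hosts=10):
    """Barber-pole / lawnmower signature: one Z touching many X values."""
    hosts = defaultdict(set)
    for x, y, z in points:
        hosts[z].add(x)
    return {z: len(xs) for z, xs in hosts.items() if len(xs) >= min_hosts}

def order_independent(records):
    """khrtt's point: shuffling packet arrival order leaves the picture unchanged."""
    shuffled = list(records)
    random.shuffle(shuffled)
    return to_cube(shuffled) == to_cube(records)

if __name__ == "__main__":
    pts = to_cube(NORMAL + PORT_SCAN + BARBER_POLE)
    print("vertical lines:", vertical_lines(pts))
    print("diagonal sweeps:", diagonal_sweeps(pts))
    print("same picture after shuffle:", order_independent(PORT_SCAN))
```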
  • Re:I wonder... (Score:3, Insightful)

    by Have Blue ( 616 ) on Tuesday June 01, 2004 @05:58PM (#9309082) Homepage
    I imagine it would look like a thick, mottled square or blob drawn on a plane perpendicular to the X axis. It would represent a large number of external systems (large Z extent) connecting to a single web server (single X value) and taking up a large number of ports with HTTP transfers (large Y extent).
  • Re:dude! (Score:3, Insightful)

    by DerekLyons ( 302214 ) <fairwater@@@gmail...com> on Tuesday June 01, 2004 @07:55PM (#9310182) Homepage
    I guess the use of "potential" in the title reminds me of so-called "Rumsfeld Poetry":
    If you've ever taken a logic or philosophy class, or seriously studied science, or have been formally trained in troubleshooting real mission critical hardware/software (by that I mean the Space Shuttle, or a nuclear submarine, or a nuclear weapon, not your sales database)... Then that 'poetry' makes perfect sense.

    Matter of fact, I used to say something much like that to the techs I was training to work on nuclear tipped missiles. So did the guys who taught me ASW. So did the official documents used to learn ASW tactics... In all of these things, failing to take care to make sure that all your unknowns are known, or at least accounted for, can kill.

    It only sounds ignorant to the ignorant.

  • by Herkum01 ( 592704 ) on Tuesday June 01, 2004 @08:28PM (#9310422)
    Management: That looks good but can you use a pie chart instead? I just get woozy looking at it...
