Security

The Spinning Cube of Potential Doom 161

An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
This discussion has been archived. No new comments can be posted.

  • by CreamOfWheat ( 593775 ) * on Tuesday June 01, 2004 @04:12PM (#9307500)
    When the eventual goal of having this data displayed in a real time setting the applications of usefulness will be startling. Data that had to be updated manually during the conference, will be available to researchers to do tci-square analysis to approximate the optimum network efficiencies. Even use in the business sector and the ability to analyze huge databases will be quite amazing, although at least a half-decade down the road. Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how to investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security. Really fascinating stuff.
  • If this continues... (Score:5, Interesting)

    by Kirijini ( 214824 ) <kirijini@nOSpam.yahoo.com> on Tuesday June 01, 2004 @04:16PM (#9307561)
    If this becomes a trend, and "Security Visualization Tools" become widespread... then people will begin to say that movies like Hackers and such were just "before their time."

    Do we really want that?
  • virtual ICE? (Score:4, Interesting)

    by dashersey ( 751215 ) * on Tuesday June 01, 2004 @04:21PM (#9307642)
    This is evocative of William Gibson's concept of ICE -- in a massively distributed computing environment with a direct-brain virtual-reality interface as primary, you interact with security systems visually.

    They appear as complex crystalline structures with no obvious holes other than the known authentication interfaces.

    Those who hack/defeat them are called "icebreakers" and they use software which has its own visual attack signature to distract or deflect (overload/DNS attack) the ice or to find hidden cracks (exploits).

    Visionary stuff (pun partially intended).

  • what a great name (Score:3, Interesting)

    by surreal-maitland ( 711954 ) on Tuesday June 01, 2004 @04:21PM (#9307643) Journal
    it looks like a great tool for ferreting out new styles of attack, even though its use to an individual trying to protect his/her network is rather limited. the automated system that someone else mentioned sounds much more useful.
  • by zipwow ( 1695 ) <zipwow@gmail . c om> on Tuesday June 01, 2004 @04:31PM (#9307782) Homepage Journal
    I think the point of this interface is that the data is more easily interpreted, allowing the human-user to notice patterns that automated scripts would miss. This could be done either in real time, or as a visualization tool for historical files. The latter usage seems like it would be of interest if you're trying to determine the source of a break-in.

    For real-time monitoring, your point about multiple systems is very valid, but what if this approach could be scaled up to allow you to visually inspect the whole system for a number of problems? Perhaps an entire array of cubes, each for a subnet or an individual system, focusing on those that pique your interest.

    This idea may be able to mesh with the glanceable objects [wjla.com] idea (just the idea, not their chicken egg specifically). If it is informative enough, it could allow you to periodically check some aspects of your whole system for things that you either can't write scripts to do, or don't have time to write scripts for.

    -Zipwow
  • by green pizza ( 159161 ) on Tuesday June 01, 2004 @04:33PM (#9307814) Homepage
    Back in the "what possible use would anyone have for 3D?" days, Silicon Graphics made gobs of 3D utilities such as this. Many exist today as viewers for their (awesome) Performance CoPilot system for IRIX and Linux. Over time they learned that most admins prefer text most of the time. But man, fddivis on a large monitor sure does make the NOC look way more productive to the suits!!

    They even had a 3D intra-website link manager at one time!
  • by TigerNut ( 718742 ) on Tuesday June 01, 2004 @04:41PM (#9307918) Homepage Journal
    It's pretty inevitable. There will always be extensions to today's technology, and likewise there will be visionaries (authors and screenwriters) who will try to imagine what that extended technology will look like and what it will feel like to use it. The visual scanning is pretty cool. What if you took a port-access logger output and assigned to each port a particular note, duration, or loudness? You'd hear white noise for the most part, but any nonrandom access would quickly be evident as a chirp, whistle or popping.
  • Old stuff, new usage (Score:4, Interesting)

    by bellwould ( 11363 ) on Tuesday June 01, 2004 @04:47PM (#9307989) Journal
    Visible Decisions (acquired by Visual Insights in 2000) has been doing graphical visualization for 15 years - check this [advizorsolutions.com] out for a demo.
  • This and the orb? (Score:4, Interesting)

    by novakane007 ( 154885 ) on Tuesday June 01, 2004 @04:56PM (#9308142) Homepage Journal
    Remember the ambient orb [ambient411.com]?
    Thinkgeek used to sell them, but I couldn't think of something I would find it useful for. This would be perfect. Just have a globe on your desktop that changes colors based on the data provided by the cube matrix. If the orb starts turning crimson, you know that your network is in need of administrative attention.
  • by freelunch ( 258011 ) on Tuesday June 01, 2004 @05:00PM (#9308192)
    About 18 months ago, Slashdot posted an article The Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release [slashdot.org] with a nice collection of unconventional networking tools.

    Included was a very cool tool, Phentropy, for visualizing arbitrary data using Strange Attractors. You may recall a paper [coredump.cx] on TCP/IP Sequence number analysis that highlighted the usefulness of Strange Attractors for data visualization.

    Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS [sourceforge.net]. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space.

    OpenQVIS is a neat package and could fill a lot of arbitrary data viz needs.. But damned if I have been able to get the thing to build under Linux. The project could really use some help, and I think a lot of good could come of it. The Phd types [uni-erlangen.de] who wrote it seem to have mostly moved on..

  • by Danny Rathjens ( 8471 ) <slashdot2.rathjens@org> on Tuesday June 01, 2004 @05:12PM (#9308373)
    Precisely. Using the human mind as a filter is the whole point. There is also a project called peep [auralizer.com] that does this with sound.
    "Peep - Allows real-time aural monitoring of network information. Peep aims to represent network information in real-time (and therefore eliminate searching through large logs of information to find problems) by using sound to represent the vast amount of available information about network status and to help identify network problems and irregularities."
    The project looks a bit stalled, but it's still a really cool idea. You could probably find some stories about it in /. archives too, ;) I thought it was neat that apparently NASA follows this philosophy with sounds for astronauts to filter/interpret on the space shuttle.
  • Mirror? (Score:3, Interesting)

    by ktulu1115 ( 567549 ) on Tuesday June 01, 2004 @05:32PM (#9308676)
    Could someone who has downloaded the movie please post a mirror? All of the existing links posted are already 404.
  • by Slau ( 784731 ) on Tuesday June 01, 2004 @06:07PM (#9309195)
    Thanks for the /. and the comments folks, although I'm not sure if the web admins are gonna talk to me anymore. :-/ I got paged about the /. while I was watching Shrek 2. What happened to Fiona's Dad? Missed that part...oh well... The Cube is still a work in progress. I originally developed it to keep wandering jaded conference attendees mesmerized by pretty moving colors. Hopefully it'll inspire people to develop new ways of educating the wormy masses that they need to take security seriously.
  • by Isomer ( 48061 ) on Tuesday June 01, 2004 @06:21PM (#9309345) Homepage
    I work for a network research group ("WAND") at Waikato University in New Zealand. We have a similar visualisation which you can see various stages of evolution here [wand.net.nz], there are also some animations [wand.net.nz].

    The university's internal network IP range is mapped onto the left hand face of the cube, the rest of the world is mapped onto the right face. They are mapped so similar addresses are clustered together and addresses further apart are uh, further apart. A box represents one packet, the volume of the particle is proportional to the size of the packet, and the colour is based on port number.

    Also we "light" each end of the connection for a bit after the packet has been sent. So machines appear to be glowing in the colour of the traffic they are sending.

    We use it to show off "networks" to people who think we just sit at computers and type into stuff, however it has been very useful to detect attacks and broken machines since they provide distinctive patterns. Portscans are a series of "sparkly" packets. Network scans are a row of marching lines. Virii infected machines appear as a cone centered on the infected machine.
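
Added example, not part of the original thread and not code from WAND or the Cube: the two scan shapes named in the comment above, found by counting instead of by eye. The record layout, the sample addresses and the thresholds are assumptions made for this sketch.

```python
from collections import defaultdict

def sample_records():
    """Constructed (src, dst, dst_port, size) records; not real traffic."""
    recs = []
    # One outside source walking ports 1-60 on a single internal host.
    recs += [("198.51.100.7", "10.0.0.5", p, 60) for p in range(1, 61)]
    # One outside source trying port 445 on 40 consecutive internal hosts.
    recs += [("203.0.113.9", f"10.0.1.{h}", 445, 60) for h in range(1, 41)]
    # Ordinary web traffic: many packets, but only two ports on one host.
    recs += [("192.0.2.33", "10.0.0.80", 443, 1400)] * 25
    recs += [("192.0.2.33", "10.0.0.80", 80, 900)] * 5
    return recs

def classify(records, min_ports=20, min_hosts=20):
    """Return {src: [(kind, target, count), ...]} for scan-like sources."""
    ports_seen = defaultdict(set)   # (src, dst)  -> distinct ports tried
    hosts_seen = defaultdict(set)   # (src, port) -> distinct hosts tried
    for src, dst, port, _size in records:
        ports_seen[(src, dst)].add(port)
        hosts_seen[(src, port)].add(dst)
    findings = defaultdict(list)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports:          # many ports, one host
            findings[src].append(("port scan", dst, len(ports)))
    for (src, port), hosts in hosts_seen.items():
        if len(hosts) >= min_hosts:          # one port, many hosts
            findings[src].append(("network scan", port, len(hosts)))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in classify(sample_records()).items():
        print(src, hits)
```

Packet volume alone does not trigger either rule: the web client sends 30 packets but touches two ports on one host, so it is not flagged.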
  • My favorite... (Score:3, Interesting)

    by Nugget ( 7382 ) * on Tuesday June 01, 2004 @09:34PM (#9310829) Homepage
    Much lower tech, but my favorite example of a conference's realtime security monitoring is this whiteboard [soupnazi.org] from the 2000 Monterey BSDCon.

    It's a brutal but compelling reminder that we should all avoid unencrypted telnet/pop3/imap.

    Consider spending some time today getting STARTTLS running on your mail server. Or consider getting IMAP/SSL going. Or consider figuring out GnuPG or S/MIME email once and for all. Don't be part of the problem.
