The Spinning Cube of Potential Doom 161
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security-related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
Security is only one possible area for innovation (Score:5, Interesting)
Re:Security is only one possible area for innovati (Score:5, Funny)
Yes. The Cube knows all. It will make everything all right again. The Cube has been sent to help us. We must trust the Cube.
All hail the Cube.
-Laxitive
Sorry, absolutely nothing of value to add to this. I just liked the way you referred 'the Cube' using proper-noun capitalization, and spoke of it as a single entity.
In Rod We Trust (Score:3)
All hail the Cube.
from "Deep Space Homer" [snpp.com]
Buzz: Homer Simpson was the real hero here. He jury-rigged the door closed using this.
Man 1: Hey, what is that?
Man 2: It's an inanimate carbon rod!
Everyone: Yay!
Time magazine cover: "In Rod We Trust"
Re:In Rod We Trust (Score:2)
The Simpsons have infected my mind more than I can reasonably be comfortable with.
-Laxitive
Re:In Rod We Trust (Score:2)
"Trust the Computer. The Computer is your friend. Only commie mutants hate the Computer, Citizen."
Re:Security is only one possible area for innovati (Score:2)
Too bad... (Score:4, Funny)
dude! (Score:5, Funny)
protect-o (Score:1)
Re:dude! (Score:4, Funny)
It sounds like something "Robert S." [wikipedia.org] Rumsfeld would use to "persuade" "designated terrorists" in Abu Ghraib to talk.
I guess the use of "potential" in the title reminds me of so-called "Rumsfeld Poetry" [wikipedia.org]:
--Rumsfeld, at a February 12, 2002, Department of Defense news briefing
Re:dude! (Score:3, Insightful)
If you've ever taken a logic or philosophy class, or seriously studied science, or have been formally trained in troubleshooting real mission critical hardware/software (by that I mean the Space Shuttle, or a nuclear submarine, or a nuclear weapon, not your sales database)... Then that 'poetry' makes perfect sense.
Matter of fact, I used to say something much like that to the techs I was training to work on nuclear tippe
Re:dude! (Score:2)
Spinning Cube of Doom? (Score:5, Funny)
But then, you stupid ignorant mind-traitors can't understand time cube having been manipulated by your word god.
Re:Spinning Cube of Doom? (Score:1, Funny)
Re:Spinning Cube of Doom? (Score:2)
Re:Spinning Cube of Doom? (Score:2)
I thought of this too, but I thought of it because of this Bonus Stage [jeffreyatw.com] episode called "Cube" (warning: direct Flash file link).
I figured I could live with plugging this, as it's slightly on topic under context, and it is one of my fav. Flash toon series. (If you're interested, High Score [highscoreonline.com] is the website)
Re:Spinning Cube of Doom? (Score:2)
As an aside, try to remember to stay away from the Cube when drinking in Ann Arbor. It seems your ability to estimate the danger of a large spinning mass of metal goes down when you're inebriated.
Re:Spinning Cube of Doom? (Score:2)
This guy's schizophrenic. He has no idea how odd he sounds. To him, everybody else around him is just oppressing him. And the more of that he gets, the more convinced he is of a conspiracy to hide the "hidden truth" he's found. It's really kind of sad.
Re:Spinning Cube of Doom? (Score:2)
maybe we should try to figure out what he's saying and take him up on that?
Good luck with that. I'm still not sure if he's serious or not. Either way, it's vastly entertaining. He seems to have become a lot more cranky since I last checked in, about a year ago.
Need new tool (Score:5, Funny)
Re:Need new tool (Score:2)
Two birds with one stone.
Disappointment... (Score:5, Funny)
Sad.
Re:Disappointment... (Score:2)
Can anyone explain the data we're seeing? (Score:2, Insightful)
--AC
Re:Can anyone explain the data we're seeing? (Score:1)
--AC
Re:Can anyone explain the data we're seeing? (Score:2)
But for the lazy. The vertical axis is port and the horizontal axis is IP. So the vertical line is a port scan, a horizontal line is a scan across all IPs for a specific open port. The "barber pole" scans show an interesting technique in which a scan increments both IP and port with each attempt, obviously in order to fool detection mechanisms. The "lawnmower scan" is a multi-IP port scan, which creates a rectangle.
Re:Can anyone explain the data we're seeing? (Score:5, Informative)
1) Your IP range
2) The entire IP range
3) Destination port
It's useful for things like picking up semirandom port scans that you might not detect based on textual data (see "barber poles").
Entire para:
"The Cube takes this connection information stored in the Bro files and displays it in a graphical format which can be more readily understood by people who are unfamiliar with networking and computer security techniques. The 'X' axis of the display (shown in red) represented the SCinet address space, which ranged from 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represented all possible IP address space (0.0.0.0 - 223.255.255.255). Multicast traffic (224.0.0.0 and above) was not displayed. The 'Y' axis (shown in green) represented the port number (0-65535). Some well known port numbers include 22 (ssh), 25 (smtp), 80 (http). "
Re:Can anyone explain the data we're seeing? (Score:4, Informative)
We have a 3 dimensional cube shown on a 2 dimensional display, so the image can be a little confusing. Every dot represents a connection attempt to a machine at the conference, presumably mostly laptops being used by attendees. Successful connections are shown in "white" supposedly, but on my display they look gray. The colored dots are all unsuccessful connections, connection attempts where the machine did not respond. The presumption is that the vast majority of these are attacks and scans.
The left to right axis represents the IP address of the machine at the conference being attacked. Back to front is the IP address of the machine doing the attacking, from out on the internet. Bottom to top is the port number. To aid in viewing, the unsuccessful connections are shown in a color that represents the port, i.e. their height in the cube. That's all the color means. Red and orange are at the bottom for low numbered ports, then through yellow, green and blue in the middle ports, up to purple and back to red at the top for high number ports.
Now let's take a look at the picture. The main feature that jumps out is that most of the dots are colored; there are a lot more attacks than successful connections. Presumably these laptops are not hosting many legitimate servers. Second, we see that most of the dots are orange, meaning that they are attempts to connect on low numbered ports. That makes sense, as most services listen on standard low numbered ports of 1024 or less, or a bit more. That's why we see so many orange dots. Those are attempts to connect to web servers, mail servers, various Windows services that are known to be vulnerable, etc.
Another feature of the orange dots is that they are largely clustered towards the back, which would mean that the attacks are coming from Internet addresses which are relatively low in the address range. Looking closely, I make it out to be about 1/4 of the way from the back to the front, which would correspond to IP addresses of around 64.X.X.X. If we look at the first field of IPV4 addresses, ARIN (North America) has 24, then 63-70; APNIC (Asia/Pacific) has 60-61; RIPE (Europe) has 62, then 80-84, and all of them go on up from there. I'm not sure of the worldwide distribution of IP addresses but I suspect that accounts for the fact that many of the attacks and scans are coming from the 60-80 range or so, on the graph. There's another cluster of IPV4 address assignments in the 198-222 range, and that corresponds to a weak cluster of orange dots near the front of the cube, at the bottom.
Another feature we can see is some vertical structure in the blue and cyan dots, especially to the left and the right. These represent port scans, where a particular host machine is making connection attempts to a series of port numbers on a particular target machine. Such scans show up as vertical lines. Here we don't have a full line but only aligned dots, so we may be missing some packets, or the scan may be accessing only selected ports.
Well, that's about as far as I can go with my analysis. But you can see that if you had a real-time display of the last N minutes or seconds of activity, it would show you a visual picture of scans into your network. Probably be pretty hypnotic. Of course I'm not sure it makes sense to pay somebody to stare at it all day... you'd probably want to run a sped-up version at the end of the day and see if anything untoward leaped out.
Re:Can anyone explain the data we're seeing? (Score:4, Insightful)
If there was an attack in progress, it would be some sort of procedural scan from one external system (a single Z location, or a constant depth in the example) across the LAN address space (going left to right) and/or the ports on a single LAN system (going up and down). A simple port scan would be a solid vertical line, as the attacker hit each port on a single system in sequence (Z and X constant, Y varying). I think there's one of these visible in the example, in the back; this short vertical line would be an attacker hitting all the privileged service ports between 0 and 1024. A more advanced attack pattern would attempt to randomize the ports it scanned or hit several different IPs - in a text log, this would be very hard to pick out from the "random" connections that a normal busy LAN is also handling, so the attacker could go undetected for some time. But on the Cube, this would appear as a filigree of closely packed dots all at the same depth (Z would be constant, X and Y varying), and would be immediately obvious to a human viewer.
This isn't really meant to convey detailed information, it's just supposed to let the admin see at a glance that something suspicious may be happening, by making the data easier to examine as a whole.
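The axis mapping and the four shapes the replies above describe (vertical line, horizontal line, barber pole, lawnmower), as an added example that is not code from the article, the Cube, or any poster here. It takes Bro-style connection records, maps each failed attempt onto the X/Y face the way the quoted paragraph describes (X = target's offset inside the monitored range, Y = port, Z = source), and names the shape each source draws. The monitored range is the 141.221.128.0/17 from the quoted article; the conn_state codes are Bro's own (SF = established, S0 = no reply, REJ = rejected); the traffic and the 8-hit threshold are constructed for the example.

```python
"""Map Bro-style connection attempts onto the cube's axes and name the
shape a single source draws.  Added example, not code from the article
or the Cube itself; the sample traffic below is constructed."""
import ipaddress
from collections import defaultdict

# X axis: the monitored address space.  The quoted article gives SCinet's as
# 141.221.128.0 - 141.221.255.255, i.e. this /17.
LOCAL_NET = ipaddress.ip_network("141.221.128.0/17")

def to_cube(src, dst, dport):
    """One attempt -> (x, y, z): x = target's offset inside LOCAL_NET,
    y = destination port, z = source address as a 32-bit integer."""
    d = ipaddress.ip_address(dst)
    if d not in LOCAL_NET:
        raise ValueError("%s is outside the monitored range" % dst)
    x = int(d) - int(LOCAL_NET.network_address)
    return x, dport, int(ipaddress.ip_address(src))

def classify(points, min_hits=8):
    """Name the shape a set of (x, y) points from ONE source (one z) would
    draw on the X/Y face.  min_hits is an arbitrary threshold chosen here."""
    if len(points) < min_hits:
        return None
    xs = {x for x, _ in points}
    ys = {y for _, y in points}
    if len(xs) == 1:
        return "port scan"        # vertical line: one host, many ports
    if len(ys) == 1:
        return "horizontal scan"  # horizontal line: one port across hosts
    if len({y - x for x, y in points}) == 1:
        return "barber pole"      # diagonal: host and port step together
    if len(points) == len(xs) * len(ys):
        return "lawnmower"        # filled rectangle: every host x every port
    return None

def find_scans(records, min_hits=8):
    """records: (src, dst, dport, conn_state) tuples.  Bro's conn_state 'SF'
    marks an established connection (the cube's white dots); everything
    else is a failed attempt (the coloured dots), which is all we group."""
    by_src = defaultdict(set)
    for src, dst, dport, state in records:
        if state == "SF":
            continue
        x, y, _z = to_cube(src, dst, dport)
        by_src[src].add((x, y))
    found = {}
    for src, pts in by_src.items():
        shape = classify(pts, min_hits)
        if shape:
            found[src] = shape
    return found

def sample_records():
    """Constructed traffic, not SC2003 data.  S0 = no reply, REJ = rejected."""
    recs = []
    # one external host walking ports 1..40 on a single target
    recs += [("10.0.0.1", "141.221.130.7", p, "S0") for p in range(1, 41)]
    # a sweep for port 80 across 30 local addresses
    recs += [("10.0.0.2", "141.221.131.%d" % h, 80, "REJ") for h in range(1, 31)]
    # barber pole: host offset and port advance by one together
    recs += [("10.0.0.3", "141.221.132.%d" % h, 1000 + h, "S0") for h in range(1, 21)]
    # lawnmower: every (host, port) pair in a 6 x 5 block
    recs += [("10.0.0.4", "141.221.133.%d" % h, p, "S0")
             for h in range(1, 7) for p in (22, 25, 80, 110, 143)]
    # legitimate web traffic and a couple of stray failures: no shape
    recs += [("10.0.0.5", "141.221.130.7", 80, "SF")] * 10
    recs += [("10.0.0.6", "141.221.134.9", 443, "S0"),
             ("10.0.0.6", "141.221.134.10", 22, "S0")]
    return recs

if __name__ == "__main__":
    for src, shape in sorted(find_scans(sample_records()).items()):
        print(src, shape)
```

Because the points are collected into a set per source, the order in which the probes arrived does not matter; a scanner that shuffles its probe order still produces the same set and the same shape here, even though the animated cube would no longer show it as a line.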
Re:Can anyone explain the data we're seeing? (Score:2)
Does this have to do with (Score:2, Funny)
No, it has to do with.. (Score:4, Funny)
EEW....... (Score:2)
bah (Score:2, Funny)
Security companies are just reacting to Swordfish...which used the opposite tool...it was spinning cubes that joined together when you successfully exploited the system.
Re:bah (Score:2, Funny)
Uuuuh, swordfish! (Score:2)
I want my n-monitor system with that funny IDE that lets you code exploits with on-screen spinning lego and gets you fine wines and a hot babe like Halle Berry.
I wonder.... (Score:5, Insightful)
Here's [nersc.gov] the 31 meg AVI if you want to make it spin faster.
Re:I wonder.... (Score:3, Informative)
Link is dead already (they yanked the file).
If this continues... (Score:5, Interesting)
Do we really want that?
Re:If this continues... (Score:4, Interesting)
Re:If this continues... (Score:2)
Of course, Apple didn't put in "per keystroke sounds", so maybe it isn't as bad as one would think.
OTOH, Aqua+AIM with clicky keystroke mode enabled *is* equivalently annoying.
Working in a cube farm is hard enough (Score:2, Funny)
And it's a good damn thing I've got a wireless LAN connection, so my cat5 cable won't get all twisted up.
Re:Working in a cube farm is hard enough (Score:1, Funny)
Irken? (Score:2)
That sounds like a tool used by the Irken Armada.
Re:Irken? (Score:2)
Re:Irken? (Score:2)
I'm gonna sing the doom song now. Doom, doom doom, doom, doom, doomy doomy doom...
I beg to differ (Score:5, Insightful)
I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
Re:I beg to differ (Score:1)
Kind of like the shadowy figure snooping through the halls while the security guard dozes at the monitor. The alarms are only going to ring if he lobs a grenade....
The human mind: A better monitoring system? (Score:5, Interesting)
For real-time monitoring, your point about multiple systems is very valid, but what if this approach could be scaled up to allow you to visually inspect the whole system for a number of problems? Perhaps an entire array of cubes, each for a subnet or an individual system, focusing on those that pique your interest.
This idea may be able to mesh with the glanceable objects [wjla.com] idea (just the idea, not their chicken egg specifically). If it is informative enough, it could allow you to periodically check some aspects of your whole system for things that you either can't write scripts to do, or don't have time to write scripts for.
-Zipwow
Re:The human mind: A better monitoring system? (Score:3, Interesting)
The project looks a bit stall
Re:I beg to differ (Score:5, Insightful)
Having a shiny toy with brightly coloured lights on it is a vital part of that exercise for many of us. We NEED this. We NEED it to have the Fisher-Price logo on it and play short musical bits when you push on the buttons. We NEED to be able to say "Here is a pretty picture. You like pretty pictures, don't you? The brightly coloured parts show bad people. Oooh, brightly coloured. Look at the picture. Do you like the picture? Good, now there are a few things we need to discuss about next year's budget..."
Automated monitoring systems that handle problems for you make you (and themselves) look unnecessary. Pretty pictures with lights can be used to show everybody you work for just how important you really are.
Re:I beg to differ (Score:2)
Sounds like what you need is to learn communication skills and how to actually communicate complex ideas in terms people can understand. And yes, visualizations go a long way in this regard, but you need to be able to communicate verbally in a manner they can understand as well.
What's the use for detecting port scans? (Score:2)
What I do worry about are the connections that take place with actual open services. They are the ones that ought to be monitored for foul play. Log checkers and proactive HTTP request sanitizers are more use there.
Boss Screen (Score:2)
Manager: "Where are your TPS reports?"
BOFH: (pointing at large, flat screen display of Cube of Potential Doom with one hand while typing jjjjjjjjjj with the left) "TPS Reports! My God can't you see we're under attack. Quick! Call facility ma
Just like in Tron! (Score:2, Funny)
"So Cube...do you see anyone invading us from the 201.163.x.x range?" "YES"
"That's Tron. He fights for the Users."
virtual ICE? (Score:4, Interesting)
They appear as complex crystalline structures with no obvious holes other than the known authentication interfaces.
Those who hack/defeat them are called "icebreakers" and they use software which has its own visual attack signature to distract or deflect(overload/DNS attack) the ice or to find hidden cracks (exploits)
Visionary stuff (pun partially intended).
Re:virtual ICE? (Score:4, Informative)
He also mentions that ordinary people got something a good deal more pedestrian, more like the Metaverse than Gibson's Matrix (or as we might say now, more like the Matrix than the funky green overlay Neo got
Re:virtual ICE? (Score:3, Insightful)
what a great name (Score:3, Interesting)
check out the video! (Score:2)
Re:check out the video! (Score:2)
If it's leisurely elevator music you're all hunky dory but if it escalates to 200bpm hardcore acid techno you know you're fucked.
Re:check out the video! (Score:2, Informative)
If only I had this when... (Score:3, Funny)
I wonder... (Score:4, Funny)
Re:I wonder... (Score:4, Funny)
Re:I wonder... (Score:3, Insightful)
Remember! (Score:5, Funny)
Caution: the Spinning Cube of Potential Doom may suddenly accelerate to dangerous speeds.
the Spinning Cube of Potential Doom Contains a liquid core, which, if exposed due to rupture, should not be touched, inhaled, or looked at.
Do not use the Spinning Cube of Potential Doom on concrete.
Discontinue use of the Spinning Cube of Potential Doom if any of the following occurs:
Itching
Vertigo
Dizziness
Tingling in extremities
Loss of balance or coordination
Slurred speech
Temporary blindness
Profuse sweating
Heart palpitations
If the Spinning Cube of Potential Doom begins to smoke, get away immediately. Seek shelter and cover head.
the Spinning Cube of Potential Doom may stick to certain types of skin.
When not in use, the Spinning Cube of Potential Doom should be returned to its special container and kept under refrigeration...
Failure to do so relieves the makers of the Spinning Cube of Potential Doom, Wacky Products Incorporated, and its parent company Global Chemical Unlimited, of any and all liability.
Ingredients of the Spinning Cube of Potential Doom include an unknown glowing substance which fell to Earth, presumably from outer space.
the Spinning Cube of Potential Doom has been shipped to our troops in Saudi Arabia and is also being dropped by our warplanes on Iraq.
Do not taunt the Spinning Cube of Potential Doom.
the Spinning Cube of Potential Doom comes with a lifetime guarantee.
the Spinning Cube of Potential Doom
ACCEPT NO SUBSTITUTES!
Re:Remember! (Score:4, Informative)
Re:Remember! (Score:2)
The Spinning Cube of Potential Doom has been found to cause cancer in the state of California.
Re:Remember! (Score:2)
SGI did this years ago (Score:4, Interesting)
They even had a 3D intra-website link manager at one time!
Missing the point? (Score:5, Funny)
Re:Missing the point? (Score:2)
Re:Missing the point? (Score:2)
Re:Missing the point? (Score:3, Insightful)
Re:Missing the point? (Score:2)
> What is the innovation here?
It's spinning !
Boon to social engineers! (Score:5, Funny)
Well, cook up a portscan that will look like a giant, spinning Mr Goatse, or some racial slurs, etc..
Boss walks past, geek gets fired, replaced by boss's moron nephew who is more than happy to give you the keys to the server when you call and identify yourself as the Hamburglar.
The borg (Score:2)
Old stuff, new usage (Score:4, Interesting)
This and the orb? (Score:4, Interesting)
Thinkgeek used to sell them, but I couldn't think of something I would find it useful for. This would be perfect. Just have a globe on your desktop that changes colors based on the data provided by the cube matrix. If the orb starts turning crimson, you know that your network is in need of administrative attention.
It's interesting, alright - to HOLLYWOOD... (Score:3, Funny)
...I can see it now:
I know this... this is UNIX!
Would you like to play a game>
Data visualization using Strange Attractors (Score:4, Interesting)
Included was a very cool tool, Phentropy, for visualizing arbitrary data using Strange Attractors. You may recall a paper [coredump.cx] on TCP/IP Sequence number analysis that highlighted the usefulness of Strange Attractors for data visualization.
Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS [sourceforge.net]. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space.
OpenQVIS is a neat package and could fill a lot of arbitrary data viz needs.. But damned if I have been able to get the thing to build under Linux. The project could really use some help, and I think a lot of good could come of it. The Phd types [uni-erlangen.de] who wrote it seem to have mostly moved on..
What a pity it will not be useful for too long... (Score:5, Funny)
/* urand() and probe() are the post's own placeholders: a random source and
   the routine that sends one probe.  base_ip and nhosts (a power of two) are
   added here to name the target block.  XOR with a fixed mask is one-to-one,
   so every (ip, port) is still hit exactly once, just not in order; the masks
   are applied to copies so the loop counters themselves are not clobbered. */
pseed = urand() & 0xffff;          /* mask for the 16-bit port */
iseed = urand() & (nhosts - 1);    /* mask within the host block */
for (port = 0; port < 65536; port++)
    for (ip = 0; ip < nhosts; ip++)
        probe(base_ip + (ip ^ iseed), port ^ pseed);
or use some fancier one-to-one mapping and the dots in your cube are again "random" to the naked eye.
(On a side note, why whoever implemented that "barberwire"-producing scanner did not do this at the time, I can not understand).
Paul B.
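The permuted scan order from the post above, as an added example that is not the poster's code or anything shipped with the Cube. It builds the probe order three ways for a small host-by-port block (a plain linear sweep, the post's XOR masking, and an affine full-cycle permutation of the flat probe index as one of the "fancier one-to-one mappings" the post alludes to), checks that each is still a complete scan, and measures how many consecutive probes land next to each other on the cube face, which is what decides whether the plot shows lines or isolated dots. The block size, seed and the adjacency metric are choices made for this example.

```python
"""Scan orders and what they draw on the cube face.  Added example, not
from the post above; it makes the XOR idea concrete and compares it with a
linear order and an affine full-cycle permutation of the probe index."""
import math
import random

def scan_order(n_hosts, n_ports, mode, seed=1):
    """Return the (host_offset, port) pairs a scanner would probe, in order.
    'linear': hosts fastest, one row per port (the lawnmower rectangle).
    'xor':    each coordinate XORed with a random mask, as in the post.
    'affine': flat index i -> (a*i + c) mod N with gcd(a, N) == 1, a
              full-cycle permutation of all N = n_hosts*n_ports probes."""
    n = n_hosts * n_ports
    rng = random.Random(seed)
    if mode == "linear":
        idx = range(n)
    elif mode == "xor":
        if n_hosts & (n_hosts - 1) or n_ports & (n_ports - 1):
            raise ValueError("xor masking is only a bijection on power-of-two ranges")
        hm, pm = rng.randrange(n_hosts), rng.randrange(n_ports)
        return [(h ^ hm, p ^ pm) for p in range(n_ports) for h in range(n_hosts)]
    elif mode == "affine":
        while True:  # any a coprime to N other than +-1 gives a full cycle
            a = rng.randrange(2, n - 1)
            if math.gcd(a, n) == 1:
                break
        c = rng.randrange(n)
        idx = ((a * i + c) % n for i in range(n))
    else:
        raise ValueError(mode)
    return [(i % n_hosts, i // n_hosts) for i in idx]

def is_bijection(order, n_hosts, n_ports):
    """Every (host, port) exactly once: the scan is still complete."""
    return len(order) == n_hosts * n_ports and len(set(order)) == len(order)

def adjacent_fraction(order):
    """Fraction of consecutive probes that land next to each other on the
    face (same host with port +-1, or same port with host +-1).  Near 1
    means the plot draws solid lines; 0 means no two dots in a row touch."""
    near = 0
    for (h0, p0), (h1, p1) in zip(order, order[1:]):
        if (h0 == h1 and abs(p0 - p1) == 1) or (p0 == p1 and abs(h0 - h1) == 1):
            near += 1
    return near / (len(order) - 1)

def per_source_counts(order):
    """What an order-independent detector sees: distinct hosts and ports
    touched by this source, identical for every ordering of the same scan."""
    return len({h for h, _ in order}), len({p for _, p in order})

if __name__ == "__main__":
    for mode in ("linear", "xor", "affine"):
        o = scan_order(16, 16, mode)
        print(mode, is_bijection(o, 16, 16),
              round(adjacent_fraction(o), 3), per_source_counts(o))
```

Two things fall out of running it. XOR with a constant mask is a weaker scrambler than it looks: hosts 2k and 2k+1 differ only in the low bit, so their masked images still differ by one, and at least half of the within-row probe pairs stay adjacent; the cube would show short dashes rather than a cloud. The affine permutation leaves no two consecutive probes adjacent at all (a is never +-1 and is coprime to N, so it can never equal +-n_hosts either), which is what it takes to get the "random to the naked eye" dots the post wants. In both cases the per-source counts are unchanged, so anything that aggregates by source rather than by picture is unaffected by the reordering.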
Re:What a pity it will not be useful for too long. (Score:2, Insightful)
Now, the "barbwire" scan tries a port on each host. This could be made less distinguishable by randomizing the port, rather than using linearly increasing port numbers for the IP range, which produces the evil-looking diagonal slas
Re:What a pity it will not be useful for too long. (Score:2)
Paul B.
Re:What a pity it will not be useful for too long. (Score:2)
saw it as SC2003 as well... (Score:3, Funny)
It was still pretty cool, and I'm sure half of the traffic on it was people like me who kicked off port scans just to see themselves on the screen
Mirror? (Score:3, Interesting)
Hackers (Score:2)
All Glory to the HypnoCube (Score:3, Interesting)
We have something similar (Score:5, Interesting)
The university's internal network IP range is mapped onto the left hand face of the cube, the rest of the world is mapped onto the right face. They are mapped so similar addresses are clustered together and addresses further apart are uh, further apart. A box represents one packet, the volume of the particle is proportional to the size of the packet, and the colour is based on port number.
Also we "light" each end of the connection for a bit after the packet has been sent. So machines appear to be glowing in the colour of the traffic they are sending.
We use it to show off "networks" to people who think we just sit at computers and type into stuff, however it has been very useful to detect attacks and broken machines since they provide distinctive patterns. Portscans are a series of "sparkly" packets. Network scans are a row of marching lines. Virus-infected machines appear as a cone centered on the infected machine.
zerg (Score:2)
My favorite... (Score:3, Interesting)
It's a brutal but compelling reminder that we should all avoid unencrypted telnet/pop3/imap.
Consider spending some time today getting STARTTLS running on your mail server. Or consider getting IMAP/SSL going. Or consider figuring out GnuPG or S/MIME email once and for all. Don't be part of the problem.
The ORIGINAL spinning cube of potential doom (Score:2)
And I already have an exploit (Score:2)
SourceFire RNA? (Score:2)
Re:One of the best Cubes (Score:1)
Re:Gleaming the cube (Score:3, Funny)
Yup. And they're
Given the PATRIOT act, does this mean we're all terrorists now?
I'll get the "Free Taco!" campaign started right now, just in case. We can only hope the general public will misunderstand.
(I'm hungry, so?)
Re:Gleaming the cube (Score:2)
Big Rough Scary Inmate: "So what do they call you?"
Taco: "Taco....Commander Taco".
Big Rough Scary Inmate smiles.
Re:And I quote: (Score:2)
No, see, it's a private joke. The "Spinning Cube of Impending Doom" roots your network operations center, thus resulting in your doom.