Article
DOI: 10.1145/1029208.1029216

Passive visual fingerprinting of network attack tools

Published: 29 October 2004

Abstract

This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools in order to better understand both the specific methodologies used by attackers and the identifiable characteristics of the tools themselves. The techniques used are entirely passive in nature and virtually undetectable by the attackers. While much work has been done on active and passive operating system detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness for identifying attack tools without relying on the signatures and statistical anomaly detection of a typical automated intrusion detection system. These visualizations were tested against a wide range of popular network security tools; the results show that in many cases the specific tool can be identified, and they provide intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.


Cited By

  • Anomaly Detection Method for Unknown Protocols in a Power Plant ICS Network with Decision Tree. Applied Sciences 13(7):4203, 26 March 2023. doi:10.3390/app13074203
  • Blockchain Asset Lifecycle Management for Visual Content Tracking. IEEE Access 11:100518-100539, 2023. doi:10.1109/ACCESS.2023.3311635
  • A study on Automated Cyberattacks Detection and Visualization. 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN), pp. 715-722, 4 December 2022. doi:10.1109/CICN56167.2022.10008351
  • Detection of stealthy single-source SSH password guessing attacks. Evolving Systems, 2 January 2021. doi:10.1007/s12530-020-09360-3
  • DHCP attacking tools: an analysis. Journal of Computer Virology and Hacking Techniques, 3 January 2021. doi:10.1007/s11416-020-00374-8
  • Security Visualization Extended Review Issues, Classifications, Validation Methods, Trends, Extensions. Research Anthology on Artificial Intelligence Applications in Security, pp. 1184-1229, 27 November 2020. doi:10.4018/978-1-7998-7705-9.ch054
  • PTVis: Visual Narrative and Auxiliary Decision to Assist in Comprehending the Penetration Testing Process. IEEE Access 8:194523-194540, 2020. doi:10.1109/ACCESS.2020.3033391
  • Security Visualization Extended Review Issues, Classifications, Validation Methods, Trends, Extensions. Security and Privacy Management, Techniques, and Protocols, pp. 152-197, 2018. doi:10.4018/978-1-5225-5583-4.ch006
  • CSC-Detector: A System to Infer Large-Scale Probing Campaigns. IEEE Transactions on Dependable and Secure Computing 15(3):364-377, 1 May 2018. doi:10.1109/TDSC.2016.2593441
  • A Framework for Characterizing the Evolution of Cyber Attacker-Victim Relation Graphs. MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM), pp. 70-75, October 2018. doi:10.1109/MILCOM.2018.8599852

Published In

VizSEC/DMSEC '04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 2004, 156 pages. ISBN: 1581139748. DOI: 10.1145/1029208

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. application fingerprinting
  2. information visualization
  3. network attack visualization
  4. operating system fingerprinting
  5. passive fingerprinting
  6. visual fingerprinting

Conference: CCS04


