3D Network Traffic Monitoring based on an Automatic Attack Classifier

Diego Roberto Colombo Dias (1), José Remo Ferreira Brega (2), Luis Carlos Trevelin (1), Bruno Barberi Gnecco (3), João Paulo Papa (2), Marcelo de Paiva Guimarães (4)

(1) Computer Science Department - Federal University of São Carlos, São Carlos, SP, Brazil
(2) Computer Science Department - UNESP, Bauru, SP, Brazil
(3) Corollarium Technologies, São Paulo, SP, Brazil
(4) Open University of Brazil – Federal University of São Paulo/Faccamp’s Master Program, São Paulo, SP, Brazil
{diegocolombo.dias, trevelin}@dc.ufscar.br, {remo, papa}@fc.unesp.br, [email protected], [email protected]

Abstract. In recent years, the exponential growth of computer networks has produced an enormous increase in network data traffic. Network management has become a challenging task that requires continuous monitoring of the network to detect and diagnose problems, to fix them and to optimize performance. Tools such as Tcpdump and Snort are commonly used as network sniffers and for logging and analysis on a dedicated host or network segment. They capture the traffic and analyze it for suspicious usage patterns, such as those that normally occur with port scans or denial-of-service attacks. These tools are very important for network management, but they do not take advantage of the human cognitive capacity for learning and pattern recognition. To overcome this limitation, this paper presents a visual, interactive, multiprojection 3D tool with automatic data classification for attack detection.

1 Introduction

Network data traffic is generated by devices such as TVs, tablets, mobile phones, computers, sensors, personal digital assistants and cameras through applications such as webmail, video conferencing and internet banking. In the last decade, with the growth in users and applications, the amount of data traffic has increased dramatically. Consequently, network management is necessary to protect data against improper access and usage, and ongoing monitoring is essential to detect and diagnose vulnerabilities and threats. In most networking protocols, data are split into small segments, or packets, for transmission. These packets carry information such as user identification, passwords and confidential data, sometimes without any encryption, which makes them attractive to attackers. The same data are also useful for other purposes: the network administrator uses them to diagnose network faults. Accomplishing this task means taking care of heterogeneous networks that carry not only data but also voice and video. It is complex because there is a lack of tools that provide a sense of network situational awareness. Traditionally, this task is accomplished using sniffer tools such as TCPdump [1], Ngrep [2] and Snort [3], which work in "promiscuous mode", grabbing a copy of every packet that passes on the segment. Sniffers analyze the packets looking for suspicious usage patterns, such as those that normally occur with port scans or denial-of-service (DoS) attacks. These tools are very important for network management, but they do not take advantage of the human cognitive capacity for learning and pattern recognition: the network administrator has to analyze, almost manually, the huge data set generated by these sniffers.

This paper presents a solution that facilitates the automatic detection of new network attacks through a multi-view, interactive 3D tool that amplifies cognition, that is, makes it easier to perceive the events of interest (attacks). Two modules compose it: an automatic pattern classifier based on the optimum-path forest [4], and a 3D user interface. Such a visual tool is necessary because the amount of data generated by sniffers is enormous and is normally saved in text log files. Visual tools with a similar objective exist, but they do not offer an automatic attack classifier in real time and are not interactive. Figure 1 depicts the architecture of Sniffer 3D applied to an academic environment, where many attacks occur. The main contribution of this work is therefore an automatic attack classifier coupled with an interactive multiprojection interface: a powerful real-time tool that lets the network administrator detect attacks comfortably, with 3D, interaction and navigability. Furthermore, the tool can surface information that might otherwise be missed during textual analysis; for example, it shows alerts when an attack is detected. The tool developed is an IDS (Intrusion Detection System).

This paper is organized as follows: Section 2 is an overview of related work. Section 3 describes how the tool was developed, explaining the automatic attack classifier, the interactive interface and the tests. Section 4 presents the conclusions and future research.

2. Related Work

Many network management tools use information visualization techniques to present the data in a visual representation that eases perception, access and manipulation of the data. The main issue is how to represent, visualize and select the important information in these massive data sets in order to detect attacks. EtherApe is a tool that displays network activity graphically in 2D [5]. It uses lines to represent connections between hosts; hosts and links change in size with traffic, and each protocol is associated with a color. It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, and some encapsulation formats. The visual representation is not good when there is a huge number of hosts. VISUAL (Visual Information Security Utility for Administration Live) is another tool that uses a 2D representation [6]. Its main purpose is to show the traffic between the local and external networks. VISUAL does not provide real-time analysis; it relies on a preprocessor to treat a network packet trace. It suffers from a limitation similar to EtherApe's: it is not easy to detect an attack when there is a large amount of data.

Figure 1. The Architecture of Sniffer 3D.

The Spinning Cube of Potential Doom is a 3D network visualizer that listens on a network interface or stdin, extracts new connections, and maps them onto a cube [7]. The coordinates of each point are determined by mapping the source, destination and port onto the cube axes. The cube emphasizes connection attempts and port scans using colored lines. Nevertheless, it is very hard to identify the origins of the attempts, and it offers only a simple interaction, allowing cube rotation alone. NVisionIP is another 2D tool, focused on representing the network traffic of an entire class-B IP network [8]. It has a single user interface that gives the network administrator an overview of the current state of the network, and it allows filtering the traffic based on a number of attributes useful for categorizing security incidents. Tcpdump prints out a description of the contents of packets on a network interface that match a boolean expression [1]; the network administrator interacts with it through the command line. Snort is another tool with the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks [9]. It performs protocol analysis, content searching and content matching. It can also be used to detect probes or attacks, including operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes and stealth port scans. Trafshow is another tool that continuously shows information about packet traffic on the configured network interface [10]. It periodically sorts and updates this information and may be useful for locating suspicious traffic on the net. Tcpdump, Snort and Trafshow offer a poor visual representation and are not appropriate for visualizing huge amounts of data.

Table 1 compares several tools. Each one has its own features, differing in visualization form (1D, 2D or 3D), number of available traffic filters and the results it can present. The last row is the tool developed in this work, which differs from the others in its interactive interface and its automatic attack classifier.

Table 1. Comparison of related tools.

Tool                            | Interface | Filter                                         | Results presented
EtherApe                        | 3D        | Protocol                                       | Traffic volume
VISUAL                          | 2D        | Port, Protocol                                 | Traffic volume
Spinning Cube of Potential Doom | 3D        | IP range                                       | Attack
NVisionIP                       | 2D        | Protocol                                       | Traffic volume
Tcpdump                         | 1D        | Header parameters                              | Packet header
Snort                           | 1D        | Rules                                          | Packet header
Trafshow                        | 1D        | IP range                                       | Traffic volume
Tool developed                  | 3D        | Header parameters; network interface; quantity | Traffic volume; relationship; details on-demand

3. Tool Developed

Nowadays, all organizations rely on computer networks to run their business, creating a critical dependency on this infrastructure. Meanwhile, the Symantec report shows that [11]:

- they blocked a total of over 5.5 billion malware attacks in 2011, an 81% increase over 2010;
- web-based attacks increased by 36%, with over 4,500 new attacks each day;
- 403 million new variants of malware were created in 2011, a 41% increase over 2010;
- spam volumes dropped by 34% in 2011 over the rates in 2010; 39% of malware attacks via email used a link to a web page;
- mobile vulnerabilities continued to rise, with 315 discovered in 2011;
- in 2011, 232 million identities were exposed, and an average of 82 targeted attacks take place each day;
- mobile threats are collecting data, tracking users and sending premium text messages.

Facts like these boost investment in research on IDS development. Such tools should find the threats and show them to the network administrator, who will take the appropriate action. Ideally the administrator deals with an attack while it is happening, which requires automatic, real-time detection. The tool developed aims to ease the network administrator's work by alerting him in real time about attempted attacks. Two modules compose it: the automatic attack classifier and the 3D visual interface. It was implemented using Linux (operating system), C++ and Python (programming languages), Qt (interface design), Ogre3D (graphics engine) and libpcap (sniffer).

3.1. Automatic attack classifier

The automatic pattern classifier based on the optimum-path forest uses the samples as nodes of a complete graph [4]. The most representative elements of each class (attack) in the training set, the prototypes, are chosen as the samples lying in the border regions between classes. Each prototype competes with the others for samples, offering least-cost paths and their respective labels. This process partitions the training set into optimum-path trees, whose union is an optimum-path forest. The approach has several benefits over other supervised pattern classification methods: it is parameter free, it handles multiclass problems natively, and it makes no assumption about the shape of the classes or their separability. The training phase has to find a set of prototypes. Several heuristics can be applied, such as a randomized choice of prototypes; however, a randomized choice can hurt the classifier's performance, making it unstable and highly sensitive to the prototype selection process. We aim to provide prototypes in the overlapping regions of the samples and at the class boundaries, since these regions are the most susceptible to misclassification, and we obtain them using the minimum spanning tree algorithm. The classifier required an adaptation to be implemented here. We use the KDD (Knowledge Discovery and Data Mining) CUP 99 database to train the classifier. This database contains traffic data together with their classification; it has 41 features and 22 attack classes. Initially we did not implement all attack types: we applied a filter, generating a new database, and added a new table connecting source to destination. It is composed of the following fields:



- duration: the duration of the connection;
- protocol_type: the network protocol type (tcp, udp, ...);
- service: the network service used in the connection (http, telnet, ...);
- src_bytes: the number of bytes sent from the source node;
- dst_bytes: the number of bytes sent from the destination node;
- flag: link status (1 - normal; 0 - error);
- land: 1 if source and destination are the same;
- wrong_fragment: number of wrong fragments;
- urgent: number of urgent packets.

The connection status (flag) is not recovered directly from the packets. It is computed with an automaton whose final states represent the connection status and whose transitions correspond to the packet types that can reach each state. Figure 2 depicts, in order, the steps of the training/test phase for attacks in Sniffer 3D. During the test phase, Sniffer 3D captures a packet (sample) and compares it against the optimum-path trees. If a tree matches the sample, the sample is labelled with that tree's class; otherwise, it is not classified as an attack.

Figure 2. Classification and Test Phase of Sniffer 3D.
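The section describes the optimum-path forest classifier only in prose. As an added illustration, not code from the paper or from Sniffer 3D, the following Python implements the supervised OPF procedure outlined above (prototypes taken from the minimum spanning tree edges that join two classes, then a competition using the maximum-edge path cost) over a few constructed KDD-style records restricted to the nine fields listed. The feature encoding and the protocol/service vocabularies are my own assumptions, not the paper's.

```python
import math

# Constructed KDD CUP 99-style records using the nine fields the paper keeps (duration,
# protocol_type, service, src_bytes, dst_bytes, flag, land, wrong_fragment, urgent) + label.
TRAIN = [
    (0, "tcp", "http", 215, 45076, 1, 0, 0, 0, "normal"),
    (0, "tcp", "http", 162, 4528, 1, 0, 0, 0, "normal"),
    (2, "tcp", "telnet", 1500, 2000, 1, 0, 0, 0, "normal"),
    (0, "icmp", "ecr_i", 1032, 0, 1, 0, 0, 0, "smurf"),
    (0, "icmp", "ecr_i", 520, 0, 1, 0, 0, 0, "smurf"),
]
PROTOCOLS = ["tcp", "udp", "icmp"]      # assumed vocabularies for one-hot encoding
SERVICES = ["http", "telnet", "ecr_i"]  # (not the paper's list)

def encode(rec):
    """Numeric feature vector: log-scaled counts plus one-hot protocol and service."""
    duration, proto, service, src_b, dst_b, flag, land, wrong, urgent = rec[:9]
    vec = [math.log1p(duration), math.log1p(src_b), math.log1p(dst_b),
           float(flag), float(land), float(wrong), float(urgent)]
    vec += [1.0 if proto == p else 0.0 for p in PROTOCOLS]
    vec += [1.0 if service == s else 0.0 for s in SERVICES]
    return vec

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train_opf(records):
    """Supervised OPF: MST-chosen prototypes, then an f_max path-cost competition."""
    xs = [encode(r) for r in records]
    labels = [r[9] for r in records]
    n = len(xs)
    d = [[dist(xs[i], xs[j]) for j in range(n)] for i in range(n)]
    # Prim's MST over the complete graph; both endpoints of an MST edge that joins
    # two different classes become prototypes (they lie on the class boundary).
    in_tree, best, parent, protos = [False] * n, [math.inf] * n, [-1] * n, set()
    best[0] = 0.0
    for _ in range(n):
        u = min((i for i in range(n) if not in_tree[i]), key=lambda i: best[i])
        in_tree[u] = True
        if parent[u] >= 0 and labels[parent[u]] != labels[u]:
            protos.update((u, parent[u]))
        for v in range(n):
            if not in_tree[v] and d[u][v] < best[v]:
                best[v], parent[v] = d[u][v], u
    if not protos:  # single-class training set: no boundary edge, so pick node 0
        protos = {0}
    # Competition: prototypes (cost 0) conquer nodes along the path whose largest edge is smallest (f_max), passing on their label.
    cost = [0.0 if i in protos else math.inf for i in range(n)]
    owner = [labels[i] if i in protos else None for i in range(n)]
    todo = set(range(n))
    while todo:
        s = min(todo, key=lambda i: cost[i])
        todo.remove(s)
        for t in todo:
            if max(cost[s], d[s][t]) < cost[t]:
                cost[t], owner[t] = max(cost[s], d[s][t]), owner[s]
    return list(zip(xs, cost, owner))

def classify(model, rec):
    """Label of the training node that reaches the sample with the lowest f_max cost."""
    x = encode(rec)
    return min(model, key=lambda node: max(node[1], dist(node[0], x)))[2]

def hit_rate(model, records):
    return sum(classify(model, r) == r[9] for r in records) / len(records)
```

On the constructed set the MST has exactly one edge joining the two classes, so two prototypes are chosen and every training record is recovered with its own label.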

Table 2 presents five tests applied to the classifier. Tests I and II classified two classes: normal and smurf. Test III classified three classes: normal, smurf and back. Test IV classified five classes: normal, smurf, back, spy and nmap. Test V used a different classification: not attack versus attack, where attack comprises the classes smurf, back, spy and nmap. For each test we used a specific percentage of the KDD database to train the optimum-path forest algorithm. For example, Test I used 60%, which required more training time (3863 s). With 30% it was possible to achieve a hit rate close to that obtained with 60%. The number of attack classes also affects the hit rate. The traffic data used during the test was captured from a university backbone network.

Table 2. Evaluating the classifier.

                              | Test I | Test II | Test III | Test IV | Test V
Classes                       | 2      | 2       | 4        | 5       | 2
Training (% of database used) | 60%    | 30%     | 30%      | 30%     | 30%
Test (% of database used)     | 40%    | 70%     | 70%      | 70%     | 70%
Training duration             | 3863s  | 942s    | 942s     | 980s    | 983s
Test duration                 | 1138s  | 865s    | 976s     | 1017s   | 1015s
Hit rate                      | 100%   | 100%    | 99.99%   | 89.81%  | 99.99%

3.2. 3D Visual interface

One of the main ideas of information visualization is to help the user interpret large amounts of data. It can basically support three activities: exploratory analysis, confirmatory analysis and presentation. During exploratory analysis the user has no idea of what knowledge the data contains and, through an analytic process, explores the visual presentation looking for relationships that may give rise to a hypothesis. In confirmatory analysis the user already has a hypothesis and aims to find it during the visual exploration, confirming or rejecting it. Presentation is the graphical representation and exposure of relationships, structure, behavior and other characteristics intrinsic to the data being analyzed. Whatever analysis the tool supports, it should provide interaction mechanisms that let the data be visualized from various perspectives, including [12]:

- Mapping: the process that determines how to visualize information, i.e. how to encode information into visual form;
- Selection: choosing, among the available data, the data relevant to the given task;
- Presentation: how to manage and organize information effectively in the available screen space;
- Scale and dimensionality: how to manage a huge visualization in the available space; and
- Rearrangement: how to organize, explore and rearrange the visualization.

The main goal of this work is that the administrator can easily detect attacks on the computer network. We map the network traffic in real time onto a cube. It shows information such as source IP, destination IP, source port and destination port. This interface is similar to the Spinning Cube of Potential Doom, but it is interactive: the user can rotate and translate the cube, and zoom in and out. Each point in the cube represents a connection. As network traffic is captured, colored points are added inside the cube. The automatic classifier determines the colors; for example, red is associated with a possible attack or virus. The cube is configured through a dedicated interface. The main settings are:

- Network interface: the administrator can visualize the traffic of a specific interface, or the traffic can be read from a log file;
- Axes: configures which information is associated with each edge of the cube;
- Filters: the administrator can customize filters following libpcap functionality; and
- Indicators: defines the classification of each connection found and the colors (packet types, source port, destination port, alerts, ...).

Furthermore, a graphical panel with details about the connection is shown when the administrator clicks an object (point) in the 3D cube. Figure 3 depicts the cube and the details of one packet (one point inside the cube). Packets identified as attacks are displayed in different colors according to the level of the attack.

Figure 3. Details about a connection.

Interaction is critical to the success of our tool, since it directly affects the network administrator's satisfaction and efficiency in performing tasks. It can be performed through conventional devices, such as mouse and keyboard, and also through non-conventional devices, such as data gloves and motion trackers. In this project we used two devices originally developed for game consoles: the Wii Remote, through the WiiUseJ library [13], and the Microsoft Kinect, through the OpenNI library [14]. The network administrator can execute operations such as zoom in, zoom out, rotation, pan and detail view. It is also possible to use Sniffer 3D in multiprojection environments. Figure 4 depicts an example where three Sniffer 3D instances are used. The purpose is to divide the display into several cubes by IP range, so that large networks with many connections can be displayed separately, e.g. three university departments represented by three different cubes.

Figure 4. Implementation of Sniffer 3D in a multiprojection environment.

4. Conclusion and future research

Traditionally, the network administrator analyzes text log files to detect attacks and take action. However, the constant growth of computer networks makes this task impractical. For this reason, this paper presented a tool that can optimize the network administrator's job by showing the analysis of the traffic data in an effective way. Log files are not excluded in this work, since they can be used for later analysis, allowing comparison and improvement of the tool developed. The tests were done with real data and showed the efficiency of the tool. The automatic classifier is there to support the user, giving him an idea of what might be an attack; in the end, however, we rely on the user's perception. As future research, it is expected that Sniffer 3D can automatically take some decisions, such as closing a connection that may be trying to attack the network. Confirmations of the actions to be taken by Sniffer 3D can also be generated, without excluding the user's cognition. We aim to compare our classifier with others based on neural networks; we believe we can achieve a lower training time and an improved hit rate. Usability tests are being conducted as the next step of the research.

References

[1] TCPDUMP. TCPDUMP & LIBPCAP. Available at: < http://www.tcpdump.org/ >. Accessed: September 2012.
[2] NGREP. Ngrep – network grep. Available at: < http://ngrep.sourceforge.net/ >. Accessed: September 2012.
[3] SNORT. Snort::Home Page. Available at: < http://www.snort.org/ >. Accessed: September 2012.
[4] Papa, J. P., Falcão, A. X., Suzuki, C. T. N. Supervised Pattern Classification based on Optimum-Path Forest. In Journal of Imaging Systems and Technology, Vol. 19, Issue 2, 120-131, Jun 2009, ISSN: 0899-9457.
[5] ETHERAPE. EtherApe, a graphical network monitor. Available at: < http://etherape.sourceforge.net/ >. Accessed: September 2012.
[6] Ball, R., Fink, G. A., North, C. Home-Centric Visualization of Network Traffic for Security Administration. In VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on Visualization and Data Mining for Computer Security, 55-64, ACM Press, 2004.
[7] Lau, S. The Spinning Cube of Potential Doom. In Communications of the ACM, v.47, n.6, June 2004.
[8] Lakkaraju, K., Yurcik, W., Lee, A. J. NVisionIP: netflow visualizations of system state for security situational awareness. In Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (Washington DC, USA, October 29, 2004). VizSEC/DMSEC '04. ACM, New York, NY, 65-72. DOI= http://doi.acm.org/10.1145/1029208.1029219
[9] SNORT. Snort network intrusion prevention and detection system. Available at: . Accessed: September 2012.
[10] TRAFSHOW. Network traffic monitoring utility. Available at: . Accessed: September 2012.
[11] SYMANTEC. Symantec – Confidence in a connected world. Available at: < http://www.symantec.com/threatreport/topic.jsp?id=highlights >. Accessed: September 2012.
[12] Khan, M., Khan, S. S. Data and Information Visualization Methods, and Interactive Mechanisms: A Survey. In International Journal of Computer Applications (0975 – 8887), Volume 34, No. 1, November 2011.
[13] WIIUSEJ. Java Api for Wiimotes: WiiUseJ. Available at: < http://code.google.com/p/wiiusej/ >. Accessed: September 2012.
[14] OPENNI. OpenNI – Introducing OpenNI. Available at: < http://openni.org/ >. Accessed: September 2012.
