Multi-Dimensional Visualization for Network Forensic Analysis Nuttachot Promrit, Anirach Mingkhwan, Supaporn Simcharoen, Nati Namvong

1Nuttachot Promrit, 2Anirach Mingkhwan, 3Supaporn Simcharoen, 4Nati Namvong
1, First Author: King Mongkut’s University of Technology North Bangkok, Faculty of Information Technology, Bangkok, Thailand, [email protected]
*2, Corresponding Author: King Mongkut’s University of Technology North Bangkok, Faculty of Industrial and Technology Management, Prachinburi, Thailand, [email protected]
3,4, Author: King Mongkut’s University of Technology North Bangkok, Faculty of Industrial and Technology Management, Prachinburi, Thailand, [email protected], [email protected], [email protected]

Abstract
This research studies offenses on a computer network across multiple dimensions of network traffic and logs, using parallel coordinates to show the relationships among parameters such as user, source IP address, time, destination IP address, destination service and domain name. The aim is to test the hypothesis that this technique can identify patterns of attacks and the behavior of offenders. Initially, the attacks were simulated by creating a text file dataset. The results of the experiment showed that (i) attack signatures vary depending on the circumstances of the attack, and (ii) an analyst can observe the attacks clearly and in detail. In addition, the researchers propose user investigations with visualization time machine for network forensic (UIV) as a tool for analyzing behavior on a computer network; the results also showed that (iii) it is possible to track an individual’s behavior using this tool.

Keywords: Network Forensic, Network Traffic Visualization, Parallel Coordinates

1. Introduction
In the age of communication via the internet, there are no borders. Communication over computers is beneficial but can also cause damage to the public and other agencies. The crimes have no physical restrictions; victims may suffer credit card fraud or have personal information stolen while connected to a network. Moreover, when crimes occur, there are no crime scenes to investigate or witnesses as in real life. What the judicial process requires is network forensic analysis of evidence such as the network traffic and logs that are kept and maintained. The main problem of network forensic analysis is that the data is overwhelming and hard to interpret, as it is mostly text or numbers/statistics. Correlations in data presented without a dimensional image cannot be easily understood and require expertise in data analysis. Network forensic research is often presented with visualizations such as [1], [2], [3], [4], [5], [6], which allow an analyst to quickly see abnormalities through the shape and color of objects. The aim of this research is to create a system that can produce multi-dimensional relationships from the logs and network traffic of a network, to help in a crime inspection. It can answer questions based on a model in a court prosecution, such as who, what, where, when and how the suspect performed the attack over the network. The results of the experiments in this paper have been produced for prototyping, as a guideline for developing network forensic tools. The following sections discuss related work, the UIV architecture, the attack simulation and analysis of attack patterns, the UIV visualization tool design, the behavior study, discussion, conclusions and possible future work.

International Journal of Advancements in Computing Technology (IJACT), Volume 4, Number 5, March 2012, doi: 10.4156/ijact.vol4.issue5.27

2. Related Work
A network forensic process starts with the gathering and storage of evidence and basic data analysis, such as checking data accuracy, data clustering, and data transformation, in preparation for analysis in the next process. G. Maier et al. [7] presented a method to capture and store traffic data, with data indexing and information retrieval via a user interface and a network connection interface. These approaches can work with a real-time Network Intrusion Detection System (NIDS) to trace the historical traffic data automatically. To facilitate the analysis, some researchers have shown the data relationships in a visualization form, which helps to find patterns and discover crimes on the network. F. B. Viégas, D. Boyd, D. H. Nguyen, J. Potter, and J. Donath [1] presented a visualization method for electronic mail, which allowed them to see and visualize interactions between people, while S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen [3] presented network traffic visualization using parallel coordinate techniques combined with scatter plot techniques for real-time data analysis and forensics. The parallel coordinate method is one of the information visualization techniques, such as [8]; it was first proposed by Inselberg [9]. Figure 1 demonstrates parallel coordinates. It shows a communication from IP address 192.168.1.1 to IP address 192.168.10.100 using TCP source port 12,680 and TCP destination port 80.

Figure 1. The Parallel coordinates

In addition to the visualization of data relationships to assist in analysis, other researchers have presented techniques for identifying and classifying the offense. H. Choi, H. Lee, and H. Kim [4] proposed intrusion detection using misuse detection and displayed the result visually, by comparing flow data on the network to attack signatures. This method shows the relationships of multi-dimensional data with parallel coordinates using 4 parameters: 1. Source IP address; 2. Destination IP address; 3. Destination port; 4. Average size of the packet. In the research of R. Hadjidj et al. [5], data mining techniques were used to cluster and classify information in order to identify the author of electronic mail. To investigate the offense and understand the situation thoroughly, D. Phan, A. Paepcke, and T. Winograd [6] presented a tool for investigating the suspect using a timeline technique to analyze situations such as outbreaks of infectious diseases and behavior on a computer network. Some of the main research presentation techniques and methods are summarized in Table 1. It can be seen that these studies did not focus on network forensic system solutions. The goal of stored data analysis is to answer questions such as who, what, where, when and how the suspect performed the attacks over the network, to support a legal claim.

Table 1. Characteristics of research on the Network forensic
Columns: Research; Traffic recording; Pattern matching/Classification; Stream identification; User identification; Visualization based analysis; Behavior analysis; Datasets (the per-research marks for the six feature columns are not reproduced)

Research | Datasets
Time Machine [7] | Network traffic
Social Email [1] | E-mail archives
Home-Centric Visualization [2] | Network traffic
Real-Time and forensic [3] | Network traffic
IDS Visualization [4] | Network traffic
E-mail Forensic Analysis [5] | E-mail archives
FORWEB [10] | Digital image
Source Attribution for NAT [11] | Network traffic
Timeline Visualization [6] | N/A
Multi-Dimensional [12], [13], [14] | Logs + Network traffic


To examine behavior and identify suspicious activity from data that can be used as evidence in accordance with the provisions of law, this research presents the UIV model [12], [13] to study behavior on a network using parallel coordinates, which show the relationships of multi-dimensional data from the user, source IP address, time, destination IP address, destination service and domain name. The researchers expect that the additional dimension of time and the other dimensions will help to identify suspicious behavior on a computer network.

3. UIV Architecture
This research presents the UIV model with the aim of studying behavior on a computer network and detecting behavior that violates the network security policy from flow data [12], [13]. The UIV architecture includes 7 components. The collector collects network traffic on the network and logs from the logs server. The time machine retrieves network traffic and logs from a specified time period. The flow generator generates the flow data from the network traffic and logs. The detection analysis analyzes network security policy violations from flow data and attack signatures. The parallel coordinates visualizer shows the flow data in parallel coordinates form. The data cloud visualizer displays the results of detection as a data cloud. The investigation interface displays a network timeline.

Figure 2. UIV architecture

In Figure 2, the collector collects traffic and logs into a database for the detection of behavior that violates the network security policy in phase 1, “detection of suspect”, and for the investigation in phase 2, “Investigation”. The flow generator creates the flow data with the parallel coordinates technique from traffic and logs that are retrieved for a specified period of time via the time machine. The flow data is then shown visually with parallel coordinates, while the detection analysis takes flow data and attack signatures to analyze the behavior. The results are shown with data cloud visualization, and the analysts can investigate further using the investigation interface.

4. Simulation of Attacks and Analysis of Attack Patterns
To examine the hypothesis that the parallel coordinate technique can be used to recognize patterns and behavior of attacks on the network, the researchers initially simulated host scan attacks, port scan attacks, single source DoS attacks, back scatter attacks and Trudy attacks. The attack datasets were created in a text file format. Figure 3 shows a dataset of the port scan. The user, Charlie, is assigned random destination service numbers, a source IP address, a destination IP address and a domain name.


Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 51341 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 63726 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 38434 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 50989 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 47690 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 42662 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 43556 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 61523 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 35067 temp.gamefanc.com
Charlie 215.123.153.189 30/Jun/2010 13:27:04 12.90.27.73 26112 temp.gamefanc.com

Figure 3. Sample dataset for the port scan

To create a multi-dimensional relationship, the dataset has been transformed and stored in a relational database to create a flow data matrix using the steps shown in Figure 4.

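Figure 4. Steps of data transformation

Let the flow data matrix be $A = [a_{ij}]$, where $i = 1$ to MaxUserTrafficIn24H and $j = 1$ to 6, with

$$a_{i1} = \frac{\mathrm{MaxUserTrafficIn24H}}{\mathrm{MaxTrafficIn24H}} \tag{1}$$

$$a_{i2} = \frac{\mathrm{int}(\mathrm{SourceIPaddress})}{\mathrm{int}(255.255.255.255)} \tag{2}$$

$$a_{i3} = \mathrm{SerialDateNumber}(\mathrm{Time}) - \mathrm{floor}(\mathrm{SerialDateNumber}(\mathrm{Time})) \tag{3}$$

$$a_{i4} = \frac{\mathrm{int}(\mathrm{DestinationIPaddress})}{\mathrm{int}(255.255.255.255)} \tag{4}$$

$$a_{i5} = \frac{\mathrm{DestinationService}}{65535} \tag{5}$$

$$a_{i6} = \frac{\mathrm{Order}(\mathrm{DomainName})}{\mathrm{Max}(\mathrm{DomainName})} \tag{6}$$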

From equations (1)-(6), we can adjust the flow data matrix A to a value between 0 and multiplying by a positive integer . A parallel coordinates visualizer shows the flow data matrix in graphic form, as shown in Figure 5.

Figure 5. Parallel coordinates of committing attacks: (a) Host scan; (b) Port scan; (c) Single source DoS; (d) Backscatter; (e) Host scan, Port scan and Single source DoS by Trudy

In Figure 5, the flows of host scan attacks, port scan, single source DoS, backscatter and Trudy’s flow are shown with the parallel coordinates technique. Each flow shows the following behavior.
(a) Host scan: an attacker tried to send traffic to many hosts on the network by spreading the destination IP addresses over a subnet range. The events continued over a period of time. We can see the lines drawn to the time axis and the destination IP address axis distributed within the range of both axes, while the rest fall onto a single point on the axis.
(b) Port scan: an attacker tried to send traffic to the ports of the target host. The events continued over a period of time. We can see the lines drawn to the time axis and the destination service axis distributed within the range of both axes, while the rest fall onto a single point on the axis.
(c) Single source DoS, which makes the destination host stop serving: an attacker tried to send large amounts of traffic to the host. The events continued over a period of time. We can see the lines drawn to the time axis distributed within a certain range of this axis, while the rest fall onto a single point on the axis.
(d) Backscatter attack: an attacker tried to do both host scan and port scan. The events continued over a period of time. We can see the lines drawn to the time axis, the destination IP address axis and the destination service axis distributed within a certain range of the three axes, while the rest fall onto a single point on the axis.
(e) In Trudy’s flow, Trudy used 3 source IP addresses to do host scan, port scan and single source DoS, respectively; we can see the lines drawn to the source IP address axis and the time axis at three points. The destination IP address and the destination service axes show a combination of host scan, port scan, and single source DoS, while the rest fall onto a single point on the axis.

We can see that Trudy tried 3 attacks in sequence. The host scan, performed first, made it possible to learn which hosts were available. The port scan made it possible to learn which ports were open. Finally, the single source DoS against the target host stopped the service. Typically, detecting a single source DoS attack is difficult because the nature of the flow is similar to normal communication. So when the attacker attempts a host scan first and a port scan next, the subsequent flows are marked as suspicious and can be analyzed further.
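The normalization in equations (1)-(6) and the axis-spread signatures described for Figure 5 can be expressed directly in code. The following Python sketch is an added example, not the UIV implementation. It rests on three assumptions: the records are constructed sample data in the Figure 3 layout, `user_traffic` and `max_traffic` are hypothetical inputs standing in for the two counts in equation (1), and an axis counts as spread as soon as it takes more than one value.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

AXES = ("user", "src_ip", "time", "dst_ip", "dst_service", "domain")
MAX_IP = int(ipaddress.IPv4Address("255.255.255.255"))

# Figure 5 signatures: the set of axes on which the lines spread out,
# while every other axis falls onto a single point.
SIGNATURES = {
    frozenset({"time", "dst_ip"}): "host scan",
    frozenset({"time", "dst_service"}): "port scan",
    frozenset({"time"}): "single source DoS",
    frozenset({"time", "dst_ip", "dst_service"}): "backscatter",
}


def parse_flow(line):
    """Parse one whitespace-separated record laid out like Figure 3."""
    user, src, date, clock, dst, service, domain = line.split()
    return {
        "user": user,
        "src_ip": src,
        "time": datetime.strptime(f"{date} {clock}", "%d/%b/%Y %H:%M:%S"),
        "dst_ip": dst,
        "dst_service": int(service),
        "domain": domain,
    }


def flow_matrix(flows, user_traffic, max_traffic):
    """Build A = [a_ij] per equations (1)-(6); every entry lies in [0, 1]."""
    # Assumption: Order(DomainName) is the 1-based rank in sorted order.
    domains = sorted({f["domain"] for f in flows})
    rows = []
    for f in flows:
        t = f["time"]
        rows.append((
            user_traffic / max_traffic,                          # (1)
            int(ipaddress.IPv4Address(f["src_ip"])) / MAX_IP,    # (2)
            (t.hour * 3600 + t.minute * 60 + t.second) / 86400,  # (3) fraction of the day
            int(ipaddress.IPv4Address(f["dst_ip"])) / MAX_IP,    # (4)
            f["dst_service"] / 65535,                            # (5)
            (domains.index(f["domain"]) + 1) / len(domains),     # (6)
        ))
    return rows


def signature(rows):
    """Name the Figure 5 pattern from the axes that take more than one value."""
    spread = frozenset(
        axis for k, axis in enumerate(AXES) if len({r[k] for r in rows}) > 1
    )
    return SIGNATURES.get(spread, "unclassified")


def signatures_by_source(flows, user_traffic, max_traffic):
    """Classify each (user, source IP) pair separately, as in Trudy's flow."""
    groups = defaultdict(list)
    for f, row in zip(flows, flow_matrix(flows, user_traffic, max_traffic)):
        groups[(f["user"], f["src_ip"])].append(row)
    return {key: signature(rows) for key, rows in groups.items()}


def sample_flows():
    """Constructed records: Trudy uses three source addresses in turn."""
    lines = []
    for n in range(5):
        lines.append(f"Trudy 198.51.100.1 30/Jun/2010 13:00:0{n} 192.0.2.{10 + n} 80 example.test")
        lines.append(f"Trudy 198.51.100.2 30/Jun/2010 13:10:0{n} 192.0.2.12 {1000 + n} example.test")
        lines.append(f"Trudy 198.51.100.3 30/Jun/2010 13:20:0{n} 192.0.2.12 80 example.test")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for key, name in signatures_by_source(sample_flows(), 15, 100).items():
        print(key, "->", name)
```

Grouping by source address before classifying is what separates Trudy's three stages; classified as one group, the same records spread on the source IP address axis as well and match none of the four single-attack signatures.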

5. UIV Visualization Tool Design
The UIV visualization tool was designed as a tool for analyzing network usage. The username being analyzed is displayed in the title bar, as in Figure 6.


Figure 6. UIV visualization tool

The UIV visualization tool consists of 2 main panels.
1. The calendar panel shows the network usage information in calendar format. For each month, it shows the month name and the days, with the Sunday column at the start and the Saturday column at the end in cyan letters, and Monday through Friday in black letters. Under each day, the user's traffic volume is shown by a rectangle. The size of the rectangle is proportional to the amount of network usage. An analyst can choose the desired date by simply clicking the rectangle. The selected rectangle becomes blue, while the other rectangles are red.
2. The parallel coordinates panel displays the flow data of users in one of the following modes.
(a) Replay mode: when it is clicked, a rectangle in the calendar panel is highlighted. The parallel coordinates panel displays the user's flow data in order, one hour at a time, from 0 o'clock to 23 o'clock, while the bottom of the parallel coordinates panel will appear blue and move along with the flow data to show the time. Flow data is shown as a blue line, while previous flow data is shown as a red line. An analyst can easily look at past events, as the history can be rewound and played again.
(b) Overall mode: after the flow data completes at the end, an analyst is able to view flow data for the past 24 hours, which is represented by red lines. At the bottom of the parallel coordinates panel, the amount of network traffic (Volume) is also shown as a bar graph. The height of the graph is proportional to the amount of network usage for each hour, and an analyst can choose to view flow data over time by clicking on the bar graph. The analyst can return to replay mode by clicking on the replay button.
(c) Selected mode displays the flow data for each hour, highlighted by a blue line. An analyst can go back to replay mode by clicking the replay button.

6. Behavior Study
This research studied behavior on the computer network of a university in Thailand using the outbound traffic and logs from an authentication server for 7 days. Flow data of the users was created by joining the network traffic and logs files and selecting some fields, which were: 1. User; 2. Source IP address; 3. Time; 4. Destination IP address; and 5. Destination service. As shown in Table 2, there were 1,302 user accounts and 4,092 login times from 1,237 source IP addresses, which communicated with 43,473 destination IP addresses and 10,280 destination port numbers. The researchers resolved the server names from the destination IP addresses and found 12,147 server names for the 43,473 destination IP addresses. Server names can be transformed to domain name forms, such as www-10-01-snc2.facebook.com to facebook.com and speedtest.nectec.or.th to nectec.or.th, which produced 3,787 domain names.


Table 2. The characteristics of outbound traffic and logs

Item | Value
Duration storage | 7 Days
Selected fields | User, Source IP address, Time, Destination IP address, Destination service
Number of user accounts | 1,302 Accounts
Number of login | 4,092 Login times
Number of source IP addresses | 1,237 Addresses
Number of destination IP addresses | 43,473 Addresses
Number of destination services | 10,280 Ports
Number of server names | 12,147 Server names
Number of domain names | 3,787 Domain names

The researchers analyzed flow data images of the username "2536001" with the UIV visualization tool. "2536001" accessed the network on September 2 to 4 and 6 to 7. The maximum amount of traffic was on Monday, September 6 and the minimum on Tuesday, September 7, as shown in Figure 7 (a). On Monday, September 6, "2536001" logged in from only one source IP address between 8-17 o'clock. This can be divided into two ranges, 8-11 o'clock and 13-17 o'clock, as shown in Figure 7 (b), where it is obvious that "2536001" communicated with destination hosts through the well-known ports more than through the registered ports/private ports. In Figure 7 (c), at 13 o'clock, "2536001" communicated with many hosts via the registered ports/private ports. There were also registered ports/private ports which did not have a domain name. These were expected to be Peer-to-Peer communications.

Figure 7. Flow data of username "2536001": (a) Calendar panel; (b) Parallel coordinates panel with overall mode; (c) Parallel coordinates panel with selected mode

7. Discussion
The previous sections discussed simulated attacks and studied the behavior of a user using a visualization technique. The visualization shows past events that occurred on the network. When users interact with machines or humans via user agents, information in the form of electronic data (digital artifacts) is exchanged on the network. Not only can the investigator take advantage of these artifacts in order to find the offender, but the artifacts can also be claimed as evidence under the provisions of the criminal procedure code or other laws (The computer crime act 2550, Section 25:Thailand). In Thailand, an internet provider must retain traffic data and the user profiles which are necessary for user identification. Since data should be stored at least 90 days, the agencies would have a lot of storage. When there is a criminal crisis or trouble on the computer network, an investigator will analyze the stored data in order to find the machines from which a criminal entered data into the network and to study the criminal’s behavior. The proposed visualization is expected to resolve doubts by studying the interaction between users and machines/humans. Innocuous events and malicious events of a user who is suspected of causing damage would be identified and tracked, and then considered further and carefully. All four cases of attack can be summarized as attack signatures, which are shown in Figure 8. In host scan events, the attacker sent traffic to destination hosts by spreading the destination IP addresses over a subnet range, which causes the parallel coordinates image to have a wide range on the time axis and the destination IP address axis, while the PCAV technique [4] has a wide range on the destination IP address axis only. The UIV visualization tool is a tool to study the interaction of the user and discover patterns of events, both innocuous and malicious. The signatures that are discovered would be knowledge for user behavior classification. The pattern of attacks on the network can be identified from the characteristics of the attack, as in Figure 8, while giving meaning to other events that are not directly attacks but cause damage is a challenge for this research. Considering the flow data of the users, it is noticeable that the pattern of the flow data for each user is unique, like a fingerprint of the user, as shown in Figure 9. Accordingly, we are able to use anomaly detection techniques to detect malicious events from abnormal flow data.

Figure 8. Comparing different attack signatures between UIV and PCAV [4]


8. Conclusion
Network forensic tasks often require the processing of large amounts of data and the visualization of data relationships. This paper suggests a network forensic model for crime investigation over a network. It works by creating multiple dimensions of information from network traffic and logs with parallel coordinate techniques. In the preliminary study of attack behavior and crime patterns using simulated network attacks, the flows of host scan, port scan, single source DoS and back scatter attacks were shown with parallel coordinate techniques. Attack signatures were obtained from an experiment which showed differences according to the circumstances of the attack. This method lets an analyst observe the attacks clearly and in detail. In other words, with the simulated host scan and backscatter, an analyst can tell whether an attacker sent traffic to a destination host with random destinations. This makes the single source DoS attack by Trudy predictable, as Trudy had previously performed host scan attacks and port scan attacks. In addition, this research presents the UIV visualization tool as a tool to analyze the behavior of users over a computer network. This allows an analyst to track usage activity in the network.

Figure 9. A contrast of two different usernames: Username “robinson”; Username “2536001”

9. Future Work
For possible future work, the researchers will develop the UIV visualization tool on a cluster computing system, which should help to process large amounts of network traffic. To make the UIV visualization tool work in real time, a researcher may use a technique such as data reduction [15]. The cluster computing system is composed of personal computers and a gigabit ethernet network, as shown in Figure 10. In the gigabit ethernet network, each computer within a group communicates using a private IP address, while a head node, which manages the distribution of tasks, has a public IP address in order to contact outside hosts. This enables an admin to configure the system via the Internet from a remote node. In addition, a collector node has another IP address to connect to a local area network (LAN), so it is able to store the network traffic of the local area network directly to the cluster.


Figure 10. The UIV cluster computing system

The system structure shows a collector node which collects inbound and outbound network traffic on the local area network via the network gateway and stores it on the HDD network storage. A job manager on the head node is responsible for distributing tasks to the computers on the cluster. At the same time, as a database server, the head node is responsible for assembling the network traffic collected by the collector node and the log files collected by the logs server on the local area network. This database is transformed into a suitable format and stored on the HDD network storage for processing by the UIV application. The UIV application that runs on the cluster system would take network traffic and logs from the database server, together with other necessary information such as attack signatures, to create multidimensional images that support network forensic analysis.

10. Acknowledgment
This research was supported by the office of the Higher Education Commission of Thailand (2011).

11. References
[1] Fernanda B. Viégas, danah boyd, David H. Nguyen, Jeffrey Potter and Judith Donath, “Digital artifacts for remembering and storytelling: Posthistory and social network fragments”, In Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS’04). IEEE Computer Society, pp.1–10, 2004.
[2] Robert Ball, Glenn A. Fink and Chris North, “Home-centric visualization of network traffic for security administration”, In VizSEC/DMSEC ’04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pp.55-64, October 2004.
[3] Sven Krasser, Gregory Conti, Julian Grizzard, Jeff Gribschaw and Henry Owen, “Real-time and forensic network data analysis using animated and coordinated visualization”, In Information Assurance Workshop, 2005. IAW ’05. Proceedings from the Sixth Annual IEEE SMC, pp.42–49, June 2005.
[4] Hyunsang Choi, Heejo Lee and Hyogon Kim, “Fast detection and visualization of network attacks on parallel coordinates”, Computers and Security, vol. 28, pp.276–288, 2009.
[5] Rachid Hadjidj, Mourad Debbabi, Hakim Lounis, Farkhund Iqbal, Adam Szporer and Djamel Benredjem, “Towards an integrated e-mail forensic analysis framework”, Digital Investigation, vol. 5, pp.124–137, 2009.
[6] Doantam Phan, Andreas Paepcke, and Terry Winograd, “Progressive multiples for communication-minded visualization”, In Graphics Interface Conference, pp.225–232, May 2007.
[7] Gregor Maier, Robin Sommer, Holger Dreger, Anja Feldmann, Vern Paxson and Fabian Schneider, “Enriching Network Security Analysis with Time Travel”, In SIGCOMM’08, pp.183–194, August 2008.
[8] HE Huaiqing, YANG Lei and XU Qing, “Multidimensional Uncertainty Visualization with Parallel Coordinate and Star Glyph”, JDCTA: International Journal of Digital Content Technology and its Applications, vol. 5, no. 6, pp.412-420, 2011.
[9] Alfred Inselberg, “Multidimensional detective”, In INFOVIS ’97: Proceedings of the 1997 IEEE Symposium on Information Visualization (InfoVis ’97), pp.100–107, 1997.
[10] John Haggerty, David Llewellyn-Jones and Mark Taylor, “Forweb: file fingerprinting for automated network forensics investigations”, In e-Forensics ’08: Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, pp.1-6, January 2008.
[11] M. I. Cohen, “Source attribution for network address translated forensic captures”, Digital Investigation, vol. 5, pp.138-145, 2009.
[12] Nuttachot Promrit and Anirach Mingkhwan, “User investigations with visualization time machine for network forensic”, In The 6th National Conference on Computing and Information Technology, pp.311–316, June 2010.
[13] Nuttachot Promrit and Anirach Mingkhwan, “User investigations with visualization time machine for network forensic”, Information Technology Journal, vol. 11, pp.31-36, 2010.
[14] Nuttachot Promrit and Anirach Mingkhwan, “The Parallel Coordinates Methodology to Study Suspicious Behavior on a Computer Network”, In The 3rd National Conference on Information Technology (NCIT2010), pp.53-58, July 2010.
[15] Peng Tao, Chen Xiaoshu, Liu Huiyu and Chen Kai, “Data Reduction Based on Local Hausdorff Measures for Forensic Data”, JCIT: Journal of Convergence Information Technology, vol. 6, no. 5, pp.273-279, 2011.
