Title: Visualizing DNS Traffic


1
Visualizing DNS Traffic
  • Pin Ren, John Kristoff, Bruce Gooch

Northwestern University
Northwestern University
Neustar
2
DNS (Domain Name System)
64.233.167.99 vs. www.google.com: which one do you prefer to use?
GIF image from http://www.learnthenet.com
3
DNS Security Challenges
  • Service Authentication
      • Spoofed authoritative server (man-in-the-middle attack)
  • Data Integrity
      • Cache poisoning (pharming attack)
  • Malicious DNS Traffic
      • Reflection and amplification attacks (distributed DoS attack)

4
Why Visualizing DNS Traffic
  • Provide visual insights
  • DNS Security challenges
  • Internet operation and security vulnerability,
    e.g. Botnet, worm propagation
  • Situational Awareness
  • Monitoring and detecting malicious activities
  • Visualization-guided data mining and attack
    pattern profiling

5
Previous Work
  • DNS Implementations and Their Expansion
      • ISC BIND logs
      • DNSSEC
  • Common DNS Tools
      • dsc
      • dnstop
      • scripts to monitor a handcrafted blacklist

6
Previous Work
  • BreakingStory, Fitzpatrick et al. 2003
  • TextPool, Albrecht-Buehler et al. 2005
  • Visual correlation for situational awareness,
    Livnat et al. 2005

7
Kristoff, J. 2006, http://www.nanog.org/mtg-0602/pdf/kristoff.pdf
8
DNS Queries
  • DNS Query example
  • Jun 30 00:02:00 dns_server_name
  • Client 167.156.183.123:32768
  • query www.google.com IN A

9
System Overview
DNS Server
10
Client App Interface
Play Video client_ip.avi
11
Visual Metaphor FlyingTerm
  • What is FlyingTerm?
  • Subject: query string (or IP address, port); time
    series data (aggregated count)
  • Animated by moving the visualized time window and
    updating the new location of each term
  • Interpolating to generate smooth animation.

Play Video Big_port.avi
12
FlyingTerm Spatial Layout
  • X: count-weighted average time
  • Y: aggregated counts

[Figure: FlyingTerm layout. X axis: time, from old to new. Y axis: counts (normalized), from min to max, labelled as the importance scale. Plotted label: subject.]
13
FlyingTerm Curly Tail
  • Quadratic Bezier Curve
  • From the previously calculated location to the
    current one, depicting direction
  • Length of the tail indicates rate of change
  • Highlighting the important/selected visual object
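
A sketch of the FlyingTerm layout and curly tail from slides 11 to 13, added here as an example and not code from the presentation. The one-line log format, the 60-second bins, the 0-to-1 scaling and the Bezier control point are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines; the one-line format is an assumption modelled on slide 8.
LOG = """\
Jun 30 00:00:10 ns1 client 192.0.2.10:32768 query www.example.com IN A
Jun 30 00:00:40 ns1 client 192.0.2.11:32768 query www.example.com IN A
Jun 30 00:02:05 ns1 client 192.0.2.12:40000 query cc.example.net IN A
Jun 30 00:03:10 ns1 client 192.0.2.13:40001 query cc.example.net IN A
Jun 30 00:03:20 ns1 client 192.0.2.14:40002 query cc.example.net IN A
Jun 30 00:03:50 ns1 client 192.0.2.15:40003 query cc.example.net IN A
""".splitlines()
LINE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ client \S+ query (\S+) IN")

def parse(lines):
    """Return [(seconds_since_midnight, query_name)] for lines that match."""
    out = []
    for m in filter(None, map(LINE.search, lines)):
        h, mi, s = (int(g) for g in m.group(1, 2, 3))
        out.append((h * 3600 + mi * 60 + s, m.group(4)))
    return out

def layout(events, start, end, bin_s=60):
    """Map subject -> (x, y) in the unit square for the window [start, end)."""
    bins = defaultdict(lambda: defaultdict(int))  # subject -> bin index -> count
    for t, subject in events:
        if start <= t < end:
            bins[subject][(t - start) // bin_s] += 1
    totals = {s: sum(b.values()) for s, b in bins.items()}
    pos = {}
    for subject, b in bins.items():
        # X: count-weighted average of bin centres, scaled so 0 = old, 1 = new.
        mean_t = sum(c * (i + 0.5) * bin_s for i, c in b.items()) / totals[subject]
        # Y: aggregated count, normalized to the busiest subject in this window.
        pos[subject] = (mean_t / (end - start), totals[subject] / max(totals.values()))
    return pos

def tail(prev, cur, bend=0.2, steps=8):
    """Quadratic Bezier from prev to cur; the sideways control point is assumed."""
    (x0, y0), (x2, y2) = prev, cur
    cx = (x0 + x2) / 2 - bend * (y2 - y0)
    cy = (y0 + y2) / 2 + bend * (x2 - x0)
    return [((1 - u) ** 2 * x0 + 2 * u * (1 - u) * cx + u * u * x2,
             (1 - u) ** 2 * y0 + 2 * u * (1 - u) * cy + u * u * y2)
            for u in (k / steps for k in range(steps + 1))]

if __name__ == "__main__":
    events = parse(LOG)
    for window in ((0, 240), (120, 240)):  # slide the visualized time window
        print(window, layout(events, *window))
```

Sliding the window from (0, 240) to (120, 240) moves cc.example.net from x = 0.8125 to x = 0.625 while its y stays at 1.0, because counts are normalized within each window.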

14
FlyingTerm Summary
  • Novelty
      • Importance-driven spatial layout
      • Utilizing human motion perception for visualizing
      • Curly Tail to visualize both direction of change
        and rate of change
  • Limitation
      • Normalization within a time window
      • Visual scalability

15
Other Visual Presentations
  • Stacking Graphs
  • Two-Tone Pseudo Color (Saito et al. 2005)
  • Chernoff Face (Chernoff, 1973)

16
Stacking Graphs
Play Video Client_ip.avi (2nd half)
17
Two-Tone Pseudo-Color
Saito et al, 2005
18
Chernoff Face
Chernoff, 1973
19
Interaction
  • Brush and linking
  • Visually guided dynamic querying and filtering
  • Detail on demand
  • Standard playback control

20
Case Study Botnet
21
Case Study Botnet
22
Conclusion
  • Introduce DNS security problems to VizSEC
  • Propose a novel visual metaphor FlyingTerm
  • Incorporate existing visual representations
  • Integrate visual, textual, statistical info
    together
  • A suite of visualization techniques for the same
    underlying dataset

23
Future Work
  • Work with more real data and tasks
      • Highly sensitive data, not easy to get
  • Integrate into current DNS monitoring tools
  • Compare different visual presentations and
    provide a design guide
  • Find a broader range of applications for this system

24
Thanks for your attention
http://www.cs.northwestern.edu/pren/dns_vis/
25
FlyingTerm
26
Case Study SSH password attack
27
Case Study SSH password attack