Title: Visualizing DNS Traffic
Visualizing DNS Traffic
- Pin Ren, John Kristoff, Bruce Gooch
Northwestern University
Northwestern University
Neustar
DNS (Domain Name System)
64.233.167.99 vs. www.google.com: which one would you rather use?
GIF image from http://www.learnthenet.com
DNS Security Challenges
- Service authentication
  - Spoofed authoritative server (man-in-the-middle attack)
- Data integrity
  - Cache poisoning (pharming attack)
- Malicious DNS traffic
  - Reflection and amplification attacks (distributed DoS)
Why Visualize DNS Traffic?
- Provide visual insight into
  - DNS security challenges
  - Internet operation and security vulnerabilities, e.g. botnets, worm propagation
- Situational awareness
  - Monitoring and detecting malicious activity
  - Visualization-guided data mining and attack-pattern profiling
Previous Work
- DNS implementations and their extensions
  - ISC BIND logs
  - DNSSEC
- Common DNS tools
  - dsc
  - dnstop
  - Scripts that monitor a handcrafted blacklist
Previous Work
- BreakingStory, Fitzpatrick et al. 2003
- TextPool, Albrecht-Buehler et al. 2005
- Visual correlation for situational awareness, Livnat et al. 2005
Kristoff, J. 2006, http://www.nanog.org/mtg-0602/pdf/kristoff.pdf
DNS Queries
- DNS query example (one query-log entry)
  - Jun 30 00:02:00 dns_server_name
  - client 167.156.183.123#32768:
  - query: www.google.com IN A
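The log entry above is the raw material the visualization works from. The following is an added example, not code from the paper or its authors: it parses BIND 9 style query-log lines into records and aggregates them into the per-window counts from which a FlyingTerm subject series (query name, client IP address or client port) is built. The sample lines are constructed, the server name and addresses are placeholders, and the year 2006 used to complete the syslog timestamp (which carries no year) is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in BIND 9 query-log style; hosts and addresses are placeholders.
# The last line is a non-query notice and must be ignored by the parser.
SAMPLE_LOG = """\
Jun 30 00:02:00 dns_server_name client 167.156.183.123#32768: query: www.google.com IN A
Jun 30 00:02:03 dns_server_name client 167.156.183.123#32769: query: mail.google.com IN A
Jun 30 00:02:07 dns_server_name client 10.20.30.40#53: query: example.org IN MX
Jun 30 00:03:12 dns_server_name client 10.20.30.41#1024: query: irc.badbot.example IN A
Jun 30 00:03:15 dns_server_name client 10.20.30.42#1025: query: irc.badbot.example IN A
Jun 30 00:03:18 dns_server_name client 10.20.30.43#1026: query: irc.badbot.example IN A
Jun 30 00:04:59 dns_server_name client 10.20.30.44#1027: query: irc.badbot.example IN A
Jun 30 00:05:00 dns_server_name lame server resolving 'example.net' (in 'example.net'?): 192.0.2.1#53
"""

# syslog prefix, server name, "client IP#port:", then "query: NAME CLASS TYPE".
QUERY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<server>\S+) client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text, year=2006):
    """Return one dict per query line; lines that are not queries are skipped.
    Syslog timestamps carry no year, so `year` (assumed) completes them."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        records.append({
            "time": stamp,
            "server": m["server"],
            "client_ip": m["ip"],
            "client_port": int(m["port"]),
            "qname": m["qname"].rstrip(".").lower(),  # canonicalise for aggregation
            "qclass": m["qclass"],
            "qtype": m["qtype"],
        })
    return records


def aggregate(records, subject="qname", window_seconds=60):
    """Bucket records into fixed windows counted from the earliest record and
    tally the chosen subject field (qname, client_ip or client_port) per window.
    Returns {window_index: Counter(subject_value -> count)}."""
    if not records:
        return {}
    t0 = min(r["time"] for r in records)
    series = defaultdict(Counter)
    for r in records:
        idx = int((r["time"] - t0).total_seconds() // window_seconds)
        series[idx][r[subject]] += 1
    return dict(series)


def subject_series(series, value):
    """Counts of one subject value across all windows (0 where absent):
    the time series a single FlyingTerm glyph is driven by."""
    n_windows = max(series) + 1 if series else 0
    return [series.get(i, Counter())[value] for i in range(n_windows)]


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    per_window = aggregate(recs, "qname", 60)
    for name in sorted({r["qname"] for r in recs}):
        print(f"{name:24s} {subject_series(per_window, name)}")
```

Switching `subject` to `client_ip` or `client_port` gives the other two series the slides mention; in the constructed sample the name irc.badbot.example is asked for by four different clients in two consecutive windows, which is the shape of signal the later botnet case study looks for.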
System Overview
(Architecture diagram; the only legible label is "DNS Server".)
Client App Interface
(Video: client_ip.avi)
Visual Metaphor: FlyingTerm
- What is FlyingTerm?
  - Subject: time series of aggregated counts for a query string (or IP address, or port)
  - Animated by moving the visualized time window and updating the location of each term
  - Interpolated to produce smooth animation
(Video: Big_port.avi)
FlyingTerm Spatial Layout
- X: count-weighted average time
- Y: aggregated counts
(Layout diagram: the X axis is Time, running from old to new; the Y axis is Counts (normalized), running from Min to Max and read as an importance scale; each Subject is drawn as a point.)
FlyingTerm Curly Tail
- Quadratic Bezier curve from the previously calculated location to the current one, depicting the direction of change
- Length of the tail indicates the rate of change
- Highlights the important/selected visual object
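The layout and tail rules on the two slides above, as an added example that is not the paper's own code. It takes per-term count series over fixed time slots (the constructed input below), places each term for one visible window (X = count-weighted mean time scaled from oldest to newest slot, Y = aggregated count normalized by the largest count in the same window), slides the window with interpolated in-between frames, and draws the quadratic Bezier tail from the previous position to the current one. The slides fix only the tail's endpoints; the sideways offset of the control point (`bulge`), the number of samples per curve and the frames per step are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    x: float
    y: float


def layout(series_by_term, window_start, window_len):
    """Place every term for the visible window of `window_len` slots starting at
    `window_start`. X is the count-weighted mean slot of the term's queries,
    scaled so 0 = oldest slot and 1 = newest; Y is the term's aggregated count
    normalised by the largest aggregated count in the same window (the
    slide's "normalisation within a time window"). Terms with no queries in
    the window are not placed."""
    totals, xs = {}, {}
    for term, counts in series_by_term.items():
        slots = counts[window_start:window_start + window_len]
        total = sum(slots)
        if total == 0:
            continue
        mean_slot = sum(i * c for i, c in enumerate(slots)) / total
        xs[term] = mean_slot / max(window_len - 1, 1)
        totals[term] = total
    if not totals:
        return {}
    y_max = max(totals.values())
    return {term: Point(xs[term], totals[term] / y_max) for term in totals}


def bezier_tail(prev, cur, bulge=0.25, samples=8):
    """Quadratic Bezier from the previous position to the current one. The
    control point is the chord midpoint pushed sideways by `bulge` times the
    chord length (assumed choice), which gives the tail its curl; the chord
    length itself is the rate of change the tail encodes."""
    dx, dy = cur.x - prev.x, cur.y - prev.y
    ctrl = Point(prev.x + dx / 2 - dy * bulge, prev.y + dy / 2 + dx * bulge)
    pts = []
    for k in range(samples + 1):
        t = k / samples
        pts.append(Point(
            (1 - t) ** 2 * prev.x + 2 * (1 - t) * t * ctrl.x + t ** 2 * cur.x,
            (1 - t) ** 2 * prev.y + 2 * (1 - t) * t * ctrl.y + t ** 2 * cur.y,
        ))
    return pts


def tail_length(prev, cur):
    """Straight-line distance between consecutive positions: the rate of change."""
    return math.hypot(cur.x - prev.x, cur.y - prev.y)


def interpolate(prev, cur, t):
    """Linear blend used for the in-between frames while the window slides."""
    return Point(prev.x + (cur.x - prev.x) * t, prev.y + (cur.y - prev.y) * t)


def animate(series_by_term, window_len, frames_per_step=4):
    """Slide the window one slot at a time; yield, per frame, each term's
    interpolated position together with its tail from the previous position."""
    n_slots = max(len(c) for c in series_by_term.values())
    prev = layout(series_by_term, 0, window_len)
    for start in range(1, n_slots - window_len + 1):
        cur = layout(series_by_term, start, window_len)
        for f in range(1, frames_per_step + 1):
            t = f / frames_per_step
            frame = {}
            for term, p in cur.items():
                q = prev.get(term, p)  # a term that just appeared has no tail yet
                here = interpolate(q, p, t)
                frame[term] = (here, bezier_tail(q, here))
            yield start, t, frame
        prev = cur


# Constructed per-slot counts (e.g. 60 s slots) for two names.
SAMPLE_SERIES = {
    "irc.badbot.example": [0, 3, 1, 4],
    "www.google.com":     [1, 0, 0, 1],
}

if __name__ == "__main__":
    for start, t, frame in animate(SAMPLE_SERIES, window_len=3):
        for term, (pos, tail) in frame.items():
            print(f"window@{start} t={t:.2f} {term:20s} "
                  f"pos=({pos.x:.3f},{pos.y:.3f}) tail={tail_length(tail[0], tail[-1]):.3f}")
```

With the sample series, www.google.com jumps from the oldest edge of the first window to the newest edge of the second while its normalized count halves, so it gets a long tail; irc.badbot.example stays near the top (it is the maximum in both windows) and barely moves, which is exactly the per-window normalization the summary slide lists as a limitation: a term can sit at Y = 1 regardless of its absolute count.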
FlyingTerm Summary
- Novelty
  - Importance-driven spatial layout
  - Exploits human motion perception for visualization
  - Curly tail visualizes both the direction and the rate of change
- Limitations
  - Normalization within a time window
  - Visual scalability
Other Visual Presentations
- Stacking Graphs
- Two-Tone Pseudo Color (Saito et al. 2005)
- Chernoff Face (Chernoff, 1973)
Stacking Graphs
(Video: Client_ip.avi, second half)
Two-Tone Pseudo-Color
Saito et al., 2005
Chernoff Face
Chernoff, 1973
Interaction
- Brushing and linking
- Visually guided dynamic querying and filtering
- Details on demand
- Standard playback controls
Case Study: Botnet
Conclusion
- Introduced DNS security problems to VizSEC
- Proposed a novel visual metaphor, FlyingTerm
- Incorporated existing visual representations
- Integrated visual, textual and statistical information
- A suite of visualization techniques for the same underlying dataset
Future Work
- Work with more real data and tasks
  - Highly sensitive data, not easy to obtain
- Integrate into current DNS monitoring tools
- Compare the different visual presentations and provide design guidelines
- Find a broader range of applications for this system
Thanks for your attention
http://www.cs.northwestern.edu/pren/dns_vis/
FlyingTerm
Case Study: SSH password attack