Visualizing DNS Traffic

1
Visualizing DNS Traffic

• Pin Ren, John Kristoff, Bruce Gooch

Northwestern University
Northwestern University
Neustar
2
DNS (Domain Name System)
64.233.167.99 v.s. www.google.com Which one do
you prefer to use?
Gif image from http//www.learnthenet.com
3
DNS Security Challenges

• Service Authentication
• Spoofed authoritative server (Man in the middle
  attack)
• Data Integrity
• Cache poisoning (Pharming attack)
• Malicious DNS Traffic
• Reflection and amplification attacks
  (Distributed DoS attack)

4
Why Visualizing DNS Traffic

• Provide visual insights
• DNS Security challenges
• Internet operation and security vulnerability,
  e.g. Botnet, worm propagation
• Situational Awareness
• Monitoring and detecting malicious activities
• Visualization guided data mining and attacking
  pattern profiling

5
Previous Work

• DNS Implementations and its Expansion
• ISC BIND Logs
• DNSSec
• Common DNS Tools
• dsc
• dnstop
• scripts to monitor a handcrafted blacklist

6
Previous Work

• BreakingStory, Fitzpatrick et al. 2003
• TextPool, Albrecht-Buehler et al. 2005
• Visual correlation for situational awareness,
• Livnat et al. 2005

7
Kristoff, J. 2006 http//www.nanog.org/mtg-0602/pd
f/kristoff.pdf
8
DNS Queries

• DNS Query example
• Jun 30 000200 dns_server_name
• Client 167.156.183.12332768
• query www.google.com IN A

9
System Overview
DNS Server
10
Client App Interface
Play Video client_ip.avi
11
Visual Metaphor FlyingTerm

• What is FlyingTerm
• Subject query string (or IP address,port) time
  series data (aggregated count)
• Animated by moving the visualized time window and
  updating the new location of each term
• Interpolating to generate smooth animation.

Play Video Big_port.avi
12
FlyingTerm Spatial Layout

• X counts weighted average time
• Y aggregated counts

Max
Y Counts (normalized)
Importance Scale
Subject
Min
new
old
X Time
13
FlyingTerm Curly Tail

• Quadratic Bezier Curve
• From the previous calculated location to the
  current one depicting direction
• Length of tail indicate rate of change
• Highlighting the important/selected visual object
  

14
FlyingTerm Summary

• Novelty
• Importance driven spatial layout
• Utilizing human motion perception for visualizing
  
• Curly Tail for visualize both direction of change
  and rate of change.
• Limitation
• Normalization with in a time window.
• Visual scalability

15
Other Visual Presentations

• Stacking Graphs
• Two-Tone Pseudo Color (Saito et al. 2005)
• Chernoff Face (Chernoff, 1973)

16
Stacking Graphs
Play Video Client_ip.avi (2nd half)
17
Two-Tone Pseudo-Color
Saito et al, 2005
18
Chernoff Face
Chernoff, 1973
19
Interaction

• Brush and linking
• Visually guided dynamic querying and filtering
• Detail on demand
• Standard playback control

20
Case Study Botnet
21
Case Study Botnet
22
Conclusion

• Introduce DNS security problems to Vizsec
• Propose a novel visual metaphor FlyingTerm
• Incorporate existing visual representations
• Integrate visual, textual, statistical info
  together
• A suite of visualization techniques for the same
  underlying dataset

23
Future Work

• Work with more real data and tasks
• Highly sensitive data, not easy to get
• Integrate into current DNS monitoring tools
• Generate comparisons of different visual
  presentation comparison and provide design guide
• Find broader range of application for this system
  

24
Thanks for your attention
http//www.cs.northwestern.edu/pren/dns_vis/
25
FlyingTerm
26
Case Study SSH password attack
27
Case Study SSH password attack