Real-Time Interactive Visual Port Monitoring and Analysis
Robert F. Erbacher (1) and Menashe Garber (2)

(1) Utah State University, Dept. of Computer Science, UMC 4205, Logan, UT 84322, Phone: 435-797-3291, Fax: 435-797-3265, Email: [email protected]
(2) University at Albany-SUNY, Dept. of Computer Science, LI67A, Albany, NY 12222, Email: [email protected]

Abstract
Techniques in conjunction with an implemented environment are described for the visual monitoring and analysis of port activity. The goal is to provide the ability to detect anomalous or mischievous activity on an individual system basis. Such capabilities would allow individual users of systems to garner greater insight into the network activity of their system than is currently provided by typical tools, such as personal firewalls. Thus, we are closing the gap between the software designed to protect an individual's computer system, e.g., software firewalls, and the user's comprehension of the actual activity occurring on said system.

Keywords: Intrusion Detection, Visual Analysis, Interactive Visualization

1. Introduction
In today's networked society new tools and techniques are needed to monitor computer systems and to aid in the identification of unauthorized activity. Of particular interest for this research is the monitoring and analysis of individual computer systems. This is in contrast with the majority of prior work, which has focused on networks of computer systems or servers. This work was motivated by the lack of information provided by most personal firewalls and the need to provide additional feedback to individual users, e.g., home users. The focus of the developed techniques and capabilities is to provide visual monitoring of individual computer systems. More specifically, we have developed capabilities for the real-time visual monitoring and analysis of port connections. The goal is to provide more information than is currently available from event logs as to the actual activity occurring and its implications.

2. Relation to Prior Art
In terms of visualization, many intrusion detection environments incorporate "odometer-like" scales or apply other techniques to represent system state [9]. This is embodied in the Hummer "perceived level of threat" [6] indicator. Earlier systems, such as DIDS [7], provided graphical representations in the form of color to indicate when a system had experienced a sequence of suspicious events. While useful, these approaches do not provide adequate information to aid diagnosis.

2.1. Intrusion Detection Systems
While many intrusion detection tools have begun to incorporate basic graphical user interfaces (BlackICE [10], RealSecure [11], Cisco Secure IDS [12], eSecure [13]), they fall short of providing effective visualization displays to aid in interpreting the generated information. For example, most of these tools will provide an indication when they receive an unexpected packet. But was this an attack, a misdirected packet, a casual probe, or a real attempt to break into the system? These systems do not adequately provide the detail and event interrelationships needed to analyze the activity at the level of detail needed forensically.

2.2. Visualization Systems
In contrast to intrusion detection, quite a bit of visualization research has been applied to network accesses. The principal body of work related to network intrusion is from the information exploration shoot-out, organized by Georges G. Grinstein and supported by the National Institute of Standards and Technology (NIST) [5]. In this project, researchers were given access to a data set consisting of network intrusions. The goal was to identify which researcher's techniques were effective at identifying the intrusions. The previous work involving visualization related to networks emphasized network performance and bandwidth usage [2], even down to the router [2], individual packets [4], and individual e-mail messages [3]. The techniques developed for these purposes do not provide sufficient detail or handle sufficient numbers of nodes and attributes in combination for our needs. The work by Teoh et al. [8] focuses on Internet routing data and is thus limited in its applicability to intrusion detection and has no applicability to forensics. The work by Eick et al. [3] deals strictly with e-mail and consequently resolves many fewer nodes and attributes than are needed for intrusion detection. In terms of port monitoring, McPherson et al. developed a tool for the visualization of port activity which is geared more towards analysis of large-scale systems and is not geared towards the effective analysis of attacks on individual systems [1].

3. Configuration and Initialization
The discussed environment was developed under MS Windows using Cygwin, C++, OpenGL, WinPcap, and Tcl/Tk. The environment was developed in a system-independent fashion and thus should be easily ported to other platforms. Upon execution of the environment the user must either select an interface at the command line or in response to a presented list of choices, figure 1. Additionally, the user can configure ports to be identified as known malicious ports. These are ports which are known to be active for particular types of attacks. For example, the Blaster worm opens a command shell on TCP port 4444 through which the newly infected host is instructed to fetch and run the worm, aiding its further dissemination. Seeing this port open should be a warning indication that the system may have been compromised in this way. It does not guarantee that the system has been compromised, as individuals could be running custom software that happens to use this port. This is particularly true in university settings, where students often create networking software as class assignments that opens various sundry ports.

This configuration is stored in a text-editable file called malPorts.txt. This allows system administrators to easily reconfigure the set of malicious ports as is suitable for their environment and the expected or known vulnerabilities in their environment. Additionally, ports known to be blocked at the perimeter firewall can be left off as being unlikely to be malicious. Each line of the file holds a port number followed by a label for the associated backdoor or Trojan. A sample subset of such a configuration file is shown below:

666 Satanz_Backdoor
1001 Silencer_and_WebEx
1011 Doly_Trojan
1170 Psyber_Stream_Server
1234 Ultors_Trojan
1245 VooDoo_Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor
2001 Trojan_Cow
2023 Ripper
2115 Bugs
2140 Deep_Throat_and_The_Invasor
2801 Phineas_Phucker
30129 Masters_Paradise
3700 Portal_of_Doom
4092 WinCrash
4590 ICQTrojan

4. Port Visualization
The port visualization technique, in its default mode, is shown in Figure 2. The display consists of four primary components: the interface at the bottom of the display, the legend at the top of the display, the four horizontal lines of target ports, and the bottom line (above the GUI), which represents time. Inbound connections are represented by drawing a line from the appropriate temporal point on the bottom line to the relative position on the port lines for the target port on the given system. The port numbers are divided into four lines to more effectively segregate the large number of ports. An exponential distribution is used to be more representative of the volume of activity, sensitivity, and criticality of the individual port numbers. This results in the following ranges: 0-1999, 2000-9999, 10000-24999, and 25000-50000 (note that, as stated, the top range stops at 50000, so target ports in 50001-65535 are not covered by any of the four lines). Different colors are used for each of the major port connection types: blue for UDP and green for TCP.
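The two pieces of configuration and layout logic just described, the malPorts.txt parser of Section 3 and the mapping of a connection onto the four port lines and the scrolling time line of Section 4, written out as an added example. This is our code, not the paper's implementation; the Connection record, the function names, the sample traffic and the handling of ports above 50000 (clamped to the end of the top line) are our assumptions.

```python
"""Added example, not code from the paper: parse a malPorts.txt-style file
(Section 3) and map connections onto the four port lines and the scrolling
time line of Section 4. Record, function names and sample data are ours."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the malPorts.txt format: "<port> <label>" per line.
MALPORTS_TXT = """\
# comment and blank lines are skipped (our extension to the format)
666 Satanz_Backdoor
1234 Ultors_Trojan
2023 Ripper
3700 Portal_of_Doom
4092 WinCrash
"""

# Inclusive port ranges of the four horizontal lines, bottom to top (Section 4).
PORT_LINES: List[Tuple[int, int]] = [(0, 1999), (2000, 9999), (10000, 24999), (25000, 50000)]


def parse_malports(text: str) -> Dict[int, str]:
    """Return {port: label}. A non-numeric or out-of-range port raises, so a
    typo in the file fails loudly instead of silently never matching."""
    table: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if not fields[0].isdigit():
            raise ValueError(f"malPorts line {lineno}: bad port {fields[0]!r}")
        port = int(fields[0])
        if port > 65535:
            raise ValueError(f"malPorts line {lineno}: port {port} out of range")
        table[port] = fields[1].strip() if len(fields) > 1 else ""
    return table


def port_line(port: int) -> Tuple[int, float]:
    """Map a port to (line index, relative position 0.0..1.0 along that line).
    The paper's top line stops at 50000; ports above it are clamped to the
    right end of that line (our assumption, the paper does not say)."""
    for idx, (lo, hi) in enumerate(PORT_LINES):
        if lo <= port <= hi:
            return idx, (port - lo) / (hi - lo)
    return len(PORT_LINES) - 1, 1.0


@dataclass(frozen=True)
class Connection:
    t: float        # seconds since capture start
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_port: int   # target port on the monitored host


def color_for(conn: Connection, malports: Dict[int, str], selected: bool = False) -> str:
    """Colour rules from the Figure 2 caption: white beats red beats protocol colour."""
    if selected:
        return "white"
    if conn.dst_port in malports:
        return "red"
    return "green" if conn.proto == "TCP" else "blue"


def layout(conns: List[Connection], malports: Dict[int, str], window: float,
           now: Optional[float] = None, selected: Optional[Connection] = None):
    """One (x, line, y, colour, label) tuple per connection still on screen.
    x is the position on the time line: 1.0 is 'now' at the far right, 0.0 the
    left edge. Anything older than `window` seconds has scrolled off and is
    dropped, which is the history behaviour described in Section 4."""
    if now is None:
        now = max(c.t for c in conns)
    drawn = []
    for c in sorted(conns, key=lambda c: c.t):
        age = now - c.t
        if age < 0 or age > window:
            continue
        line, y = port_line(c.dst_port)
        label = f"{c.proto} {c.src_ip}:{c.src_port} -> {c.dst_port}"
        drawn.append((1.0 - age / window, line, y, color_for(c, malports, c == selected), label))
    return drawn


# Constructed sample traffic, not a real capture.
SAMPLE = [
    Connection(0.0, "TCP", "192.0.2.10", 40001, 80),
    Connection(35.0, "UDP", "192.0.2.53", 53, 1025),
    Connection(70.0, "TCP", "192.0.2.77", 51000, 1234),   # known malicious port
    Connection(90.0, "TCP", "192.0.2.77", 51001, 30000),
]

if __name__ == "__main__":
    table = parse_malports(MALPORTS_TXT)
    for row in layout(SAMPLE, table, window=60.0):
        print(row)
```

With a 60 second window and the latest packet at t=90, the t=0 connection has already scrolled off the left edge, the UDP connection to 1025 sits on the bottom line in blue, the connection to 1234 is red, and the newest connection lands at x=1.0 on the top line. Widening `window` is what keeps older connections on screen.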

$ ./viabi.exe a7.dump -D1 -M5
Finished Mode part!!
Parser done!
Done Parsing
1. \Device\NPF_{DFAF8CC5-48DB-499B-984C-A9D525FAB774}Dell Wireless WLAN 1450 Dual Band WLAN MiniPCI Card (Microsoft's Packet Scheduler)
2. \Device\NPF_{CF0698BE-2105-466B-8AAE-4F3276FE2264}Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler)
3. \Device\NPF_{AF810396-6BA0-4594-A441-10CEBB346F3F}NET IP/1394 Miniport
Reading Packets on Device: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card (Microsoft's Packet Scheduler)

Figure 1: Network packet driver selection. -D1 specifies the first packet driver. This allows switching between multiple devices and interfaces.

When a new connection arrives, it is placed at the far right of the bottom line (the time line). This line continuously shifts to the left to represent the passage of time. Thus, the oldest time points and their associated connections eventually leave the display to the left. When a time point leaves the display area, the connections associated with it are removed entirely from the display. The monitoring environment thus provides a historical representation of connection activity, showing all activity that has occurred during a specified duration of time.

Figure 2: Initial port monitoring example. Lower port numbers are at the bottom of the display. Line color indicates the type of connection: green represents TCP, blue represents UDP, white is a selected connection, and red is a connection to a known malicious port.

The two triangles in the top left corner of the display allow the ordering of the port numbers to be swapped and inverted. This modifies the display such that the lower port numbers are represented at the top of the display rather than at the bottom, figure 3. By inverting the display we in essence change the visual acuity of the active ports. For example, in figure 3 it can be easier to visually segregate connection information by moving the most frequently accessed ports to the top of the display. However, doing so increases the screen real estate allocated to these connections, creating more collisions (intersections) than are exhibited in figure 2 and potentially occluding critical information from underlying port connections.

Figure 3: Alternative example with lower port numbers at the top of the display. Inverting the display in this fashion in essence inverts the visual attention focused on the individual connections, i.e., more emphasis is placed on the lower port numbers in this scenario.

5. Port Activity Analysis Merely representing port connection information is insufficient for providing needed value. For this reason additional exploration and analysis capabilities are incorporated. This includes the ability to select hosts, retrieve feedback on a connection, and filter ports. The ability to filter ports may be the most valuable capability as it allows the user to remove connections associated with a select set of ports. This allows connections to protected or unthreatening ports to be filtered. Additionally, ports with many connections that are leading to occlusion can also be filtered. This allows the user to control the visualization such that it will provide the most useful information both for that user and for the activity and analysis task at hand. When a connection is selected, the connection will be highlighted in white. This highlight will remain until the connection is removed from the display or the user selects a different connection. This allows a connection to be followed over time and the analysis of the connection to be continued.

A second analysis capability is the ability to garner feedback as to the specifics of a connection. When the mouse is left hovering over a connection a popup will be presented showing specific detailed information as to said connection, figure 4. This will include all of the most relevant information related to the connection, including: Source IP, Destination IP, Source Port, Destination Port, Connection Type, Connection Time Stamp, and Packet Length. Additional information can be acquired by doing a whois lookup on a connection, either of the source IP or the destination IP, figure 5. This informational display can be critical when evaluating the meaning or intentions of the identified activity. In other words, we must examine the available information to determine if the activity is acceptable or malicious and the extent of needed response.

Figure 4: This example shows a selected TCP connection and the available feedback for such connections. Information provided includes: Source IP, Destination IP, Source Port, Destination Port, Connection Type, Connection Time Stamp, and Packet Length.

Figure 5: This final example shows both informational feedback of a selected node as well as the whois lookup of the destination IP. All information provided by whois is included in the large informational popup display.

The combination of the provided capabilities provides a complete monitoring and analysis environment that allows the user to determine the threat and criticality of identified activity. Employing this environment for the actual identification of malicious activities requires the identification of unusual activity, followed by the analysis of said activity. Unusual activity that should garner interest can include access to known malicious ports, clusters of activity that deviate from normal activity, persistent or repeated connections to unexpected ports, etc. Identifying activity that deviates from the norm is a recurring concept throughout the intrusion detection field, and one that has proven effective, powerful, and consistent.

6. Malicious Port Examples Figures 6 and 7 provide examples of accesses to known malicious ports. These ports have their connections highlighted in red. Selecting one of these connections will behave as before, highlighting the link in white and bringing up informative popup displays. More specifically, Figure 6 shows an example of a malicious port being accessed. This is in conjunction with a port scan. The port scan is identifiable due to the large number of accesses in a very short period of time. When viewed in an animated form the port sequences in this case happen to activate in sequence. Thus, this is a naïve scan. In terms of analysis, the fact that this is clearly a naïve scan in conjunction with only a single access indicates that there should be little concern over this access/series of accesses.

Had this activity been a single connection in isolation from any other port scans then there would be a greater cause for alarm as it could indicate that the machine was compromised and the port was being used by a Trojan. A single point of activity could also be an individual attempting to identify such compromised machines. Thus, connectivity of this form in isolation should raise concerns but these concerns should be limited until further investigation can be applied. However, even greater concern would arise given frequent or continuous access to a known malicious port, as in figure 7. In this final example of malicious port activity, figure 7, we can see a sequence of four connections or scans to the known malicious port. It could be a probe of the specified port or malicious activity. This example is not in conjunction with any observable port scan. Consequently, the fact that there is so much activity occurring simultaneously should raise great concern that the system has been compromised and the identified port is actively being used in conjunction with the compromise to propagate the compromise or control the machine.

Figure 6: A single access to a malicious port in conjunction with a port scan.

Figure 7: Multiple accesses to a known malicious port. This example is not in conjunction with a port scan.

7. Port Scanning Examples

In the prior section, we saw an example of a port scan in conjunction with access to a known malicious port. In this section, we explore several examples of port scans and their implications. Port scans generally consist of a series of packets accessing a wide range of ports. These accesses allow the attacker to identify characteristics of the software installed and operating on the host and potential vulnerabilities associated with said software. Identified vulnerabilities can then be exploited in an attempt to gain access to the system. Such scans can take a variety of forms.

The advantage of including temporal information (i.e., history) is that it allows us to distinguish between individual packets and large numbers of packets. By changing the duration of time represented on the horizontal axis we can control the amount of history represented. This essentially accumulates results over time and allows port scans to be detected, even when they are deliberately low and slow. The first example, exhibited in figure 8, shows a UDP port scan. This scan accesses a single known malicious port as well as numerous other ports, focusing on the lower end of the port address range.

Figure 8: UDP scan of the system. Many low numbered ports are scanned as well as a few upper numbered ports.

A second example is shown in figure 9. This example shows a TCP port scan focusing primarily on the lower end of the port address range. However, a portion of the scan focuses on select ports within the middle and upper end of the port address range.

Figure 9: A TCP scan with a wide assortment of ports being scanned, including low and high numbered ports.

A final example is shown in figure 10. This example focuses on a UDP scan within the upper range of the port address range. No ports in the lower end of the range are scanned. This may indicate that the attacker is looking for a particular type of activity. Also of note is that the scan was applied twice, as is exhibited by the two separate clusters of scan activity. These two clusters overlap in terms of target port numbers. It is the clarity with which details of the various port scans can be identified and intrinsically analyzed that makes this tool useful. Again, we are attempting to monitor a single host and make the information present in typical personal firewall logs more informative and educational than it currently is. These capabilities will prove valuable in identifying current activity and make the information more comprehensible and reachable than is possible with log files. This will enable users to monitor their systems more frequently and completely. Monitoring of system log files is considered critical to successful security deployment but is unfathomable to most users. This capability will allow a much wider range of users to perform such monitoring, at least as far as port monitoring is concerned.
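The triage reasoning of Sections 6 and 7 (a fast naive scan that happens to touch a malicious port, repeated hits on a malicious port with no scan around them, an isolated single hit, and the effect of the history window on a low-and-slow scan) written out as an added example. This is our code, not the paper's implementation; the Conn and Scan records, the function names, the constructed traffic and the thresholds (8 distinct target ports within one window to call a scan, 3 hits within one window to rate a malicious-port access "high") are our assumptions.

```python
"""Added example, not the paper's code: sliding-window port-scan detection and
triage of hits on known malicious ports, following Sections 6 and 7. Records,
function names, thresholds and sample traffic are our assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    t: float        # seconds since capture start
    proto: str      # "TCP" or "UDP"
    src_ip: str
    dst_port: int   # target port on the monitored host


@dataclass
class Scan:
    src_ip: str
    start: float
    end: float
    ports: Tuple[int, ...]   # target ports in arrival order
    naive: bool              # True when ports arrive in increasing order (Section 6)


def detect_scans(conns: List[Conn], window: float, min_ports: int) -> List[Scan]:
    """Flag a source as scanning when >= min_ports distinct target ports are
    hit within any `window` seconds. `window` is the history shown on the
    time line: widening it is what lets a low-and-slow scan accumulate."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.t):
        by_src[c.src_ip].append(c)
    scans: List[Scan] = []
    for src, cs in by_src.items():
        flagged = [False] * len(cs)
        lo = 0
        for hi in range(len(cs)):
            while cs[hi].t - cs[lo].t > window:   # slide the left edge of the window
                lo += 1
            if len({c.dst_port for c in cs[lo:hi + 1]}) >= min_ports:
                for k in range(lo, hi + 1):
                    flagged[k] = True
        run: List[Conn] = []
        for k in range(len(cs) + 1):            # group flagged runs into Scan records
            if k < len(cs) and flagged[k]:
                run.append(cs[k])
            elif run:
                ports = tuple(c.dst_port for c in run)
                naive = all(a < b for a, b in zip(ports, ports[1:]))
                scans.append(Scan(src, run[0].t, run[-1].t, ports, naive))
                run = []
    return scans


def triage(conns: List[Conn], malports: Dict[int, str], scans: List[Scan],
           window: float, repeat_threshold: int = 3):
    """Rate every hit on a known malicious port, per Section 6:
    'low'    - the hit is one probe inside a scan from the same source;
    'high'   - the same port is hit >= repeat_threshold times within `window`
               seconds with no surrounding scan (likely an active backdoor);
    'medium' - a single hit in isolation: worth investigating, not yet alarming."""
    hits = sorted((c for c in conns if c.dst_port in malports), key=lambda c: c.t)

    def in_scan(c: Conn) -> bool:
        return any(s.src_ip == c.src_ip and s.start <= c.t <= s.end for s in scans)

    verdicts = []
    for h in hits:
        if in_scan(h):
            verdicts.append((h, "low"))
            continue
        repeats = [o for o in hits if o.dst_port == h.dst_port
                   and not in_scan(o) and abs(o.t - h.t) <= window]
        verdicts.append((h, "high" if len(repeats) >= repeat_threshold else "medium"))
    return verdicts


# Constructed traffic, not a real capture; labels taken from the malPorts.txt sample.
MALPORTS = {1234: "Ultors_Trojan", 4092: "WinCrash"}
SAMPLE: List[Conn] = (
    # Figure 6: fast naive TCP scan, 20 sequential ports in 2 s, touching 1234 once
    [Conn(1.0 + i * 0.1, "TCP", "192.0.2.9", p) for i, p in enumerate(range(1225, 1245))]
    # Figure 7: four hits on 4092 over 50 s from another host, no scan around them
    + [Conn(t, "TCP", "192.0.2.22", 4092) for t in (200.0, 215.0, 231.0, 250.0)]
    # Section 7: low-and-slow UDP scan, one port every 20 s, in scrambled order
    + [Conn(400.0 + i * 20.0, "UDP", "192.0.2.31", p)
       for i, p in enumerate((53, 7, 500, 9, 161, 5, 137, 19, 111, 67))]
)

if __name__ == "__main__":
    for window in (60.0, 300.0):
        scans = detect_scans(SAMPLE, window, min_ports=8)
        print(f"window={window:.0f}s scans={[(s.src_ip, len(s.ports), s.naive) for s in scans]}")
        for c, verdict in triage(SAMPLE, MALPORTS, scans, window):
            print(f"  t={c.t:6.1f} {c.src_ip} -> {c.dst_port} ({MALPORTS[c.dst_port]}): {verdict}")
```

With a 60 second window only the fast scan from 192.0.2.9 is detected; the slow scan from 192.0.2.31 never shows more than four distinct ports in any window and stays invisible, exactly the low-and-slow case the text warns about. Widening the window to 300 seconds accumulates all ten of its probes into one scan, and its scrambled port order marks it as not naive. The single hit on 1234 inside the fast scan is rated "low", while the four hits on 4092 with no scan around them are rated "high" regardless of window length.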

Figure 10: A UDP port scan focusing on the upper end of the valid port number range. Since these ports generally aren't blocked and aren't used for anything else, they are being reported to the sensor with greater frequency.

8. Conclusions and Future Work
We have described a visualization technique and associated environment that allows for the monitoring of individual systems for potential security threats. The design of the environment allows for easy use by a wide variety of users. The incorporation of extensive interaction capabilities allows for the analysis of unusual activity identified within the visualization paradigm. While the environment has proven capability, it must be extended and enhanced to improve its representational capability. For example, in keeping with good visualization design we must attempt to reduce the amount of occlusion and intersecting lines. Additionally, we must examine the feasibility of incorporating the representation of additional monitored systems, rather than just the single system as configured here.

9. References
[1] Jonathan McPherson, Kwan-Liu Ma, Paul Krystosek, Tony Bartoletti, and Marvin Christensen, "PortVis: A Tool for Port-Based Detection of Security Events," Proceedings of the CCS Workshop on Visualization and Data Mining for Computer Security, October 29, 2004.
[2] Kenneth Cox, Stephen Eick, and Taosong He, "3D geographic network displays," ACM SIGMOD Record, Vol. 25, No. 4, pp. 50, December 1996.
[3] Stephen G. Eick and Graham J. Wills, "Navigating Large Networks with Hierarchies," Visualization '93 Conference Proceedings, San Jose, California, pp. 204-210, October 1993.
[4] Deborah Estrin, Mark Handley, John Heidemann, Steven McCanne, Ya Xu, and Haobo Yu, "Network Visualization with Nam, the VINT Network Animator," IEEE Computer, Vol. 33, No. 11, pp. 63-68, November 2000.
[5] Georges Grinstein, "Workshop on Information Exploration Shootout Project and Benchmark Data Sets: Evaluating How Visualization does in Analyzing Real-World Data Analysis Problems," Proceedings of the IEEE Visualization '97 Conference, IEEE Computer Society Press, Phoenix, AZ, pp. 511-513, 1997.
[6] D. Polla, J. McConnell, T. Johnson, J. Marconi, D. Tobin, and D. Frincke, "A Framework for Cooperative Intrusion Detection," 21st National Information Systems Security Conference, pp. 361-373, October 1998.
[7] S. Snapp et al., "DIDS (Distributed Intrusion Detection System) Motivation, Architecture and An Early Prototype," National Information Systems Security Conference, 1991.
[8] S. T. Teoh, K. L. Ma, and S. F. Wu, "Visual exploration process for the analysis of internet routing data," Proceedings of the IEEE Conference on Visualization 2003, pp. 523-530, 2003.
[9] G. Vert, J. McConnell, and D. Frincke, "Towards a Mathematical Model for Intrusion," 21st National Information Systems Security Conference, pp. 329-337, October 1998.
[10] http://www.networkice.com/
[11] http://www.iss.net/securing_ebusiness/security_products/intrusion_detection/index.ph
[12] http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm
[13] http://www.esecurityinc.com/
