picviz finding a needle in a haystack
play

Picviz finding a needle in a haystack Sbastien Tricaud INL - PowerPoint PPT Presentation

Sep 28, 2023 •107 likes •601 views

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47 Speaker: Sebastien Tricaud I Live and work in Paris (FR)

  1. Picviz finding a needle in a haystack Sébastien Tricaud INL Usenix, San Diego 2008 Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47

  2. Speaker: Sebastien Tricaud • I Live and work in Paris (FR) • Happy Linux user since 1995 • I work for INL as CRO: • The company (www.inl.fr), not the lab (www.inl.gov) • We work on Netfilter • We develop NuFW (GPL) and differenciate users from IP addresses • You define what each group is allowed to access, and NuFW enforces it at the network layer • We know which packets a given user sent • Lead the French Honeynet project • Developer of Linux PAM, Prelude IDS, OSSEC, Wolfotrack and Picviz <stricaud@inl.fr> Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 2 / 47

  3. Introduction What logs are What are logs? Syslogs Nov 6 13:12:04 quine avahi-daemon[2285]: Interface eth0.IPv4 no longer relevant for mDNS. Nov 6 13:12:06 quine ifplugd(eth0)[1811]: Program executed successfully. Nov 6 13:12:06 quine kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready Nov 6 13:12:24 quine kernel: Unhandled event received : 0x50 Database sql> SELECT * FROM logdb WHERE user = "ptc"; Network 08:50:01.522077 arp who-has 10.0.0.254 tell 10.0.0.1 08:50:01.522115 arp reply 10.0.0.254 is-at 00:69:de:ad:be:ef 08:50:01.522210 IP 192.168.0.1.5860 > 172.16.17.235.33373: UDP , length 25 08:50:01.522377 IP 192.168.0.1.5860 > 10.30.254.247.18946: UDP , length 25 Others stderr, binary/text file, . . . Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 3 / 47

  4. Introduction What logs are What (normal) people do with them? They grep grep -i "segmentation fault" /var/log/* They watch tail -f /var/log/messages They use tools OSSEC a , Prelude LML b , Sisyphus c . . . a http://www.ossec.net b http://www.prelude-ids.org c http://www.cs.sandia.gov/ jrstear/sisyphus/ They even correlate! http://security.ncsa.uiuc.edu/research/mithril/Mithril.html Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 4 / 47

  5. Introduction What logs are What (normal) people do with them? They visualize They even do communities! http://www.secviz.org Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 5 / 47

  6. Introduction What logs are Actual issue 1 • A lot of information • Syslogs are unstructured • Human interaction needed after the problem • When automated, needs signatures (usually pcre based) • Overwhelming a single machine 1 yeah, it is not fixed yet, wait for WASL2009 Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 6 / 47

  7. Introduction Honeypots fun Picviz and Honeynet Typical low-interaction honeypot setup Nepenthes var/log/nepenthes/logged_submissions var/log/nepenthes/logged_downloads Snort /var/log/snort/alert SSH authentication /var/log/auth.log (Debian Linux) Auditd /var/log/audit/audit.log Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 7 / 47

  8. Introduction Honeypots fun ⇒ 220574 lines of logs in total • This is a log overdose • Most people are happy just to extract known patterns • The French honeynet chapter is full of busy (lazy?) people • Keep the fun where it is, avoid log file slavery Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 8 / 47

  9. Introduction Picviz Picviz Deal with logs a better way. Use Picviz, that: • Creates a picture of your logs • Does not interpret anything, just displays logs as they are • Is not signatures based • Can deal with an infinity of events Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 9 / 47

  10. Introduction Picviz Picviz Moto "Finding a needle in a haystack... when you don’t even know how the needle looks like" Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 10 / 47

  11. Introduction Picviz Picviz Moto "Finding a needle in a haystack... when you don’t even know how the needle looks like" To generate pictures like this Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 10 / 47

  12. Agenda 1 Introduction 2 Parallel Coordinates 3 Picviz 4 Analysis Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 11 / 47

  13. Parallel Coordinates � -coords introduction � -coords are Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 12 / 47

  14. Parallel Coordinates � -coords introduction Inventors Invented by Maurice d’Ocagne in 1885 ISBN 978-1429700979 Applied by Alfred Inselberg in 1959 • Senior Fellow San Diego Supercomputing Center and Computer Science and Applied Mathematics Departments Tel Aviv University, Israel • Conflict Resolution, One-Shot Problem and Air Traffic Control, 1st Canadian Conf. on Comp. Geom., 1989, 26-9 Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 13 / 47

  15. Parallel Coordinates � -coords introduction � -coords u = ( 0 . 6 , 1 . 6 , − 0 . 8 , 1 . 2 ) ∈ R 4 � Properties • N-dimensions: one axis per dimension • Axes are equidistants • ∞ of events: one line per event • Lowest value at each axis bottom Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 14 / 47

  16. Parallel Coordinates � -coords introduction � -coords correlation x and y are linked by an affine relationship y = α x + β Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 15 / 47

  17. Parallel Coordinates � -coords introduction Todays objectives Apply � -coords to logs: • Focus on security • See if by doing this we succeed in finding things Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 16 / 47

  18. Picviz 1 Introduction 2 Parallel Coordinates 3 Picviz 4 Analysis Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 17 / 47

  19. Picviz Purpose Picviz goals • Help to generate � -coords images • Scalable architecture (filters, real-time, . . . ) • Provide an interface to query lines and reorganize axes • Mainly security oriented Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 18 / 47

  20. Picviz Architecture Picviz world Three main parts • Perl scripts : Transforms your logs into Picviz graph description language (PGDL) • pcv : CLI to transforme PGDL into an image • picviz-gui : Frontend Code architecture Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 19 / 47

  21. Picviz Architecture Global architecture Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 20 / 47

  22. Picviz Architecture Use PGDL source header { title = "Usenix WASL 2008"; } axes { timeline t; integer in; } data { t="14:42", in="12" [color="red"]; t="14:45", in="432"; } Genererate the image pcv -Tpngcairo file.pcv ’filter’ > out.png Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 21 / 47

  23. Picviz Picviz Graph Description Language Axes Types • Time: timeline, years • Numbers: integer, short, gold, char • Addresses: ipv4, ipv6 • Strings: string • Specials: enum, ln Properties • relative: to place data relatively to each other • print: to turn off data value printing • label: display this name Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 22 / 47

  24. Picviz Picviz Graph Description Language Strings • The hardest variable to place • Two algorithms can be chosen: • Basic: Ascii value addition and place the string compared to a famous quote 2 • Prefix: strings are placed collision-safe with their first 4/8 characters (prefix size is architecture dependent) 2 The competent programmer is fully aware of the limited size of his own skull. He therefore approaches his task with full humility, and avoids clever tricks like the plague. Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 23 / 47

  25. Picviz Picviz Graph Description Language Enumerations Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 24 / 47

  26. Picviz Picviz Graph Description Language Lines Properties • color: line color • red • #ff0000 • (1,0,0) • penwidth: line width Why a custom format? why not CSV? • Flipping the axis order is as simple as moving the axis declaration order • Line properties are aready computed by generators • Actually CSV can be used as input, it is simply converted into PGDL Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 25 / 47

  27. Picviz Rendering and selection Some CLI options • -r..r : Increase the image height and width • -a : Display lines values • -Ln : Display value every n lines • -Tplugin : Output plugin • -Rplugin : Rendering plugin • -Astuff : Plugins argument Sébastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 26 / 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li, J. Sobel, and P. Vajgel: Finding a Needle in Haystack: Facebook's Photo Storage, in Proceedings USENIX OSDI 2010, Vancouver, Canada, October

397 views • 23 slides
Finding the Needle in the Haystack Jonzy Data Security Analysis, Sr. Information Security

Finding the Needle in the Haystack Jonzy Data Security Analysis, Sr. Information Security

Finding the Needle in the Haystack Jonzy Data Security Analysis, Sr. Information Security Office Finding the Needle in the Haystack With all the information available via NetFlows, finding the &quot;Needle in the Haystack&quot; (the bad actor

243 views • 20 slides
Finding the Needle in a Haystack: Materials discovery through

Finding the Needle in a Haystack: Materials discovery through

Finding the Needle in a Haystack: Materials discovery through high-throughput ab ini;o compu;ng and data mining Geoffroy Hau+er Max conference January

508 views • 40 slides
Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver,

Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver,

Finding a Needle in Haystack Presentation by: Neelim Haider Authors (of paper): Doug Beaver, Sanjeev Kumar, Harry C. Li, Jason Sobel, Peter Vajgel Question 1: : Please briefly introduce the Haystacks architecture. Haystack consists of 3

377 views • 12 slides
Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and

Finding a Needle in the Haystack of Hardened Interconnect Patterns S. Nikoli, G. Zgheib*, and P. Ienne FPL19, Barcelona, 09.09.2019 cole Polytechnique Fdrale de Lausanne *Intel Corporation Why harden connections? 2 crossbar LUT LUT

626 views • 44 slides
Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio, Ph.D. PA DEP- Office of the Great Lakes 19 March 2019 Presentation Outline Share current AIS monitoring research Discuss regional AIS

623 views • 24 slides
Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S.

Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S.

Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S. Cox and Steven D. Gribble. University of Washington Divya Muthukumaran Some slides borrowed from Aditya Y.S.V Whats the big picture? Can we

305 views • 30 slides
Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

. Zhuoren Jiang 3 . . . . . . . Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree Model Guoxiu He 1,2 Yangyang Kang 2 Zhe Gao 2 Changlong Sun 2 . Xiaozhong Liu *4,2 Wei Lu *1 Qiong Zhang 2 Luo

489 views • 19 slides
Data Acquisition and Event Filtering Problem: finding the needle in the haystack total

Data Acquisition and Event Filtering Problem: finding the needle in the haystack total

Data Acquisition and Event Filtering Problem: finding the needle in the haystack total inelastic cross section 50 mb Interesting physics most channels &lt; 100 nb 2x10 6 interactions /s Data rate after FEE

277 views • 14 slides
Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding

Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding

Haystack full of needles. Beaver, D., Kumar, S., Li, H.C., Sobel, J., and Vajgel, P.: Finding a Needle in Haystack: Facebook's Photo Storage, in Proceedings USENIX OSDI 2010. Introduction 65 billion photos (in 4 copies) 260

295 views • 28 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain

Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain

Feature Selection for Predictive Modelling A Needle in a Haystack Problem Munshi Imran Hossain Sudipta Basu Introduction Suppose someone is studying heart diseases. They want to find out what are the possible factors that may cause

451 views • 33 slides
Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data

Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data

Needle in a Haystack: Searching for Approximate k- Nearest Neighbours in High-Dimensional Data Liang Wang* , Ville Hyvnen, Teemu Pitknen, Sotiris Tasoulis, Teemu Roos, and Jukka Corander University of Cambridge*, UK University of Helsinki,

266 views • 16 slides
Content Relevancy starts with understanding your international Audience Rob Zomerdijk

Content Relevancy starts with understanding your international Audience Rob Zomerdijk

Content Relevancy starts with understanding your international Audience Rob Zomerdijk Rzomerdijk@sdl.com 7 May 2014 2 It can sometimes feel like looking for a needle in a haystack! 3 How to find a needle in a haystack? 4

514 views • 19 slides
FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device

FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device

Automated Trace Analysis for Testing of CANopen Devices by Andrew Ayre &amp; Olaf Pfeiffer FIND THE NEEDLE IN THE HAYSTACK February 2017 CHALLENGES OF SYSTEM INTEGRATION CANopen Device Testing Highly dynamic systems has its limits can

1.02k views • 16 slides
Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount

Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount

Finding a needle in Haystack FACEBOOKS PHOTO STORAGE AKIB ZAMAN MOTIVATION Facebook stores an enormous amount of data: 260 billion images 20 petabytes of data Traditional filesystems perform poorly under their workload

550 views • 21 slides
Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of

701 views • 44 slides
IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/303210806 IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors , including: Victor R Kebande Nickson

389 views • 23 slides
HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavk, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 -

890 views • 31 slides
A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Benjamin Braun, Klemens Mang Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to detect attackers accessing your service? How to analyze attack patterns? How to detect yet unknown attack

246 views • 13 slides
A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran , Martin Fong, Mabry Tyson (SRI International) Seungwon Shin, Guofei Gu (Texas A&amp;M University) Classic Network Perimeter Defense Security

207 views • 20 slides
Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti Authors: merson Virti, Liane

474 views • 16 slides
Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera &lt;angelo.dellaera@honeynet.org&gt; Security Researcher @ Area 1 Security Full Member @ Honeynet Project Information Security Independent

680 views • 48 slides

More recommend