The amount of data accumulated in network threat detection is massive. Even during live captures of network traffic, identifying emerging threats and irregular activity is difficult with traditional data mining, filtering and legacy visual analytic programs, all of which were designed for a time when data logs were significantly smaller and threats less complicated.
I will address the challenge of network threat detection through next generation visual analytics using two scenarios commonly tasked to network threat analysts and investigators: malware forensics and network visualization, and IRC or chat log analysis.
Malware Forensics and Network Threats
Determining the anatomy of network threats and malware requires the network analyst to understand how the threat originated, spread and ultimately impacted users. Stopping or mitigating network threats additionally requires determining the "signature" of the malware and the network vulnerabilities it exploits, and establishing appropriate countermeasures to render the threat benign.
Through visual analytics, the first step is gathering all the data available from network packet logs and server logs to get an overview of the issue. In this example we deploy SynerScope to assist with our visual analysis of a network attack, uploading our network log information (over 150,000 lines of data) to provide a holistic view of the threat.
SynerScope offers several interactive representations for the network analyst. The first is the relationship view, which shows which geographies and IP addresses are related within the network logs. Second, SynerScope displays the direction of travel between the related entities, with red marking the receiving and green the sending network points. Third, SynerScope provides an interactive visualization of the sequence of events to the right, which allows us to view relationship, direction and sequence simultaneously.
Immediately apparent from the holistic or full view is a command and control server with a large amount of centrality within our visualization. Sending to the command and control server are two groups of IP addresses located in two specific geographies. These two areas, represented by the clusters of green bundles, are only sending information to the command and control server and are not receiving any.
Within the sequence view, we can see a group of structured network traffic sending to and receiving from the same area at the earliest point within our data. By drilling into that block of structured traffic, we can see within the relationship view how the planning and execution of the attack began.
Moving forward within the sequence visualization, we can see how, once planning and execution are complete, the command and control server begins to reach out to infected hosts. Through visualization of the data within SynerScope we can follow the progression of the network threat as the command and control server begins compromising networks in different geographical areas.
To aid network security and threat analysts, leveraging visual analytics to gain a real time understanding of network traffic is essential. Accomplished in the past through data mining and statistical analysis, this process could not occur in anything close to real time and was a manpower intensive task undertaken daily.
Through SynerScope's visual analytic capabilities, I can feed in information from my network and gain a visual representation of the traffic occurring at any point in time, looking for potential network threats and irregularities that need to be addressed.
I begin by uploading network activity logs into SynerScope to gain a holistic view of all network protocols, IPs and devices currently using my network, looking for signatures of concern.
By isolating certain protocols or IP addresses through the relationship and sequence views within the program, and using SynerScope's color coding of direction, I can drill down into specific events that I want to examine further.
Once I have isolated a specific signature of concern, I can open SynerScope's data stream view to examine the raw underlying data behind my visualization and confirm or refute whether the signature is a threat to my network or benign activity I need not be concerned with.
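The same three questions the relationship, direction and sequence views answer above (which node has the most centrality, which hosts only send and never receive, and what the earliest block of traffic looks like) can be checked directly against a flow log. The following is an added example written for this article, not SynerScope code; the flow records, IP addresses and region lookup are constructed, and the hub, the two send-only regions and the early two-way "planning" traffic mirror the scenario described above.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp, source IP, destination IP);
# illustrative values only, not the article's 150,000-line log.
FLOWS = [
    (1, "203.0.113.4", "198.51.100.7"),  # staging host and hub talk both ways first (planning)
    (2, "198.51.100.7", "203.0.113.4"),
    (3, "203.0.113.4", "198.51.100.7"),
    (4, "10.0.1.5", "198.51.100.7"),     # region A hosts only report in to the hub
    (5, "10.0.1.6", "198.51.100.7"),
    (6, "10.0.2.9", "198.51.100.7"),     # region B hosts only report in to the hub
    (7, "10.0.2.10", "198.51.100.7"),
    (8, "198.51.100.7", "192.0.2.20"),   # the hub then reaches out to a third region
    (9, "198.51.100.7", "192.0.2.21"),
]
# Constructed IP-to-geography lookup, standing in for the geo enrichment in the views.
REGION = {"203.0.113.4": "staging", "198.51.100.7": "hub", "10.0.1.5": "A", "10.0.1.6": "A",
          "10.0.2.9": "B", "10.0.2.10": "B", "192.0.2.20": "C", "192.0.2.21": "C"}

def build_graph(flows):
    """Directed graph as two maps: node -> peers it sends to, node -> peers it receives from."""
    out_nbrs, in_nbrs = defaultdict(set), defaultdict(set)
    for _, src, dst in flows:
        out_nbrs[src].add(dst)
        in_nbrs[dst].add(src)
    return out_nbrs, in_nbrs

def centrality_ranking(flows):
    """Nodes ranked by number of distinct peers (degree centrality); a C2-like hub lands first."""
    out_nbrs, in_nbrs = build_graph(flows)
    nodes = set(out_nbrs) | set(in_nbrs)
    degree = {n: len(out_nbrs[n] | in_nbrs[n]) for n in nodes}
    return sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))

def send_only_by_region(flows, region_of):
    """Hosts that send but never receive (the green-only bundles), grouped by geography."""
    out_nbrs, in_nbrs = build_graph(flows)
    groups = defaultdict(set)
    for node in list(out_nbrs):
        if node not in in_nbrs:
            groups[region_of.get(node, "unknown")].add(node)
    return dict(groups)

def earliest_block(flows, n):
    """First n records in time order: the leftmost block of the sequence view."""
    return sorted(flows)[:n]
```

On the constructed data, `centrality_ranking(FLOWS)[0]` is the hub with seven distinct peers while every other host has one, and `send_only_by_region(FLOWS, REGION)` returns exactly the two regions whose hosts only report in.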
Chat and IRC Log Visualization
Those tasked with investigation and forensic discovery within IRC or chat logs know that determining the activity, flow of conversation and content can be a monumental task given the volume of information present.
By utilizing visual analytics and the capabilities within SynerScope, I can save countless investigation and forensic hours by quickly determining, through visual representations of velocity and structure, which entities have the greatest betweenness or centrality within the social network of the logs, the direction of communication, and the times at which the conversations occur, all interactively.
By importing the log data I have for my investigation and leveraging SynerScope's visual analytic tools to look at velocities and direction of travel, I can quickly identify those individuals engaged in the most activity within the data.
By hovering over the bundles within the relationship view, I can view the time and sequence of the conversations between the active individuals to determine the rate, dates and times at which the persons of interest are most engaged in communication.
Finally, by drilling down on the individuals I am most interested in for my investigation, I can open SynerScope's data stream view to visualize the conversation in the order in which it occurred and determine whether the content of the communication is relevant to my investigation or whether I should move on to other entities within it.
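The chat-log procedure above rests on two computations: betweenness centrality over the who-addresses-whom graph, which surfaces the individuals that connect otherwise separate groups, and the timed exchange between two nicks that the hover and data stream views expose. The following is an added example written for this article, not SynerScope code; the IRC-style log format, the nicks and the messages are constructed, and betweenness is computed with the Brandes algorithm on the directed graph (unnormalised, so each ordered pair of endpoints counts once).

```python
import re
from collections import defaultdict, deque

# Constructed IRC-style log lines in "[HH:MM] <sender> addressee: text" form; illustrative only.
LOG = """\
[21:02] <alice> bob: did the build finish?
[21:03] <bob> alice: yes, uploading now
[21:05] <bob> carol: can you review it?
[21:06] <carol> bob: on it
[21:10] <carol> dave: please test the package
[21:12] <dave> carol: will do
"""
LINE = re.compile(r"^\[(\d\d:\d\d)\] <(\S+)> (\S+): (.*)$")

def parse_log(text):
    """(time, sender, addressee, text) for each well-formed line; malformed lines are skipped."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def betweenness(messages):
    """Brandes betweenness on the directed who-addresses-whom graph (unnormalised)."""
    adj = defaultdict(set)
    for _, s, r, _ in messages:
        adj[s].add(r)
    nodes = set(adj) | {r for peers in adj.values() for r in peers}
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:                       # one BFS per source, then accumulate dependencies
        order, preds = [], defaultdict(list)
        sigma, dist = dict.fromkeys(nodes, 0), dict.fromkeys(nodes, -1)
        sigma[s], dist[s], queue = 1, 0, deque([s])
        while queue:
            order.append(v := queue.popleft())
            for w in adj[v]:
                if dist[w] < 0:           # first time w is reached: one level further out
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:  # v lies on a shortest path from s to w
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        for w in reversed(order):         # back-propagate dependency scores
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc

def conversation(messages, a, b):
    """Messages exchanged between a and b, in either direction, in log order."""
    return [msg for msg in messages if {msg[1], msg[2]} == {a, b}]
```

In the constructed log the chain alice-bob-carol-dave makes bob and carol the connecting nicks (betweenness 4.0 each) while alice and dave score 0.0, which is the ordering an investigator would use to pick whom to drill into first.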
The following video provides a comprehensive look at SynerScope for Network Threat Detection:
The examples in this article show how leveraging visual analytics in network investigations can speed the discovery of threats and irregular activity. It allows analysts and investigators to save countless hours through immediate discovery of relevant activity, and it improves understanding of network threat issues, so that the threat is mitigated more rapidly and exposure is minimized.
Note: Some image items within this article were blurred or distorted to protect private information.