Slashdot Mirror


The Spinning Cube of Potential Doom

An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."

1 of 161 comments

  1. Re:Can anyone explain the data we're seeing? by upside · Score: 4, Informative

    It sets three variables onto three axes to show network traffic between your network and the net:

    1) Your IP range
    2) The entire IP range
    3) Destination port

    It's useful for things like picking up semirandom port scans that you might not detect based on textual data (see "barber poles").

    Entire para:

    "The Cube takes this connection information stored in the Bro files and displays it in a graphical format which can be more readily understood by people who are unfamiliar with networking and computer security techniques. The 'X' axis of the display (shown in red) represented the SCinet address space, which ranged from 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represented all possible IP address space (0.0.0.0 - 223.255.255.255). Multicast traffic (224.0.0.0 and above) was not displayed. The 'Y' axis (shown in green) represented the port number (0-65535). Some well known port numbers include 22 (ssh), 25 (smtp), 80 (http)."

    --
    I'm sorry if I haven't offended anyone
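The axis mapping quoted in the comment above, as an added Python example (not the Cube's own code and not part of the original thread). The input tuples are constructed rather than read from real Bro files, and the `find_lines` heuristic with its "port-scan" and "address-sweep" labels is a hypothetical illustration of why scans show up as straight lines in the cube.

```python
import ipaddress
from collections import defaultdict

# Axis ranges quoted in the comment above.
X_LO = int(ipaddress.IPv4Address("141.221.128.0"))
X_HI = int(ipaddress.IPv4Address("141.221.255.255"))
Z_HI = int(ipaddress.IPv4Address("223.255.255.255"))
Y_HI = 65535

def to_point(local_ip, remote_ip, port):
    """Map one connection to (x, y, z) in the unit cube, or None if off-cube."""
    x = int(ipaddress.IPv4Address(local_ip))
    z = int(ipaddress.IPv4Address(remote_ip))
    if not (X_LO <= x <= X_HI) or z > Z_HI or not (0 <= port <= Y_HI):
        return None  # outside SCinet range, multicast and above, or bad port
    return ((x - X_LO) / (X_HI - X_LO), port / Y_HI, z / Z_HI)

def find_lines(conns, min_points=4):
    """Report axis-aligned runs of points per remote host.

    Hypothetical heuristic: many ports on one local host draw a line
    parallel to Y (port scan); one port across many local hosts draws a
    line parallel to X (address sweep).
    """
    by_remote = defaultdict(list)
    for local_ip, remote_ip, port in conns:
        if to_point(local_ip, remote_ip, port) is not None:
            by_remote[remote_ip].append((local_ip, port))
    findings = []
    for remote, pts in sorted(by_remote.items()):
        hosts = {h for h, _ in pts}
        ports = {p for _, p in pts}
        if len(hosts) == 1 and len(ports) >= min_points:
            findings.append((remote, "port-scan", len(ports)))
        elif len(ports) == 1 and len(hosts) >= min_points:
            findings.append((remote, "address-sweep", len(hosts)))
    return findings

# Constructed sample connections: (local_ip, remote_ip, destination_port).
SAMPLE = (
    [("141.221.130.7", "198.51.100.9", p) for p in (21, 22, 23, 25, 80)]
    + [("141.221.128.%d" % i, "203.0.113.44", 22) for i in range(1, 7)]
    + [("141.221.200.1", "192.0.2.10", 80),
       ("141.221.200.1", "224.0.0.5", 89),   # multicast: not displayed
       ("10.0.0.1", "192.0.2.10", 80)]       # local side outside SCinet range
)
```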