The Spinning Cube of Potential Doom
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
Wonder if they've got one of these monitoring DOS attacks now that they've been posted on Slashdot.
Here's the 31 meg AVI if you want to make it spin faster.
"Definitely a step towards the new types of tools we will need to secure hosts and networks."
I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
- The X axis represents the local IP. Every computer on the LAN is at a unique location on this line.
- The Z axis represents all possible IP addresses. Every computer in the *world* is a unique location on that line, so every possible connection that can be made between a SCinet computer and an external system is somewhere on the "floor" of the cube. Think of it like an old phone switchboard.
- The Y axis represents the port number, so as two computers establish multiple TCP connections to each other they "stack" and move up towards the top of the cube.
The upshot of all this is that all network activity on the LAN during a specific time period can be placed in this cube. And once it's here in visual form, it becomes easy for a human operator to apply our brain's pattern recognition abilities to the problem of noticing unusual activity, which is hard to do with just a text dump from a normal IDS. Normal Internet usage would be a single point, or a small vertical line, which would represent a single persistent TCP connection for a specific service (for SSH or something) or a small number of TCP connections established momentarily (for a stateless protocol like HTTP), and this can be seen in the example as a lot of random dots scattered throughout the cube.

If there was an attack in progress, it would be some sort of procedural scan from one external system (a single Z location, or a constant depth in the example) across the LAN address space (going left to right) and/or the ports on a single LAN system (going up and down). A simple port scan would be a solid vertical line, as the attacker hit each port on a single system in sequence (Z and X constant, Y varying). I think there's one of these visible in the example, in the back; this short vertical line would be an attacker hitting all the privileged service ports between 0 and 1024. A more advanced attack pattern would attempt to randomize the ports it scanned or hit several different IPs - in a text log, this would be very hard to pick out from the "random" connections that a normal busy LAN is also handling, so the attacker could go undetected for some time. But on the Cube, this would appear as a filigree of closely packed dots all at the same depth (Z would be constant, X and Y varying), and would be immediately obvious to a human viewer.
This isn't really meant to convey detailed information, it's just supposed to let the admin see at a glance that something suspicious may be happening, by making the data easier to examine as a whole.
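The three-axis mapping and the scan signatures described in the comment above (vertical line, horizontal sweep, same-depth filigree), as an added Python example that is not code from the Cube project or the commenter; the connection records, IP addresses and thresholds are constructed for illustration:

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample connection records: (local_ip, remote_ip, dst_port).
# Background traffic plus one sequential port scan and one port sweep.
RECORDS = [
    ("10.0.0.5", "198.51.100.7", 22),       # persistent SSH session
    ("10.0.0.5", "198.51.100.7", 22),
    ("10.0.0.9", "203.0.113.4", 80),        # a couple of HTTP fetches
    ("10.0.0.9", "203.0.113.4", 443),
]
RECORDS += [("10.0.0.12", "192.0.2.66", p) for p in range(1, 1025, 8)]   # one host, many ports
RECORDS += [("10.0.0.%d" % i, "192.0.2.99", 445) for i in range(1, 21)]  # many hosts, one port


def cube_points(records):
    """Map each record to cube coordinates: X = local IP, Y = port, Z = remote IP."""
    return {(int(ip_address(loc)), port, int(ip_address(rem))) for loc, rem, port in records}


def vertical_lines(points, min_ports=50):
    """Single-host port scans: Z and X constant, Y varying (a vertical line)."""
    ports = defaultdict(set)
    for x, y, z in points:
        ports[(x, z)].add(y)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def horizontal_sweeps(points, min_hosts=10):
    """One port swept across the LAN: Z and Y constant, X varying (a horizontal line)."""
    hosts = defaultdict(set)
    for x, y, z in points:
        hosts[(z, y)].add(x)
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}


def remote_footprint(points):
    """Distinct (X, Y) cells touched per remote Z: a randomised scanner that
    mixes hosts and ports still shows up as one Z value with a large footprint."""
    cells = defaultdict(set)
    for x, y, z in points:
        cells[z].add((x, y))
    return {z: len(c) for z, c in cells.items()}


if __name__ == "__main__":
    pts = cube_points(RECORDS)
    print(vertical_lines(pts))
    print(horizontal_sweeps(pts))
    print(remote_footprint(pts))
```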