Slashdot Mirror
The Spinning Cube of Potential Doom
An anonymous reader writes "This month's Communications of the ACM (does not seem to have a link to online text) has an article about The Spinning Cube of Potential Doom, a security visualization tool that I first saw at SC2003. The cube displays data from Bro along 3 axes and creates interesting visual results (port scans, barber poles, lawnmower). This definitely makes patterns in all that 'boring log data' jump out. This is a very interesting development, the ability to monitor in real time and replay historical security related information. Definitely a step towards the new types of tools we will need to secure hosts and networks."
When the eventual goal of having this data displayed in a real time setting the applications of usefulness will be startling. Data that had to be updated manually during the conference, will be available to researchers to do tci-square analysis to approximate the optimum network efficencies. Even use in the business sector and th ability to analyze huge databases will be quite amazing, although at least a half-decade down the road. Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security. Really fascinating stuff.
Too bad Cisco didn't have this a couple weeks ago when they needed it!
The best way to predict the future is to invent it. -Alan Kay
I live in the spinning cube of potential doom. At least that's what my co-workers call it.
Sounds like the Time Cube.
But then, you stupid ignorant mind-traitors cant understand time cube having been manipulated by your word god.
I don't need no instructions to know how to rock!!!!
Now we need tools that scan in a pattern that causes little devil faces to appear inside the cube, just to freak the sysadmin out. Words could be fun too.
I Am My Own Worst Enemy
Man, when I heard it could display data along 3 axes I was hoping for a error message featuring a little projection of somebody saying "Help me Obi-Wan Kenobi, you're my only hope."
Sad.
The Human Cow - bringing you scrumtrelescence since 1995
Wonder if they've got one of these monitoring DOS attacks now that they've been posted on Slashdot.
Here's the 31 meg AVI if you want to make it spin faster.
If this becomes a trend, and "Secutiry Visuallization Tools" become widespread... then people will begin to say that movies like Hackers and such were just "before their time."
Do we really want that?
"Definitely a step towards the new types of tools we will need to secure hosts and networks."
I'm sorry, but I do not agree. While it makes it easy to visually detect intrusion attempts, it is of no use in the daily life of a BOFH. I have the responsibility of quite a number of machines. Most of the time, they don't require attention. So I don't pay them any. Then, once in a while, something extraordinary is happening, and I'm being alerted by an automatic monitoring system. That means I can use my day on all the important things (like hanging out on IRC etc). Visualizing network intrusion attempts is cool, but it's not a tool for me.
They appear as complex crystalline structures with no obvious holes other than the known authentication interfaces.
Those who hack/defeat them are called "icebreakers" and they use software which has its own visual attack signature to distract or deflect(overload/DNS attack) the ice or to find hidden cracks (exploits)
Visionary stuff (pun partially intended).
You are in a maze of twisty little passages; all alike.
It sets three variables onto three axes to show network traffic between your network and the net:
1) Your IP range
2) The entire IP range
3) Destination port
It's useful for things like picking up semirandom port scans that you might not detect based on textual data (see "barber poles").
Entire para:
"The Cube takes this connection information stored in the Bro files and displays it in a graphical format which can be more readily understood by people who are unfamiliar with networking and computer security techniques. The 'X' axis of the display (shown in red) represented the SCinet address space, which ranged from 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represented all possible IP address space (0.0.0.0 - 223.255.255.255). Multicast traffic (224.0.0.0 and above) was not displayed. The 'Y' axis (shown in green) represented the port number number (0-65535). Some well known port numbers include 22 (ssh), 25 (smtp), 80 (http). "
I'm sorry if I haven't offended anyone
Besides the primary educational aspect of the Cube, the secondary goal of the Cube will see fruition as to how investigate new techniques in visually analyzing network traffic and also to develop a tool that would potentially assist those involved with computer security.
Yes. The Cube knows all. It will make everything all right again. The Cube has been sent to help us. We must trust the Cube.
All hail the Cube.
-Laxitive
Sorry, absolutely nothing of value to add to this. I just liked the way you referred 'the Cube' using proper-noun capitalization, and spoke of it as a single entity.
I think the point of this interface is that the data is more easily interpreted, allowing the human-user to notice patterns that automated scripts would miss. This could be done either in real time, or as a visualization tool for historical files. The latter usage seems like it would be of interest if you're trying to determine the source of a break-in.
For real-time monitoring, your point about mutliple systems is very valid, but what if this approach could be scaled up to allow you to visually inspect the whole system for a number of problems? Perhaps an entire array of cubes, each for a subnet or an individual system, focusing on those that pique your interest.
This idea may be able to mesh with the glanceable objects idea (just the idea, not their chicken egg specifically). If it is informative enough, it could allow you to periodically check some aspects of your whole system for things that you either can't write scripts to do, or don't have time to write scripts for.
-Zipwow
I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
Warning: Pregnant women, the elderly and children under 10 should avoid prolonged exposure to the Spinning Cube of Potential Doom.
Caution: the Spinning Cube of Potential Doom may suddenly accelerate to dangerous speeds.
the Spinning Cube of Potential Doom Contains a liquid core, which, if exposed due to rupture, should not be touched, inhaled, or looked at.
Do not use the Spinning Cube of Potential Doom on concrete.
Discontinue use of the Spinning Cube of Potential Doom if any of the following occurs:
Itching
Vertigo
Dizziness
Tingling in extremities
Loss of balance or coordination
Slurred speech
Temporary blindness
Profuse sweating
Heart palpitations
If the Spinning Cube of Potential Doom begins to smoke, get away immediately. Seek shelter and cover head.
the Spinning Cube of Potential Doom may stick to certain types of skin.
When not in use, the Spinning Cube of Potential Doom should be returned to its special container and kept under refrigeration...
Failure to do so relieves the makers of the Spinning Cube of Potential Doom, Wacky Products Incorporated, and its parent company Global Chemical Unlimited, of any and all liability.
Ingredients of the Spinning Cube of Potential Doom include an unknown glowing substance which fell to Earth, presumably from outer space.
the Spinning Cube of Potential Doom has been shipped to our troops in Saudi Arabia and is also being dropped by our warplanes on Iraq.
Do not taunt the Spinning Cube of Potential Doom.
the Spinning Cube of Potential Doom comes with a lifetime guarantee.
the Spinning Cube of Potential Doom
ACCEPT NO SUBSTITUTES!
Did someone just discover that data can be graphed? What is the innovation here?
For great justice.
Got some slick, nobody's fool sysadmin you need to get past?
Well, cook up a portscan that will look like a giant, spinning Mr Goatse, or some racial slurs, etc..
Boss walks past, geek gets fired, replaced by bosses moron nephew who is more than happy to give you the keys to the server when you call and identify yourself as the Hamburglar.
I don't need no instructions to know how to rock!!!!
Visible Decisions (acquired by Visual Insights in 2000) has been doing graphical visualization for 15 years - check this out for a demo.
About 18 months ago, Slashdot posted an article The Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release with a nice collection of unconventional networking tools.
Included was a very cool tool, Phentropy, for visualizing arbitrary data using Strange Attractors. You may recall a paper on TCP/IP Sequence number analysis that highlighted the usefulness of Strange Attractors for data visualization.
Phentropy plots an arbitrarily large data source (of arbitrary data) onto a three dimensional volumetric matrix, which may then be parsed by OpenQVIS. Data mapping is accomplished by interpreting the file as a one dimensional stream of integers and progressively mapping quads in phase space.
OpenQVIS is a neat package and could fill a lot of arbitrary data viz needs.. But damned if I have been able to get the thing to build under Linux. The project could really use some help, and I think a lot of good could come of it. The Phd types who wrote it seem to have mostly moved on..
... After all the $$M spent on cute visualization and PR promotion of the technology, evil authors of port-scanners just add two lines:
/* this */ ...) ...){ /* and this */
pseed=urand(); iseed=urand();
for(port
for(ip
port ^= pseed; ip^=iseed;
probe(ip,port);
}
or use some fancier one-to-one mapping and the dots in your cube are again "random" to the naked eye.
(On a side note, why whoever implemented that "barberwire"-producing scanner did not do this at the time, I can not understand).
Paul B.
I work for a network research group ("WAND") at Waikato University in New Zealand. We have a similar visualisation which you can see various stages of evolution here, there are also some animations.
The universities internal network IP range is mapped onto the left hand face of the cube, the rest of the world is mapped onto the right face. They are mapped so similar addresses are clustered together and addresses further apart are uh, further apart. A box represents one packet, the volume of the particle is proportional to the size of the packet, and the colour is based on port number.
Also we "light" each end of the connection for a bit after the packet has been sent. So machines appear to be glowing in the colour of the traffic they are sending.
We use it to show off "networks" to people who think we just sit at computers and type into stuff, however it has been very useful to detect attacks and broken machines since they provde distinctive patterns. Portscans are a series of "sparkly" packets. Network scans are a row of marching lines. Virii infected machines appear as a cone centered on the infected machine.