Data Visualization with IRONMAN V1.1
IRONMAN V1.5
Network Management Environment
Traffic Problem Domain
• Nodes: 50,000,000 total; 5000 to protect
• Protocols: 160+
• Ports: 1024 well-known; 60000+ others
• Services: 10 - 200 (e.g. WWW, email)
• Applications: ???
• Typically 500++ instances (packets) per second
• Acceptable vs unacceptable combinations
Network Management Environment
• Provides Interactive Management of networks and components
• Policy Based Modeling, Analysis and Control
• Passive Monitoring and Active Probing of Networks
• Dynamic Visualization of Information and Systems
• Integration of Existing Commercial Tools and Custom Tools
• Virtual Common Data Repository for all Information Sources
• Client-Server and Peer-to-Peer Architecture using Standard Technology
Functional Architecture
(diagram: Acquisition, Representation, Control, Analysis, Presentation and Decision arranged around the Adaptive Manifold)
System Architecture
(diagram: WWW Browser with VRML 2.0 Plugin, IRONMAN HTTP Servers, Client Manifold, Client Support Applications (Sockets), Network, IRONMAN Agent Server)
Distributed Interactive Simulation and Control
• client-server structure
  • servers: data-gathering (probes and monitors), analysis, control, representation, persistent storage and decision support
  • clients: working storage, presentation (display) and command consoles
• some analysis in clients but only for network efficiency
• collaborative architecture (i.e. shared workspace through servers, storage and presentation space)
• streaming data updates
• database architecture: local working and global persistent
Hierarchy of Fusion Problems
Probing, Monitoring and Control
• Probes: CyberCop, Nessus, Internet Security Scanner, ...
• Intrusion Detection: NetRanger, Network Flight Recorder, ...
• Monitoring: SNMP RMON, TCP Dump, ...
• Policy/Configuration: SNMP, Telnet, X-Windows, ...
• Agents: perform one or more of the above ...
• other
Vulnerability Database Schema
• Vulnerability Identification (id, title)
• Description and impact
• System identification
• Application information
• Reference to the vulnerability
• Detailed analysis, detection techniques and fixes (analysis, detection, fix, test, workaround, patch)
• Detailed information about exploitation (exploit, pattern)
• Classifications and features (class, category)
• Verification of vulnerability
• Source of vulnerability information
Agents
• several intrusion detection systems use agents as collectors/sensors (e.g. AAFID);
• agents are being studied as components of IRONMAN for:
  • acquisition
  • analysis
  • communication
  • control
IETF IDWG Core Terms and Relationships
Principal Visualization Goals
• to identify whether the system is stable or unstable relative to an identified set of criteria (e.g. a security policy)
• to identify whether internal changes to the system will move the system toward instability
• to identify any external events which are tending to move the system towards instability
IRONMAN Visualization
• the generation of a set of (visual and aural) sensory stimuli for the user; and
• the detection and interpretation of these stimuli by the user
• user input to visualization
• use VRML 2.0 as implementation framework
VRML 2.0 Scene Graph
• Group: Collections and Hierarchies
• Transform (Xform): Shape, Colour, Location, Texture of Object
• Script: Behaviour of Object and/or connection to Network
• Sensor: Connection to User Actions and/or User Avatar Location
Individual Control of Visualization Elements
• VRML 2.0 scene is composed of nodes
• each node is coupled to a data source or network process
• very large distributed computational structures can be monitored in real time over the network
• each element can display individual characteristics
• aggregate provides visualization support through collective morphology and topology
Visualization Toolkit
• a basic object editor;
• a mapping assignment editor (to map data to parameters);
• a basic visualization library manager;
• a data set formatter;
• a VRML 2.0 generator;
Visualization Toolkit Data Structures
Six data structures are being developed to support models:
• network - main objects (vertices and lines);
• permutation - reordering of vertices;
• vector - values of vertices;
• cluster - subset of vertices (e.g. one class from a partition);
• partition - mapping of vertices to clusters;
• hierarchy - hierarchically ordered clusters and vertices.
Algorithms which operate on these are being developed and evaluated.
VR Server
• Uses a specification to generate a visualization;
• inputs:
  • one or more data sets;
  • a set of prototypes or templates;
  • an algorithm for converting or mapping the data sets into Euclidean space using the available prototypes and templates
• distributed compositional architecture
System High-Level Visualization
System Level of Detail Visualization
System High-Level Visualization
Example:
• 676 hosts
• Ring is a LAN
• White box is a selected host. HUD displays IP of host
System Attribute Visualization
• e.g. Mapping Network Components to Vulnerabilities
• VRML 2.0 with behaviours and external interfaces
System Behaviour Visualization
VRML 2.0 with behaviours and external interfaces
• tracking events through topology, e.g. Traceroute
• Events can be displayed using shapes which travel along links in the visual display.
• Events can (1) have any shape, and can either be (2) persistent and aggregate or (3) transient
System Constraint Visualization
• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces
Partitioned Host Traffic Visualization
• Various display layouts are possible
• This example shows line and spiral
Partitioned Host Traffic Visualization
• Partition Hosts into 2 or more categories
• Time-independent Display
Partitioned TCP Dump Visualization
External Hosts - red disk
Internal Hosts - green line
Partitioned Host Traffic Visualization
• shows partition of hosts
• time-independent
• scan of network displayed
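The following is an added example, not IRONMAN code, tying the toolkit's data structures (network, partition, cluster, vector) to the partitioned TCP dump display: it parses a few constructed tcpdump-style lines, partitions hosts into internal and external, flags a source that touches many internal hosts (the scan the slide mentions), and emits a VRML 2.0 scene with internal hosts on a green line and external hosts as red disks. The LAN prefix, the scan threshold, the sample lines and the scene layout are all assumptions; permutation and hierarchy are not shown.

```python
import re
from collections import defaultdict

# Constructed sample (not IRONMAN data): tcpdump-style "src.port > dst.port" lines.
LINES = """\
IP 192.0.2.7.40001 > 10.0.0.1.22: S
IP 192.0.2.7.40002 > 10.0.0.2.22: S
IP 192.0.2.7.40003 > 10.0.0.3.22: S
IP 10.0.0.2.51000 > 198.51.100.9.80: S
IP 10.0.0.3.51001 > 10.0.0.1.25: S
""".splitlines()
FLOW = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+:")
INTERNAL = "10.0.0."   # assumption: the protected LAN prefix
SCAN_MIN = 3           # assumption: distinct internal targets that count as a scan

def network(lines):
    """'network' structure: sorted vertices (hosts) plus lines (directed flows)."""
    edges = [m.groups() for m in map(FLOW.search, lines) if m]
    return sorted({h for e in edges for h in e}), edges
def partition(vertices):
    """'partition' structure: vertex -> cluster name (two categories here)."""
    return {v: "internal" if v.startswith(INTERNAL) else "external" for v in vertices}
def cluster(part, name):
    """'cluster' structure: the vertices of one class of the partition."""
    return [v for v, c in part.items() if c == name]
def target_vector(edges, part):
    """'vector' structure: per source vertex, distinct internal hosts contacted."""
    seen = defaultdict(set)
    for src, dst in edges:
        if part[dst] == "internal":
            seen[src].add(dst)
    return {v: len(t) for v, t in seen.items()}
def scanners(vector):
    """A source touching SCAN_MIN or more internal hosts is the scan the display shows."""
    return sorted(v for v, n in vector.items() if n >= SCAN_MIN)
def vrml_scene(part, scan):
    """VRML 2.0 generator: internal hosts as a green line, external hosts as red disks."""
    n = len(cluster(part, "internal"))
    pts = " ".join(f"{i} 0 0" for i in range(n))
    idx = " ".join(map(str, range(n))) + " -1"
    out = ["#VRML V2.0 utf8",
           "Shape { appearance Appearance { material Material { emissiveColor 0 1 0 } }",
           f"  geometry IndexedLineSet {{ coord Coordinate {{ point [ {pts} ] }} coordIndex [ {idx} ] }} }}"]
    for i, host in enumerate(cluster(part, "external")):
        r = 0.6 if host in scan else 0.3   # a scanning host gets a larger disk
        out.append(f"Transform {{ translation {2 * i} 3 0 rotation 1 0 0 1.5708 children Shape {{")
        out.append("  appearance Appearance { material Material { diffuseColor 1 0 0 } }")
        out.append(f"  geometry Cylinder {{ radius {r} height 0.05 }} }} }}  # {host}")
    return "\n".join(out)
```

Writing the returned scene to a `.wrl` file gives a static, time-independent display of the partition that any VRML 2.0 viewer can load.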
Temporal TCP Dump Traffic Visualization
Cartesian Display
Temporal TCP Dump Visualization
Temporal TCP Dump Traffic Visualization
Polar Display
EPIC Port Alerts
EPIC Signature Alerts
Hyper-Geometric Visualization
Heads Up Displays
Context Displays
Context Displays (Top View)
Textured reference floor providing context status and "bubbles" indicating status of particular machines
Conetrees
Conetrees can be used either for user interface (i.e. selection of options, etc.) or to indicate hierarchical structures
Controls and Level of Detail
Elements of the visual presentation can be provided with associated controls and displays. Buttons can be persistent or can become visible with proximity or external triggers
Controls and Level of Detail
In this case, selecting the red button caused the remainder of the elements in the display to be hidden. Actions associated with each user interface can be dynamically assigned or form part of a standard user interface profile. If buttons are dynamically assigned, they will have information tableaus associated with them.
Controls and Level of Detail
In this display, almost every visible element has an associated action. Some cause changes to the display while others open new displays or activate analytic tasks.
Cellular Automata driven by Sensors
Cellular Automata Implemented with Agents
Collaborative Environments
• Conventional Environments
  • Virtual Network Computing (VNC)
• Virtual Environments
  • DeepMatrix :- multi-user virtual environment
  • Vnet :- multi-user virtual environment
  • DIS-Java-VRML :- distributed interactive simulation (DIS) environment implemented in Java and VRML
Ontologies
• Purpose :- to enable communication between computer systems in a way that is independent of the individual system technologies, information architectures and application domain.
• Key Ingredients :- a vocabulary of basic terms and a precise specification of what those terms mean.
• IRONMAN Implementation :-
  • KIF
  • Ontolingua
  • Open Knowledge Base Connectivity (OKBC)
Ontolingua
• provides a mechanism for defining ontologies that are portable over representation systems
• consists of
  • a KIF parser,
  • tools for analyzing ontologies, and
  • a set of translators for converting Ontolingua sources into forms acceptable to implemented knowledge representation systems.
• Currently supported target representation systems are: (:EPIKIT :CLIPS :LOOM :GENERIC-FRAME :KIF :EXESS)
Ontolingua
Bridging Technologies in One Specification
(define-class NETWORK-ELEMENT (?ne)
  "A network element is a device attached to the network, and thus
   having one or more interfaces. We assume the device has at least one
   DNS name."
  :def (and (has-some ?ne element.interface)
            (has-some ?ne element.name))
  :issues (
    (:VRML use-proto "$vrml_protos/node_proto2.wrl")
    (:DIS use-class "$dis_lib/network/network_element.class")
    (:XML use-DTD "$ironman_dtd/network.dtd")
  )
)
Policy Management
• Generic Policy model (ontology) to support:
  • High-level Policy Specification (confidentiality, integrity, availability, accountability, assurance)
  • Low-level Policy Specification (applications, ports, services, protocols and packets)
  • Data-based and System-based Policy Assertions
• Visual Policy Editor
• Standard Policy Specification Exchange Format
Policy Views
• Global View
• Link and/or Node View
• Relationships among applications, services, protocols, ports and packets
• Groups of Links and/or nodes.
Analysis and Decision Support
• Scenario Generation and Detection
• Strategic Risk Analysis
• Collaborative Hierarchical Command Infrastructure
• Rapid Response Infrastructure and Mechanisms
Analysis and Decision Support Components
• Ontolingua as basic Knowledge Engine;
  • KIF (Knowledge Interchange Format)
  • OKBC (Open Knowledge Base Connectivity)
• Implemented as applications with HTTP Server support
  • Z-EVES (ORA) - formal modelling environment
  • ExESS (Systolics) - expert system shell
  • CLIPS (Systolics) - expert system shell
  • other (Vulcanizer, neural nets, Petri nets, ...)
Strategic Risk Analysis
• ontological model based on NIST Risk Model Builder's workshops
• basic rule-based model enhanced with relational analysis and sequential event model for scenario generation and detection
Scenario Generation and Detection
• sequential event model
• used to analyse collections of events for potential exploitation of vulnerabilities
• possible processing in
  • CLIPS for rule-based analysis
  • ExESS for dynamic simulation
  • Petri net tools (reachability); and
  • neural net based classifier
IRONMAN Information Management
• Distributed Virtual Information Repository
• Ontology is used for coherence and consistency
• Information Source Mapping through Manifold
  • ODBC, JDBC, SQL for standard database support (early adoption)
  • Extensions to IRONMAN DNS support
  • SNMP (including agents and additional MIBs)
  • LDAP
Defensive Information Operations
• Hierarchical Command and Control :-
  • operational and architectural issues to support a hierarchical collaborative infrastructure which has a command center, command posts and "road warriors".
  • develop the analytic engines to provide interactive process mapping and dynamic situation status reports.
• Rapid Response Mechanisms :-
  • study means to provide rapid initial analysis of a situation within an information infrastructure managed by IRONMAN and provide potential response strategies.
Some of Many Issues
• Visual Literacy
• Laws of Perceptual Organisation
• Visual Imprinting
• ...
Visual Literacy
• The ability to produce and understand visual messages
• What are the symbols and grammar used in a visual transaction/interaction
• How do we know that someone can "read" what we have "written"
Visual Literacy
• Is literacy learned? cultural? what else?
• If it is learned, how do we teach it?
• If it is cultural, how do we generalize it?
• What else is needed to improve literacy?
Visual Literacy
• How much is the skill of the "writer"?
• How much is the experience and imagination of the "reader/viewer"?
• Does abstraction help or hinder EFFECTIVE GOAL-ORIENTED visualization
Laws of Perceptual Organisation
Law of Pragnanz (law of good figure, law of simplicity)
Complex objects are seen in such a way that the structure is seen as simple as possible
Laws of Perceptual Organisation
Law of Similarity
Things that have similar perceptions appear grouped together.
Laws of Perceptual Organisation
Law of Good Continuation
Complex objects are seen in such a way that the structure is seen as simple as possible
Laws of Perceptual Organisation
Law of Proximity
Things close to each other in space are visually grouped together.
Laws of Perceptual Organisation
Law of Common Fate
Objects that move together through space appear grouped together (until they move apart). This makes ballet and modern dance troupes so interesting.
Laws of Perceptual Organisation
Law of Familiarity (or Meaningfulness)
Objects that form familiar or meaningful patterns are grouped together.
Visual Imprinting
• Process in young animals for early recognition
• Does it or an analogous process take place in visualization? If so, do we confuse if we change visual syntax or semantics?