A TECHNICAL APPROACH




One approach here will be to use an interactive visualization interface to drive the underlying network forensic data acquisition tools and analysis routines. The objective of the interface will be to capture the abilities of a skilled network security analyst in an intuitive and guided examination of network security events. To achieve this, you should propose to investigate different visualization techniques to model the network security data. The goal is to encapsulate these visualization techniques into modular network forensic data visualizers. In addition, you should investigate tying these data visualizers into a visual query interface that can drive the network security database backend.

For example, a prototyping vehicle to conceptualize and test these ideas is AVS/Express. AVS/Express is a multi-platform (UNIX, NT) object-oriented data visualization tool that has 2D and 3D data visualization modules, as well as a configurable GUI combined with selection and picking capability to support interactive data probing and visual querying. In addition, AVS/Express will allow you to develop custom modules to interact with external data sources, databases, and analysis programs. Also, an interactive data flow process allows multiple visualization steps to be combined into a single visualization macro. The main components of a network forensic data visualizer are as follows:

  • Network forensic data and database

  • Visual query interface

  • Network forensic data visualizers

Note

AVS/Express is Advanced Visual Systems’[i] new visualization development tool. It is a modular, hierarchical, open, and extensible system, with hundreds of predefined components for visualizing data.

Network Forensic Data and Database

The data that will be used for visual analysis consists of network forensic data describing IP sessions. This data can consist of, but is not limited to, a time, date, IP address pair, session type, and duration. Session type identifies the communication event type. For example, network communications such as e-mail, FTP transfers, and HTTP sessions are considered to be session types.

The collected network communication metadata should be stored in a high-capacity data warehouse. The data warehouse should consist of the following two stages: Stage 1 collects all observed network transactions and records them into logs; Stage 2 summarizes these transactions into objects and communicants producing a network event. You should also investigate creating additional smaller browsable tables for supporting rapid high-level looks into the database. If successful, these will support a smooth interactive visual query interface, while still allowing drilling down into the more extensive databases with additional, more expensive queries.

Currently there are various reports that can be generated on these databases via queries. One approach to integrate these reports into the visualization engine is to develop network forensic data models that can hold the different types of report data and provide a seamless input into the visualization engine through data readers.

Thus, to integrate a new report type into the visualization engine, you must first create a predefined query as a data model (or as a variation on an existing data model) for the report. The query output is then inserted into the data model, and a reader is developed to load the data model into the visualization engine.
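The two warehouse stages and the small browsable table described above, as an added example (not code from the book or from AVS/Express): Stage 1 is a constructed transaction log, Stage 2 collapses it into one network event per communicating IP pair and session type, and a summary table gives the high-level count a data reader could load first. Field layout and session-type labels are assumptions.

```python
# Added example: toy two-stage warehouse for IP session metadata.
from collections import defaultdict
from datetime import datetime

# Stage 1 (constructed sample): timestamp, src IP, dst IP, session type, seconds
STAGE1_LOG = """\
2002-03-01T09:00:00 10.0.0.5 192.0.2.10 http 12
2002-03-01T09:00:30 10.0.0.5 192.0.2.10 http 8
2002-03-01T09:05:00 10.0.0.7 192.0.2.25 ftp 240
2002-03-01T09:07:10 10.0.0.5 192.0.2.10 http 3
2002-03-01T09:09:00 10.0.0.9 192.0.2.10 smtp 15
"""

def parse_stage1(text):
    """Stage 1: turn each logged transaction into a record tuple."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, stype, dur = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, stype, int(dur)))
    return rows

def summarize_events(rows):
    """Stage 2: one network event per (src, dst, session type) with
    first/last time seen, transaction count and total duration."""
    events = {}
    for ts, src, dst, stype, dur in rows:
        ev = events.setdefault((src, dst, stype),
                               {"first": ts, "last": ts, "count": 0, "duration": 0})
        ev["first"] = min(ev["first"], ts)
        ev["last"] = max(ev["last"], ts)
        ev["count"] += 1
        ev["duration"] += dur
    return events

def browse_table(events):
    """Smaller browsable table: transaction count per session type, for a
    rapid high-level look before drilling into the full event store."""
    table = defaultdict(int)
    for (_, _, stype), ev in events.items():
        table[stype] += ev["count"]
    return dict(table)

if __name__ == "__main__":
    evs = summarize_events(parse_stage1(STAGE1_LOG))
    for key, ev in evs.items():
        print(key, ev["count"], ev["duration"], ev["first"], ev["last"])
    print(browse_table(evs))
```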

Visual Query Interface

The visual query interface allows the network security analyst to interactively probe the output of the network forensic data visualizers. A probe may involve one of several different actions. One is to expose greater detail at a particular data point. For example, if the node of a network security event is shown, then picking it would give the ancillary information associated with that node. Second, one may use node information as a way to give additional constraints to a drill-down query. This would allow, for example, a way to pare down the number of nodes that need to be examined. An effective data visualization is highly segregated both spatially and by color. Therefore, spatially oriented visual queries can serve to partition the data space and be automatically translated into query constraints. Range constraints can be applied based on the node data or color values. Finally, a menu-driven choice from a set of predefined queries can serve as a navigational aid into the various parts of the database.

The goal here is to investigate the effectiveness of each of the preceding techniques in browsing and navigating the network forensics database. Effective techniques can then be incorporated as templates to allow the network security analyst to customize the interface to perform context-based searches pertinent to his or her investigation.

Network Forensic Data Visualizers

Network forensic data visualizers are key to an understanding of the network forensic data. They not only allow the raw network data to be displayed, but also do so in a way that highlights relevant data through spatial, color, or projection techniques. You should also investigate a number of different visualizations of the network forensic data to see which methods work best in conveying useful information to the network forensic analyst. Due to the large nature of the network forensic database, a hierarchical approach may be useful in categorizing the visualizations with each level showing a correspondingly greater detail. Such an approach could also support the visual query interface in a browse/detail mode. You should also investigate such a hierarchical partitioning of detail to see if it can be used as an effective means of displaying network forensic data at different detail levels.

The network forensic database also has several possibly different modes of investigation. The first looks at the data from a chronological or time-ordered point of view. In this case, the visualization performs a mapping from time-ordered to space-ordered view; or presents a specific time range with other parameters such as duration, ip_address, and session type being mapped spatially. In addition, binning (see note below) to create counts of events within certain ranges of parameters is also possible.

Note 

Binning is a method used to map data to spatial axes in uniform-sized bins. Real values are discretized into data ranges that define a bin; each unique categorical value defines its own bin. Binning resolution determines accuracy and rendering efficiency.

In the second case, a network event view of the database is appropriate. This can lead to a nodal map view of the network events, in which connections could represent paths an intruder has used to enter the network domain.

Next, let’s look at another facet of the network forensics dilemma: the destruction of e-mail. Any attempts to destroy e-mail today will more than likely be met with harsh consequences. Let’s take a look.

[i]Advanced Visual System, World headquarters, 300 Fifth Avenue, Waltham, MA 02451, 2002.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
