Skyrails is a social network (or any graph, really) visualization system. It has a built-in programming language for processing the graph and its attributes (as far as visualisation attributes go). The system is not only aimed at expert users, though, because through the scripting language menus can be built and the system can be used by any user.
The main distinguishing point of the system comes from the built-in scripting language, the added flexibility of how to represent attributes (nodes can be bound to planes and spheres based on their attributes) and the scriptability of the user interface system. This makes Skyrails ideal for creating presentations targeted at average users.
http://cgi.cse.unsw.edu.au/~wyos/skyrails/
Skyrails in action:
http://www.youtube.com/watch?v=I2d312_dXEs
For those who are interested, here are the slides from the DAVIX workshop that Jan Monsch and Raffael Marty taught at DefCon 2008 in Vegas. The content is as follows:
Could I possibly get a little help with getting the afterglow / neato tools usefully working? I have 291 lines of data and for the life of me the graphs I'm generating are quite poor.
I am not a Perl programmer but have managed to get cygwin working and afterglow & neato working.
Using this sample set of the 291 I can get the two diagrams I have attached, but I would dearly like some advice on how to generate a more representative image.
If this forum is inappropriate for a little mentoring then please advise / delete as appropriate.
With kind regards,
Stephen
10.140.122.23,10.142.162.88,80
10.142.40.198,10.142.44.233,80
10.129.20.81,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.45.191,10.142.162.88,80
10.239.41.33,10.143.23.79,80
10.142.36.98,10.142.162.88,80
10.142.36.98,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.143.24.45,10.142.44.233,80
10.142.41.194,10.142.162.88,80
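One way to get a more representative picture out of source,destination,port triples like the ones posted above is to collapse the repeated rows into weighted edges and look at fan-in per destination before handing the graph to neato. The following is an added example, not part of the thread and not AfterGlow's own code; it assumes the same three-column layout, uses a constructed subset of the posted rows as input, and emits DOT with edge width scaled by how often a flow was seen.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample: a subset of the posted rows in the same sip,dip,dport layout.
SAMPLE_CSV = """\
10.140.122.23,10.142.162.88,80
10.142.40.198,10.142.44.233,80
10.129.20.81,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.41.106,10.142.162.88,80
10.142.45.191,10.142.162.88,80
10.239.41.33,10.143.23.79,80
10.142.36.98,10.142.162.88,80
10.142.36.98,10.142.162.88,80
10.142.45.99,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.142.45.70,10.142.162.88,80
10.143.24.45,10.142.44.233,80
10.142.41.194,10.142.162.88,80
"""


def aggregate_edges(text):
    """Collapse repeated (sip, dip, dport) rows into one edge carrying a count."""
    counts = Counter()
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines instead of crashing
        sip, dip, dport = (field.strip() for field in row)
        counts[(sip, dip, dport)] += 1
    return counts


def fan_in(counts):
    """Number of distinct sources talking to each destination:port (service hubs)."""
    sources = defaultdict(set)
    for (sip, dip, dport) in counts:
        sources[(dip, dport)].add(sip)
    return {key: len(srcs) for key, srcs in sources.items()}


def to_dot(counts, min_count=1):
    """Emit a DOT digraph for neato; edge width grows with the flow count and
    edges seen fewer than min_count times are dropped to reduce clutter."""
    lines = ["digraph flows {", "  overlap=false;", "  node [shape=ellipse, fontsize=10];"]
    for (sip, dip, dport), n in sorted(counts.items()):
        if n < min_count:
            continue
        lines.append('  "%s" -> "%s:%s" [label="%d", penwidth=%d];' % (sip, dip, dport, n, n))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = aggregate_edges(SAMPLE_CSV)
    for (dip, dport), n in sorted(fan_in(edges).items(), key=lambda kv: -kv[1]):
        print("%s:%s <- %d distinct sources" % (dip, dport, n))
    print(to_dot(edges, min_count=1))
```

Pipe the printed DOT into `neato -Tgif -o flows.gif`; raising `min_count` is the quickest way to thin out a graph that is dominated by one-off connections.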
INAV is a project that displays connection information in real time. It creates a dynamic interactive directed graph in real time. http://inav.scaparra.com
After months of building and testing, the long anticipated release of DAVIX - The Data Analysis & Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exciting moment for us and we are curious to see how the product is received by the audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not accounted for.
All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage.
We wish you happy visualizing!
Kind regards
Jan
Have you noticed? There is a new logo for secviz.org. To be correct this is the first real logo. What was there before wasn't really a logo.
The Applied Security Visualization book is DONE and available in your favorite store!
You can download an electronic version of Chapter 5 for free! The book also ships with a version of DAVIX, the Data Analysis and Visualization Linux!
Martin McKeay recorded a podcast with me where I talk a little bit about the book.
Plotted above is the used port range of a Storm Worm spambot with a private IP. Interesting that it (almost) stops at about port number 33.789, very sparse above that... Verified with multiple binaries and by the analysis of a so-called Storm Gateway (supernode) with a public IP; here as well the data is sparse above the mentioned port, while ports between 50000 and 51000 seem to be very dense again. More information and plots on
http://honeyblog.org/archives/196-Interesting-Pattern-in-Storm-Worm-Traffic.html
For these plots, I analyzed the binaries in NetFlow data, converted it to CSV files and did some data mining on these files with the commercial tool 'SPSS Clementine'.
Graph of ten minutes of iptables logs, showing 8000 events. It was generated with the not-yet-released Picviz (http://sourceforge.net/projects/picviz/) program.
Russ McRee wrote an article for the ISSA journal where he describes various security visualization approaches. SecViz is prominently featured, as well as a few tools, such as TNV, InetVis, and Rumint. The article also mentions DAVIX. You can read the article here.
In an older article, Russ talked about Argus – Auditing network activity. In that article, he mentions how to use AfterGlow for network traffic analysis.
At the end of June, during FIRST 2008, Peter Wood and Ben Chai interviewed me about my Applied Security Visualization talk and my book. I really like how the podcast turned out. Tune in!
Turning old Storm news into a celebration of the 4th of July, we applied a little AfterGlow magic to fireworks.pcap:
tcpdump -vttttnnelr /home/rmcree/pcap/fireworks.pcap | ./tcpdump2csv.pl "sip dip ttl" | perl ../graph/afterglow.pl -c /home/rmcree/afterglow/src/perl/graph/color.properties -p 2 | neato -Tgif -o fireworks.gif
and the results look just like the fireworks we hoped they would.
For the analysis of this Storm variant, fireworks.exe, and the resulting fireworks.pcap that lead to this visualization, see http://holisticinfosec.blogspot.com/2008/07/visualized-storm-fireworks-for-your-4th.html.
Happy 4th of July!
API Calls and Imported Symbols of Nepenthes Download Binary Files
The goal of this graph is to show the api calls and the imported symbols used by malware files collected by Nepenthes.
To extract this information I reuse a file from Jan Goebel's Amun project.
I've added some regex to detect imported symbols.
Source Code:
"""
Jaime Blasco - jaime.blasco[at]aitsec.com
Thanks to Jan Goebel
[Amun - low interaction honeypot]
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, see
"""
import sys
import os
import re
def start(content, name):
### api
checksbin = {}
checksbin['listen'] = re.compile('\\xa4\\xad\\x2e\\xe9', re.S|re.I)
checksbin['bind'] = re.compile('\\xa4\\x1a\\x70\\xc7', re.S|re.I)
checksbin['closeSocket'] = re.compile('\\xe7\\x79\\xc6\\x79', re.S|re.I)
checksbin['accept'] = re.compile('\\xe5\\x49\\x86\\x49', re.S|re.I)
checksbin['LoadLibraryA'] = re.compile('\\x8e\\x4e\\x0e\\xec', re.S|re.I)
checksbin['WSASocketA'] = re.compile('\\xd9\\x09\\xf5\\xad', re.S|re.I)
checksbin['WSAStartup'] = re.compile('\\xCB\\xED\\xFC\\x3B', re.S|re.I)
checksbin['ExitProcess'] = re.compile('\\x7e\\xd8\\xe2\\x73', re.S|re.I)
checksbin['CreateProcessA'] = re.compile('\\x72\\xfe\\xb3\\x16', re.S|re.I)
checksbin['WaitForSingleObject'] = re.compile('\\xad\\xd9\\x05\\xce', re.S|re.I)
checksbin['system'] = re.compile('\\x44\\x80\\xc2\\x77', re.S|re.I)
checksbin['SetStdHandle'] = re.compile('\\x1d\\x20\\xe8\\x77', re.S|re.I)
checksbin['GetProcAddress'] = re.compile('\\xcc\\x10\\xbe\\x77', re.S|re.I)
checksbin['URLDownloadToFileA'] = re.compile('\\x36\\x1a\\x2f\\x70', re.S|re.I)
checksbin['connect'] = re.compile('\\xec\\xf9\\xaa\\x60', re.S|re.I)
checksbin['socket'] = re.compile('\\x6e\\x0b\\x2f\\x49', re.S|re.I)
checksbin['socket2'] = re.compile('\\x83\\x53\\x83\\x00', re.S|re.I)
checksbin['send'] = re.compile('\\xa4\\x19\\x70\\xe9', re.S|re.I)
checksbin['receive'] = re.compile('\\xb6\\x19\\x18\\xe7', re.S|re.I)
checksbin['WinExec'] = re.compile('\\x98\\xfe\\x8a\\x0e', re.S|re.I)
checksbin['WriteFile'] = re.compile('\\x1f\\x79\\x0a\\e8', re.S|re.I)
checksbin['Unknown (sign for correct decryption)'] = re.compile('\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5F', re.S|re.I)
### plain
checksplain = {}
checksplain['possible windows cmd'] = re.compile('\\x63\\x6d\\x64', re.S|re.I)
checksplain['http address'] = re.compile('\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f', re.S|re.I)
checksplain['ftp address'] = re.compile('\\x66\\x74\\x70\\x3a\\x2f\\x2f', re.S|re.I)
checksplain['tftp.exe'] = re.compile('\\x74\\x66\\x74\\x70\\x2e\\x65\\x78\\x65', re.S|re.I)
checksplain['WSAStartup'] = re.compile('\\x57\\x53\\x41\\x53\\x74\\x61\\x72\\x74\\x75\\x70', re.S|re.I)
checksplain['WSASocketA'] = re.compile('\\x57\\x53\\x41\\x53\\x6f\\x63\\x6b\\x65\\x74\\x41', re.S|re.I)
checksplain['GetProcAddress'] = re.compile('\\x47\\x65\\x74\\x50\\x72\\x6f\\x63\\x41\\x64\\x64\\x72\\x65\\x73\\x73',re.S|re.I)
checksplain['CreateProcessA'] = re.compile('\\x43\\x72\\x65\\x61\\x74\\x65\\x50\\x72\\x6f\\x63\\x65\\x73\\x73\\x41', re.S|re.I)
checksplain['CreateFileA'] = re.compile('\\x43\\x72\\x65\\x61\\x74\\x65\\x46\\x69\\x6c\\x65\\x41', re.S|re.I)
### plain imported symbols
checksplainimport = {}
checksplainimport['kernel32'] = re.compile('\\x6b\\x65\\x72\\x6e\\x65\\x6c\\x33\\x32',re.S|re.I)
checksplainimport['USER32'] = re.compile('\\x55\\x53\\x45\\x52\\x33\\x32',re.S|re.I)
checksplainimport['MSVCR80'] = re.compile('\\x4d\\x53\\x56\\x43\\x52\\x38\\x30',re.S|re.I)
checksplainimport['ws2_32'] = re.compile('\\x77\\x73\\x32\\x5f\\x33\\x32',re.S|re.I)
checksplainimport['shell32'] = re.compile('\\x73\\x68\\x65\\x6c\\x6c\\x33\\x32',re.S|re.I)
checksplainimport['gdi32'] = re.compile('\\x67\\x64\\x69\\x33\\x32',re.S|re.I)
checksplainimport['oleaut32'] = re.compile('\\x6f\\x6c\\x65\\x61\\x75\\x74\\x33\\x32',re.S|re.I)
checksplainimport['advapi32'] = re.compile('\\x61\\x64\\x76\\x61\\x70\\x69\\x33\\x32',re.S|re.I)
checksplainimport['COMCTL32'] = re.compile('\\x43\\x4f\\x4d\\x43\\x54\\x4c\\x33\\x32',re.S|re.I)
checksplainimport['wsock32'] = re.compile('\\x77\\x73\\x6f\\x63\\x6b\\x33\\x32',re.S|re.I)
checksplainimport['URLMON'] = re.compile('\\x55\\x52\\x4c\\x4d\\x4f\\x4e',re.S|re.I)
checksplainimport['msvcrt'] = re.compile('\\x6d\\x73\\x76\\x63\\x72\\x74',re.S|re.I)
checksplainimport['CRTDLL'] = re.compile('\\x43\\x52\\x54\\x44\\x4c\\x4c',re.S|re.I)
checksplainimport['WININET'] = re.compile('\\x57\\x49\\x4e\\x49\\x4e\\x45\\x54',re.S|re.I)
checksplainimport['ntdll'] = re.compile('\\x6e\\x74\\x64\\x6c\\x6c',re.S|re.I)
keys = checksplain.keys()
for key in keys:
match = checksplain[key].search(content)
if match:
print name + "," + key + ",2"
keys = checksbin.keys()
for key in keys:
match = checksbin[key].search(content)
if match:
print name + "," + key + ",2"
keys = checksplainimport.keys()
for key in keys:
match = checksplainimport[key].search(content)
if match:
print name + "," + key + ",1"
if __name__ == '__main__':
list = os.listdir("binaries/")
for filename in list:
if os.path.exists("binaries/" + filename):
fp = open("binaries/" + filename, 'r')
content = "".join(fp.readlines())
fp.close()
start(content, filename)
The CSV file looks like:
...
50c0c0fa44ed9e09bbe9558c61e22006,http address,2
50c0c0fa44ed9e09bbe9558c61e22006,gdi32,1
50c0c0fa44ed9e09bbe9558c61e22006,kernel32,1
50c0c0fa44ed9e09bbe9558c61e22006,ws2_32,1
50c0c0fa44ed9e09bbe9558c61e22006,oleaut32,1
50c0c0fa44ed9e09bbe9558c61e22006,USER32,1
50c0c0fa44ed9e09bbe9558c61e22006,shell32,1
50c0c0fa44ed9e09bbe9558c61e22006,advapi32,1
849c5ae144ed43741d1c2eb4d0cd552a,possible windows cmd,2
849c5ae144ed43741d1c2eb4d0cd552a,CreateProcessA,2
849c5ae144ed43741d1c2eb4d0cd552a,kernel32,1
849c5ae144ed43741d1c2eb4d0cd552a,MSVCR80,1
...
...
1: Imported Symbol
2: API call
And the color.properties file to generate the graph with AfterGlow:
color.target="lightblue" if ($fields[2]==2)
color.target="green" if ($fields[2]==1)
color.source="red"
I taught a workshop in Vancouver at the FIRST 2008 conference. I put the slides for the talk about Applied Security Visualization online. It covers parts of the book on the same topic. The outline of the talk looks as follows:
The podcast discussing the presentation.
With several binaries collected by Nepenthes I have correlated the imported symbols with the Python module pefile and generated an interesting graph.
CSV:
...
...
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
...
...
Regards
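Beyond drawing the md5 -> DLL graph, the same two-column CSV supports a simple triage step: compare samples by their import sets and list the DLLs that only one or two samples pull in. The following is an added example, not part of the post above and not pefile's own code; it assumes the md5,DLL layout shown above and uses the posted rows as constructed input, so no binaries or pefile install are needed to run it.

```python
import csv
from collections import defaultdict
from io import StringIO
from itertools import combinations

# Constructed from the md5,DLL rows shown above (pefile output layout).
SAMPLE_CSV = """\
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
"""


def import_sets(text):
    """md5 -> set of imported DLL names; names are upper-cased because the
    import directory of one packer may say kernel32.dll and another KERNEL32.DLL."""
    sets = defaultdict(set)
    for row in csv.reader(StringIO(text)):
        if len(row) != 2:
            continue  # skip blank lines and the '...' markers
        md5, dll = row[0].strip().lower(), row[1].strip().upper()
        sets[md5].add(dll)
    return dict(sets)


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as not similar."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def dll_prevalence(sets):
    """How many samples import each DLL; KERNEL32 is everywhere, MPR is not."""
    counts = defaultdict(int)
    for dlls in sets.values():
        for dll in dlls:
            counts[dll] += 1
    return dict(counts)


def similar_pairs(sets, threshold=0.5):
    """Sample pairs whose import sets overlap at or above threshold (Jaccard)."""
    pairs = []
    for x, y in combinations(sorted(sets), 2):
        score = jaccard(sets[x], sets[y])
        if score >= threshold:
            pairs.append((x, y, score))
    return pairs


def rare_imports(sets, max_samples=1):
    """DLLs imported by at most max_samples samples, with the samples using them."""
    prevalence = dll_prevalence(sets)
    return {
        dll: sorted(md5 for md5, dlls in sets.items() if dll in dlls)
        for dll, n in prevalence.items()
        if n <= max_samples
    }


if __name__ == "__main__":
    sets = import_sets(SAMPLE_CSV)
    for x, y, score in similar_pairs(sets, threshold=0.5):
        print("%s ~ %s (%.2f)" % (x[:8], y[:8], score))
    for dll, samples in sorted(rare_imports(sets).items()):
        print("%-14s only in %s" % (dll, ", ".join(s[:8] for s in samples)))
```

With real corpora the DLL list is a coarse signal (most samples import KERNEL32 and USER32), so the pairs that reach a high score are usually repacks of the same family; the rare-import list is where a networking or RAS library like MPR.DLL stands out.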
VizSEC 2008 Workshop on Visualization for Cyber Security
http://vizsec.org/workshop2008/
September 15, 2008 / Cambridge, MA USA
In conjunction with RAID 2008
Submission deadlines:
Poster and Demo submissions - July 18, 2008
VizSec is accepting submissions (2 page abstract) for posters and demonstrations. Poster and Demo abstracts will be made available on the VizSec web site.
Posters
Posters can be used to describe work in progress or updates to previously published VizSec research or R&D. Poster submissions should consist of a 2 page abstract. Posters will be presented at the VizSec/RAID reception. Abstracts will be made available on the web site.
Demos
Demonstrations can be used to show new or updated development efforts. Demo submissions should consist of a 2 page abstract. Demonstrations will take place at the VizSec/RAID reception. (You will need to bring a laptop for demos.) Abstracts will be made available on the web site.
This file is the result of correlating data from Nepenthes, ip2country and ClamAV; the process is described in the paper
An approach to malware collection log visualization by Jaime Blasco
Regards
I have just published an article related to malware collection log visualization.
The paper focuses on visualization of Nepenthes logs using AfterGlow. In the paper you can find information about correlating IPs with countries and binary files with ClamAV signatures, with the goal of generating interesting graphs.
You can get it at
An approach to malware collection log visualization
Regards
You may have noticed a page on secviz.org called DAVIX. DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas in August 2008.
We have prepared the second beta version of DAVIX. Raffael and I are now seeking beta testers who have the time to test DAVIX and answer the questionnaire that comes along with the beta version.
All completely filled-out questionnaires received by me by Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy's upcoming book Applied Security Visualization. Legal recourse is excluded.
If you want to participate in the beta test please contact: jan.monsch ät iplosion.com