Proceedings of the 2007 IEEE
Workshop on Information Assurance
United States Military Academy, West Point, NY 20-22 June 2007
PANEMOTO: Network Visualization of Security
Situational Awareness Through Passive Analysis
William Streilein, Kendra Kratkiewicz, Michael Sikorski, Keith Piwowarski, Seth Webster
Massachusetts Institute of Technology, Lincoln Laboratory
Abstract--To maintain effective security situational awareness, administrators require tools that present up-to-date information on the state of the network in the form of ‘at-a-glance’ displays, and that enable rapid assessment and investigation of relevant security concerns through drill-down analysis capability. In this paper, we present a passive network monitoring tool we have developed to address these important requirements, known as Panemoto (Passive Network Monitoring Tool). We show how Panemoto enumerates, describes, and characterizes all network components, including devices and connected networks, and delivers an accurate representation of the function of devices and logical connectivity of networks. We provide examples of Panemoto’s output in which the network information is presented in two distinct but related formats: as a clickable network diagram (through the use of NetViz, a commercially available graphical display environment) and as statically-linked HTML pages, viewable in any standard web browser. Together, these presentation techniques enable a more complete understanding of the security situation of the network than each does individually.

Index Terms—Computer network security, computer networks, local area networks, visualization
I. INTRODUCTION

Today’s security administrators face the difficult task of maintaining and protecting enterprise computer networks that are constantly changing and are under continuous attack from a growing number of sophisticated hackers. To maintain effective security situational awareness [1], administrators require tools that present up-to-date information on the state of the network in the form of ‘at-a-glance’ displays, and that enable rapid assessment and investigation of relevant security concerns through drill-down analysis capability [2].

To address these important requirements, we have developed a passive network monitoring tool known as Panemoto (Passive Network Monitoring Tool). Panemoto avoids common pitfalls of active network mapping [3, 4], relying solely on passively captured network traffic to build an annotated visual representation of a computer network. It enumerates, describes, and characterizes all network components, including devices and connected networks, and delivers an accurate representation of the function of devices and logical connectivity of networks. Panemoto presents the network information in two distinct, but related formats: as a clickable network diagram (through the use of NetViz [5], a commercially available graphical display environment) and as statically-linked HTML pages, viewable in any standard web browser. Together, these presentation techniques enable a more complete understanding of the security situation of the network than each does individually.

Manuscript received March 8, 2007. This work is sponsored by the Department of Defense under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.
The contributions of this paper are twofold. First, this
paper presents a novel network visualization tool that
provides both ‘at-a-glance’ displays and drill-down analysis
capability. Second, the paper demonstrates that information
sufficient to maintaining security situational awareness for
a network can be discovered through passive methods. To
the authors’ knowledge, Panemoto is the first tool of its
kind to demonstrate these capabilities.
Section II of this paper reviews current research into the
uses of passive network monitoring for network
visualization. Section III briefly summarizes Panemoto,
discussing the goals behind the tool and the overall
architecture of the implementation. Section IV presents
screen shots of the current generation of the tool’s network
visualizations, while section V argues for the use of passive
network mapping and makes suggestions for follow-on
work.
II. BACKGROUND
Many analysis and visualization tools are available to
the network administrator and security analyst today.
These tools range from outputting simple lists of hosts and
attributes to providing more complicated, interactive
displays of real-time connections. While many tools are
active in nature, for example probing for the existence of
devices and presence of applications, researchers are
discovering the benefits of passive network monitoring as
an alternate way to understand the current state of a
network and to stay abreast of the associated security issues
[6].
Ethereal [7], tcpdump [8], and Ntop [9] are popular choices for tasks such as packet breakout and simple statistical analysis. Ethereal and tcpdump provide network administrators the ability to view actual traffic through header field break-out displays. User-defined traffic filters support basic analysis and understanding of traffic and flow rates on their networks. Ethereal also provides session reconstruction for individual sessions of interest. Ntop enumerates individual devices on the network, performs operating system identification, and provides traffic rate characterization. Visualization of the original data and summary statistics through Ntop is supported through HTML pages and dynamically-prepared pie charts.

Some security tools enable administrators to enumerate devices on a network and to discern the operating systems and applications running on them. Active mapping tools such as NMAP [10], Cheops [11], and DSniff [12], as well as passive tools such as p0f [13] and siphon [14], can provide operating system and application identification to the user. Presentation of the information discerned typically takes the form of textual read-out with minimal or no graphical display.

It is our intention with Panemoto to bring together into a single analysis tool the individual capabilities of device enumeration, operating system and application identification, and traffic rate characterization. While the tools mentioned above lack sophisticated information visualization capability, we recognize the value of the analysis and mapping techniques each has to offer. We strive to incorporate similar capabilities into Panemoto while introducing our own enhanced capabilities for complete visualization of the enterprise network.

The goals of Panemoto are to:
• Develop a complete picture of the network under observation by enumerating all network components and attached networks
• Present both a graphical display of the network state, supporting at-a-glance assessment, and a list-oriented enumeration of the network components for more in-depth investigation
• Use passive methods to gather information about the network
• Allow for introduction of supplemental network information and functionality extensions through a plug-in architecture

III. VISUALIZATION AND ANALYSIS METHODOLOGY

Underlying the goal of providing a complete understanding of a computer network are three important capabilities:
1. enumeration of the network components
2. description of the enumerated components in terms of relevant TCP/IP attributes
3. characterization of the enumerated components by quantifying network behavior and traffic rate

To support the enumeration, description, and characterization of network devices and connectivity, Panemoto’s analysis methodology focuses on three levels of analysis: packet, session, and episodic. These analysis capabilities build upon common passive mapping techniques, such as described in [6], with the addition of several novel identification algorithms [15].

Table I
LIST OF PROTOCOLS ANALYZED BY PANEMOTO

PROTOCOL            INFORMATION RETRIEVED
ARP                 IP to MAC address mapping
BROWSER             Microsoft network devices, servers, services, names
DHCP                Network configuration: net/mask, router IP, time server
DNS                 DNS servers, remote domain names
LPD, CUPS           Printer identification
NBNS, NetBIOS       Machine names/IP addresses
NETLOGON            User/machine names
RIPv1, RIPv2        Network connectivity, router IPs
SRVSVC              Microsoft shares and services offered
STP                 Switch identification (sender and root switch)
WHO                 Usernames/IP addresses
SNMP                Interfaces, system description
IEEE 802.11         Wireless access points
BGP4, OSPF, EIGRP   Internet routing, AS mappings
HTTP                HTTP server ID, client OS
POP, IMAP, SMTP     Mail server identification, mail path

At the packet level, analysis uncovers information about the network from individual packets. For example, an individual DHCP ACK packet can contain information about the local network number and mask, the default gateway, DNS server, and, of course, the assigned IP address for the destination host. At this level, every packet seen by Panemoto can provide information for the emerging visualization. Table I provides a list of the protocols that Panemoto analyzes and what is learned from each.

At the session level, analysis gathers information from reconstructed conversations between two machines. Information about relationships between machines can be understood. Panemoto makes use of NetTracker, a tool developed at MIT-LL to reconstruct TCP, UDP, and ICMP sessions.
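The packet-level analysis described above, worked through for the DHCP row of Table I, as an added example that is not Panemoto's code: a parser that takes the raw bytes of a single DHCP ACK and returns the network number and mask, the router, the DNS servers, the time server (NTP, option 42) and the address assigned to the client. The BOOTP layout and option codes are from RFC 2131/2132; the sample packet is constructed inline, not a capture, and the handling of a truncated option area (stop quietly rather than raise) is a design choice of this example.

```python
import ipaddress
import struct

# DHCP option codes (RFC 2132) that carry the Table I information.
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_NTP, OPT_MSG_TYPE, OPT_END = 42, 53, 255
DHCP_ACK = 5
BOOTREPLY = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236          # fixed BOOTP header precedes the magic cookie


def _ip_list(body):
    """Decode an option body holding one or more IPv4 addresses."""
    if len(body) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]


def parse_dhcp_options(area):
    """Walk the TLV option area into {code: body}. PAD is skipped, END stops the walk,
    and a truncated option (length byte or body missing) ends parsing without raising."""
    opts, i = {}, 0
    while i < len(area):
        code = area[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(area):          # no room for a length byte
            break
        length = area[i + 1]
        body = area[i + 2:i + 2 + length]
        if len(body) < length:          # option body cut off
            break
        opts[code] = body
        i += 2 + length
    return opts


def learn_from_dhcp_ack(packet):
    """Packet-level analysis of one DHCP ACK: returns the network facts it reveals,
    or None if the bytes are not a DHCP ACK."""
    if len(packet) < BOOTP_FIXED_LEN + 4:
        return None
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops = struct.unpack_from("!BBBB", packet, 0)
    if op != BOOTREPLY:
        return None
    opts = parse_dhcp_options(packet[BOOTP_FIXED_LEN + 4:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
        return None
    yiaddr = ipaddress.IPv4Address(packet[16:20])          # address assigned to the client
    info = {"assigned_ip": str(yiaddr), "client_mac": packet[28:28 + hlen].hex(":")}
    if OPT_SUBNET_MASK in opts:
        mask = str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK]))
        info["network"] = str(ipaddress.IPv4Network((yiaddr, mask), strict=False))
    for code, key in ((OPT_ROUTER, "routers"), (OPT_DNS, "dns_servers"), (OPT_NTP, "time_servers")):
        if code in opts:
            info[key] = _ip_list(opts[code])
    return info


def build_sample_ack():
    """Constructed DHCP ACK (not a capture): client gets 10.1.5.20/24, router .1,
    DNS .53 and .54, NTP time server .123."""
    hdr = bytearray(BOOTP_FIXED_LEN)
    hdr[0], hdr[1], hdr[2] = BOOTREPLY, 1, 6                 # op, htype=Ethernet, hlen=6
    hdr[16:20] = ipaddress.IPv4Address("10.1.5.20").packed   # yiaddr
    hdr[28:34] = bytes.fromhex("0011223344aa")               # chaddr
    ip = lambda s: ipaddress.IPv4Address(s).packed
    opt = lambda code, body: bytes([code, len(body)]) + body
    options = (opt(OPT_MSG_TYPE, bytes([DHCP_ACK]))
               + opt(OPT_SUBNET_MASK, ip("255.255.255.0"))
               + opt(OPT_ROUTER, ip("10.1.5.1"))
               + opt(OPT_DNS, ip("10.1.5.53") + ip("10.1.5.54"))
               + opt(OPT_NTP, ip("10.1.5.123"))
               + bytes([OPT_END]))
    return bytes(hdr) + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(learn_from_dhcp_ack(build_sample_ack()))
```

One ACK is enough to place the client on a network, name its gateway and resolvers, and tie its MAC to an IP, which is why a single packet can already update the emerging picture.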
Episodic analysis, which can span protocols and sessions, provides a higher-level understanding of a network’s structure and behavior. This capability can be used to recognize network events that cannot be perceived within packet analysis or session analysis alone. For example, it is nearly impossible to detect the rebooting of a Windows machine in a single packet or session, but it can be seen through the recognition of a sequence of specific packets (e.g. three gratuitous ARPs). Event recognition lends a temporal context to the network data that can be very useful to an administrator wishing to understand a network beyond simply how it’s put together, and into how it behaves temporally. Episodic analysis also supports larger, time-domain descriptions of general network characteristics such as packet flows, amount of traffic sent, etc. This analysis permits characterization of server machines by connection rates, and network links by traffic rates.

IV. VISUALIZING NETWORK STATE VIA NETVIZ AND HTML

Panemoto produces its output in a format that can be imported and viewed by the NetViz visualization program. This interface presents a display of the connectivity of subnets and gateways learned via passive monitoring. An example of this display, shown in Fig. 1, illustrates the distinction made between local networks (green clouds) and remote networks (gray clouds). In this example, an intervening gateway provides connectivity for the network.

An important capability for network administrators is the ability to understand how connections flow through the network [16]. Panemoto analyzes all the TCP, UDP, and ICMP connections seen in the network traffic and produces a simple display using Graphviz [17] that shows source and destination nodes, port of connection, and number of connections made during the observation period.

Fig. 1. Top-level connectivity view via NetViz

Selecting and clicking through a network icon in NetViz brings the user to the local network view, shown in Fig. 2, where individual devices are presented. Selecting a device reveals a list-oriented description of that device. Devices are arranged on the screen according to their determined functions: routers are at the top, servers are at the bottom, and normal hosts are presented on either side of the blue network line.

Fig. 2. Local network view, showing individual devices

The at-a-glance information presented through the NetViz interface is also prepared in HTML table format, as in Fig. 3, where embedded links enable navigation around the data. Other tables presented in HTML format include networks, hosts, routers, servers, switches, domains, interfaces, connections, ASes, and any server and client applications that have been identified on hosts.

Fig. 3. HTML table of devices on local network

Fig. 4. Connection map of hosts communicating
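The episodic level of Section III, a Windows reboot recognized as a burst of three gratuitous ARPs, worked through as an added example that is not Panemoto's code. A gratuitous ARP is identified the standard way (the sender announces its own address, so sender and target IP are equal); the rule that three of them from one MAC constitute a reboot is the paper's, while the five-second window that bounds "a sequence" is an assumption of this example, as is the packet record type. The sample timeline is constructed, not a capture.

```python
from collections import defaultdict, deque, namedtuple

# Minimal ARP record for this example (assumed shape, not Panemoto's).
ArpPacket = namedtuple("ArpPacket", "ts src_mac sender_ip target_ip")


def is_gratuitous(p):
    """A gratuitous ARP announces the sender's own IP: sender and target address are equal."""
    return p.sender_ip == p.target_ip


class RebootDetector:
    """Episodic plug-in: `count` gratuitous ARPs from one MAC within `window` seconds are
    reported as one reboot event. count=3 follows the paper; the window is our assumption."""

    def __init__(self, count=3, window=5.0):
        self.count, self.window = count, window
        self.recent = defaultdict(deque)     # mac -> timestamps of recent announcements
        self.events = []

    def observe(self, p):
        """Feed one packet in time order; returns an event dict when a burst completes."""
        if not is_gratuitous(p):
            return None
        q = self.recent[p.src_mac]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:   # drop announcements outside the window
            q.popleft()
        if len(q) < self.count:
            return None
        event = {"event": "reboot", "host": p.sender_ip, "mac": p.src_mac,
                 "first": q[0], "last": p.ts}
        q.clear()                                # consume the burst: no second event for a 4th ARP
        self.events.append(event)
        return event


def detect_reboots(packets, **kwargs):
    """Run the detector over a whole capture (sorted by time) and return the events found."""
    det = RebootDetector(**kwargs)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        det.observe(p)
    return det.events


# Constructed timeline: host .20 announces itself three times in under two seconds (a reboot),
# host .21 sends one ordinary request and then three announcements spread over minutes (not one).
SAMPLE = [
    ArpPacket(0.0, "00:11:22:33:44:aa", "10.1.5.20", "10.1.5.20"),
    ArpPacket(0.9, "00:11:22:33:44:aa", "10.1.5.20", "10.1.5.20"),
    ArpPacket(1.1, "00:11:22:33:44:bb", "10.1.5.21", "10.1.5.1"),
    ArpPacket(1.8, "00:11:22:33:44:aa", "10.1.5.20", "10.1.5.20"),
    ArpPacket(60.0, "00:11:22:33:44:bb", "10.1.5.21", "10.1.5.21"),
    ArpPacket(130.0, "00:11:22:33:44:bb", "10.1.5.21", "10.1.5.21"),
    ArpPacket(200.0, "00:11:22:33:44:bb", "10.1.5.21", "10.1.5.21"),
]

if __name__ == "__main__":
    for ev in detect_reboots(SAMPLE):
        print(ev)
```

Neither packet-level nor session-level analysis could label any single one of these ARPs as a reboot; the event only exists once the detector keeps per-host state across packets, which is what the episodic level adds.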
While a view such as that shown in Fig. 4 can become unwieldy if a large number of hosts are communicating, Panemoto also produces individual connection maps for each of the hosts seen, as in Fig. 5.

In the connection diagram, individual connections are indicated by directed arrows from client to server and are color-coded according to the state of the port at the time of the connection: green means “open,” red means “closed,” and yellow means “restricted.” Using the individual connection diagrams drawn by Panemoto, it becomes a simple task to understand who is talking to whom and how frequently. In Fig. 5, host 200.1.101.16 has been seen making five (5) connections on UDP port 735 to host 200.1.101.15. This connection display is particularly useful for tracking active open ports on machines to find unwanted servers.

Fig. 6. Visualization of changes through NetViz
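The connection maps of Fig. 4 and Fig. 5, as an added example that is not Panemoto's code: reconstructed sessions are collapsed into (client, server, protocol, port, port state) edges with a count, a per-host view is cut out of the whole map, and the result is emitted as Graphviz DOT with the paper's color coding (green open, red closed, yellow restricted). The session record type and the sample sessions (including the five UDP/735 connections from 200.1.101.16 to 200.1.101.15 quoted above) are constructed for this example; an extra helper lists the open ports seen per server, the "unwanted servers" check the text mentions.

```python
from collections import Counter, namedtuple

# One reconstructed session (assumed shape); state is the port state seen at connect time.
Session = namedtuple("Session", "client server proto port state")
COLOR = {"open": "green", "closed": "red", "restricted": "yellow"}


def aggregate(sessions):
    """Collapse sessions into edges: identical (client, server, proto, port, state) -> count."""
    return Counter(sessions)


def host_view(edges, host):
    """Edges in which `host` is either the client or the server (one host's map, as in Fig. 5)."""
    return {e: n for e, n in edges.items() if host in (e.client, e.server)}


def open_ports(edges):
    """Server -> set of (proto, port) that accepted connections during the observation period."""
    listening = {}
    for e in edges:
        if e.state == "open":
            listening.setdefault(e.server, set()).add((e.proto, e.port))
    return listening


def to_dot(edges, name="connections"):
    """Render edges as a Graphviz digraph: arrow client -> server, label proto/port x count."""
    lines = [f'digraph "{name}" {{', "  rankdir=LR;"]
    for e, n in sorted(edges.items()):
        color = COLOR.get(e.state, "black")
        lines.append(f'  "{e.client}" -> "{e.server}" '
                     f'[label="{e.proto}/{e.port} x{n}", color={color}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sessions, not a capture.
SAMPLE_SESSIONS = (
    [Session("200.1.101.16", "200.1.101.15", "UDP", 735, "open")] * 5
    + [Session("200.1.101.22", "200.1.101.15", "TCP", 445, "closed"),
       Session("200.1.101.22", "200.1.101.40", "TCP", 22, "restricted")]
)

if __name__ == "__main__":
    edges = aggregate(SAMPLE_SESSIONS)
    print(to_dot(host_view(edges, "200.1.101.16"), name="200.1.101.16"))
    print(open_ports(edges))
```

Feeding the DOT text to `dot -Tpng` gives the per-host picture; `open_ports` is the tabular form of the same data for reviewing which machines are actually serving.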
Fig. 5. Individual host connection map for 200.1.101.16

A. Change Detection

By comparing current network state information to previously stored information, Panemoto can detect potentially anomalous changes to the network configuration. This capability can alert administrators to dynamic changes in the network environment. As seen in Fig. 6, Panemoto recognizes devices and networks that are new, missing, or changed, and displays them in different colors depending on their status: new devices are shown in blue, missing devices in grey, and changed devices in yellow. A field on the left of the screen indicates what about the object has changed. In this case, an operating system has changed from Windows 5.0 (2000) to Windows 5.1 (XP). This visual illustration of changes provides a simple mechanism to convey changes in the network to the user.

V. ACTIVE AND PASSIVE ANALYSIS

Other researchers have compared and contrasted the relative merits of active and passive network mapping and analysis [18, 19, 20]. In general, the two techniques complement each other. Active analysis enables specific, on-demand polling of devices for vulnerable ports, but can miss information for which there are no specific probes. Passive analysis, on the other hand, is able to see any devices that are transmitting on the network and can provide a more accurate picture of the network in real time. However, passive analysis must wait for the devices to communicate and may never see traffic from some devices on a network in which traffic is segmented, as in a switched environment.

Passive analysis supports the detection of other types of network problems that are difficult, if not impossible, for active systems to detect. For instance, because passive analysis tools are not forced to follow a scripted survey of the network components, they can recognize devices and networks that aren’t supposed to be there. Passive analysis can be used to recognize hosts that have been misconfigured with the incorrect IP network and mask settings. Traffic from these hosts is seen to contain invalid source IP addresses and inappropriate destination broadcast addresses. Passive analysis tools can also recognize when the network architecture is not operating efficiently, such as when the wrong router has been configured on a host. In this case, the presence of ICMP redirect messages indicates a faulty configuration. These three examples describe actual situations discovered on the authors’ network that would not have been discovered through active scanning.

Realizing that passive scanning may miss some devices on the network, information supplemental to that gleaned from the raw network data can be provided to Panemoto through a flat text file. In this way, network administrators can inform Panemoto of devices that for one reason or another aren’t seen in raw network data and thus aren’t part of Panemoto’s catalog of devices. Panemoto also supports a plug-in architecture that enables users and/or contributors to add to its analysis capabilities at the packet, session, and episodic levels.
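The change detection of Section IV.A and the supplemental flat text file described just above, as one added example that is not Panemoto's code. Two device catalogs keyed by IP are compared to classify each device as new (blue), missing (grey) or changed (yellow) together with the fields that changed, using the paper's own case of an OS moving from Windows 5.0 (2000) to Windows 5.1 (XP); a second function reads administrator-supplied devices and merges them into the catalog without overriding anything seen on the wire. The catalog layout, the flat-file format (one device per line: IP, MAC, optional description; `#` comments) and the sample data are assumptions of this example, not Panemoto's formats.

```python
STATUS_COLOR = {"new": "blue", "missing": "grey", "changed": "yellow"}


def diff_inventory(previous, current):
    """Compare two catalogs {ip: {field: value}}. Returns {ip: {status, color, changed}} for
    every device that is new, missing, or has at least one differing field; unchanged
    devices are omitted so the report is only what an administrator needs to look at."""
    report = {}
    for ip in current.keys() - previous.keys():
        report[ip] = {"status": "new", "color": STATUS_COLOR["new"], "changed": {}}
    for ip in previous.keys() - current.keys():
        report[ip] = {"status": "missing", "color": STATUS_COLOR["missing"], "changed": {}}
    for ip in previous.keys() & current.keys():
        old, new = previous[ip], current[ip]
        delta = {f: (old.get(f), new.get(f))
                 for f in sorted(old.keys() | new.keys()) if old.get(f) != new.get(f)}
        if delta:
            report[ip] = {"status": "changed", "color": STATUS_COLOR["changed"], "changed": delta}
    return report


def load_supplemental(text):
    """Parse the assumed flat-file format: 'ip mac [description]' per line, '#' starts a comment."""
    devices = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected 'ip mac [description]', got {raw!r}")
        devices[parts[0]] = {"mac": parts[1].lower(),
                             "os": parts[2] if len(parts) > 2 else None,
                             "source": "supplemental"}
    return devices


def merge(passive, supplemental):
    """Build the full catalog: passively observed devices win; supplemental entries only fill
    in devices that never appeared in the raw traffic."""
    catalog = {ip: dict(attrs, source="passive") for ip, attrs in passive.items()}
    for ip, attrs in supplemental.items():
        catalog.setdefault(ip, attrs)
    return catalog


# Constructed snapshots, not real inventories.
PREVIOUS = {
    "200.1.101.15": {"mac": "00:0c:29:aa:bb:15", "os": "Windows 5.0 (2000)", "role": "server"},
    "200.1.101.16": {"mac": "00:0c:29:aa:bb:16", "os": "Linux 2.4", "role": "host"},
    "200.1.101.30": {"mac": "00:0c:29:aa:bb:30", "os": "Windows 5.0 (2000)", "role": "host"},
}
CURRENT = {
    "200.1.101.15": {"mac": "00:0c:29:aa:bb:15", "os": "Windows 5.1 (XP)", "role": "server"},
    "200.1.101.16": {"mac": "00:0c:29:aa:bb:16", "os": "Linux 2.4", "role": "host"},
    "200.1.101.40": {"mac": "00:0c:29:aa:bb:40", "os": "Linux 2.6", "role": "host"},
}
SUPPLEMENTAL = """\
# ip            mac                description   (constructed sample file)
200.1.101.99    00:0C:29:AA:BB:99  network printer, never transmits on this segment
"""

if __name__ == "__main__":
    for ip, entry in sorted(diff_inventory(PREVIOUS, CURRENT).items()):
        print(ip, entry["status"], entry["color"], entry["changed"])
    print(sorted(merge(CURRENT, load_supplemental(SUPPLEMENTAL))))
```

Keeping the diff limited to devices that actually differ is what makes the colored display readable on a large network; a device present in both snapshots with identical attributes produces no entry at all.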
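The three misconfigurations Section V says passive analysis can catch (a host on the wrong IP network, a host broadcasting to the wrong broadcast address, and a host using the wrong router as revealed by ICMP redirects), worked through as an added example that is not Panemoto's code. It audits frames captured on one local segment against the network number and mask already learned (for instance from DHCP, as in Table I) and the router's MAC (learned from ARP). The frame record type, the finding names and the sample frames are constructed for this example; the rule that a non-router MAC sourcing a non-local IP address marks a misconfigured host is an assumption that holds only for frames captured on that segment.

```python
import ipaddress
from collections import namedtuple

# One captured frame on the local segment (assumed shape, not a pcap record).
Frame = namedtuple("Frame", "src_mac src_ip dst_ip link_bcast icmp_type")
ICMP_REDIRECT = 5


def audit_segment(frames, local_net, router_mac):
    """Return one finding per (kind, host) for hosts whose traffic contradicts the learned
    network: wrong-network (foreign source address from a local NIC), wrong-mask (broadcast
    sent to another network's broadcast address) and wrong-router (router had to redirect)."""
    net = ipaddress.ip_network(local_net)
    valid_bcast = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    findings, seen = [], set()

    def add(kind, host, detail):
        if (kind, host) not in seen:          # report each problem once per host
            seen.add((kind, host))
            findings.append({"kind": kind, "host": host, "detail": detail})

    for f in frames:
        src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
        # A local NIC (not the router) sourcing a packet from outside the local network.
        if f.src_mac != router_mac and src not in net and not src.is_unspecified:
            add("wrong-network", f.src_ip, f"{f.src_mac} sends from {src}, not in {net}")
        # Link-layer broadcast whose IP destination is not this network's broadcast address.
        if f.link_bcast and dst not in valid_bcast:
            add("wrong-mask", f.src_ip, f"broadcast to {dst}, expected {net.broadcast_address}")
        # The router redirecting a host means that host is sending it traffic it should not.
        if f.icmp_type == ICMP_REDIRECT and f.src_mac == router_mac:
            add("wrong-router", f.dst_ip, f"router {src} sent ICMP redirect to {dst}")
    return findings


# Constructed frames as seen on 10.1.5.0/24, not a capture.
ROUTER_MAC = "00:0c:29:00:00:01"
SAMPLE_FRAMES = [
    Frame("00:0c:29:aa:bb:20", "10.1.5.20", "10.1.5.53", False, None),      # normal local traffic
    Frame(ROUTER_MAC, "192.0.2.10", "10.1.5.20", False, None),               # router forwarding remote source: fine
    Frame("00:0c:29:aa:bb:77", "10.1.6.77", "10.1.5.53", False, None),      # local NIC with a foreign source address
    Frame("00:0c:29:aa:bb:77", "10.1.6.77", "10.1.6.255", True, None),      # same host, broadcast to the wrong address
    Frame("00:0c:29:aa:bb:30", "10.1.5.30", "10.1.5.255", True, None),      # correct directed broadcast
    Frame("00:0c:29:aa:bb:31", "0.0.0.0", "255.255.255.255", True, None),   # DHCP discover: unspecified source is fine
    Frame(ROUTER_MAC, "10.1.5.1", "10.1.5.40", False, ICMP_REDIRECT),       # router redirecting a host
]

if __name__ == "__main__":
    for finding in audit_segment(SAMPLE_FRAMES, "10.1.5.0/24", ROUTER_MAC):
        print(finding)
```

None of these hosts would answer a probe differently from a correctly configured one, which is the point of the paper's argument: the evidence is in what the hosts send on their own.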
VI. CONCLUSIONS
The future of passive analysis monitoring for network
state visualization is promising. As networks become more
dynamic, the need to stay on top of these changes in real
time and to address immediate security needs presents a
continuing challenge. We believe Panemoto addresses
these concerns and will continue to do so with a flexible
architecture supporting packet, session, and episodic
analysis plug-ins. The information found by Panemoto is
presented in a logical, informative, and actionable way that
permits at-a-glance understanding of network state and
drill-down investigation. An important area for future
research is the integration of Panemoto with vulnerability
assessment tools that automatically highlight specific
weaknesses in an enterprise network’s defenses.
Visualization of network information requires displaying
multiple levels of information including the enumeration of
devices and networks, description of how these devices
operate and interact with each other, and characterization of
these devices. These analyses enable assessment of the
most important components on the network to protect. We
believe Panemoto provides these capabilities.
APPENDIX A
Protocol Descriptions and References
ARP: Address Resolution Protocol, IETF RFC 826
BGP-4: Border Gateway Protocol, IETF RFC 4271
BROWSER: Microsoft Windows Browser Protocol, CIFS/E Browser Protocol, Network Working Group INTERNET-DRAFT, P. Leach and D. Naik, Microsoft, 1997
CUPS: Common Unix Printing System, http://www.cups.org
DHCP: Dynamic Host Configuration Protocol, IETF RFC 2131
DNS: Domain Name Service, IETF RFC 1035
EIGRP: Enhanced Interior Gateway Routing Protocol, http://www.cisco.com/warp/public/103/eigrp-toc.html
HTTP: Hypertext Transfer Protocol, IETF RFC 1945
IEEE 802.11: Wireless Local Area Network standards, http://standards.ieee.org/getieee802/802.11.html
IMAP: Internet Message Access Protocol, IETF RFC 3501
LPD: Line Printer Daemon protocol, IETF RFC 1179
NBNS: NetBIOS Name Service, IETF RFC 1002
NetBIOS: Network Basic Input/Output System, http://www.netbiosguide.com
NETLOGON: Microsoft Windows Logon Protocol, http://www.ethereal.com/docs/dfref/n/netlogon.html
OSPF: Open Shortest Path First, IETF RFC 2328
POP: Post Office Protocol, IETF RFC 1939
RIPv1: Routing Information Protocol, IETF RFC 1058
RIPv2: Routing Information Protocol Version 2, IETF RFC 2453
SRVSVC: Server Service Remote Protocol, www.ethereal.com/docs/dfref/s/srvsvc.html
SMTP: Simple Mail Transfer Protocol, IETF RFC 1123
SNMP: Simple Network Management Protocol, IETF RFC 1157
STP: Spanning Tree Protocol, IETF RFC 2674
WHO: www.ethereal.com/docs/dfref/w/who.html

REFERENCES
[1] R. Becker, S. Eick, and A. Wilks, “Visualizing Network Data,” IEEE Transactions on Visualization and Computer Graphics, 1(1), pp. 16-28, March 1995
[2] J. Goodall, A. Ozok, W. Lutters, P. Rheingans, and A. Komlodi, “A user-centered approach to visualizing network traffic for intrusion detection,” CHI ’05 Extended Abstracts on Human Factors in Computing Systems, April 2-7, 2005, Portland, OR, USA
[3] J. Kuntzelman, “Comparative Analysis of Active and Passive Mapping Techniques in an Internet-Based Local Area Network,” Master’s Thesis, Air Force Institute of Technology, Wright-Patterson AFB, OH, School of Engineering and Management, March 2004
[4] J. Nazario, “Passive system fingerprinting using network client applications,” Crimelabs Research, January 2001, http://www.windowsecurity.com/whitepapers/Passive_System_Fingerprinting_using_Network_Client_Applications.html
[5] NetViz: http://www.netviz.com
[6] A. Montigny-Leboeuf and F. Massicotte, “Passive Network Discovery for Real Time Situational Awareness,” RTO IST Symposium on Adaptive Defense in Unclassified Networks, Toulouse, France, April 19-20, 2004
[7] A. Orebaugh, G. Morris, E. Warnicke, and G. Ramirez, Ethereal, Syngress Publishing, February 2004, http://www.ethereal.com
[8] “Monitoring with TCPDUMP,” http://wwwiepm.slac.stanford.edu/monitoring/passive/tcpdump.html
[9] L. Deri and S. Suin, “Improving Network Security Using Ntop,” Proceedings of the Third International Workshop on the Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, October 2000, (http://www.ntop.org)
[10] NMAP, http://www.insecure.org/nmap
[11] Cheops, http://www.marko.net/cheops/
[12] Dsniff, http://www.monkey.org/~dugsong/dsniff
[13] M. Zalewski, “The new p0f: 2.0.8,” 2006, http://lcamtuf.coredump.cx/p0f.shtml
[14] The Subterrain Security Group: “Siphon Project,” 2000, http://siphon.datanerds.net
[15] R. Lippmann, D. Fried, K. Piwowarski, and W. Streilein, “Passive Operating System Identification Using TCP/IP Header Fields,” ICDM, May 2002
[16] X. Yin, W. Yurcik, M. Treaster, Y. Li, and K. Lakkaraju, “VisFlowConnect: netflow visualizations of link relationships for security situational awareness,” Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26-34, October 29, 2004, Washington, DC, USA
[17] E. Gansner and S. North, “An open graph visualization system and its applications to software engineering,” Software - Practice and Experience, 30(11), pp. 1203-1233, 2000
[18] S. Webster, R. Lippmann, and M. Zissman, “Experience Using Active and Passive Mapping for Network Situational Awareness,” Fifth IEEE International Symposium on Network Computing and Applications, July 2006
[19] B. Dayoglu and A. Ozgit, “Use of passive network mapping to enhance signature quality of misuse network intrusion detection systems,” 16th International Symposium on Computer and Information Sciences, November 2001
[20] R. Gula, R. Deraison, and T. Hayton, “Passive Vulnerability Scanning Introduction,” Tenable Network Security, http://www.tenablesecurity.com/images/pdfs/passive_scanning_tenable.pdf, March 2006