IRONMAN V1.5 Network Management Environment


1 IRONMAN V1.5 Network Management Environment

2 IRONMAN V1.5 Traffic Problem Domain
Nodes : 50,000,000 total ; 5000 to protect
Protocols :
Ports : 1024 well-known ; others
Services : (e.g. WWW, )
Applications : ???
Typically instances (packets) per second
Acceptable vs unacceptable combinations

3 IRONMAN V1.5 Network Management Environment provides:
- Interactive management of networks and components
- Policy-based modeling, analysis and control
- Passive monitoring and active probing of networks
- Dynamic visualization of information and systems
- Integration of existing commercial tools and custom tools
- Virtual common data repository for all information sources
- Client-server and peer-to-peer architecture using standard technology

4 Functional Architecture (diagram; labels: Representation / Presentation, Analysis / Decision, Acquisition / Control, with ADAPTIVE MANIFOLD at the centre)

5 System Architecture (diagram; components: IRONMAN HTTP Server, Network, IRONMAN Agent Server, WWW Browser with VRML 2.0 Plugin as client, Manifold Client, Support Applications, HTTP Server (Sockets))

6 Distributed Interactive Simulation and Control
- client-server structure
- servers: data-gathering (probes and monitors), analysis, control, representation, persistent storage and decision support
- clients: working storage, presentation (display) and command consoles
- some analysis in clients, but only for network efficiency
- collaborative architecture (i.e. shared workspace through servers, storage and presentation space)
- streaming data updates
- database architecture: local working and global persistent

7 Hierarchy of Fusion Problems

8 Probing, Monitoring and Control
- Probes: CyberCop, Nessus, Internet Security Scanner, ....
- Intrusion Detection: NetRanger, Network Flight Recorder, .....
- Monitoring: SNMP RMON, tcpdump, ......
- Policy/Configuration: SNMP, Telnet, X-Windows, ....
- Agents: perform one or more of the above ... other

9 Vulnerability Database Schema
- Vulnerability identification (id, title)
- Description and impact
- System identification
- Application information
- Reference to the vulnerability
- Detailed analysis, detection techniques and fixes (analysis, detection, fix, test, workaround, patch)
- Detailed information about exploitation (exploit, pattern)
- Classifications and features (class, category)
- Verification of vulnerability
- Source of vulnerability information

10 Agents
Several intrusion detection systems use agents as collectors/sensors (e.g. AAFID).
Agents are being studied as a component of IRONMAN for: acquisition, analysis, communication, control.

11 IETF IDWG Core Terms and Relationships (diagram)

12 Principal Visualization Goals
- to identify if the system is stable or unstable relative to an identified set of criteria (e.g. a security policy)
- to identify if internal changes to the system will move the system toward instability
- to identify any external events which are tending to move the system towards instability

13 IRONMAN Visualization
- the generation of a set of (visual and aural) sensory stimuli for the user; and the detection and interpretation of these stimuli by the user
- user input to visualization
- use VRML 2.0 as implementation framework

14 VRML 2.0 Scene Graph
- Group: collections and hierarchies
- Transform (Xform): shape, colour, location, texture of object
- Script: behaviour of object and/or connection to network
- Sensor: connection to user actions and/or user avatar location

15 Individual Control of Visualization Elements
- VRML 2.0 scene is composed of nodes
- each node is coupled to a data source or network process
- very large distributed computational structures can be monitored in real time over the network
- each element can display individual characteristics
- aggregate provides visualization support through collective morphology and topology

16 Visualization Toolkit
- a basic object editor;
- a mapping assignment editor (to map data to parameters);
- a basic visualization library manager;
- a data set formatter;
- a VRML 2.0 generator;

17 Data Structures (Visualization Toolkit)
Six data structures are being developed to support models:
- network - main objects (vertices and lines);
- permutation - reordering of vertices;
- vector - values of vertices;
- cluster - subset of vertices (e.g. one class from a partition);
- partition - mapping of vertices to clusters;
- hierarchy - hierarchically ordered clusters and vertices.
Algorithms which operate on these are being developed and evaluated.

18 VR Server
Uses a specification to generate a visualization; inputs:
- one or more data sets;
- a set of prototypes or templates;
- an algorithm for converting or mapping the data sets into Euclidean space using the available prototypes and templates
Distributed compositional architecture.

19 System High-Level Visualization

20 System Level of Detail Visualization


22 System High-Level Visualization
Example: 676 hosts. Ring is a LAN. White box is a selected host. HUD displays IP of host.

23 System Attribute Visualization e.g. Mapping Network Components to Vulnerabilities VRML 2.0 with behaviours and external interfaces
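The vulnerability database schema of slide 9 and the attribute view above (mapping network components to vulnerabilities) as one worked example. This is an added illustration, not IRONMAN code: the table and column names, the matching rule (a host is mapped to a vulnerability when it runs an application the vulnerability record names and the record's version/OS constraints either match or are left unconstrained), and all sample rows are assumptions; the vulnerability ids are constructed, not real advisories.

```python
"""Vulnerability database schema and host-to-vulnerability mapping.

Added example, not IRONMAN code. Table/column names, the matching rule
and the sample rows are assumptions; ids like V-0001 are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE vulnerability (            -- vulnerability identification (id, title)
    id          TEXT PRIMARY KEY,
    title       TEXT NOT NULL,
    description TEXT,                   -- description and impact
    impact      TEXT,
    class       TEXT,                   -- classifications and features
    category    TEXT,
    verified    INTEGER DEFAULT 0,      -- verification of vulnerability
    source      TEXT                    -- source of vulnerability information
);
CREATE TABLE vuln_application (         -- system identification / application information
    vuln_id TEXT REFERENCES vulnerability(id),
    app     TEXT NOT NULL,
    version TEXT,                       -- NULL: any version is affected
    os      TEXT                        -- NULL: any OS is affected
);
CREATE TABLE vuln_remedy (              -- analysis, detection, fix, test, workaround, patch
    vuln_id TEXT REFERENCES vulnerability(id),
    kind    TEXT CHECK (kind IN ('analysis','detection','fix','test','workaround','patch')),
    text    TEXT NOT NULL
);
CREATE TABLE vuln_exploit (             -- detailed information about exploitation
    vuln_id TEXT REFERENCES vulnerability(id),
    exploit TEXT,
    pattern TEXT                        -- what a detector should look for
);
CREATE TABLE host (ip TEXT PRIMARY KEY, os TEXT);   -- the network components
CREATE TABLE host_application (
    ip      TEXT REFERENCES host(ip),
    app     TEXT NOT NULL,
    version TEXT
);
"""

# A host is exposed to a vulnerability when it runs an application the
# vulnerability names and the version/OS constraints match or are NULL.
MAP_QUERY = """
SELECT DISTINCT h.ip, v.id, v.title, ha.app, ha.version
FROM host h
JOIN host_application ha ON ha.ip = h.ip
JOIN vuln_application va ON va.app = ha.app
     AND (va.version IS NULL OR va.version = ha.version)
     AND (va.os IS NULL OR va.os = h.os)
JOIN vulnerability v ON v.id = va.vuln_id
ORDER BY h.ip, v.id
"""

def build_db(conn):
    """Create the schema and load constructed sample records."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vulnerability VALUES (?,?,?,?,?,?,?,?)", [
        ("V-0001", "Example daemon remote overflow", "Unchecked input length",
         "remote code execution", "buffer overflow", "remote", 1, "constructed"),
        ("V-0002", "Example web server directory listing", "Listing enabled by default",
         "information disclosure", "misconfiguration", "remote", 0, "constructed"),
    ])
    conn.executemany("INSERT INTO vuln_application VALUES (?,?,?,?)", [
        ("V-0001", "exampled", "1.2", None),       # only version 1.2, any OS
        ("V-0002", "examplehttpd", None, "unix"),  # any version, unix only
    ])
    conn.executemany("INSERT INTO vuln_remedy VALUES (?,?,?)", [
        ("V-0001", "patch", "upgrade exampled to 1.3"),
        ("V-0001", "workaround", "filter the service port at the border router"),
        ("V-0002", "fix", "disable directory listing in the server configuration"),
    ])
    conn.executemany("INSERT INTO vuln_exploit VALUES (?,?,?)", [
        ("V-0001", "over-long request argument", "request length > 1024"),
    ])
    conn.executemany("INSERT INTO host VALUES (?,?)", [
        ("10.0.0.5", "unix"), ("10.0.0.6", "unix"), ("10.0.0.7", "other"),
    ])
    conn.executemany("INSERT INTO host_application VALUES (?,?,?)", [
        ("10.0.0.5", "exampled", "1.2"),      # vulnerable version -> V-0001
        ("10.0.0.5", "examplehttpd", "2.0"),  # unix host -> V-0002 applies
        ("10.0.0.6", "exampled", "1.3"),      # patched version, no match
        ("10.0.0.7", "examplehttpd", "2.0"),  # not unix -> V-0002 does not apply
    ])

def map_hosts_to_vulns(conn):
    """Return {ip: [vulnerability ids]} for the attribute view."""
    result = {}
    for ip, vid, *_ in conn.execute(MAP_QUERY):
        result.setdefault(ip, []).append(vid)
    return result

def remedies(conn, vuln_id):
    """(kind, text) pairs a responder can act on for one vulnerability."""
    return conn.execute("SELECT kind, text FROM vuln_remedy WHERE vuln_id=? ORDER BY kind",
                        (vuln_id,)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    build_db(conn)
    return map_hosts_to_vulns(conn), remedies(conn, "V-0001")

if __name__ == "__main__":
    mapping, fixes = demo()
    print(mapping)   # {'10.0.0.5': ['V-0001', 'V-0002']}
    print(fixes)
```

The NULL-means-any convention in vuln_application is what lets one record cover "all versions" without listing them; the price is that a host whose application version is unknown (NULL in host_application) never matches a version-constrained record, so unknown versions should be treated as a separate finding rather than as "not vulnerable".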

24 System Attribute Visualization


26 System Behaviour Visualization: tracking events through topology, e.g. Traceroute
- Events can be displayed using shapes which travel along links in the visual display.
- Events can (1) have any shape, and can either be (2) persistent and aggregate or (3) transient.
VRML 2.0 with behaviours and external interfaces

27 System Constraint Visualization e.g. Policy Violations by Multiple Components VRML 2.0 with behaviours and external interfaces

28 Partitioned Host Traffic Visualization Various display layouts are possible This example shows line and spiral

29 Partitioned Host Traffic Visualization Partition Hosts into 2 or more categories Time-independent Display

30 Partitioned TCP Dump Visualization External Hosts - red disk Internal Hosts - green line

31 Partitioned Host Traffic Visualization shows partition of hosts time-independent scan of network displayed
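One way to produce the partitioned tcpdump view of slides 28 to 31 from the slide 16 and 17 toolkit pieces (a "network" of vertices and lines, a "partition" of vertices into clusters, and a VRML 2.0 generator), as an added example that is not IRONMAN code. It parses constructed tcpdump lines (modern "tcpdump -n" output format), partitions hosts into internal and external by an assumed internal prefix, lays external hosts out on a ring of red disks and internal hosts along a green line, and writes a VRML 2.0 scene with one node per host, so the output can be loaded in any VRML 2.0 viewer. The sample packets, the 10.0.0.0/8 prefix and all geometry and colour choices are assumptions.

```python
"""Partitioned host-traffic visualization as a VRML 2.0 scene.

Added example, not IRONMAN code. The internal prefix, the sample dump
(constructed) and the layout/colours are assumptions.
"""
import ipaddress
import math
import re

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption

# constructed sample, in modern "tcpdump -n" output format
SAMPLE_DUMP = """\
12:00:01.000100 IP 10.0.0.5.45000 > 192.0.2.9.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000900 IP 192.0.2.9.80 > 10.0.0.5.45000: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:02.300000 IP 198.51.100.7.53211 > 10.0.0.6.22: Flags [S], seq 3, win 1024, length 0
12:00:02.300400 IP 198.51.100.7.53212 > 10.0.0.5.22: Flags [S], seq 3, win 1024, length 0
12:00:03.100000 IP 10.0.0.6.51000 > 10.0.0.5.25: Flags [P.], seq 1:30, ack 1, win 512, length 29
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

def parse_dump(text):
    """Yield (src, dst, dport) per packet; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def build_network(packets):
    """'network' structure: vertices = hosts (first-seen order), lines = (src, dst) -> packet count."""
    vertices, lines = [], {}
    for src, dst, _ in packets:
        for h in (src, dst):
            if h not in vertices:
                vertices.append(h)
        lines[(src, dst)] = lines.get((src, dst), 0) + 1
    return vertices, lines

def partition(vertices):
    """'partition' structure: vertex -> cluster 0 (internal) or 1 (external)."""
    return {v: 0 if ipaddress.ip_address(v) in INTERNAL_NET else 1 for v in vertices}

def layout(vertices, part):
    """Internal hosts spaced along the x axis; external hosts on a ring of radius 6."""
    internal = [v for v in vertices if part[v] == 0]
    external = [v for v in vertices if part[v] == 1]
    pos = {}
    for i, v in enumerate(internal):
        pos[v] = (2.0 * i - (len(internal) - 1), 0.0, 0.0)
    for i, v in enumerate(external):
        a = 2 * math.pi * i / max(len(external), 1)
        pos[v] = (6.0 * math.cos(a), 0.0, 6.0 * math.sin(a))
    return pos

def vrml_scene(vertices, lines, part, pos):
    """Emit VRML 2.0: one Transform per host, one line set for the LAN, one for traffic."""
    index = {v: i for i, v in enumerate(vertices)}
    red = ("Shape { appearance Appearance { material Material { diffuseColor 1 0 0 } } "
           "geometry Cylinder { radius 0.5 height 0.1 } }")          # external host: red disk
    green = ("Shape { appearance Appearance { material Material { diffuseColor 0 1 0 } } "
             "geometry Box { size 0.6 0.6 0.6 } }")                    # internal host: green box
    out = ["#VRML V2.0 utf8", "# partitioned host traffic (generated example)"]
    for v in vertices:
        x, y, z = pos[v]
        out.append(f"DEF H{index[v]} Transform {{ translation {x:.2f} {y:.2f} {z:.2f} "
                   f"children [ {red if part[v] == 1 else green} ] }}  # {v}")
    coords = ", ".join("%.2f %.2f %.2f" % pos[v] for v in vertices)
    lan = ", ".join(str(index[v]) for v in vertices if part[v] == 0) + ", -1"   # the green line
    traffic = ", ".join(f"{index[s]}, {index[d]}, -1" for s, d in lines)      # one segment per pair
    for colour, idx in (("0 1 0", lan), ("1 1 1", traffic)):
        out.append(f"Shape {{ appearance Appearance {{ material Material {{ emissiveColor {colour} }} }} "
                   f"geometry IndexedLineSet {{ coord Coordinate {{ point [ {coords} ] }} "
                   f"coordIndex [ {idx} ] }} }}")
    return "\n".join(out) + "\n"

def demo(text=SAMPLE_DUMP):
    """Run the whole pipeline; returns the structures and the scene text."""
    vertices, lines = build_network(parse_dump(text))
    part = partition(vertices)
    return vertices, lines, part, vrml_scene(vertices, lines, part, layout(vertices, part))

if __name__ == "__main__":
    print(demo()[3])   # write to a .wrl file to view
```

Because each host becomes a DEF-named Transform, a later Script node (slide 14) can be routed to it to change colour or position as new data arrives, which is the per-element coupling slide 15 describes; the time-independent view here simply collapses all packets into the traffic line set.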

32 Temporal TCP Dump Traffic Visualization Cartesian Display

33 Temporal TCP Dump Visualization

34 Temporal TCP Dump Traffic Visualization Polar Display

35 EPIC Port Alerts

36 EPIC Signature Alerts

37 Hyper-Geometric Visualization


39 Heads Up Displays


41 Context Displays


45 Top View

46 Context Displays

47 Textured reference floor providing context status, and "bubbles" indicating the status of particular machines

48 Cone trees
Cone trees can be used either for the user interface (i.e. selection of options, etc.) or to indicate hierarchical structures.

49 Controls and Level of Detail
Elements of the visual presentation can be provided with associated controls and displays. Buttons can be persistent or can become visible with proximity or external triggers.

50 Controls and Level of Detail
In this case, selecting the red button caused the remainder of the elements in the display to be hidden. Actions associated with each user interface can be dynamically assigned or form part of a standard user interface profile. If buttons are dynamically assigned, they will have information tableaus associated with them.

51 Controls and Level of Detail
In this display, almost every visible element has an associated action. Some cause changes to the display while others open new displays or activate analytic tasks.

52 Cellular Automata driven by Sensors

53 Cellular Automata Implemented with Agents

54 Collaborative Environments
Conventional Environments
- Virtual Network Computing (VNC) :-
Virtual Environments
- DeepMatrix :- multi-user virtual environment
- Vnet :- multi-user virtual environment
- DIS-Java-VRML :- distributed interactive simulation (DIS) environment implemented in Java and VRML

55 Ontologies
Purpose :- to enable communication between computer systems in a way that is independent of the individual system technologies, information architectures and application domain.
Key Ingredients :- a vocabulary of basic terms and a precise specification of what those terms mean.
IRONMAN Implementation :-
- KIF
- Ontolingua
- Open Knowledge Base Connectivity (OKBC)

56 Ontolingua
Provides a mechanism for defining ontologies that are portable over representation systems. Consists of:
- a KIF parser,
- tools for analyzing ontologies, and
- a set of translators for converting Ontolingua sources into forms acceptable to implemented knowledge representation systems.
Currently supported target representation systems are: (:EPIKIT :CLIPS :LOOM :GENERIC-FRAME :KIF :EXESS)

57 Ontolingua

    (define-class NETWORK-ELEMENT (?ne)
      "A network element is a device attached to the network, and thus having one or more interfaces. We assume the device has at least one DNS name."
      :def (and (has-some ?ne element.interface)
                (has-some ?ne element.name))
      :issues ((:VRML use-proto "$vrml_protos/node_proto2.wrl")
               (:DIS use-class "$dis_lib/network/network_element.class")
               (:XML use-DTD "$ironman_dtd/network.dtd")))

Bridging Technologies in One Specification: the :issues clause ties the one class definition to its VRML prototype, DIS class and XML DTD.

58 Policy Management
Generic policy model (ontology) to support:
- High-level policy specification (confidentiality, integrity, availability, accountability, assurance)
- Low-level policy specification (applications, ports, services, protocols and packets)
- Data-based and system-based policy assertions
- Visual policy editor
- Standard policy specification exchange format

59 Policy Views
- Global view
- Link and/or node view
- Relationships among applications, services, protocols, ports and packets
- Groups of links and/or nodes
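The low-level policy of slide 58 (rules over applications, services, protocols and ports, with system-based and data-based assertions) evaluated against packets and reported per component, which is the raw material of the constraint view on slide 27 and the "acceptable vs unacceptable combinations" of slide 2. This is an added example, not IRONMAN's policy engine or exchange format: the rule syntax, the host groups, the first-match semantics with default deny, the choice of which endpoint to blame, and the sample packets are all assumptions.

```python
"""Low-level policy assertions over packets, with per-component violation report.

Added example, not IRONMAN code. Rule syntax, groups, default-deny and the
constructed packets are assumptions.
"""
from dataclasses import dataclass
import ipaddress

# system-based view: components grouped by role (constructed); earlier
# groups take precedence, so "external" is everything not listed above it
GROUPS = {
    "dmz_web":  ["192.0.2.10", "192.0.2.11"],
    "internal": ["10.0.0.0/8"],
    "external": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    src: str            # source group
    dst: str            # destination group
    proto: str          # "tcp" | "udp" | "icmp" | "*"
    dport: object       # int, (lo, hi) range, or "*"
    action: str         # "permit" | "deny"
    service: str = ""   # label used in the report (WWW, SSH, ...)
    policy: str = ""    # high-level goal the rule serves

# first match wins; no match means deny (constructed policy)
POLICY = [
    Rule("external", "dmz_web", "tcp", 80, "permit", "WWW", "availability"),
    Rule("external", "dmz_web", "tcp", 443, "permit", "WWW", "confidentiality"),
    Rule("internal", "dmz_web", "tcp", 22, "permit", "SSH", "accountability"),
    Rule("dmz_web", "internal", "*", "*", "deny", "", "integrity"),   # DMZ never initiates inward
    Rule("internal", "external", "tcp", "*", "permit", "", "availability"),
    Rule("internal", "internal", "*", "*", "permit", "", ""),
]

# data-based assertions: must hold for every packet whoever sends it
DATA_ASSERTIONS = [
    ("no cleartext telnet", lambda p: not (p["proto"] == "tcp" and p["dport"] == 23)),
    ("no packets from 0.0.0.0", lambda p: p["src"] != "0.0.0.0"),
]

def group_of(ip):
    a = ipaddress.ip_address(ip)
    for name, members in GROUPS.items():
        if any(a in ipaddress.ip_network(m, strict=False) for m in members):
            return name
    return "external"

def port_matches(spec, port):
    if spec == "*":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port

def first_match(pkt):
    """Return the first rule whose src/dst group, protocol and port match, or None."""
    s, d = group_of(pkt["src"]), group_of(pkt["dst"])
    for r in POLICY:
        if (r.src == s and r.dst == d and r.proto in ("*", pkt["proto"])
                and port_matches(r.dport, pkt["dport"])):
            return r
    return None

def evaluate(packets):
    """Return {component: [violation, ...]}. The component blamed is the managed
    (non-external) endpoint of the packet (assumption)."""
    report = {}
    for p in packets:
        comp = p["dst"] if group_of(p["dst"]) != "external" else p["src"]
        where = f"{p['proto']}/{p['dport']} from {p['src']} to {p['dst']}"
        r = first_match(p)
        if r is None or r.action == "deny":
            report.setdefault(comp, []).append(f"{r.policy if r else 'default deny'}: {where}")
        for name, holds in DATA_ASSERTIONS:
            if not holds(p):
                report.setdefault(comp, []).append(f"{name}: {where}")
    return report

# constructed packet records (what a probe or tcpdump feed would deliver)
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},   # permit
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},   # default deny
    {"src": "10.0.0.5",    "dst": "192.0.2.10", "proto": "tcp", "dport": 22},   # permit
    {"src": "10.0.0.5",    "dst": "203.0.113.9", "proto": "tcp", "dport": 23},  # permitted by rule, fails assertion
    {"src": "10.0.0.5",    "dst": "10.0.0.6",   "proto": "udp", "dport": 514},  # permit
    {"src": "203.0.113.5", "dst": "192.0.2.11", "proto": "udp", "dport": 161},  # default deny
    {"src": "203.0.113.5", "dst": "10.0.0.6",   "proto": "tcp", "dport": 445},  # default deny
    {"src": "192.0.2.10",  "dst": "10.0.0.5",   "proto": "tcp", "dport": 3306}, # explicit deny
]

def demo():
    return evaluate(SAMPLE_PACKETS)

if __name__ == "__main__":
    for comp, items in demo().items():
        print(comp, *items, sep="\n  ")
```

Keeping system-based rules (who may talk to whom) separate from data-based assertions (what no packet may look like) matters for the report: the telnet packet above passes the group rules and is still flagged, so a viewer that only coloured links by rule match would miss it.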

60 Analysis and Decision Support
- Scenario generation and detection
- Strategic risk analysis
- Collaborative hierarchical command infrastructure
- Rapid response infrastructure and mechanisms

61 Analysis and Decision Support Components
- Ontolingua as basic knowledge engine; KIF (Knowledge Interchange Format); OKBC (Open Knowledge Base Connectivity)
- Implemented as applications with HTTP server support
- Z-EVES (ORA) - formal modelling environment
- ExESS (Systolics) - expert system shell
- CLIPS (Systolics) - expert system shell
- other (Vulcanizer, neural nets, Petri nets, .....)

62 Strategic Risk Analysis
- ontological model based on the NIST Risk Model Builder's workshops
- basic rule-based model enhanced with relational analysis and a sequential event model for scenario generation and detection

63 Scenario Generation and Detection
- sequential event model
- used to analyse collections of events for potential exploitation of vulnerabilities
- possible processing in: CLIPS for rule-based analysis; ExESS for dynamic simulation; Petri net tools (reachability); and a neural net based classifier
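The sequential event model of slides 62 and 63 as an added example, not IRONMAN code: a scenario is an ordered list of event kinds that must all arrive against the same target within a time window, and the detector keeps one partial match per (scenario, target), expiring it when the window is exceeded and reporting when the last step arrives. The event vocabulary, both scenarios, the window lengths and the sample event stream are constructed; in IRONMAN the events would come from the intrusion detection and probe feeds of slide 8, and the exploit_attempt detail could carry an id from the vulnerability database.

```python
"""Scenario detection over a sequential event model.

Added example, not IRONMAN code. Event kinds, scenarios, windows and the
sample events are constructed.
"""
from collections import namedtuple

Event = namedtuple("Event", "t src target kind detail")   # t in seconds

# name, ordered step kinds, window in seconds within which all steps must fall
SCENARIOS = [
    ("scan_then_exploit_then_backdoor", ["portscan", "exploit_attempt", "new_listener"], 600),
    ("brute_force_then_login", ["auth_failure", "auth_failure", "auth_failure", "auth_success"], 300),
]

def detect(events):
    """Return [(scenario, target, [matched events])] for every completed scenario,
    in order of completion. Attribution is by target only (assumption), so the
    final step may come from a different source once the attacker has a foothold."""
    hits = []
    partial = {}                               # (scenario, target) -> matched events so far
    for e in sorted(events, key=lambda ev: ev.t):
        for name, steps, window in SCENARIOS:
            key = (name, e.target)
            matched = partial.get(key, [])
            if matched and e.t - matched[0].t > window:
                matched = []                   # window exceeded: start over
            if e.kind == steps[len(matched)]:  # next expected step?
                matched = matched + [e]
                if len(matched) == len(steps):
                    hits.append((name, e.target, matched))
                    matched = []
            partial[key] = matched
    return hits

# constructed event stream (what the IDS / probe feeds would deliver)
SAMPLE_EVENTS = [
    Event(0,   "203.0.113.5",  "10.0.0.5", "portscan",        "ports 1-1024"),
    Event(30,  "203.0.113.5",  "10.0.0.5", "exploit_attempt", "V-0001"),
    Event(120, "10.0.0.5",     "10.0.0.5", "new_listener",    "tcp/4444"),   # completes scenario 1
    Event(10,  "203.0.113.5",  "10.0.0.6", "portscan",        "ports 1-1024"),
    Event(900, "203.0.113.5",  "10.0.0.6", "exploit_attempt", "V-0001"),     # too late: window 600
    Event(200, "198.51.100.7", "10.0.0.7", "auth_failure",    "user root"),
    Event(201, "198.51.100.7", "10.0.0.7", "auth_failure",    "user root"),
    Event(202, "198.51.100.7", "10.0.0.7", "auth_failure",    "user root"),
    Event(203, "198.51.100.7", "10.0.0.7", "auth_success",    "user root"),  # completes scenario 2
    Event(400, "198.51.100.7", "10.0.0.8", "auth_failure",    "user admin"),
    Event(401, "198.51.100.7", "10.0.0.8", "auth_failure",    "user admin"),
    Event(402, "198.51.100.7", "10.0.0.8", "auth_success",    "user admin"), # only two failures: no hit
]

def demo():
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for name, target, matched in demo():
        print(name, target, [ev.t for ev in matched])
```

The same scenario written as a CLIPS rule would match the three ordered facts on a shared target slot and retract them on success; the Petri net reading of slide 63 is that each step is a transition and a completed scenario is a reachable final marking. Note that an out-of-order repeat of an earlier step (a second portscan while waiting for the exploit) is ignored here rather than restarting the match, which is a choice a real detector would expose as a parameter.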

64 IRONMAN Information Management
- Distributed virtual information repository
- Ontology is used for coherence and consistency
- Information source mapping through Manifold
- ODBC, JDBC, SQL for standard database support (early adoption)
- Extensions to IRONMAN: DNS support; SNMP (including agents and additional MIBs); LDAP

65 Defensive Information Operations
Hierarchical Command and Control :-
- operational and architectural issues to support a hierarchical collaborative infrastructure which has a command center, command posts and "road warriors".
- develop the analytic engines to provide interactive process mapping and dynamic situation status reports.
Rapid Response Mechanisms :-
- study means to provide rapid initial analysis of a situation within an information infrastructure managed by IRONMAN and provide potential response strategies.

66 Visual Literacy Laws of Perceptual Organisation Visual Imprinting ……. Some of Many Issues

67 Visual Literacy: the ability to produce and understand visual messages. What are the symbols and grammar used in a visual transaction/interaction? How do we know that someone can "read" what we have "written"?

68 Is literacy learned? cultural? what else? If it is learned, how do we teach it? If it is cultural, how do we generalize it? What else is needed to improve literacy? Visual Literacy

69 How much is the skill of the "writer"? How much is the experience and imagination of the "reader/viewer"? Does abstraction help or hinder EFFECTIVE GOAL-ORIENTED visualization? Visual Literacy

70 Law of Prägnanz (law of good figure, law of simplicity): complex objects are seen in such a way that the structure is seen as simply as possible. Laws of Perceptual Organisation

71 Law of Similarity: things that look similar appear grouped together. Laws of Perceptual Organisation

72 Law of Good Continuation: elements arranged along a straight or smoothly curving line are seen as belonging together, and a line is seen as continuing in its established direction rather than changing abruptly. Laws of Perceptual Organisation

73 Law of Proximity Things close to each other in space are visually grouped together. Laws of Perceptual Organisation

74 Law of Common Fate Objects that move together through space appear grouped together (until they move apart). This makes ballet and modern dance troupes so interesting. Laws of Perceptual Organisation

75 Law of Familiarity (or Meaningfulness) Objects that form familiar or meaningful patterns are grouped together. Laws of Perceptual Organisation

76 Process in young animals for early recognition Does it or an analogous process take place in visualization? If so, do we confuse if we change visual syntax or semantics? Visual Imprinting

