FlowTag: A Collaborative Attack-Analysis, Reporting, and Sharing Tool for Security Researchers

Christopher P. Lee
Georgia Institute of Technology
School of Electrical and Computer Engineering
Communications Systems Center Lab
chrislee@gatech.edu

John A. Copeland
Georgia Institute of Technology
School of Electrical and Computer Engineering
Communications Systems Center Lab
john.copeland@ece.gatech.edu

VizSEC'06, November 3, 2006, Alexandria, Virginia, USA. Copyright 2006 ACM 1-59593-549-5/06/0011.

ABSTRACT

Current tools for forensic analysis require many hours to understand novel attacks, causing reports to be terse and untimely. We apply visual filtering and tagging of flows in a novel way to address the current limitations of post-attack analysis, reporting, and sharing. We discuss the benefits of visual filtering and tagging of network flows and introduce FlowTag as our prototype tool for Honeynet researchers. We argue that online collaborative analysis benefits security researchers by organizing attacks, collaborating on analysis, forming attack databases for trend analysis, and promoting new security research areas. Lastly, we show three attacks on the Georgia Tech Honeynet and describe the analysis process using FlowTag.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General: Security and Protection; H.3.1 [Information Storage and Retrieval]: Content Analysis and Indexing: Abstracting methods; H.5.2 [Information Interfaces and Presentation]: User Interfaces; I.3.8 [Computer Graphics]: Applications

General Terms

Security, Human Factors

Keywords

information visualization, user interfaces, tagging, folksonomy, team collaboration, network attack analysis, parallel coordinates, honeynet

1. INTRODUCTION

After a cyberattack has occurred, it is often necessary to determine the exploit used, the severity of the compromise, and the motives of the attacker. These key pieces of information are commonly used for system repair, strengthening of security policies, malware/exploit collection, and trend analysis. For Honeynet researchers, trend analysis and early detection of novel attacks are often the primary goals. Enterprise administrators focus on system repair and policy. Internet providers generally focus on the verification of a reported attack and identification of the culprit. Regardless of the desired goal, attack analysis can be a difficult and time-consuming task. In this paper, we focus on the needs of Honeynet researchers.

1.1 Attack Analysis with Logs, IDS, and Ethereal

Analysts have several sources of information to aid them in understanding an attack: system logs, IDS logs, and network capture files (usually PCAP). System logs often do not contain adequate information to understand an attack and can often be deleted by the attacker. Signature-based IDS logs tend to have excellent descriptions of attacks they recognize, but fail to show what an attacker does once inside. Anomaly-based IDS systems are good at detecting new attacks, but produce generic alerts that reveal very little about the attack itself. Furthermore, IDS systems are notoriously noisy and difficult to tune to the alarms of interest to the administrator. Network capture files contain all the network traffic; however, with so much detail, it is easy to become overwhelmed and lose context. Common tools for network capture analysis include tcpdump, Ethereal, and tcpflow.
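To make the flow-versus-packet distinction concrete before the Ethereal comparison, here is an added example that is not code from the paper or from FlowTag: it groups constructed packet records into bidirectional flows, reconstructs each flow's payload per direction (as tcpflow does) without discarding the other flows, and lets an analyst attach free-text tags and filter at flow granularity with an ip.addr-style address match. The addresses, ports, payloads and field names are all assumptions made for the example.

```python
from collections import OrderedDict, defaultdict

# Constructed sample packets, not taken from the paper or any real capture:
# (src, sport, dst, dport, proto, payload)
PACKETS = [
    ("10.0.43.1", 4123, "10.0.43.9", 22, "tcp", b"SSH-2.0-client\r\n"),
    ("10.0.43.9", 22, "10.0.43.1", 4123, "tcp", b"SSH-2.0-server\r\n"),
    ("10.0.43.9", 33001, "10.0.43.50", 80, "tcp", b"GET /tool.sh HTTP/1.0\r\n"),
    ("10.0.43.50", 80, "10.0.43.9", 33001, "tcp", b"HTTP/1.0 200 OK\r\n"),
    ("192.0.2.7", 5353, "10.0.43.9", 53, "udp", b"\x12\x34"),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation share one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_flows(packets):
    """Group packets into flows in first-seen order; record the initiator and each payload."""
    flows = OrderedDict()
    for src, sport, dst, dport, proto, payload in packets:
        key = flow_key(src, sport, dst, dport, proto)
        flow = flows.setdefault(key, {"initiator": (src, sport), "responder": (dst, dport),
                                      "proto": proto, "packets": 0, "payload": [], "tags": set()})
        flow["packets"] += 1
        flow["payload"].append((src, payload))
    return flows

def reconstruct(flow):
    """Concatenate payload per direction, as tcpflow does; the flow table keeps the rest."""
    streams = defaultdict(bytes)
    for src, data in flow["payload"]:
        streams[src] += data
    return dict(streams)

def tag_flow(flows, key, *tags):
    """Attach analyst tags (e.g. 'exploit', 'download') to a flow; tags are free text."""
    flows[key]["tags"].update(tags)

def match_addr(flow, addr):
    """Flow-level counterpart of an Ethereal 'ip.addr == X' filter: either endpoint matches."""
    return addr in (flow["initiator"][0], flow["responder"][0])

def filter_flows(flows, addr=None, tag=None):
    """Select flows by address and/or tag; unselected flows stay in 'flows' for context."""
    return [f for f in flows.values()
            if (addr is None or match_addr(f, addr)) and (tag is None or tag in f["tags"])]

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    http_key = list(flows)[1]              # second flow seen: the HTTP request
    tag_flow(flows, http_key, "download")
    for f in filter_flows(flows, addr="10.0.43.9"):
        print(f["proto"], f["initiator"], "->", f["responder"], f["packets"], sorted(f["tags"]))
```

Because the filter selects whole flows rather than individual packets, both directions of a matched conversation are kept together and the unmatched flows remain in the table for context.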
Ethereal is perhaps the most commonly used and the easiest to use without scripting; we describe it here for comparison. Ethereal, shown in Figure 1, is a graphical interface that displays packets in a table, the dissection tree of the selected packet, and the contents of the packet in hex. Ethereal's dissectors support almost all well-known protocols. Filters in Ethereal are specified as query strings of the form ip.addr == 10.0.43.1 and, when mastered, are extremely powerful at expressing complex queries. Functionality exists to click on a TCP packet and view the reconstructed payload of that TCP flow, but because Ethereal automatically filters out other packets to display the complete payload, context with other flows is lost. This is a key tool for debugging network protocols, but for the specific task of examining attacks, it is cumbersome because of its packet-based views, narrow queries, and processing time overhead.

Even for experienced analysts, analyzing a compromise is a long and arduous task that requires a great deal of copying and pasting, finding key packets in Ethereal, searching, filtering, and keeping context in mind at all times. A proper analysis often takes days for a short attack and weeks for more complex attacks. Because analyzing attacks is such a laborious task, reports are often delayed or never generated. The resulting reports often lack the overview and detail structure needed for rapid comprehension and come in a variety of formats that are hard to index and search. These limitations slow the dissemination of attack captures to the security community and make trend