Forensic Challenge 10 - Attack Visualization

16 Feb 2012

Challenge 10 - Attack Visualization (provided by Ben Reardon from Australia Chapter)

Skill Level: Intermediate

Forensic Challenge 10 takes us back in time to revisit one of last year’s popular Forensic Challenges (FC5). This time around, though, the goal is to create a visual representation of the attack.

There are no right or wrong answers here, and we are keen to see what you can create! If you are constrained by any guidelines, or have ideas that are “out of the box” – that’s fine, we want you to use your imagination and have fun.

The Challenge:
Design and build a visualization that describes the attacks that were analyzed in FC5. Use the three prize winners’ solutions as references and to give you a head start on the data analysis. Use the FC5 dataset to create your FC10 visualization.

As an example, the visualization may have a geographic element, represented as a map, link graphs, histogram, or parallel coordinates, that sheds light on the following:

  • Where the attacks came from
  • The volumes of attacks originating from various locations
  • The success or failure of these attacks
  • The nature of the attacks, for example which are the “primary” and which are the “secondary” phases
  • Can the attacks be color coded to describe groups of attacks/attackers?

Use external data sources such as the many freely available geomapping databases.

The output can be anything that you like: a still image, interactive Flash/Java, a dynamically updating display, a dashboard, or a magazine-style infographic. Holograms are also accepted.

Judging:
Because data visualization is a very subjective topic, we will have a panel of 3 Honeynet members to judge entries. These panel members have an active interest in the data visualization field in the Honeynet Project. Keep in mind, though, that the nature of this challenge is not really to find a “winner”, but rather to inspire newcomers into the data visualization field within cybersecurity. If you know anyone who is not in the security field but may enjoy being part of this challenge, please forward this to them – we’d love to get some submissions from people outside the security field.

Points:
The minimum question set that the visualization should address is:

  • Where do attacks come from? (10 points)
  • What is the most prolific attack? (5 points)
  • Which attacks were successful and which failed? (5 points)
  • What assumptions were made and what was the reasoning? Don’t be afraid to make assumptions! (5 points)
  • What are the limitations of the visualization? (5 points)
  • How could you improve the visualization if given more time and resources - e.g. on a future GSOC project? (2 points)
  • Provide a description of the toolsets and scripts used (10 points)

Bonus points:

  • Aesthetic appeal and ability to hold the subject’s attention (5 points)
  • Interactivity, e.g. the ability to drill down, explore, or zoom in on events. (10 points)
  • Animation, particularly based on a timeline. (10 points)
  • Creating a visualization which uncovers any trends, observations or artifacts which were not described in the FC5 prize winning solutions. (20 points)
  • Creating a visualization that tells a story about the data set, threat environment, and the attack. (20 points)

Attachments:

  • Fabian_Fischer_-_Forensic_Challenge_2011_-_Challenge_10.pdf (7.64 MB)
  • 1323732877_Forensic_Report_Johnathon_Tracz.zip (925.16 KB)
  • 1323998682_fc10HoneynetChallengeSubmissionDanGleebits.pdf (4.47 MB)
  • 1327193551_logvis_Fraser_Scott.zip (736.21 KB)
  • 1327239365_hn_vis_chorsley.zip (110.89 KB)