Poster on "Visualization of Network Security Policies" presented at this years VizSec Symposium in Chicago

At the 12th IEEE Symposium on Visualization for Cyber Security (VizSec) on October 24th in Chicago, the Trust@HsH research group presented their poster on Visualization of Network Security Policies.

The poster describes our approach of how to combine sensor data, policy data and evaluation data in one data model (IF-MAP) and how a GUI (built on VisITMeta) can emphasize their relationships among themselves to allow a user to analyse when and why an evaluation was triggered and which sensor data was evaluated by which policy element.

The implementation of these features within irondetect and VisITMeta will be released during the next months.

Here are some further impressions from Chicago.

The VizSec symposium was held in conjunction with IEEE VIS and will return in 2016 in the city of Baltimore.

Trust@HsH presents paper on SIMU research project at IDAACS 2015

On September 25th at the 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications in Warsaw, the Trust@HsH research group presented their paper SIEM approach for a higher level of IT security in enterprise networks.

The conference tackeled many different topics in the area of data acquisition, representation and processing. Furthermore the use of these data and processes in various domains has been shown, one of them being the area of IT-security.

Within the paper, some results regarding the architecture and the evaluation workflow of the SIMU project were presented. More precisely it was shown how to integrate information from (open-source) off-the-shelf products using the IF-MAP protocol, how analysis on the data can be performerd automatically and how resulting incidents can be presented and managed in a user-friendly manner to support the resolution process.

The next IDAACS conference will take place in 2017 in Bukarest.

ifmapj & ifmapcli - Support for ICS Security specification added

We added support for the metadata and extended identifiers specified in TNC IF-MAP Metadata for ICS Security to both our Java-library ifmapj and our command line tool-set ifmapcli.

ifmapj comes with new classes that allow to create the metadata and identifier objects needed to work with ICS specified entities, just like the already existing classes and methods that help using TNC IF-MAP Metadata for Network Security entities.

As an example of what’s possible with the new release of ifmapj, we also upgraded ifmapcli by CLI tools to publish ICS metadata and identifiers.

The sourcecode of both proiects is available at Github (ifmapj v2.3.0 and ifmapcli v0.3.0).

ifmapj is also available via Maven central.

Big update to VisITMeta - Release of 0.5.0

After months of internal development we are proud to release the new version 0.5.0 of our IF-MAP visualization software VisITMeta.

It features the following changes:

• Multiple subscriptions: the dataservice now supports multiple subscriptions to a single MAP server. It also handles when the same information is gathered via two or more subscriptions at the same time
• New connection handling: the Visualization client now features a new representation of all connection-based settings (connections to VisITMeta dataservices, connections to MAP servers, and subscriptions), allowing managing them as well (add new, edit and delete existing, starting/stopping subscriptions, …).
• Filter in REST API: the REST API now supports filters in the style of IF-MAP filters like match-links or result-filter; they can be used when querying for a graph at a given timestamp
• Error dialogs: (most) errors - both on dataservice side as well as on GUI side - are now shown via basic dialogs
• Minor fixes and enhancements: selected nodes can now correctly be “unselected”, we added a new style for Identifier information, and much refactoring of the code

The new overview of connections to VisITMeta dataservices and IF-MAP servers, as well as the configured and active subscriptions can be seen in the screenshot. Also a new compact representation of Identifier nodes is shown, that uses up to 2 lines of information.

The sourcecode is available at Github on the projects repository page.

Paper about VisITMeta presented at GraMSec 2015

During the Second International Workshop on Graphical Models for Security (GraMSec), held on July 13th 2015 in Verona, a member of the Trust@HsH research group from the University of Applied Sciences and Arts Hanover presented the paper titled Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources.

The paper depicts the general idea behind VisITMeta, a successfully finished research project aimed at visualizing IF-MAP metadata graphs. Within the outlook on future work, the integration of VisITMeta into the SIMU project was explained, where the visualization of metadata graphs is used to allow a better understanding of identified incidents.

The workshop itself, co-located with the 28th IEEE Computer Security Foundations Symposium, mostly dealt with attack graphs and attack trees, used to evaluate possible ways of attacks.

The main intersections with the results of the VisITMeta and SIMU projects are on the layer of data collection, where similar methods are used to get the infrastructure information about clients, servers and services.

(Pre-)Release of irongpm - Graph Pattern Matching on IF-MAP graphs

irongpm is a new client developed within the SIMU research project that searches for patterns in an IF-MAP graph and responds if matching (sub-)graphs are found.

Rules that define a combination of patterns to search for and corresponding actions can be created by implementing a given Rule interface and are loaded via Java reflection on startup. Available via our Github account, irongpm comes with a sample rule that is explained in details the Readme file.

To use irongpm, a running VisITMeta dataservice is needed, as well as an external Maven dependency called simu-entities, which is unfortunately not available to the public at the moment. We hope that this dependency will be available in the next 2-3 weeks, so at the moment the release is only really usable within the SIMU project development team.

If you have any comments or questions, please contact us at f4-i-trust@lists.hs-hannover.de or directly create an Issue at the corresponding Github-project page.

Bugfix-release for irond

Today we fixed a rather critical bug in our MAP server implementation irond. As it turns out, result filters in search and subscribtion request were handled in the wrong way - not removing everything from the result that matches the filter, but instead removing anything but.

This was fixed and thus we released version 0.5.4 via Github. We also added some more client certificates of our tools to the keystore of irond.

If you have any comments or questions, please contact us at f4-i-trust@lists.hs-hannover.de or directly create an Issue at the corresponding Github-project page.

irongenlog - an IF-MAP client for generic log-files

Within the SIMU research project we implemented an IF-MAP client that is able to provide IF-MAP publisher functionality to arbitrary logging-based tools - irongenlog.

irongenlog, which is available as always via our Github account, allows to use a doman specific language together with logstash to quickly transfer log output from an arbitrary program into IF-MAP data.

We ship irongenlog with a short reference of how to use the domain specific language and an example binding for the dnsmasq DHCP and DNS service.

If you have any comments or questions, please contact us at f4-i-trust@lists.hs-hannover.de or directly create an Issue at the corresponding Github-project page.