
List:       focus-ids
Subject:    Network and Incident Symbology:  Comments Wanted
From:       "Stephen P. Berry" <spb () meshuggeneh ! net>
Date:       2001-11-09 19:59:28

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Ever since I was in high school I've been playing wargames.  Back then
this involved pushing little cardboard counters around hexes.  Nowadays,
like everything else, it's all done on computers[0].  The other day
I was playing a newish wargame called `Decisive Action'.  I've heard
several folks complain about the interface.  Thinking about it, it
occurred to me that while DA's interface was a little unfriendly
by modern standards, it was still pretty straightforward given the
complexity of the system it controlled.  Specifically, I got to thinking
about the enormous volume of information available to me by just looking
at the map, filled with the electronic version of those little cardboard
counters wargamers used to use.

The thing that really struck me was that a modern battlefield is
a pretty damn complex environment, yet it can be abstracted well enough
that a meaningful evaluation of the overall situation can be had at
a (reasonably well-educated and well-informed) glance.

The following thought was that network security really doesn't have
anything similar.  There are plenty of tools that will create pretty
pictures of your network for you.  Some have lots of nice illustrations
of various vendors' hardware that you can cut 'n paste into your
presentations.  Some have little blinky bits that tell you when your
border routers are having a bad day.  None of them, however, seem able
to capture the overall situation in a way that would be of interest
to an incident handler or NIDS analyst.  During the recent Nimda
problem, for example, none of the existing systems would be very
useful in giving an overview of the current progress of the worm through
a given network.

I was mulling all of this over while I was tinkering around with some
new visualisation tools for the NIDS software I've been working on.  The
result is a new GUI widget or two that will probably be in the next
release of my code.  It seems to me (and this might just be hubris) that
the symbology and diagramming methodology I worked out might be of
more general interest.

So, I present a draft of a document describing the symbols and diagrams
for review, discussion, criticism, revision, derision, and whatnot.  The
draft can be found at:

	http://www.meshuggeneh.net/shoki/symbols/

I'm unaware of any existing standards of this sort, with the exception
of the systems I allude to above (and in the draft document) which
have the weaknesses I address.  If someone is aware of an existing
standard or system similar to the one I propose, a pointer would be
much appreciated.

- -Steve

- -----
0	This isn't entirely true;  in fact, I have the paper-and-dice
	rules for the latest edition of ASL.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7653fG3kIaxeRZl8RAlKhAJ98jBDPCnhJog8AeP2IWt5rT1ZjwwCeJmy7
GK3QSAA7sCS58PkOu0idrvk=
=j57W
-----END PGP SIGNATURE-----
