RUMINT is a visualization tool designed to allow insightful analysis of network traffic, either in real-time as a packet sniffer or using historical pcap data. It uses a VCR-like interface to control playback of the packets in seven different visualization windows, similar to the way a Tivo allows a user to record, pause and play back video. Each window provides a different view on the same packets, at the same time, allowing analysts to correlate insights gained from each display. Analysts have found it useful for creating graphical fingerprints of network attacks, analyzing attack tool behavior, communicating Internet security threats to end users, understanding the operation of new protocols, and finding anomalies in network traffic.
Despite these strengths, I consider RUMINT a work in progress and I'm working on a complete rewrite of the source code now. The hacker and computer security communities have been very enthusiastic about the tool and are providing awesome feedback. While the latest version is stable, useful, and usable, I believe RUMINT hasn't reached its full potential. I want to incorporate the feedback I've received to take the tool to the next level. My goal is to create a result that is compelling enough to make Fyodor's Top 100 security tools list. This list is based on a survey of what tools the security analyst community finds most valuable. Fyodor's list is an honor that must be earned, and I look forward to seeing RUMINT on it one day.
What kind of evolution can we expect in the upcoming versions of security visualization tools? What new features would you like to see?
I expect to see tools that help bridge the gap between visualization and machine processors. Human time and attention are rare resources, particularly that of experts. Once an analyst makes a discovery, such as the signature of a new form of malware, the visualization tool should make it very easy to offload the signature to machine processors, such as anti-virus programs and intrusion detection systems, to do the heavy lifting in the future. Currently, there is a distinct gap between security visualization systems and machine processors in many areas.
How long did it take you to write Security Data Visualization and what was it like? Any major difficulties?
It took about three years of research and about 14 months of writing to produce Security Data Visualization. The most frustrating aspect was banging into the edges of human knowledge. Visualization of security data is, in many ways, a very young field; many aspects, such as visualization support for cryptanalysis and malware analysis, are relatively unexplored but bear great promise. I believe there are several decades before we start seeing the full range of possibilities.