Malwarez v0.1.a “Ben”

We are pleased to announce the alpha release of version 0.1 of the Malwarez project.

You can find the demo here.

The aim is to provide real-time visualization of malware activity together with historical data. Our development plan has three main features:
1) Activity map
2) Heatmap
3) Attack Relation Map

Currently the activity map is implemented. The other two features are work in progress, and we hope to announce them soon.

The activity map visualizes malware activity by geographic location. For zooming, there are two map levels: world and country.

World Level:

At the world level you will notice two kinds of symbols. The first is red bubbles, which represent malware activity frequencies; for performance reasons, overlapping symbols are drawn as one larger bubble. The second is yellow dots, which represent live data: each yellow dot marks a new event fetched from the hpfriends project, disappears after 3 seconds, and updates the red bubbles. Both countries and symbols have tooltips showing frequencies. A country tooltip shows the total number of activities originating from that country; a symbol tooltip shows the total number of activities caused by hosts located at that geolocation.

Here are some screenshots:

[screenshot-1] [screenshot-3]

On the left side of the screen you will see some statistics about the collected hpfeeds data. Each statistic has the form “<value>(<number of records>)”. Here is a screenshot:

[screenshot-2]

Here are the meanings of the labels:

Attacker Country: the country with the most observed malware activity.
Attacker Port: the most frequently seen source port of attacks.
Attacker IP: the most frequently seen source IP in the collected hpfeeds data.
Target Port: the most frequently seen destination port in the collected hpfeeds data. (Currently we collect data only from the dionaea.capture channel, so there is only one value. We will add more channels soon.)

Clicking on a statistic (currently available only for Attacker IP) opens a small modal with additional information collected from hpfeeds. We plan to add further data sources soon, such as Mnemosyne.
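As an added illustration (not code from the Malwarez project), here is a small JavaScript model of the world-level bookkeeping described above: each dionaea.capture event from hpfeeds is geolocated, bumps the red-bubble and country counters, adds a yellow live dot that expires after 3 seconds, and feeds the four statistics labels in the “<value>(<number of records>)” form. The geo table, IP addresses and sample events are constructed, and the table stands in for a real GeoIP lookup.

```javascript
// Constructed stand-in for a GeoIP lookup: source IP -> country and coordinates.
const GEO = {
  "203.0.113.7":  { country: "Example-A", lat: 10, lon: 20 },
  "198.51.100.9": { country: "Example-B", lat: -5, lon: 30 },
};
const LIVE_DOT_MS = 3000; // a yellow dot disappears after 3 seconds

function createActivityMap() {
  const symbols = new Map();   // "lat,lon" -> { lat, lon, count }  (red bubbles)
  const countries = new Map(); // country -> total activity count  (country tooltip)
  const stats = {              // the four labels on the statistics panel
    "Attacker Country": new Map(), "Attacker Port": new Map(),
    "Attacker IP": new Map(), "Target Port": new Map(),
  };
  let dots = [];               // live yellow dots with their expiry time
  const bump = (m, k) => m.set(k, (m.get(k) || 0) + 1);

  // Ingest one dionaea.capture event (saddr/sport/daddr/dport fields) at time `now` (ms).
  function addEvent(ev, now) {
    const geo = GEO[ev.saddr];
    if (!geo) return null;     // no geolocation: nothing to plot
    const key = `${geo.lat},${geo.lon}`;
    const sym = symbols.get(key) || { lat: geo.lat, lon: geo.lon, count: 0 };
    sym.count += 1;            // the yellow dot "updates the red bubble"
    symbols.set(key, sym);
    bump(countries, geo.country);
    bump(stats["Attacker Country"], geo.country);
    bump(stats["Attacker Port"], String(ev.sport));
    bump(stats["Attacker IP"], ev.saddr);
    bump(stats["Target Port"], String(ev.dport));
    dots.push({ lat: geo.lat, lon: geo.lon, expires: now + LIVE_DOT_MS });
    return sym;
  }
  // Yellow dots still visible at time `now`; expired ones are dropped.
  function liveDots(now) { dots = dots.filter((d) => d.expires > now); return dots; }
  // Most frequent value for a label, formatted "<value>(<number of records>)".
  function topStat(label) {
    let best = null;
    for (const [v, n] of stats[label]) if (!best || n > best[1]) best = [v, n];
    return best ? `${best[0]}(${best[1]})` : "";
  }
  const countryTotal = (c) => countries.get(c) || 0;
  const symbolCount = (lat, lon) => (symbols.get(`${lat},${lon}`) || { count: 0 }).count;
  return { addEvent, liveDots, topStat, countryTotal, symbolCount };
}

// Constructed sample events, one per second, in the shape of dionaea.capture payloads.
const SAMPLE_EVENTS = [
  { saddr: "203.0.113.7",  sport: 4444, daddr: "192.0.2.1", dport: 445 },
  { saddr: "203.0.113.7",  sport: 5555, daddr: "192.0.2.1", dport: 445 },
  { saddr: "198.51.100.9", sport: 4444, daddr: "192.0.2.1", dport: 445 },
];
function buildDemo() {
  const m = createActivityMap();
  SAMPLE_EVENTS.forEach((ev, i) => m.addEvent(ev, i * 1000));
  return m;
}
```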

Country Level:

Clicking on a country or a red bubble opens a new modal showing country-specific malware activity. On that map, bar graphs represent the malware activity frequencies, and the bars are updated as new events arrive. This map has no indicator for new events like the yellow dots on the world map, but we will add one soon. Bar symbols have tooltips showing the name of the city and the number of recorded events. Clicking on bars will open a new statistics modal in the next release.

On the left side of the screen you will again find statistics, this time country-specific, using the same labels as on the world map.

Limitations
– Poor performance on Firefox (works best with Chromium)
– Limited browser compatibility testing
– Static tooltip content on the world map
– No i18n
– Poor design (I am new to JavaScript, so I am still learning…)
– Newly added symbols have no tooltips on the world map

Plans
In short, the next minor release will contain the following new features and improvements:
– Dynamic tooltip content on the world map
– Clicking on bars will open a statistics modal for the selected city
– More hpfeeds channels
– New event indicator for country maps
– Heat map feature (optional; may be delayed to the major release)
– Code improvements

The next major release will contain:
– Attack Relation Map feature
– Performance improvements
  – Currently every symbol is updated on each new event, which is unnecessary; we should update only the affected symbols.
– Code refactoring
– Pan and zoom on both levels

This is an alpha release with limitations and bugs. Feel free to report any issue or feature request; any feedback is welcome.

Hope you enjoy it. 🙂
Gurcan
