Qi Ye, University of Posts and Telecommunications, yeqibupt@gmail.com [PRIMARY contact]
Chao Han, University of Posts and Telecommunications, hanchaobupt@gmail.com
Jian Liu, University of Posts and Telecommunications, liujianbupt@gmail.com
Tian Zhu, University of Posts and Telecommunications, zhutian.bupt@gmail.com
Deyong Hu, University of Posts and Telecommunications, hudeyong@tseg.org
Bin Wu, University of Posts and Telecommunications, wubin@bupt.eud.cn [Faculty advisor]
Bai Wang, University of Posts and Telecommunications, wangbai@bupt.edu.cn
To observe the potential interplay between IP traffic and human dynamics, we developed a tool called HumanDynamicVis in Java, based on our network visual analytical framework JSNVA, to analyze the abnormal patterns of employees and computers. The primary interface of our tool is shown in Fig. 1. HumanDynamicVis focuses on two abnormal patterns of the suspicious computers: first, a computer may send out data while its employee is absent; second, a computer may send lots of data while receiving just a little. The abnormal events are shown on an abnormal matrix in which the y-axis shows the date and the x-axis indicates the IDs of employees. As shown in Fig. 2, by clicking a certain cell of the matrix, the user can get the daily IP traffic of an employee as an hourly histogram. In each bar there are two boxes: the red one shows the request bytes and the blue one shows the response bytes. If the request bytes are more than the response bytes, the bar's border is drawn red. Our tool also provides animated histograms to monitor the IP traffic of each source computer. In the hourly histogram, basic interaction is done with simple mouse operations: clicking on a bar causes it to expand into a minute-by-minute histogram. In each histogram, grey areas show the periods in which the employee is in the restricted area, so we can identify the abnormal events immediately when the owner's computer is used by others to send data out.
Figure 1 The HumanDynamicVis system
Figure 2 The interface of the Abnormal Matrix Frame
Video:
ANSWERS:
MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.
MC1.2: Characterize the patterns of behavior of suspicious computer use.
First, all suspicious computers send lots of data to the destination IP 100.59.151.133 through Port 8080 while receiving just a little. The IP 100.59.151.133 received 144634785 bytes while sending just 943911 bytes. Using our tool, we can first explore the abnormal events by the data size of each log record. There are 4 records whose total sizes are more than 10 megabytes, and 3 records whose request sizes are much larger than their response sizes. Using the link relationships between IPs, we can get a subgraph of all the IPs linked to IP 100.59.151.133, as shown in Fig. 2.
Second, some of these suspicious computers are used by others to send data to destination IP 100.59.151.133 through Port 8080 while their owners are absent. In the hourly histogram, basic interaction is done with simple mouse operations: clicking on a bar in the hourly histogram causes it to expand into a minute-by-minute histogram. In each histogram, grey areas show the periods in which the employee is in the restricted area. As shown in Fig. 2 and Fig. 3, we can identify the abnormal patterns immediately when suspicious computers are used by others.
Third, in most cases the suspicious computers are likely to send a huge amount of data in a burst; that is, they are not likely to send data continuously, as shown in Fig. 3. In our view, the reason is that when the employee tries to send information to an outside criminal organization using others' computers, he will try to finish the job as soon as possible.
Fourth, the computers of Employees 15, 16, 31, 41, 52 and 56 are used by others to send data to IP 100.59.151.133 through Port 8080 while these employees are in the restricted area. So we can rule out these employees; their computers are the red vertices in the IP link network in Fig. 4. Moreover, we can rule out further suspicious computer owners: as there is only one such employee in the embassy, we can rule out the ones who were also in the restricted areas when the abnormal events happened. As shown in Fig. 4, the innocent suspicious computers are the green vertices in the IP link network. After applying these rules, only the suspicious computer of Employee 32 cannot be ruled out, so we regard Employee 32 as the prime suspect in the criminal operation.
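The two abnormal patterns HumanDynamicVis flags (data sent while the owner is in the restricted area, and request bytes far exceeding response bytes) and the rule-out reasoning of the MC1.2 answer can be expressed as plain detection logic over the two data sources. The following Python is an added example, not the HumanDynamicVis code: the IP log records, the badge intervals, the IP-to-owner mapping, the 10 MB size threshold and the 10:1 request/response ratio are all constructed here for illustration (the destination 100.59.151.133:8080 is the one named in the answer above; the source IPs are placeholder addresses).

```python
"""Added example: flag abnormal traffic events and rule out employees
using badge (restricted-area) intervals. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed IP log records:
# (timestamp, source IP, destination IP, port, request bytes, response bytes)
IP_LOG = [
    (datetime(2008, 1, 7, 10, 15), "192.0.2.10", "10.0.0.5", 80, 2_000, 150_000),
    (datetime(2008, 1, 7, 14, 2), "192.0.2.10", "100.59.151.133", 8080, 12_000_000, 3_000),
    (datetime(2008, 1, 7, 15, 30), "192.0.2.11", "100.59.151.133", 8080, 9_500_000, 2_500),
    (datetime(2008, 1, 8, 9, 45), "192.0.2.12", "100.59.151.133", 8080, 11_000_000, 4_000),
    (datetime(2008, 1, 8, 11, 0), "192.0.2.12", "10.0.0.5", 80, 1_500, 90_000),
]

# Constructed badge data: intervals during which each employee was in the
# restricted area (the grey areas of the histogram).
BADGE = {
    15: [(datetime(2008, 1, 7, 13, 50), datetime(2008, 1, 7, 14, 20))],
    32: [(datetime(2008, 1, 8, 11, 30), datetime(2008, 1, 8, 12, 0))],
    41: [(datetime(2008, 1, 7, 15, 0), datetime(2008, 1, 7, 16, 0)),
         (datetime(2008, 1, 8, 9, 30), datetime(2008, 1, 8, 10, 0))],
}

# Constructed mapping from a computer's source IP to the employee who owns it.
OWNER_OF = {"192.0.2.10": 15, "192.0.2.11": 32, "192.0.2.12": 41}


def bytes_by_destination(records):
    """Total (request, response) bytes per destination IP, to spot hosts that
    receive a lot while sending back very little (first pattern)."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, _src, dst, _port, req, resp in records:
        totals[dst][0] += req
        totals[dst][1] += resp
    return {dst: tuple(v) for dst, v in totals.items()}


def is_lopsided(req, resp, ratio=10):
    """True when request bytes dwarf response bytes (assumed 10:1 threshold);
    the tool draws such bars with a red border."""
    return req > ratio * max(resp, 1)


def in_restricted_area(badge, employee, ts):
    """True if the employee's badge places them in the restricted area at ts."""
    return any(start <= ts <= end for start, end in badge.get(employee, []))


def hourly_histogram(records, src, day):
    """(request, response) bytes per hour for one source IP on one day; a single
    tall bar rather than a flat series is the burst pattern noted above."""
    hist = defaultdict(lambda: [0, 0])
    for ts, s, _dst, _port, req, resp in records:
        if s == src and ts.date() == day:
            hist[ts.hour][0] += req
            hist[ts.hour][1] += resp
    return {h: tuple(v) for h, v in sorted(hist.items())}


def abnormal_events(records, badge, owner_of, min_bytes=10_000_000):
    """Flag records that are large (assumed 10 MB threshold) or lopsided, and
    note when the owning employee was in the restricted area at the time."""
    events = []
    for ts, src, dst, port, req, resp in records:
        reasons = []
        if req + resp > min_bytes:
            reasons.append("large transfer")
        if is_lopsided(req, resp):
            reasons.append("request >> response")
        if not reasons:
            continue
        owner = owner_of[src]
        if in_restricted_area(badge, owner, ts):
            reasons.append("owner absent (in restricted area)")
        events.append({"time": ts, "src": src, "owner": owner, "dst": dst,
                       "port": port, "bytes": req, "reasons": reasons})
    return events


def rule_out(events, badge, candidates):
    """Apply the answer's rules: an employee who was in the restricted area when
    any abnormal event happened cannot have been at the keyboard, which covers
    both 'own computer used while absent' and 'absent during someone else's
    event' (only one employee is assumed responsible). Returns the remaining suspects."""
    cleared = {emp for ev in events for emp in candidates
               if in_restricted_area(badge, emp, ev["time"])}
    return sorted(set(candidates) - cleared)


if __name__ == "__main__":
    print(bytes_by_destination(IP_LOG))
    evs = abnormal_events(IP_LOG, BADGE, OWNER_OF)
    for ev in evs:
        print(ev["time"], ev["src"], "owner", ev["owner"], ev["reasons"])
    print("remaining suspects:", rule_out(evs, BADGE, list(OWNER_OF.values())))
```

On the constructed data, the computers of Employees 15 and 41 transmit while their owners are badged into the restricted area, and Employee 41 is also absent during the transfer from Employee 32's computer, so only Employee 32 survives the rule-out, mirroring the reasoning above. The same functions can be pointed at the real log and badge tables once parsed into the tuple and interval shapes used here.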
Figure 3 Suspicious sending-information event of IP 137.170.100.31
Figure 4 The IPs of the suspicious computers which link to 100.59.151.133