Faraz Zaidi, Labri, INRIA Bordeaux - Sud Ouest, faraz.zaidi@labri.fr [PRIMARY contact]
Paolo Simonetto, Labri, INRIA Bordeaux - Sud Ouest, paolo.simonetto@labri.fr
Daniel Archambault, INRIA Bordeaux - Sud Ouest, daniel.archambault@inria.fr
Pierre-Yves Koenig, Labri, INRIA Bordeaux - Sud Ouest, Pierre-Yves.Koenig@labri.fr
Frédéric Gilbert, Labri, INRIA Bordeaux - Sud Ouest, frederic.gilbert@labri.fr
Trung-Tien Phan-Quang, Labri, INRIA Bordeaux - Sud Ouest, phanquan@labri.fr
Ronan Sicre, Labri, sicre@labri.fr
Mathieu Brulin, Labri, mathieu.brulin@labri.fr
Remy Vieux, Labri, vieux@labri.fr
Morgan Mathiaut, Labri, mathiaut@labri.fr
Antoine Lambert, Labri, antoine.lambert@labri.fr
Guy Melançon, LaBRI, INRIA Bordeaux - Sud Ouest [Faculty adviser]
The Tulip framework allows for the visualization, drawing, and editing of graphs. All parts of the framework have been built to visualize graphs of more than 1,000,000 elements. The system supports navigation, geometric operations, extraction of subgraphs, metric computations, graph-theoretic operations, and filtering.
The Tulip architecture provides the following features:
· 3D visualizations
· 3D modifications
· Plug-in support for easy evolution
· Building of clusters and navigation within them
· Automatic drawing of graphs
· Automatic clustering of graphs
· Automatic selection of elements
· Automatic colouring of graphs by metric
ANSWERS:
MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.
MC1.2: Characterize the patterns of behaviour of suspicious computer use.
In order to determine which network transmissions are the most likely candidates for leaks, we developed a visualization that encodes as much of the badge and network information as possible in a single view. As our visualization is fairly non-standard, we first present an overview of the encoding in the Visualization section. We then present our findings in the Suspicious Activities section, along with an explanation of how we deduced the final solution.
Visualization
Our visualization technique, shown in Figure 1, is based on a timeline view. The diagram shows, for each day, the actions of each employee. The horizontal axis encodes the time of day in hourly intervals, while the vertical axis encodes the employee ID and IP address. The horizontal lines in the grid group employees into offices. For example, employees 14 and 15 are in the same office because they lie between the same pair of horizontal lines.
The timeline of each employee collects four kinds of data. First, the upwardly directed glyphs, the teal circles and bars, encode the door log events. Circles are badge-in events into the main building. Bars between two vertical lines encode the time when an employee badges into the classified area to the moment the employee badges out. This period of time begins with a badge-in-classified event and ends with a badge-out-classified event.
The central blue bars show the intervals of time during which the employee's computer is in use. Downwardly directed circles represent transmissions; the area of each circle is proportional to the fourth root of the transmission size.
A green background shows the average daily activity of an employee over the 31 days. A more saturated green indicates a higher probability that the employee is at work. Using some simple rules, we change the colour of this green background to red in order to highlight suspicious activity. The most suspicious activity occurs when an employee's computer is active but he or she is most likely not at their desk. The rules are:
· an employee badges into the classified area but does not badge out, or vice versa;
· an employee's computer is used while he or she is in the classified area;
· an employee's computer is used when the employee is not likely to be in the building.
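The rules above are simple enough to run directly over the two logs, which is also how the list of flagged transmissions later in this page was assembled. The following Python is an added example, not the Tulip team's code. It parses a constructed proxy log in the same comma-separated layout as the records quoted on this page (the column meaning, label / source IP / timestamp / destination IP / destination port / request bytes / response bytes, is an assumption), a constructed badge log in a layout of our own, and an assumed employee-to-host mapping. It then closes badge-in/badge-out pairs into classified-area intervals, records unmatched badges as infractions, flags every transmission sent from a host while its owner is in the classified area, emits the tab-delimited "when / how much / where" rows that MC1.1 asks for, and tallies the destinations of the flagged traffic so that a shared drop point such as a single IP and port stands out. An unmatched badge-in is closed at the end of that day for flagging purposes; that is a policy choice of this example, not something the page states.

```python
"""Rule-based flagging of transmissions sent while the computer's owner is
in the classified area. Added example; not code from the original page."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log (same CSV layout as the records on the page).
# Assumed columns: label, source IP, timestamp, destination IP, port,
# request size in bytes, response size in bytes.
PROXY_LOG = """\
Synthetic Data,37.170.100.31,2008-01-10T14:27:12.238,100.59.151.133,8080,6543216,22315
Synthetic Data,37.170.100.31,2008-01-10T09:05:40.000,100.59.151.140,80,1234,45678
Synthetic Data,37.170.100.16,2008-01-10T16:01:53.956,100.59.151.133,8080,8543125,12312
Synthetic Data,37.170.100.16,2008-01-10T11:30:00.000,100.59.151.150,80,812,20000
"""

# Constructed badge log: employee, event, timestamp (layout assumed here).
BADGE_LOG = """\
31,building,2008-01-10T08:40:00
31,classified-in,2008-01-10T14:20:00
31,classified-out,2008-01-10T14:50:00
16,building,2008-01-10T09:10:00
16,classified-in,2008-01-10T15:55:00
"""

# Assumed mapping from employee ID to the host in that employee's office.
HOST_OF = {"31": "37.170.100.31", "16": "37.170.100.16"}


def parse_proxy(text):
    """Parse proxy lines into dicts; 'bytes' is the request (upload) size."""
    rows = []
    for line in text.splitlines():
        _label, src, ts, dst, port, req, _resp = line.split(",")
        rows.append({"src": src, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
                     "dst": dst, "port": int(port), "bytes": int(req)})
    return rows


def classified_intervals(text):
    """Pair classified badge-in/badge-out events per employee.

    Returns ({employee: [(start, end), ...]}, [(employee, reason, time), ...]).
    Unmatched events are reported as infractions (first rule on the page); an
    unmatched badge-in is closed at the end of that day so that transmissions
    after it can still be flagged (assumption made by this example)."""
    intervals, infractions, open_at = defaultdict(list), [], {}
    for line in text.splitlines():
        emp, event, ts = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if event == "classified-in":
            if emp in open_at:
                infractions.append((emp, "badge-in without badge-out", open_at[emp]))
            open_at[emp] = t
        elif event == "classified-out":
            start = open_at.pop(emp, None)
            if start is None:
                infractions.append((emp, "badge-out without badge-in", t))
            else:
                intervals[emp].append((start, t))
    for emp, start in open_at.items():
        infractions.append((emp, "badge-in without badge-out", start))
        intervals[emp].append((start, start.replace(hour=23, minute=59, second=59)))
    return intervals, infractions


def flag_transmissions(rows, intervals, host_of):
    """Second rule on the page: the computer is used while its owner is inside."""
    owner_of = {ip: emp for emp, ip in host_of.items()}
    flagged = []
    for r in rows:
        emp = owner_of.get(r["src"])
        if emp is None:
            continue
        if any(start <= r["time"] <= end for start, end in intervals.get(emp, [])):
            flagged.append(r)
    return flagged


def mc1_table(flagged):
    """Tab-delimited answer rows: computer, when, how much, where."""
    return "\n".join(f"{r['src']}\t{r['time'].isoformat()}\t{r['bytes']}\t{r['dst']}:{r['port']}"
                     for r in flagged)


def destination_counts(flagged):
    """Count (destination IP, port) pairs; a single dominant pair is a drop point."""
    return Counter((r["dst"], r["port"]) for r in flagged)


if __name__ == "__main__":
    rows = parse_proxy(PROXY_LOG)
    intervals, infractions = classified_intervals(BADGE_LOG)
    flagged = flag_transmissions(rows, intervals, HOST_OF)
    print(mc1_table(flagged))
    print("infractions:", infractions)
    print("destinations:", destination_counts(flagged).most_common())
```

The third rule on the page (computer used when the employee is unlikely to be in the building) needs the per-employee activity profile and is not implemented here; it plugs into the same loop as another interval test.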
Suspicious Activities
Suspicious activity was initially defined by the rules described above. Applying these rules, we discovered several cases.
In our first case, Figure 1 shows a large transmission from employee thirteen's computer on day twenty-two, well before the employee usually arrives at work. By examining the raw data, we determined that this computer activity occurred forty minutes before the earliest time this employee was ever recorded at work. Additionally, the badge-in-building event recorded for this day was typical for this employee over the thirty-one day period. Notice that thirteen's office mate is not present during this time either, giving a third person not assigned to this office the opportunity to send a leak from this computer.
Figure 1: The first suspicious transmission found. Employee thirteen's computer is used for exactly one large upload on day twenty-two, well before the employee usually arrives at work.
In our second case, shown in Figure 2, a large transmission is sent about a minute before employee twenty badges into the building on day twenty-nine. As the transmission precedes the badge-in-building event, it is highly unlikely that twenty was at their desk at this time. Notice as well that twenty's office mate is not present in the office, giving a third person not assigned to this office the opportunity to send a leak from this computer.
Figure 2: The second suspicious transmission. Employee twenty's computer sends a large transmission on day twenty-nine just before the employee badges into the building. In this scenario, the employee is not likely at his or her desk.
Our third case, Figure 3, shows a large transmission sent from employee 17's computer on day seventeen, more than two hours after that computer was last active. Neither employee 17 nor employee 18 is likely to be in the office at this time, as both the computer activity and the green background of typical behaviour indicate. Thus, it is possible that the leak was sent from this computer by someone who is not assigned to this office.
Figure 3: The third suspicious transmission. Employee seventeen's computer sends a large transmission when the employee is probably gone for the day.
Additionally, we looked for transmissions made from an employee's computer while the employee had badged into, but not yet out of, the secure zone. During this time the employee's computer should not be in use, because we are certain that the employee is away from their desk. Figure 4 shows two examples, but in total we found eight such cases:
Synthetic Data,37.170.100.31,2008-01-10T14:27:12.238,100.59.151.133,8080,6543216,22315
Synthetic Data,37.170.100.16,2008-01-10T16:01:53.956,100.59.151.133,8080,8543125,12312
Synthetic Data,37.170.100.16,2008-01-15T16:14:34.563,100.59.151.133,8080,6773214,24661
Synthetic Data,37.170.100.41,2008-01-17T12:12:10.990,100.59.151.133,8080,3679122,24423
Synthetic Data,37.170.100.56,2008-01-29T15:41:32.763,100.59.151.133,8080,10024754,29565
Synthetic Data,37.170.100.41,2008-01-29T16:08:10.892,100.59.151.133,8080,6752212,57865
Synthetic Data,37.170.100.52,2008-01-31T09:41:03.815,100.59.151.133,8080,5579339,22147
Synthetic Data,37.170.100.15,2008-01-31T13:10:23.841,100.59.151.133,8080,9064720,11238
Figure 4: Two cases where an employee's computer is used while the employee is in the secure zone. The computer should not be in use at this time, because the employee is not at his or her desk.
Interestingly, all eleven of these suspicious large transmissions (the three cases above plus the eight listed here) were sent to the same IP address, 100.59.151.133, on the same port, 8080. We concluded that this machine may be the one to which the embassy leaks were uploaded. We therefore highlighted every transmission from the embassy to this IP address and found an additional set of seven transmissions:
Synthetic Data,37.170.100.31,2008-01-08T17:01:33.001,100.59.151.133,8080,8889677,12223
Synthetic Data,37.170.100.31,2008-01-15T17:03:29.342,100.59.151.133,8080,9513313,14324
Synthetic Data,37.170.100.16,2008-01-22T17:41:55.862,100.59.151.133,8080,8873483,16778
Synthetic Data,37.170.100.10,2008-01-24T09:46:34.452,100.59.151.133,8080,7825451,23783
Synthetic Data,37.170.100.32,2008-01-24T10:26:31.321,100.59.151.133,8080,5531674,22479
Synthetic Data,37.170.100.20,2008-01-24T17:07:34.775,100.59.151.133,8080,9732417,42347
Synthetic Data,37.170.100.8,2008-01-31T16:02:44.572,100.59.151.133,8080,13687307,485421
All of these transmissions were large and made on port 8080. In most cases the office was probably empty, with one interesting exception: employee 30 was most likely in the office shared by 30 and 31 when three of the suspicious transmissions were made from employee 31's computer. Thus, employee 30 seems to be a person of interest. Figure 5 plots the number of suspicious transmissions per office. Notice how they are clustered around office 15, which is employee 30's office.
Figure 5: Embassy offices and the number of suspicious transmissions made from each of them. White is zero, yellow is one, orange is two and red is three.
Finally, we found five cases where an employee either badged into the secure zone without badging out, or vice versa. We recommend that the embassy remind employees that piggybacking is not allowed when entering this area. It is also interesting to note that employee 30 was involved in three of these five infractions. This observation implicates employee 30 further, as breaking this particular policy may be an attempt to collect sensitive information without being identified.
In summary, we believe that employee 30 was most likely the embassy employee who caused the leak. The employee probably made several transmissions on the days and from the computers described above.