VIDI Surveillance - Embassy Monitoring and Oversight System

VAST 2009 Challenge
Challenge 1: Badge and Network Traffic

Authors and Affiliations:

Chad Jones, University of California Davis, cejjones@ucdavis.edu  [PRIMARY contact]
Michael Ogawa, University of California Davis
James Shearer, University of California Davis
Anna Tikhonova, University of California Davis
Kwan-Liu Ma, University of California Davis [Faculty advisor]

Tool(s):

Processing was used to create our custom visualization system, which is described below. MS Excel was also used to verify data entries and solutions using its sorting and filtering methods.


Video:


UCD-EMOS-MC1.mov


ANSWERS:


MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent. 

Traffic.txt



MC1.2:  Characterize the patterns of behavior of suspicious computer use.

Finding Suspicious IP Activity:

  1. We hypothesized that potential spies would try to use other employees' terminals in order to not draw attention to themselves. Of course, this means that the actual owner of the compromised terminal would not be present while the spy uses it. While we do not have exact information on when employees enter or leave the building (the badge reader is not reliable), we do know when they are inside the classified area. Therefore, we define one type of suspicious activity as IP use on a terminal when the owner is inside the classified area.
  2. We created a timeline visualization of IP usage, overlaid with classified area entrances and exits. The vertical axis divides the timelines into 31 rows, one for each day of the month. The horizontal axis represents the time of day from early morning to late evening. A single employee's entire month is viewed all at once using this visualization. The employee being viewed can be changed using the arrow keys. Every IP event is represented by a vertical bar positioned at the exact time of its appearance. We color the IP events by port number, which is either intranet, http, tomcat, or email, and size the bar based on the outgoing data size. Whenever an employee enters the classified area, a semi-transparent yellow region is drawn until that user exits the classified area. In the rare cases when a user enters twice without exiting, the region is twice as opaque, and in the other rare case where a user exits without having entered, a red region is drawn until the next time the employee enters. The legend key and office diagram showing the currently selected employee, highlighted in red, can be seen in the top left-hand corner. See: phase1.png

  3. Employee behavior begins to emerge as each person is viewed in turn. Whenever an employee begins using his or her computer for the day, there is a single authentication into the intranet server. It is also possible to note each employee's lunch habits on a daily basis by observing periods of absent activity and occasional re-entries into the building during the middle of the day.
  4. Since there are 60 employees and 31 days of data, we visually highlighted IP accesses when the employee is inside a classified area by eliminating the time spans when they are not. This showed us quite clearly that there were several suspicious accesses on several employees' terminals. Furthermore, by querying these accesses, we determined that, in all cases, the destination IP is 100.59.151.133 using socket 8080. We refer to traffic with this IP/socket pattern as Package Drops. See: phase2.png

  5. We then asked the question: Do the same type of suspicious accesses occur when victim employees are not in the classified area? To test this hypothesis, we highlighted the Package Drops by increasing their visual size and darkening their color. See: phase3.png


  6. We can now see these Package Drops clearly, even with normal traffic present in the visualization. Many of the Package Drops, if not occurring when the victim is inside the classified area, appear when the victim is plausibly outside the building. We are now confident that the Package Drops represent the espionage activity the embassy suspects is happening.

  7. To collect the Package Drops into a data file, we simply grep for 100.59.151.133 and redirect the output to Traffic.txt.

Finding the Culprit

  1. Using our tool, we can mark the times when Package Drops occur and see them overlaid on all employee activities. This is done manually by freehand drawing onto the timeline itself. We are able to circle areas of interest, make notes, and emphasize important times as we please.
  2. Starting with the pool of all employees, we eliminate employees who are in the classified area at any time a Package Drop occurred.
  3. This leaves us with employees #27 and #30 who had plausible opportunity to hijack a terminal. However, if #27 were the culprit, they would hijack a terminal almost 2 hours before they show any other activity on the 22nd day. This makes #30 the most likely culprit. See: 27marked.png and 30marked.png

  4. The likelihood of #30 being the culprit is supported by the fact that the first two Package Drops, as well as the fourth, were made from Employee 31's terminal. Since 30 and 31 share an office, gaining access to 31's account would be easier for 30 than for any other employee. All of the culprit's victims can be seen as the green highlighted spaces in the office diagram on the left. Employee #30's central location gives him an easy view of many of the terminals, and the access pattern is concentrated around his office.
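The two rules above (traffic from a terminal while its owner is inside the classified area, then elimination of every employee who was inside the classified area at any Package Drop time) can be run as a script over the badge and IP logs. The following is an added example, not the team's Processing tool; the record layouts, dates, employee numbers and terminal IPs are constructed, only the Package Drop destination 100.59.151.133:8080 comes from the write-up.

```python
# Added example (not the team's tool): the "owner inside the classified area
# while their terminal sends traffic" rule, the Package Drop filter, and the
# culprit elimination step, run over constructed sample records.
from datetime import datetime as dt

PACKAGE_DROP_DST = ("100.59.151.133", 8080)   # destination named in the write-up

# Constructed classified-area badge events: (employee_id, timestamp, event)
BADGE = [
    (31, "2008-01-22 09:00", "enter"), (31, "2008-01-22 10:30", "exit"),
    (27, "2008-01-22 09:30", "enter"), (27, "2008-01-22 09:50", "exit"),
    (30, "2008-01-22 11:00", "enter"), (30, "2008-01-22 12:00", "exit"),
]
# Constructed terminal ownership: source IP -> employee id
OWNER = {"37.170.100.31": 31, "37.170.100.30": 30, "37.170.100.27": 27}
# Constructed IP log rows: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
IPLOG = [
    ("2008-01-22 08:45", "37.170.100.31", "10.0.0.5", 80, 1200),
    ("2008-01-22 09:40", "37.170.100.31", "100.59.151.133", 8080, 150000),
    ("2008-01-22 14:20", "37.170.100.27", "100.59.151.133", 8080, 90000),
    ("2008-01-22 16:00", "37.170.100.30", "10.0.0.5", 80, 800),
]

def parse(ts):
    return dt.strptime(ts, "%Y-%m-%d %H:%M")

def classified_intervals(badge):
    """Pair each 'enter' with the following 'exit' per employee -> {emp: [(start, end)]}.
    A double enter keeps the first entry time; an exit with no open enter is a
    badge anomaly (see Unanswered Questions) and is not counted as classified time."""
    open_at, spans = {}, {}
    for emp, ts, ev in sorted(badge, key=lambda r: parse(r[1])):
        t = parse(ts)
        if ev == "enter":
            open_at.setdefault(emp, t)
        elif emp in open_at:
            spans.setdefault(emp, []).append((open_at.pop(emp), t))
    return spans

def inside(spans, emp, t):
    return any(s <= t <= e for s, e in spans.get(emp, []))

def suspicious_accesses(iplog, badge, owner):
    """Rule 1: traffic from a terminal while its owner is inside the classified area."""
    spans = classified_intervals(badge)
    return [r for r in iplog if inside(spans, owner[r[1]], parse(r[0]))]

def package_drops(iplog):
    """Rule 2: all traffic to the destination the suspicious accesses share."""
    return [r for r in iplog if (r[2], r[3]) == PACKAGE_DROP_DST]

def possible_culprits(badge, drops, employees):
    """Eliminate anyone inside the classified area at any Package Drop time."""
    spans = classified_intervals(badge)
    return sorted(e for e in employees
                  if not any(inside(spans, e, parse(d[0])) for d in drops))
```

On the constructed data only the 09:40 transfer from employee 31's terminal is flagged by rule 1, rule 2 then surfaces the second drop from 27's terminal, and the elimination step leaves employee 30 as the only candidate.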

Unanswered Questions

  • How did the culprit get access to so many terminals?
  • What do the badge anomalies mean, i.e. double entries and no-entry exits?