IIIT - GAMI

VAST 2011 Challenge
Mini-Challenge 2 – Computer Networking Operations at All Freight Corporation

Authors and Affiliations:

Sounjanya Lanka, IIIT Hyderabad, soujanyav@gmail.com [PRIMARY contact]
Divya Mokkapati, IIIT Hyderabad, divyamokkapati@students.iiit.ac.in
Kamal Karlepalam, IIIT Hyderabad [Faculty advisor], [kamal@iiit.ac.inl]

Video:

video

ANSWERS:


MC 2.1 Events of Interest: Using the new situation awareness display(s), what noteworthy events took place for the time period covered in the firewall, IDS and syslog logs? Which events are of concern from a security standpoint? Limit your answer to no more than five noteworthy events. For each event, at least one of the submitted screen shots must be relevant in your explanation of the event.

After analyzing the number of connections between different source-destination pairs, the number of ports scanned for a particular source-destination pair, the rare events in the security logs, and the network policies, we found five noteworthy events. The events are classified according to the parameter used.


Event1:

We calculated the number of connections in one-minute intervals. All IPs except the following have fewer than 2000 connections per interval.

1. 10.200.150.201

2. 10.200.150.206

3. 10.200.150.207

4. 10.200.150.208

5. 10.200.150.209

The IPs listed above show a sudden increase (greater than 30,000) in the number of connections. By plotting graphs with time on the x-axis and number of connections on the y-axis we observed the following patterns for these IPs.

Figure1

Event2:

We calculated the number of ports scanned for each source-destination pair. The following IPs scanned an abnormally high number of ports.

· 192.168.2.174

· 192.168.2.175

· 10.200.150.2

By plotting graphs with time on the x-axis and number of ports on the y-axis we observed the following patterns. In the following graphs the top right corner indicates source -> destination IPs and the top left corner indicates the date.

Figure2

By plotting the number of occurrences of each event ID we find that the most frequently occurring events are the ones with heavy counts, namely login and logout events. We therefore worked on the events that occurred rarely. Events with the following event IDs occurred less than one percent of the time:

1102, 4776, 4648, 4662, 4742, 4625.

We found the following events by analyzing event IDs 4742 and 4625.

Event3:

Event with event id 4625:

There were 44 unsuccessful login attempts on the internal web server in 15-minute intervals, coming from consecutive source ports.


Figure3

Event4:

Event with event id 4742:

Here the account information was changed through an anonymous login.

Figure4

Event5:

There is a host with IP 10.200.150.2 that connected directly to the intranet server (192.168.1.2) without authentication by the external web server. This IP performed a port scan on 192.168.1.2.

All the events mentioned above are noteworthy from a security standpoint.

MC 2.2 Timeliness: For each event submitted in MC 2.1, how early in the course of the event would your display(s) enable a CNO team member to recognize that the event was noteworthy? For each event, specify the earliest moment of recognition as a timestamp and provide a screen shot at the earliest moment of recognition. Explain how the CNO team member had enough information to determine that the event warranted attention.

Event1: To recognize this event we take the number of connections between a host and a server in intervals of 1 minute. We set a threshold value (30,000) for the number of connections and declare an attack when it is exceeded. So the earliest moment of recognition would be less than 1 minute after the attack started. A CNO team member can calculate the number of connections by summing the connections between source-destination pairs as given in the firewall logs. For the timeline refer to Figure 5.

Closer look at Figure1

Figure4

Event2: To recognize this event we take the number of ports scanned per source on a destination. We conclude that it is an attack when the number of ports scanned exceeds a threshold value. We would scan the data once every 10 minutes, so we can recognize that an attack took place in less than 10 minutes. A CNO team member can calculate the number of ports scanned by a particular source IP on a particular destination IP from the port number, source IP and destination IP information provided in the firewall logs. For the timeline refer to Figure 6.

Figure6
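The two firewall-log measures used for Event 1 and Event 2 (connections per source in 1-minute windows against the 30,000 threshold, and distinct destination ports per source-destination pair in a 10-minute window) can be computed with a short script. The following is an added example written for this page, not code from the submission or from the VAST challenge; the log layout, the addresses, the 200-port scan and the distinct-port threshold of 100 are constructed assumptions, while the 30,000 connections-per-minute threshold is the value stated in the answer. Each detector also returns the earliest window in which the threshold was crossed, which is the "moment of recognition" asked for in MC 2.2.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The 30,000 connections-per-minute value is the one stated in the answer;
# the distinct-port threshold and the 10-minute scan window are assumed values.
CONNECTION_THRESHOLD = 30000
PORT_SCAN_THRESHOLD = 100
SCAN_WINDOW_MINUTES = 10


def constructed_firewall_log():
    """Build a constructed sample of firewall records (not the challenge data).

    Each record is a dict with time, src, dst and dport; all address values
    are assumptions made for this example.
    """
    base = datetime(2011, 4, 13, 12, 0, 0)  # arbitrary constructed date
    records = []
    # Background traffic: five internal hosts, 20 web connections each.
    for i in range(5):
        for j in range(20):
            records.append({"time": base + timedelta(seconds=3 * j),
                            "src": f"192.168.2.{10 + i}", "dst": "172.20.0.4", "dport": 80})
    # Connection flood: one host opens 35,000 connections inside a single minute.
    for j in range(35000):
        records.append({"time": base + timedelta(seconds=j % 60),
                        "src": "10.200.150.201", "dst": "172.20.0.4", "dport": 80})
    # Port scan: one host touches 200 distinct destination ports starting at 12:05.
    for port in range(1, 201):
        records.append({"time": base + timedelta(minutes=5, seconds=port % 60),
                        "src": "192.168.2.174", "dst": "172.20.0.4", "dport": port})
    return records


def _bucket(ts, minutes):
    """Truncate a timestamp to the start of its `minutes`-wide window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def connections_per_minute(records):
    """Count connections per (source IP, 1-minute window), as in Event 1."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["src"], _bucket(r["time"], 1))] += 1
    return dict(counts)


def flood_sources(records, threshold=CONNECTION_THRESHOLD):
    """Return {src: earliest minute} for sources whose per-minute count exceeds threshold."""
    earliest = {}
    for (src, minute), n in connections_per_minute(records).items():
        if n > threshold and (src not in earliest or minute < earliest[src]):
            earliest[src] = minute
    return earliest


def distinct_ports_per_pair(records, window_minutes=SCAN_WINDOW_MINUTES):
    """Count distinct destination ports per (src, dst, window), as in Event 2."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"], _bucket(r["time"], window_minutes))].add(r["dport"])
    return {key: len(v) for key, v in ports.items()}


def port_scanners(records, threshold=PORT_SCAN_THRESHOLD):
    """Return {(src, dst): earliest window} for pairs touching more ports than threshold."""
    earliest = {}
    for (src, dst, window), n in distinct_ports_per_pair(records).items():
        if n > threshold and ((src, dst) not in earliest or window < earliest[(src, dst)]):
            earliest[(src, dst)] = window
    return earliest


if __name__ == "__main__":
    log = constructed_firewall_log()
    print("connection floods:", flood_sources(log))
    print("port scanners:", port_scanners(log))
```

On the constructed data the flood detector reports 10.200.150.201 in the 12:00 minute and the scan detector reports the pair 192.168.2.174 -> 172.20.0.4 in the 12:00 window; on real firewall exports the only change needed is a loader that fills the same four fields per record.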

Event3: To recognize this event we need the number of unsuccessful login attempts. If the number of unsuccessful login attempts calculated from the security logs using EventID 4625 is high, we treat it as an event of concern. A CNO team member can calculate the number of unsuccessful login attempts by summing the events with EventID 4625 and a particular target user name from the information provided in the security logs. For the timeline refer to Figure 3.

Event4: EventID 4742 indicates that a computer account was changed. Here this was done through an anonymous login. We can recognize this event by verifying whether the account was changed by the administrator. A CNO team member can check the user name for events with EventID 4742 in the security logs. For the timeline refer to Figure 4.
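The three security-log steps used for Events 3 and 4 (ranking event IDs by frequency to find the ones under one percent, counting EventID 4625 per target user in 15-minute windows, and checking who performed each EventID 4742 change) are shown together below. This is an added example for this page, not code from the submission; the records are constructed, the account names and the failed-logon threshold of 20 are assumptions, and the "ANONYMOUS LOGON" subject name is the one Windows writes for anonymous logons. The burst detector also reports whether the source ports were consecutive, the detail the answer notes for Event 3, since that pattern points to one automated client rather than many users mistyping passwords.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RARE_FRACTION = 0.01           # "less than one percent of the time", from the answer
FAILED_LOGON_THRESHOLD = 20    # assumed threshold for 4625 events per user per window
WINDOW_MINUTES = 15            # the 15-minute interval used in Event 3
ANONYMOUS = "ANONYMOUS LOGON"  # subject account name Windows records for anonymous logons


def constructed_security_log():
    """Constructed Windows security-log records (not the challenge data).

    Fields mirror what the answer relies on: EventID, time, the target user
    name, the subject (acting) user name and the client source port.
    """
    base = datetime(2011, 4, 13, 12, 0, 0)  # arbitrary constructed date
    records = []
    # Bulk of the log: 5,000 logons (4624) and 5,000 logoffs (4634).
    for i in range(5000):
        t = base + timedelta(seconds=i)
        user = f"user{i % 50}"
        records.append({"EventID": 4624, "time": t, "target": user, "subject": "-", "src_port": 0})
        records.append({"EventID": 4634, "time": t + timedelta(seconds=30), "target": user, "subject": "-", "src_port": 0})
    # 44 failed logons (4625) against one account inside one 15-minute window, consecutive source ports.
    for j in range(44):
        records.append({"EventID": 4625, "time": base + timedelta(seconds=10 * j),
                        "target": "webadmin", "subject": "-", "src_port": 50000 + j})
    # Two computer-account changes (4742): one by the administrator, one by an anonymous logon.
    records.append({"EventID": 4742, "time": base + timedelta(minutes=20),
                    "target": "WEBSRV$", "subject": "Administrator", "src_port": 0})
    records.append({"EventID": 4742, "time": base + timedelta(minutes=25),
                    "target": "WEBSRV$", "subject": ANONYMOUS, "src_port": 0})
    # A few credential validations (4776).
    for j in range(3):
        records.append({"EventID": 4776, "time": base + timedelta(minutes=j),
                        "target": "svc", "subject": "-", "src_port": 0})
    return records


def rare_event_ids(records, fraction=RARE_FRACTION):
    """Event IDs that make up less than `fraction` of all records, rarest first."""
    counts = Counter(r["EventID"] for r in records)
    total = len(records)
    return sorted((eid for eid, n in counts.items() if n / total < fraction),
                  key=lambda eid: counts[eid])


def _window(ts, minutes=WINDOW_MINUTES):
    """Truncate a timestamp to the start of its 15-minute window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def failed_logon_bursts(records, threshold=FAILED_LOGON_THRESHOLD):
    """4625 counts per (target user, window) at or above threshold (Event 3).

    Each hit records the attempt count and whether the source ports were
    strictly consecutive, in the order the events appeared in the log.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["EventID"] == 4625:
            by_key[(r["target"], _window(r["time"]))].append(r["src_port"])
    bursts = {}
    for key, ports in by_key.items():
        if len(ports) >= threshold:
            consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
            bursts[key] = {"attempts": len(ports), "consecutive_ports": consecutive}
    return bursts


def anonymous_account_changes(records):
    """4742 events whose acting account is an anonymous logon (Event 4)."""
    return [r for r in records if r["EventID"] == 4742 and r["subject"] == ANONYMOUS]


if __name__ == "__main__":
    log = constructed_security_log()
    print("rare event IDs:", rare_event_ids(log))
    print("failed-logon bursts:", failed_logon_bursts(log))
    print("anonymous 4742 changes:", anonymous_account_changes(log))
```

The rarity ranking is what narrows 10,000-odd records down to a handful of IDs worth reading by hand; the two detectors then turn the remaining 4625 and 4742 records into the per-user count and the per-subject check the answer describes.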

Event5: To recognize this event we need to check whether there were any connections without authentication by the external web server. This can be done by examining connections from the external subnet to the intranet server. A CNO team member has the source and destination IPs of all connections in the network, which allows checking whether the external web server authenticated the connection. For all connections to intranet servers the source IP should not belong to the internet subnet.
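The check described for Event 5 is a segmentation policy: a connection whose destination is an intranet server is only acceptable when its source is on an internal subnet or is the external web server that fronts it. The following is an added example for this page, not code from the submission; the answer names only the intranet server 192.168.1.2 and the external host 10.200.150.2, so the internet subnet, the internal subnet and the external web server address are assumptions, and the connection list is constructed. Grouping the violating connections by source and listing their distinct ports is what exposes the port scan the answer mentions, rather than a single stray connection.

```python
from ipaddress import ip_address, ip_network

# Assumed network layout for this example (only 192.168.1.2 and 10.200.150.2
# appear in the answer; everything else is an assumption).
INTRANET_SERVERS = {ip_address("192.168.1.2")}
INTERNET_SUBNET = ip_network("10.200.150.0/24")
# Sources permitted to reach intranet servers: internal hosts and the external web server.
ALLOWED_TO_INTRANET = [ip_network("192.168.0.0/16"), ip_network("172.20.0.4/32")]
SCAN_MIN_PORTS = 3  # assumed: this many distinct ports from one source is reported as a scan

# Constructed firewall connections as (src, dst, dst_port) tuples.
CONSTRUCTED_CONNECTIONS = [
    ("10.200.150.50", "172.20.0.4", 80),   # internet client to the external web server: allowed
    ("172.20.0.4", "192.168.1.2", 80),     # external web server relaying to the intranet server: allowed
    ("192.168.2.30", "192.168.1.2", 445),  # internal host to the intranet server: allowed
    ("10.200.150.2", "192.168.1.2", 21),   # internet host straight to the intranet server: violation
    ("10.200.150.2", "192.168.1.2", 22),
    ("10.200.150.2", "192.168.1.2", 23),
    ("10.200.150.2", "192.168.1.2", 80),
]


def is_allowed_source(src):
    """True when `src` may talk to an intranet server without further checks."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_TO_INTRANET)


def bypasses_web_server(src, dst):
    """True for a connection that reaches an intranet server from a non-allowed source."""
    return ip_address(dst) in INTRANET_SERVERS and not is_allowed_source(src)


def policy_violations(connections):
    """Group violating connections by (src, dst) and list the distinct ports touched."""
    violations = {}
    for src, dst, dport in connections:
        if bypasses_web_server(src, dst):
            violations.setdefault((src, dst), set()).add(dport)
    return {key: sorted(ports) for key, ports in violations.items()}


def scanning_violators(connections, min_ports=SCAN_MIN_PORTS):
    """Violating (src, dst) pairs that touched at least `min_ports` distinct ports."""
    return {key: ports for key, ports in policy_violations(connections).items()
            if len(ports) >= min_ports}


def from_internet(src):
    """Whether a source falls in the internet subnet, the specific case the answer flags."""
    return ip_address(src) in INTERNET_SUBNET


if __name__ == "__main__":
    for (src, dst), ports in policy_violations(CONSTRUCTED_CONNECTIONS).items():
        print(f"{src} -> {dst} without web-server authentication, ports {ports}, "
              f"internet source: {from_internet(src)}")
```

Expressing the rule with ipaddress networks rather than string prefixes keeps it correct when the subnets are not octet-aligned, and the same allow-list is what the firewall should enforce for the recommendation in MC 2.3.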


MC 2.3 Recommendations: What are the implications of the events discovered in MC 2.1? What report should the CNO give to the CEO and/or what actions should the CNO take to improve security?

Event1:

Implication: A sudden increase in the number of connections blocks the server, which in turn results in starvation of other users.

Action:

· Limiting the number of connections from a particular IP can solve the problem.

· Blocking the IPs causing this event can also solve the problem.

Event2:

Implication: Scanning a considerably high number of ports helps the attacker in recognizing active attacks. This might result in loss of sensitive information.

Action:

· Blocking the IPs causing this event can solve the problem.

Event3:

Implication: Continuous unsuccessful login attempts indicate that the attacker is trying to break into the account. The attacker can then take control of the whole target computer.

Action:

· If the number of unsuccessful logins is large, the account should be blocked temporarily and the administrator should be notified.

Event4:

Implication: Changing a computer account helps the attacker gain control over the computer.

Action:

· The administrator should be informed about this event as soon as it is recognized.

Event5:

Implication: Connections to the intranet without authentication by the external web server might help the attacker attack the intranet servers.

Action:

· A connection from the internet without authentication by the external web server should be blocked.