VAST 2012 Challenge
Mini-Challenge 1: Bank of Money Enterprise: Cyber Situation Awareness

 

 

Team Members:

 

Gonzalez Sebastian, Universidad de Buenos Aires, sgonzalez.arg@gmail.com

Quevedo Adrian, Universidad de Buenos Aires, adrianquevedo@gmail.com

Ruiz Abdul, Universidad de Buenos Aires, darien.abdul@gmail.com


Student Team: Yes

 

Tool(s):

 

Tableau Desktop

Processing

d3js

Microsoft Excel

 

Video:

 

Gonzalez-Quevedo-Ruiz-MC1

 

 

Answers to Mini-Challenge 1 Questions:

 

MC 1.1  Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe? 

 

The first picture shows the policy status by business unit at 2pm.

 

It is observed that region-10 and region-5 have a surprisingly high number of computers in policy status 2. This suggests that those business units could have been infected.

The next picture shows other variables for the same snapshot.

 

We have also observed ATMs to which external devices had been added. Depending on the features of those devices, that might be anomalous.

 

MC 1.2  Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?

 

The following picture and the next three show the overall evolution of the network over the whole evaluation period. The first one shows how many machines report each policy status over time, on a logarithmic scale.

 

 

The following heatmaps show the evolution of the number of connections and active computers.

 

 

In region-10 we can see a small number of computers with a high number of connections starting at 8:15am. The number of computers with that behavior increases, and by the next day most of the computers in the region have a high number of connections.

In addition, we have analyzed the number of connections by machine function for region-10.

 

The maximum number of connections for 'teller' is strongly distant from the average, due to the behavior explained above. That situation continues until 1pm. A possible cause is the beginning of an infection.
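The two checks used above, the per-business-unit policy status count from MC 1.1 and the max-versus-typical connection count per machine function, as an added example that is not part of the original submission. The records and field order are constructed; the real MC1 schema is not assumed here.

```python
from collections import defaultdict
from statistics import median

# Constructed sample health records (business_unit, machine_function,
# policy_status, num_connections); an assumption, not the challenge data.
RECORDS = [
    ("region-10", "teller", 1, 30),
    ("region-10", "teller", 2, 980),   # the one teller with an outlying connection count
    ("region-10", "teller", 2, 45),
    ("region-10", "loan",   1, 25),
    ("region-5",  "teller", 2, 35),
    ("region-5",  "teller", 2, 40),
    ("region-5",  "loan",   1, 20),
    ("region-1",  "teller", 1, 28),
    ("region-1",  "loan",   1, 22),
]


def policy_status_counts(records):
    """Number of machines per (business unit, policy status), as in the 2pm snapshot."""
    counts = defaultdict(int)
    for unit, _function, status, _conns in records:
        counts[(unit, status)] += 1
    return dict(counts)


def units_with_elevated_status(records, status=2, min_share=0.5):
    """Business units where at least min_share of machines report the given policy status."""
    totals, hits = defaultdict(int), defaultdict(int)
    for unit, _function, s, _conns in records:
        totals[unit] += 1
        if s == status:
            hits[unit] += 1
    return sorted(u for u in totals if hits[u] / totals[u] >= min_share)


def connection_outliers(records, unit, factor=5.0):
    """Machine functions in a unit whose maximum connection count exceeds
    factor times the median (median rather than mean so the outlier itself
    does not inflate the baseline). Returns {function: (max, median)}."""
    by_function = defaultdict(list)
    for u, function, _status, conns in records:
        if u == unit:
            by_function[function].append(conns)
    return {f: (max(c), median(c))
            for f, c in by_function.items() if max(c) > factor * median(c)}


if __name__ == "__main__":
    print(policy_status_counts(RECORDS))
    print(units_with_elevated_status(RECORDS))
    print(connection_outliers(RECORDS, "region-10"))
```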

Next, we show the first occurrence of a policy status 5, which happens at 12:15pm.

 

It is generated by a single computer and marked as normal activity. It could be caused by an undetected attack.

 

Finally, we depicted the number of machines by activity flag, business unit and time. In region-5, we noted that the proportion of machines with activity flags 3 and 5 is larger than that with activity flag 2.

 

 

We excluded activity flag 5 in order to have a cleaner view of the rest.