UFMG-Minardi-MC1

VAST 2012 Challenge
Mini-Challenge 1: Bank of Money Enterprise: Cyber Situation Awareness


Team Members:


Yussif Barcelos, Universidade Federal de Minas Gerais, yussifcefet@gmail.com

Flávia Aburjaile, Universidade Federal de Minas Gerais, faburjaile@gmail.com

Laura Rabelo Leite, Universidade Federal de Minas Gerais, rabelo.leite@gmail.com

Solange Teixeira Oliveira, Universidade Federal de Minas Gerais, oliveirastbr@gmail.com PRIMARY

Raquel Cardoso de Melo-Minardi, Universidade Federal de Minas Gerais, raquelcm@dcc.ufmg.br

Student Team:   YES


Tool(s):


Microsoft SQL Server 2005

Processing


Video:


vast.wmv


Answers to Mini-Challenge 1 Questions:


MC 1.1  Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe? 



On February 2 at 2pm BMT, our existence visualization in Figure 1 shows machines exposed to serious policy deviations and failing non-critical patches in almost all regions (except 49). Furthermore, in regions 9, 11, 12, 13, 16, 19, 20, 21, 43 and 46 the visualization also highlights critical policy deviations, and many patches are failing in 8 regions (9, 11, 12, 13, 20, 21, 43, 46), 6 of which were launched at 2pm. We also see many external devices being added to machines, which is not necessarily a problem since it is working time.

Figure 1 - Overview of the existence of policy status and activity flags across all business units as of 2pm on February 2.


In Figure 2, we present the three most critical policy statuses (3, 4 and 5). From the screenshot we can infer a sequence of status 3 followed by 4 and then 5 in every region. In other words, many machines first exhibit serious policy deviations, then progress to critical policy deviations, and finally suffer a virus infection and/or questionable files are found. For instance, ATMs in region 11 are exposed to serious deviations from 10am; by 2pm they already show critical deviations, and at 7pm viruses are found in that region. Similar sequential behavior is found in almost every region, with time shifts.

This can also be seen in Figure 3, where we show the distribution of the number of ATMs in the three most critical policy statuses over the 3 days. Notice the large number of machines with critical deviations on February 3, and that this frequency starts to rise at about 2pm on February 2. We show figures with ATM data, but servers and workstations presented similar behavior.

Figure 2 - Existence of policy status 3, 4, and 5 across all business units ATMs on February 2.


Figure 3 - Distribution of policy status 3, 4, and 5 across all business units ATMs on February 2.


 

MC 1.2  Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?



The first anomaly we found concerns a high percentage of servers with viruses found after business hours. In Figure 4, we use a percentage graph to show, in red, the share of servers presenting policy status 5, i.e. virus detection. In orange we present the percentage of the same machines with activity flag 4, meaning 100% CPU use. We use this flag only to highlight the business-time band between 7am and 6pm. Notice that in a considerable number of business units a high percentage of servers have viruses found after 6pm. The same behavior is presented in Figure 5, where we use line graphs to show the distributions of policy status 5 and activity flag 4 over the whole set of days in the dataset. The orange line shows the expected plateau during business time, when CPU use should be at its maximum. The virus attack starts at about 2pm on February 2 and reaches its peak on February 3 at about 10pm.

Figure 4 - Comparison of percentage of machines infected with some virus and the ones that have a 100% of CPU use across business units on February 2.


Figure 5 - Comparison of distribution of machines infected with some virus and the ones that have a 100% of CPU use across business units on February 2.
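The two checks behind Figures 2, 4 and 5 (the 3-then-4-then-5 escalation per business unit, and the share of servers with virus detections outside the 7am-6pm band) can be computed directly from the status log. The following is an added example, not the team's Processing or SQL Server code; the record layout and the sample rows are constructed assumptions shaped after the challenge fields (business unit, machine class, policy status, activity flag, timestamp).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (business_unit, machine_class, policy_status,
# activity_flag, timestamp in BMT); the layout is an assumption.
RECORDS = [
    (11, "ATM", 3, 1, "2012-02-02 10:00"),
    (11, "ATM", 4, 1, "2012-02-02 14:00"),
    (11, "ATM", 5, 1, "2012-02-02 19:00"),
    (5, "Server", 1, 4, "2012-02-02 10:00"),   # business time, healthy
    (5, "Server", 5, 1, "2012-02-02 20:00"),   # virus found after hours
    (5, "Server", 5, 1, "2012-02-02 21:00"),
    (5, "Server", 1, 1, "2012-02-02 21:00"),
    (25, "Server", 1, 4, "2012-02-02 11:00"),
]

BUSINESS_HOURS = range(7, 18)  # the 7am-6pm band used in the report


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def escalation_sequence(records, machine_class):
    """First time each of policy status 3, 4, 5 is seen per business unit
    for one machine class: {unit: {status: datetime}}."""
    first = defaultdict(dict)
    for unit, cls, status, _flag, ts in records:
        if cls != machine_class or status not in (3, 4, 5):
            continue
        t = parse(ts)
        if status not in first[unit] or t < first[unit][status]:
            first[unit][status] = t
    return dict(first)


def escalated_in_order(first_seen):
    """True when serious (3) precedes critical (4) precedes virus/files (5)."""
    return (all(s in first_seen for s in (3, 4, 5))
            and first_seen[3] < first_seen[4] < first_seen[5])


def after_hours_virus_rate(records, machine_class="Server"):
    """Percentage of records with policy status 5 per (unit, hour),
    counting only hours outside the business band."""
    total, infected = defaultdict(int), defaultdict(int)
    for unit, cls, status, _flag, ts in records:
        hour = parse(ts).hour
        if cls != machine_class or hour in BUSINESS_HOURS:
            continue
        total[(unit, hour)] += 1
        infected[(unit, hour)] += status == 5
    return {k: 100.0 * infected[k] / total[k] for k in total}
```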


The second anomaly is presented in Figure 6, where we can see a very small percentage of servers presenting policy status 1 in the large business units 5 and 10, which means their machines present at least a moderate policy deviation. In Figure 7, we can see the distribution of healthy servers (policy status 1 and activity flag 1) across all regions over the 3 days. In general, servers present a very high rate of normal activity, which confirms the exceptional behavior of servers in regions 5 and 10 and the need for intervention.

The third anomaly is presented in Figure 6. Region 25 is another exception in terms of normal activity and policy. However, we believe it is a less critical problem, as some of its servers are healthy and region 25 is a small region with fewer machines. Still, Figure 8 presents a quite deep valley in the normal policy and activity of its servers during the night of February 2, which ends in the morning of February 3.

Figure 6 - Overview of percentages of servers presenting policy status 1 and activity flag 1 on February 2 BMT.


Figure 7 - Distribution of servers presenting policy status 1 and activity flag 1 on February 2, 3 and 4 BMT.


Figure 8 - Distribution of servers presenting policy status 1 and activity flag 1 on servers from business unit 25 on February 2, 3 and 4 BMT.


The fourth anomaly can be seen in Figures 9 and 10. On one hand, the first screenshot focuses on servers from all business units and shows similar normal behavior on both February 2 and 3: the activities "5 invalid login attempts" and "external device added" always appear during business time, which seems normal. On the other hand, the second picture shows an exception in region 25, which presents a considerable peak of invalid logins at 8am on February 2. This may be responsible for many of the security events that happen on that day.

Figure 9 - Distributions of activity flags 2, 3, 4 and 5 on February 2, 3 and 4.


Figure 10 - Distributions of activity flags 2, 3, 4 and 5 on February 2, 3 and 4 in business unit 25. Magenta line presents the occurrence of 5 invalid logins.


The last anomaly we describe concerns business units 16 and 23, where no serious deviations were found during February 2. Almost every other region presents critical policy deviations that evolve into many patch failures. However, this does not happen in regions 16 and 23 until February 3.

Figure 11 - Overview of the exposure of machines to critical policy deviations and many patches failing.