"UT-Takeda-MC1"

VAST 2012 Challenge
Mini-Challenge 1: Bank of Money Enterprise: Cyber Situation Awareness

 

 

Team Members:

 

Shinnosuke Takeda, University of Tsukuba, stakeda@iplab.cs.tsukuba.ac.jp     PRIMARY

Aimi Kobayashi, University of Tsukuba, kobayashi@iplab.cs.tsukuba.ac.jp

Hiroaki Kobayashi, University of Tsukuba, hiroaki@iplab.cs.tsukuba.ac.jp

Saori Okubo, University of Tsukuba, okubo@iplab.cs.tsukuba.ac.jp

Kazuo Misue, University of Tsukuba, misue@cs.tsukuba.ac.jp



Student Team:  YES

 

Tool(s):

 

ITF (Irregular Trend Finder), developed in Processing with the json.org library for VAST Challenge 2012 by the team members.
More information is at http://www.iplab.cs.tsukuba.ac.jp/~okubo/itf/index.html

 

Video:

 

video.wmv

 

 

Answers to Mini-Challenge 1 Questions:

 

MC 1.1  Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe? 


We created an original visualization tool, Irregular Trend Finder.
The tool provides 3 views: All-View(AView), Region-View(RView), and Branch-View(BView).
Both AView and RView have 4 modes: Mosaic-Mode, Linechart-Mode, Four-Hours-Linechart-Mode and Histogram-Mode.

Fig.1 shows the health and PolicyStatus with AView in Mosaic-Mode.

Fig.1 AView Mosaic-Mode at 14:00 2nd

In this visualization, we can see how the status of each machine in each region changes over time.
A rectangle represents a Region or a DataCenter, and its position preserves geographic nearness as accurately as possible.
Five colors (pale blue, light green, orange, red and purple) represent PolicyStatus 1 to 5. In addition, white represents no value, i.e. the machine is turned off.
In Fig.1, we find many white rectangles in Region-25.
Therefore, we can say that many machines in Region-25 are shut down.

It is useful to grasp how the status changes over time (Fig.2).

Fig.2 AView Linechart-Mode at 14:00 2nd

A line represents the change in the percentage of each PolicyStatus over time.
Observing Region-25 in Linechart-Mode, as time passes, the white line (i.e. the percentage of turned-off machines) rises gradually from 4:00 and reaches its highest point at 14:00.
To see the status of each Branch in a Region, we can use RView; it is similar to AView, but a rectangle represents a Branch instead of a Region or DataCenter.
We inspected further in the same way and found that machines in Branch-33 and Branch-39 showed anomalous status first.

As time goes by, each Headquarters or Branch becomes healthy after 14:00.
Fig.3 shows Region-25 in detail for the four hours from 19:00 on February 2nd.

Fig.3 BView(Region-25) Four-Hours-Linechart-Mode at 19:00 2nd

It is clear that the percentage of off machines goes down by 19:00 in all Branches.
  

 

MC 1.2  Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?


We found 5 anomalies by analyzing the data with our visualization.

The first anomaly was noticed at 4:00 on February 2nd (BMT) in AView with Mosaic-Mode (Fig.1).

Fig.1 AView Mosaic-Mode at 4:00 2nd

According to Fig.1, the rectangles representing Region-5 and Region-10 are filled almost entirely with light green.
In our AView and RView, color expresses a machine's PolicyStatus or ActivityFlag.
The mapping rule is: 1 is pale blue, 2 is light green, 3 is orange, 4 is red, 5 is purple, and no value (i.e. machine off) is white.
Therefore, very light-green Regions - in this case Region-5 and Region-10 - mean that the PolicyStatus of most machines in those Regions is 2.
PolicyStatus 2 means "Machine is suffering from a moderate policy deviation" in the definition, so we suppose that they are often attacked by something.
This can also be shown clearly with Histogram-Mode, in which we can see the percentage of each PolicyStatus (Fig.2).

Fig.2 AView Histogram-Mode at 4:00 2nd

In addition, with Linechart-Mode, which shows the percentage of each status over time, we found that this anomaly has continued the whole time (Fig.3).

Fig.3 AView Linechart-Mode at 23:45 3rd

It can be seen that the machines in Region-5 and 10 always seem to have PolicyStatus 2 more often than the other Regions' machines, from the start to the end.

We found the second anomaly in the same way as the first (Fig.1).
Fig.1 also shows that the rectangle of DataCenter-5 is almost entirely white at 4:00 on February 2nd.
So it can be said that most machines in DataCenter-5 give no value; in other words, they are shut down.
With Linechart-Mode in AView, we inspected this Region every 4 hours (Fig.4) and noticed that at 6:00 on February 2nd the pale blue line began to go up, and in the 8:00 to 12:00 window on February 2nd (Fig.4) the pale blue line is at the top at 11:00 on February 2nd.

Fig.4 AView Four-Hours-Linechart-Mode at 12:00 2nd

Because this pale blue line shows the percentage of machines whose PolicyStatus is 1, most machines in DataCenter-5 have PolicyStatus 1, and it seems that the second anomaly ended at this time.

The third anomaly is found in Fig.3, the visualization used to discover the first anomaly (i.e. Linechart-Mode in AView).
Generally, the pale blue lines in most Regions and DataCenters go down, while the other lines go up.
Since pale blue lines mean the percentage of machines whose PolicyStatus is 1, Fig.3 shows that in most Regions and DataCenters the percentage of machines whose PolicyStatus is 1 decreases as time passes.
However, looking at the last couple of hours in Fig.3, we can also observe that, for many machines, PolicyStatus suddenly becomes 1 at the end.
To observe this anomaly, we also watched the last four hours with Four-Hours-Linechart-Mode in AView (Fig.5) and found that at about 23:00 on February 3rd the PolicyStatus of most machines is 1 in most Regions and DataCenters.

Fig.5 AView Four-Hours-Linechart-Mode at 23:45 3rd

On the other hand, only in Region-25 do the white lines (which represent the percentage of machines with no value) go up.
Then we investigated with RView (Fig.6).

Fig.6 RView(Region-25) Four-Hours-Linechart-Mode at 23:45 3rd

The result is that some Branches, like the Headquarters, are colored only white, so we can say that in these areas all machines have no value at that time.

The fourth anomaly was first detected with Linechart-Mode in AView by using a filter that exaggerates small percentages.
In Fig.7, the purple line, which means the percentage of machines whose PolicyStatus is 5, is emphasized by this filter mode.

Fig.7 AView Linechart-Mode(max zoom and Filtering-5) 23:45 3rd

It shows that the number of machines with PolicyStatus 5 increases little by little.
Looking in detail at the 4 hours from 7:30 on February 2nd, it seems that the machines which have PolicyStatus 5 appear first in Region-26.
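The quantities behind these views can be computed directly from the health records: the per-region percentage of each PolicyStatus (including "no value") at each timestamp is what the Mosaic-Mode color and the Linechart-Mode lines express, and a power-law rescale is one way to build the "exaggerate small percentages" filter used to surface the PolicyStatus-5 line. The following Python is an added example, not code from the ITF tool or the team; the record layout and the sample rows are constructed for illustration, and the `gamma` exponent of the filter is an assumption.

```python
"""Aggregate Bank of Money health records into per-region PolicyStatus
percentages over time (the series the Linechart-Mode lines plot) and
flag regions whose 'no value' share climbs, as Region-25's did.
Added example: record layout and sample data are constructed."""
from collections import Counter, defaultdict

# Color mapping used by the visualization: PolicyStatus 1..5, None = machine off.
COLOR_MAP = {1: "pale blue", 2: "light green", 3: "orange",
             4: "red", 5: "purple", None: "white"}

# Constructed sample rows: (timestamp, region, policystatus); None means no value.
SAMPLE = [
    ("2012-02-02 04:00", "Region-25", 1), ("2012-02-02 04:00", "Region-25", 1),
    ("2012-02-02 04:00", "Region-25", 2), ("2012-02-02 04:00", "Region-25", None),
    ("2012-02-02 09:00", "Region-25", 1), ("2012-02-02 09:00", "Region-25", None),
    ("2012-02-02 09:00", "Region-25", None), ("2012-02-02 09:00", "Region-25", None),
    ("2012-02-02 14:00", "Region-25", None), ("2012-02-02 14:00", "Region-25", None),
    ("2012-02-02 14:00", "Region-25", None), ("2012-02-02 14:00", "Region-25", None),
    ("2012-02-02 04:00", "Region-5", 2), ("2012-02-02 04:00", "Region-5", 2),
    ("2012-02-02 04:00", "Region-5", 2), ("2012-02-02 04:00", "Region-5", 1),
    ("2012-02-02 09:00", "Region-5", 2), ("2012-02-02 09:00", "Region-5", 2),
    ("2012-02-02 09:00", "Region-5", 2), ("2012-02-02 09:00", "Region-5", 5),
    ("2012-02-02 14:00", "Region-5", 2), ("2012-02-02 14:00", "Region-5", 2),
    ("2012-02-02 14:00", "Region-5", 2), ("2012-02-02 14:00", "Region-5", 2),
]


def status_percentages(records):
    """Return {region: {timestamp: {status: percent}}} with an entry for every
    status in COLOR_MAP, so each colored line is a complete series over time."""
    counts = defaultdict(Counter)
    for ts, region, status in records:
        counts[(region, ts)][status] += 1
    out = defaultdict(dict)
    for (region, ts), c in counts.items():
        total = sum(c.values())
        out[region][ts] = {s: 100.0 * c.get(s, 0) / total for s in COLOR_MAP}
    return out


def series(pcts, region, status):
    """Time-ordered list of (timestamp, percent) for one colored line.
    Timestamps are zero-padded strings, so lexical order is time order."""
    return sorted((ts, d[status]) for ts, d in pcts[region].items())


def dominant_status(pcts, region, ts):
    """Status that fills most of a region's rectangle in Mosaic-Mode."""
    d = pcts[region][ts]
    return max(d, key=lambda s: d[s])


def rising_off_regions(pcts, threshold=25.0):
    """Regions whose white ('no value') line climbs by at least `threshold`
    percentage points between the first and last timestamp; the shape the
    page reports for Region-25 between 4:00 and 14:00."""
    flagged = []
    for region in pcts:
        s = series(pcts, region, None)
        if s[-1][1] - s[0][1] >= threshold:
            flagged.append(region)
    return sorted(flagged)


def exaggerate_small(percent, gamma=0.3):
    """Power-law rescale of 0..100 onto 0..100 (gamma < 1 lifts small values)
    so a line hugging the baseline, like PolicyStatus 5, becomes visible.
    The gamma value is an assumption, not the ITF filter's setting."""
    return 100.0 * (percent / 100.0) ** gamma


if __name__ == "__main__":
    P = status_percentages(SAMPLE)
    for ts, pct in series(P, "Region-25", None):
        print(ts, f"{COLOR_MAP[None]:>10} {pct:5.1f}%  filtered {exaggerate_small(pct):5.1f}")
    print("rising off-share:", rising_off_regions(P))
```

Plotting each `series` per status with its `COLOR_MAP` color reproduces a Linechart-Mode panel for one region; applying `exaggerate_small` to every series before drawing gives the Filtering-5 style view in which a 1-2% purple line is no longer flattened against the axis.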

Next, we looked over Region-26 with RView and found that such machines arise first in Branch-30.
Then we observed Branch-30 with BView (Fig.6).
This view is for obtaining every machine's status in the Branch.
A figure like a gear on the left-hand side stands for each machine in the Branch.
Each gear's color depends on the machine's class: "server" is cyan, "workstation" is purple, and "atm" is light green.
When a gear is selected, more detailed information and status about the machine appear on the right-hand side.
The teeth of the gear and the depth of the spiral's color show the change of PolicyStatus or ActivityFlag over time.
The deeper the color of a tooth or of the inside part, the higher the machine's value at that time.
In the case of no value, the tooth has no height and its color is black.
A whole circle means a day; the latest status is shown at the top of the circle while the oldest is at the center.
In addition, a red line represents the machine's Number of Connections.
Looking at Fig.8, we noticed that on the left-hand side there is one gear with a deep purple pie.

Fig.8 BView(Region-26/Branch-30/IP=172.41.188.35) 7:30 2nd

We chose this gear, checked further in time, and discovered that this terminal had PolicyStatus 5 the whole time from 7:30 on February 2nd (Fig.9).

Fig.9 BView(Region-26/Branch-30/IP=172.41.188.35) 23:45 2nd

Referring to Fig.3, as a fifth anomaly, we can observe two pulse-like shapes colored pale blue in all Regions.
By displaying ActivityFlag 1 to 5 instead of PolicyStatus 1 to 5 with Linechart-Mode in AView, we can see these shapes more clearly (Fig.10).

Fig.10 AView(ActivityFlag) Linechart-Mode at 23:45 3rd