VT-Haeyong-MC1

VAST 2012 Challenge
Mini-Challenge 1: Bank of Money Enterprise: Cyber Situation Awareness

Team Members:

Haeyong Chung, Virginia Tech, chungh@vt.edu PRIMARY

Yong Ju Cho, Virginia Tech, ycho76@vt.edu

Jessica Self, Virginia Tech, jazeitz@vt.edu

Chris North, Virginia Tech, north@cs.vt.edu

Student Team: Yes

Tool(s):

For VAST Mini-Challenge 1 we developed a prototype situation awareness visualization for very large status datasets, designed explicitly for large, high-resolution displays in order to take advantage of both the wide field of view and physical navigation. Its basic visual representation is a Treemap, but each leaf rectangle (a region or branch in this challenge) contains many small shapes, each color-coded by the status of one machine. The prototype consists of the Overview Treemap, which shows the overall data status on the large display, and the Detail Views, which let users interactively examine detailed information on any Treemap region of interest.

Video:

VAST 2012 Challenge.mp4

Answers to Mini-Challenge 1 Questions:

MC 1.1 Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe? 

Our Treemap visualization (6400x5300 pixels) can represent three types of status data from the BoM dataset at a time: policy status, activity flag, and number of connections within each region of BoM. Each online device with a unique IP address within Bank of Money (BoM) is represented by a small square, and each activity flag or policy status value is represented by a unique color, as shown in Figure 1c. Black represents machines that are currently offline.

As of February 2 we observed a number of invalid login attempts (activity flag 3) and additions of new devices (activity flag 5) spread across all regions and throughout the entire timeframe, shown in Figure 1a (orange and red squares respectively). Within the Main Headquarters we clearly saw that some regions, such as HQ and datacenter-4, included many machines in activity states 3 and 5. For policy status, apart from regions 1 and 2, which included a number of offline workstations, we observed several moderate policy deviations (policy status 2) dispersed across all regions and branches at 2pm on February 2 (yellow squares in Figure 1b). These deviations were spread across entire regions and branches, together with more serious policy deviations and patch failures (Figure 1b).

We also found that in regions 5 and 10 most of the machines were constantly suffering from a moderate policy deviation (Figure 1d).

Figure 1. Two views of the Treemap, one for activity flags and one for policy status, each showing the statuses at 14:00 on Feb. 2. Each rectangle represents a different region in BoM.

MC 1.2 Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?

We found a relationship between activity flags 3 and 5 and the total number of connections of a piece of equipment. Regions that included many machines with activity flags 3 and 5 also maintained a greater number of incoming and outgoing connections. Figure 2 shows this relationship: the views on the left represent the status of the main HQ region, including machines with activity flags, and the views on the right show the number of connections in each region on a gray scale, where brighter regions have more connections. We can clearly observe that as the number of machines with activity flags 3 and 5 increases, so does the number of network connections within that region.

Figure 2. Two examples showing the relationship between activity flags 3 and 5 and the number of connections in the main HQ region.

We also found that most of the BoM machines were turned on at strange hours. Although BoM business hours are 7am to 6pm, at 10:45am on 2/2 most of the workstations were still turned off, shown as black regions (Figure 1), and we observed that they were all turned on suddenly around 8pm on 2/2. This is abnormal because the machines are supposed to be online during office hours and offline afterwards, yet many machines were actually turned on after daily working hours. As shown in Figure 3 (20:30 on 2/3), most of the concentrated black regions (representing offline machines) had disappeared by 21:00 and the number of connections increased (the bright regions in the gray Treemap).

Figure 3. All BoM machines come online at the unusual time of 20:30 on 2/3, shown in three different status views.

On the other hand, we found some regions that were still online very early in the morning (around 3 and 4am) on 2/3 and 2/4. For example, many computers in regions 34 and 35 were still online and had active connections at 4am, in contrast to the other branches (Figure 4).

From 12:15 on 2/2 we found a sequence of computers in region 25 being disconnected from the network. In contrast to other regions, all computers in branch 33 went offline at the same time, and the outage then spread to other computers within this region. At 21:15 most of the workstations and servers in this region went offline. This outage continued, and by 2:15 on 2/3 the region clearly showed a different pattern of offline computers from the other regions.

Interestingly, two pairs of regions, 21 and 24, and 25 and 26, were somewhat synchronized in their activity. For example, at 10:15 on 2/2 and 2/3 machines in these regions went online together, and at 21:30 on 2/2 and 2/3 many computers in these regions went offline at the same time.

Figure 4. Suspicious activities of some machines in regions 34 and 35 at 4 am on 2/3 and 2/4.

Analytic process

During our analytic process we preprocessed the data to construct the Treemap and sorted the machines by region and branch, assigning each machine a unique ID based on its location. Our prototype is intended for multiple users working collaboratively: two users place their personal laptops near a large display and start their analyses. We began our analysis by examining interesting changes across the regions and branches using the Overview Treemap on the large wall display. Even though the Treemap supports panning and zooming via mouse movement and the Windows 7 magnifier lens, all users relied on physical navigation to examine it. After discovering specific regions and machines to investigate on the large display, a user returned to their personal laptop and continued the analysis using the Detail View (Figure 5), which lets users interactively examine one part of a region of the Treemap and its detailed data. Users can hover the mouse over the equipment glyphs to quickly browse detailed information. To compare changes across more than two visualizations, we also created videos.

Figure 5. The Detail View of an individual machine from Region 17 at 21:15 on 2/3
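The analysis steps described above (the per-region/branch treemap cells of MC 1.1, the activity-flag-versus-connections relationship and the off-hours and region-outage checks of MC 1.2, and the location-based sorting of the analytic process) can be expressed as a small batch script. The following is an added example and is not the VT team's prototype or the challenge's own data: the record layout (ip, healthtime, numConnections, policystatus, activityflag), the IP-to-location table, the sample rows, and the rule that a machine with no record at a poll time counts as offline are all assumptions made for this example.

```python
"""Added example (not the VT prototype): treemap aggregation and the
MC 1.2 checks, run over constructed status records."""
from collections import Counter, defaultdict
from datetime import datetime, time
import statistics

# Constructed sample rows in an assumed layout modelled on the MC1 status feed:
# (ip, healthtime, numConnections, policystatus, activityflag).
STATUS_ROWS = [
    ("10.1.1.10", "2012-02-02 10:00:00", 12, 1, 1),
    ("10.1.1.11", "2012-02-02 10:00:00", 40, 2, 3),
    ("10.1.2.10", "2012-02-02 10:00:00", 55, 2, 5),
    ("10.2.1.10", "2012-02-02 10:00:00", 8, 1, 1),
    ("10.2.1.11", "2012-02-02 10:00:00", 9, 1, 1),
    ("10.2.2.10", "2012-02-02 10:00:00", 7, 3, 1),
    # 20:30 on 2/2: region-1 reports after hours, region-2 sends nothing (offline)
    ("10.1.1.10", "2012-02-02 20:30:00", 20, 1, 1),
    ("10.1.1.11", "2012-02-02 20:30:00", 61, 2, 3),
    ("10.1.2.10", "2012-02-02 20:30:00", 70, 2, 5),
    # 04:00 on 2/3: one region-1 machine still up with active connections
    ("10.1.2.10", "2012-02-03 04:00:00", 33, 2, 5),
]

# Constructed IP -> (region, branch) table; stands in for the
# location-based preprocessing the write-up describes.
LOCATION = {
    "10.1.1.10": ("region-1", "branch-1"), "10.1.1.11": ("region-1", "branch-1"),
    "10.1.2.10": ("region-1", "branch-2"),
    "10.2.1.10": ("region-2", "branch-1"), "10.2.1.11": ("region-2", "branch-1"),
    "10.2.2.10": ("region-2", "branch-2"),
}
BUSINESS_START, BUSINESS_END = time(7, 0), time(18, 0)   # 7am-6pm, per the write-up
SUSPECT_FLAGS = {3, 5}  # invalid logins / new device, the flags the write-up tracks


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def parse_rows(rows):
    """Attach region/branch to each row and sort by location, so that the
    machines of one branch sit together exactly as one treemap leaf holds them."""
    records = []
    for ip, ts, conns, policy, flag in rows:
        region, branch = LOCATION[ip]
        records.append({"ip": ip, "time": parse_time(ts), "region": region,
                        "branch": branch, "conns": conns, "policy": policy,
                        "flag": flag})
    records.sort(key=lambda r: (r["region"], r["branch"], r["ip"], r["time"]))
    return records


def treemap_cells(records, at, field):
    """One treemap leaf per (region, branch): a Counter of `field` values
    ('flag' or 'policy') at poll time `at`. Machines with no record at `at`
    are counted as 'offline' (the black squares in the write-up)."""
    at = parse_time(at)
    cells, seen = defaultdict(Counter), set()
    for r in records:
        if r["time"] == at:
            cells[(r["region"], r["branch"])][r[field]] += 1
            seen.add(r["ip"])
    for ip, loc in LOCATION.items():
        if ip not in seen:
            cells[loc]["offline"] += 1
    return dict(cells)


def flags_vs_connections(records, at):
    """Per region: (#machines carrying a suspect flag, mean connection count)
    at `at`, the relationship Figure 2 illustrates side by side."""
    at = parse_time(at)
    per_region = defaultdict(list)
    for r in records:
        if r["time"] == at:
            per_region[r["region"]].append(r)
    return {region: (sum(1 for r in rs if r["flag"] in SUSPECT_FLAGS),
                     statistics.mean(r["conns"] for r in rs))
            for region, rs in per_region.items()}


def after_hours_online(records):
    """Machines that report (i.e. are online) outside business hours, with
    their connection count: the 20:30 and 4am observations in the write-up."""
    return [(r["ip"], r["time"].strftime("%m/%d %H:%M"), r["conns"])
            for r in records
            if not (BUSINESS_START <= r["time"].time() < BUSINESS_END)]


def regions_fully_offline(records, at):
    """Regions in which every known machine is missing at `at`, the
    whole-region outage pattern described for region 25."""
    at = parse_time(at)
    online = {r["region"] for r in records if r["time"] == at}
    known = {loc[0] for loc in LOCATION.values()}
    return sorted(known - online)


if __name__ == "__main__":
    recs = parse_rows(STATUS_ROWS)
    print(treemap_cells(recs, "2012-02-02 20:30:00", "flag"))
    print(flags_vs_connections(recs, "2012-02-02 10:00:00"))
    print(after_hours_online(recs))
    print(regions_fully_offline(recs, "2012-02-02 20:30:00"))
```

Each function returns the data one treemap view or one anomaly check is drawn from, so the same aggregation can feed a renderer or a plain report; the offline rule and the 7am-6pm window are the two assumptions to adjust for a real feed.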