Guo Fangzhou, Zhejiang University, State Key Lab of CAD&CG, Visual Analytics Group, guofz1234@gmail.com PRIMARY
Xia Jing, Zhejiang University, State Key Lab of CAD&CG, Visual Analytics Group, summer@gmail.com
Ma Xiaohong, Zhejiang University, State Key Lab of CAD&CG, Visual Analytics Group, xiaohongma.1112@gmail.com
Hou Yumeng, Zhejiang University, State Key Lab of CAD&CG, Visual Analytics Group, junesnow26@gmail.com
Student Team: YES
May we post your submission in the Visual Analytics Benchmark Repository after VAST Challenge 2013 is complete? YES
Video:
Questions
MC3.1 – Provide a timeline (i.e., events organized in chronological order) of the notable events that occur in Big Marketing's computer networks for the two weeks of supplied data. Use all data at your disposal to identify up to twelve events and describe them to the extent possible. Your answer should be no more than 1000 words long and may contain up to twelve images.
Event 1:
Time: 2013-04-01 09:30
Description:
The regular daily rush hour in Big Marketing's computer networks runs approximately from 5:00 to 12:00. At 9:30 on 2013-04-01 this pattern broke: part of the network disappeared. As shown below, the traffic flow of enterprise site 3, whose IP range is 172.30.0.0/16, dropped sharply.
The blue point in the following figure indicates that the connection frequency from 172.10.0.3 to 10.3.1.25 rose abnormally to 500 connections per minute. The phenomenon lasted about 10 hours, from 8:20 to 18:30.
Event 2:
Time: 2013-04-02 05:10
Description:
At 5:10, a huge number of connections suddenly appeared and lasted for around 2 hours, until 7:00. During that time, the traffic flow of ten IPs surged to a high level, as shown below (the destination column did not survive in this copy of the table):
firstSeenSrcIP | firstSeenDestIP | count
172.30.0.4 | | 634561
172.30.0.4 | | 1546889
172.30.0.4 | | 529517
172.30.0.4 | | 1604925
172.30.0.4 | | 1217118
172.30.0.4 | | 1506931
172.30.0.4 | | 1540784
172.30.0.4 | | 1700824
172.30.0.4 | | 1635316
172.30.0.4 | | 489981
Meanwhile, the flows of all other IPs stayed below 100.
Event 3:
Time: 2013-04-02 22:00
Description:
Beginning at 22:00, connections from 172.30.0.3 to 10.3.1.25 accumulated to 4957 within an hour. The burst lasted one hour in all, and the destination port was 25.
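As an added illustration (not part of this submission), the per-minute counting behind a finding like Event 1's 500 connections per minute or the port-25 burst in Event 3, written in Python over constructed NetFlow-style records; the column names are assumed from the VAST 2013 NetFlow CSV and the threshold is a parameter.

```python
# Added example, not code from the submission. Counts flows per minute for each
# (source, destination, destination port) and flags pairs that exceed a rate
# threshold in any minute. Column names (TimeSeconds, firstSeenSrcIp,
# firstSeenDestIp, firstSeenDestPort) are assumed; the records are constructed.
import csv
import io
from collections import Counter

NETFLOW_SAMPLE = "TimeSeconds,firstSeenSrcIp,firstSeenDestIp,firstSeenDestPort\n" + "\n".join(
    # constructed: 600 flows within one minute from 172.10.0.3 to 10.3.1.25:25
    [f"{1364822400 + i // 10},172.10.0.3,10.3.1.25,25" for i in range(600)]
    # constructed: background traffic at 3 flows per minute, well under threshold
    + [f"{1364822400 + i * 20},172.20.0.5,10.6.6.7,80" for i in range(9)]
)

def per_minute_pair_counts(csv_text):
    """Count flows keyed by (minute, src, dst, dstport)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        minute = int(row["TimeSeconds"]) // 60
        key = (minute, row["firstSeenSrcIp"], row["firstSeenDestIp"], row["firstSeenDestPort"])
        counts[key] += 1
    return counts

def flag_high_rate_pairs(csv_text, threshold=500):
    """Return (src, dst, port, minutes_over_threshold, peak_per_minute), highest peak first."""
    counts = per_minute_pair_counts(csv_text)
    per_pair = {}
    for (minute, src, dst, port), n in counts.items():
        if n >= threshold:
            minutes, peak = per_pair.get((src, dst, port), (0, 0))
            per_pair[(src, dst, port)] = (minutes + 1, max(peak, n))
    rows = [(src, dst, port, m, p) for (src, dst, port), (m, p) in per_pair.items()]
    return sorted(rows, key=lambda r: -r[4])

if __name__ == "__main__":
    for src, dst, port, minutes, peak in flag_high_rate_pairs(NETFLOW_SAMPLE):
        print(f"{src} -> {dst}:{port} above threshold for {minutes} min (peak {peak}/min)")
```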
Event 4:
Time: 2013-04-03 11:40
Description:
In the following figure there are two sets of points (red ones and blue ones) aligned radially. These points appeared at 9:30 on 2013-04-03, after the rush hour had started, and disappeared at 11:40, before the rush hour ended. Thus we conclude that this event has nothing to do with the rush hour. The traffic flows of the relevant IPs are shown below:
firstSeenSrcIP | firstSeenDestIP | count
172.30.0.4 | 10.11.106.5 | 1378106
172.30.0.4 | 10.14.107.115 | 1035565
172.20.0.15 | 10.15.7.85 | 828848
172.30.0.4 | 10.89.54.12 | 815631
172.20.0.4 | 10.0.0.42 | 811575
172.20.0.4 | 10.10.11.102 | 804973
172.20.0.4 | 10.12.14.15 | 794309
172.20.0.15 | 10.70.68.127 | 769503
172.30.0.4 | 10.10.11.15 | 765753
172.20.0.15 | 10.250.178.101 | 757405
172.30.0.4 | 10.97.34.66 | 749784
172.30.0.4 | 10.47.56.7 | 693396
172.30.0.4 | 10.206.5.2 | 692292
172.20.0.4 | 10.200.20.2 | 668135
172.30.0.4 | 10.9.81.5 | 663098
172.20.0.4 | 10.17.15.10 | 648937
172.20.0.15 | 10.6.6.7 | 577639
172.30.0.4 | 10.47.55.6 | 572401
72.20.0.15 | 10.12.15.152 | 485643
172.30.0.4 | 10.98.107.5 | 130260
10.11.106.5 | 172.30.0.4 | 57701
10.14.107.115 | 172.30.0.4 | 47721
10.89.54.12 | 172.30.0.4 | 41667
10.0.0.42 | 172.20.0.4 | 39193
10.10.11.102 | 172.20.0.4 | 38225
10.10.11.15 | 172.30.0.4 | 37195
10.12.14.15 | 172.20.0.4 | 37077
10.15.7.85 | 172.20.0.15 | 35769
10.97.34.66 | 172.30.0.4 | 34870
10.70.68.127 | 172.20.0.15 | 34233
10.206.5.2 | 172.30.0.4 | 32471
10.250.178.101 | 172.20.0.15 | 32437
10.47.56.7 | 172.30.0.4 | 32339
10.200.20.2 | 172.20.0.4 | 31846
10.9.81.5 | 172.30.0.4 | 31807
10.17.15.10 | 172.20.0.4 | 27838
10.47.55.6 | 172.30.0.4 | 25854
10.6.6.7 | 172.20.0.15 | 23264
10.12.15.152 | 172.20.0.15 | 22195
Event 5:
Time: 2013-04-04 22:00
Description:
Massive connections from 172.30.0.3 to 10.3.1.25 appeared.
It lasted for 1 hour in all and the destination port was 25.
Event 6:
Time: 2013-04-06 22:00
Description:
Massive connections from the external IP address 10.3.1.25 to the internal IP addresses 172.30.0.3 and 172.10.0.3 appeared (represented by two blue points). They lasted for one hour.
Event 7:
Time: 2013-04-10 12:20
Description:
The traffic flow from three external IP addresses to internal ones (represented by red points) was huge; the three addresses are 10.13.77.49, 10.138.235.111 and 10.6.6.7. At 12:50, most of the points disappeared except these three. By 17:20, all red points were gone. The Table of IPS View makes it obvious that every record for these three IPs indicates rejection.
Event 8:
Time: 2013-04-11 11:30
Description:
A large number of red points appeared at 11:30 and lasted for two hours. The Table of IPS View indicates that the requests from 10.6.6.7 and 10.12.15.152 were denied.
firstSeenSrcIP | firstSeenDestIP | count
10.138.214.18 | 172.20.0.15 | 705930
10.156.165.120 | 172.30.0.4 | 701894
10.15.7.85 | 172.30.0.4 | 679994
10.170.32.110 | 172.20.0.15 | 679974
10.138.235.111 | 172.30.0.4 | 673823
10.10.11.102 | 172.20.0.4 | 668052
10.170.32.181 | 172.20.0.4 | 666879
10.200.20.2 | 172.30.0.4 | 657973
10.13.77.49 | 172.30.0.4 | 651377
10.0.0.42 | 172.30.0.4 | 647550
10.247.106.27 | 172.20.0.4 | 637443
10.70.68.127 | 172.30.0.4 | 629447
10.78.100.150 | 172.10.0.4 | 600777
10.250.178.101 | 172.30.0.4 | 550573
10.247.58.182 | 172.10.0.4 | 528123
10.38.217.48 | 172.10.0.4 | 506362
10.17.15.10 | 172.20.0.15 | 462738
10.12.15.152 | 172.20.0.15 | 409288
10.12.14.15 | 172.10.0.4 | 380061
10.6.6.7 | 172.10.0.4 | 255756
172.10.0.4 | 10.247.58.182 | 12073
172.10.0.4 | 10.78.100.150 | 10902
Among the IPS data there are many records showing that requests from 10.17.15.10 and 10.12.15.152 were denied.
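As an added illustration (not part of this submission), the tally behind the "most of whose states are deny" reasoning used for Events 7 and 8: per external source, the share of IPS records that are Deny versus Built/Teardown, written in Python over constructed IPS-style records; the column names (dateTime, operation, srcIP, destIP) are assumed from the VAST 2013 IPS CSV.

```python
# Added example, not code from the submission. Tallies IPS operations per source
# IP and flags sources whose records are mostly Deny, subject to a minimum record
# count so that a single denied probe is not flagged. Column names are assumed;
# the records are constructed.
import csv
import io
from collections import defaultdict

IPS_SAMPLE = "dateTime,operation,srcIP,destIP\n" + "\n".join(
    # constructed: one source almost always denied, another with normal sessions
    [f"2013-04-11 11:3{i % 10},Deny,10.6.6.7,172.10.0.4" for i in range(40)]
    + [f"2013-04-11 11:3{i % 10},Built,10.6.6.7,172.10.0.4" for i in range(2)]
    + [f"2013-04-11 11:3{i % 10},Built,10.1.0.100,172.20.1.81" for i in range(30)]
    + [f"2013-04-11 11:3{i % 10},Teardown,10.1.0.100,172.20.1.81" for i in range(30)]
    + ["2013-04-11 11:35,Deny,10.1.0.100,172.20.1.81"]
)

def operation_tally(csv_text):
    """Per source IP: mapping of lower-cased operation -> number of records."""
    tally = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        tally[row["srcIP"]][row["operation"].lower()] += 1
    return tally

def suspicious_sources(csv_text, min_records=20, min_deny_ratio=0.5):
    """Sources with at least min_records whose Deny share is at least min_deny_ratio."""
    flagged = []
    for src, ops in operation_tally(csv_text).items():
        total = sum(ops.values())
        ratio = ops.get("deny", 0) / total
        if total >= min_records and ratio >= min_deny_ratio:
            flagged.append((src, total, round(ratio, 3)))
    return sorted(flagged, key=lambda r: -r[2])

if __name__ == "__main__":
    for src, total, ratio in suspicious_sources(IPS_SAMPLE):
        print(f"{src}: {total} IPS records, deny share {ratio:.1%}")
```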
Event 9:
Time: 2013-04-13 05:40
Description:
Three marked red points appeared at 05:40 and disappeared at 23:40; during that period the external IP addresses 10.17.15.10, 10.12.15.152 and 10.1.0.100 communicated with internal ones. Statistics are shown below:
firstSeenSrcIP | firstSeenDestIP | count
10.17.15.10 | 172.10.0.2 | 11378
10.12.15.152 | 172.10.0.7 | 11100
10.12.15.152 | 172.10.0.8 | 11077
10.12.15.152 | 172.10.0.4 | 11074
10.12.15.152 | 172.10.0.9 | 11053
10.12.15.152 | 172.10.0.5 | 11033
10.12.15.152 | 172.20.0.6 | 11030
172.30.1.218 | 10.1.0.100 | 5282
172.20.1.81 | 10.1.0.100 | 5281
172.10.2.135 | 10.1.0.100 | 5280
172.10.2.66 | 10.1.0.100 | 5280
172.20.1.23 | 10.1.0.100 | 5280
172.30.1.223 | 10.1.0.100 | 5280
172.10.2.106 | 10.1.0.100 | 5279
172.20.1.47 | 10.1.0.100 | 5279
172.20.0.3 | 10.3.1.25 | 1250
10.17.15.10 | 172.10.0.9 | 1144
10.17.15.10 | 172.10.0.7 | 1143
10.17.15.10 | 172.10.0.8 | 1143
10.17.15.10 | 172.10.0.5 | 1141
10.17.15.10 | 172.20.0.6 | 1136
10.17.15.10 | 172.10.0.3 | 1102
10.17.15.10 | 172.10.0.4 | 1099
10.12.15.152 | 172.10.0.3 | 910
10.12.15.152 | 172.10.0.40 | 494
10.17.15.10 | 172.10.0.40 | 446
172.10.0.3 | 10.3.1.25 | 428
Event 10:
Time: 2013-04-13 07:20
Description:
Until 8:30, the external IP 10.1.0.100 was in connection with internal ones. In the Table of IPS View there was a great deal of information about 10.1.0.100 and the connected internal IP addresses, restricted to two classes: built and teardown.
Event 11:
Time: 2013-04-13 23:10
Description:
The figure below shows the pattern that appears at the beginning of the rush hour. At 23:10 on 2013-04-13 this pattern appeared, followed by communication between internal and external hosts on enterprise site 1. The communication did not disappear until 1:30 on 04-14.
MC3.2 – Speculate on one or more narratives that describe the events on the network. Provide a list of analytic hypotheses and/or unanswered questions about the notable events. In other words, if you were to hand off your timeline to an analyst who will conduct further investigation, what confirmations and/or answers would you like to see in their report back to you? Your answer should be no more than 300 words long and may contain up to three additional images.
Event 1:
It is possible that after the rush hour began on 1 April, Big Brother closed the subnet 172.30.0.0/16 for server maintenance or because of external attacks, which resulted in the sharp decrease in the subnet's external communication.
Event 2:
Chances are that before the rush hour on 2 April, namely from 5:00 to 7:00, the web browser at address 172.30.0.4 was attacked, possibly by a DoS attack.
Event 3:
At around 9:30 on 3 April, Big Brother suffered a DoS attack again.
Event 7:
According to the Time of Traffic View, at 12:20 on 10 April the flow of external IP addresses grew suddenly, while in the Traffic Snapshot View we find that only three external IP addresses were communicating. They are frequently recorded in the IPS data, and most of those records have the state deny. Thus we conclude that this was an abnormal condition, possibly a DoS attack.
MC3.3 – Describe the role that your visual analytics played in enabling discovery of the notable events in MC3.1. Describe whether your visual analytics play a role in formulating the questions in MC3.2. Your answer should be no more than 300 words long and may contain up to three additional images.
During the discovery of the network events we applied several visualization methods. First, we used an overview to position the events initially and to locate the time points of abnormal conditions individually. The overview shows the sequential changes of the overall traffic flow as well as the changes in individual flows. Then we visualized the communication between different IPs to locate the events accurately and to find the relevant abnormal IPs efficiently.
Hence, with our method we were able to find the trends, patterns and abnormal conditions in the network.
As in the section on MC3.2, we used the visual analytics system as an auxiliary tool to find and describe the events that happened in the network. The trend of the overall traffic flow, its changes and distributions, the discovery of abnormal IPs and the network health condition, together with the intrusion protection system data, illustrate most of the traits of the events. This makes it easier for an analyst to locate them.