Learn how NTE application processed data, identified anomalies, and visualized unusual patterns for VAST Challenge. Explore abnormal activities and communication incidents using NTE's unique features.
IEEE VAST Challenge 2009
Presented by Grant Vandenberghe (TEAM DRDC)
Grant.Vandenberghe@drdc-rddc.gc.ca
Introduction
The solutions to these challenges were produced using an application called the Network Traffic Explorer (NTE), originally presented at VizSec 2008. The NTE provides an application front-end for a large library of packet analysis and graph drawing tools. The NTE allows the user to write short scripts to produce a wide variety of diagrams. The solutions to the VAST challenges were produced using a series of custom scripts written specifically to solve them.
(Architecture diagram layers: NTE Application Front End; Packet Analysis Library; Graph Drawing Library; MATLAB.)
Mini-challenge #1 – Badge and Network Traffic
The following steps were followed to process the data:
1. Load data into MATLAB. Time strings (YYYY/MM/DD@hh:mm:ss) are converted to a real numeric value; IP addresses are converted to integer values.
2. Convert data into a meaningful data format.
3. Sanitize proximity data. Code was created to compensate for double badging, piggybacking, double entry / double exit, and end-of-day events.
4. Transfer the VAST data into NTE data structures (VAST data -> NTE standard session data structure).
5. Associate physical space with employee ID.
6. Run data queries to detect abnormal activity.
7. Plot the result.
Sanitizing Notes Although the challenge instructions indicated that “employees are required to prox into and out of the restricted area” - this did not prove to be true. For example, Employees 38 and 49 entered the classified room twice without leaving it. At several different instances Employee 30 left the secret room without entering it. Although employees do not badge out of the building, it is assumed they leave the building 10 minutes after the last activity of the day. In cases where the employee leaves for lunch the last activity prior to lunch is used. The following employees piggybacked into the building: 0,7,8,13,27,36,37,38,39,48,49,50,51,54,55,58, and 59. There is a small amount of time skewing between the proximity and session traffic. It is assumed that sessions starting a minute after entering the secret room are associated with time skewing.
Hypothesis – Employees Should Only Be In One Place At Once
After carefully reviewing the data it was noted that there are instances where an employee's computer was starting outgoing sessions while the employee was in the secret room. This event is assumed to be significant since the employees' computers do not transmit data after the end of the day. (Note: in real life the software installed on the user's box will call home for a variety of reasons, both legitimate and otherwise.)
Locations Of Abnormal Activity The NTE freedraw function allows the user to overlay vertices on top of a gif/jpeg image. The red dots on the diagram indicate the location of abnormal activities. As can be clearly seen the activity does not have an obvious pattern.
Layered Timeline Plot
The layered timeline function allows the overlay of multiple time events on a GANTT chart. Zooming in exposes the details. The green line indicates an active session while the employee was inside the classified room (purple bar).
Unusual Communication Patterns
The layered timeline plot shows several events where an employee was both in the classified room and starting new sessions at his desk. Shown below is a list of anomalies.
User 15's computer at (2008/1/31@13:10)
User 16's computer at (2008/1/10@16:01)
User 16's computer at (2008/1/15@16:14)
User 30's computer at (2008/1/24@08:06) ???? Does not look like others
User 31's computer at (2008/1/10@14:27)
User 41's computer at (2008/1/17@12:12)
User 41's computer at (2008/1/29@16:08)
User 52's computer at (2008/1/31@09:41)
User 56's computer at (2008/1/29@15:41)
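The load, sanitize and query steps of Mini-challenge #1, carried through as an added example in Python (the challenge itself was solved with MATLAB scripts inside the NTE; this is not that code). It assumes proximity records arrive as (employee, time, event) tuples, that the last octet of a desk IP is the employee id (the page lists desk addresses of the form 37.170.100.<user>), and that a classified-room visit with no matching exit ends 10 minutes after the employee's last activity of the day, the same rule the page applies to leaving the building. The prox log and session list are constructed samples.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d@%H:%M:%S"            # the challenge's YYYY/MM/DD@hh:mm:ss format
END_OF_DAY_GRACE = timedelta(minutes=10)  # page: employee leaves 10 min after last activity
SKEW_TOLERANCE = timedelta(seconds=60)    # page: a session within a minute of entry is skew

def parse_time(s):
    """Convert a YYYY/MM/DD@hh:mm:ss string to a datetime."""
    return datetime.strptime(s, TIME_FMT)

def ip_to_int(ip):
    """Dotted-quad IPv4 string to integer, as the MATLAB load step does."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def build_room_intervals(prox_log):
    """Turn classified-room prox events into {employee: [(enter, leave), ...]}.

    Rows are (employee, time string, event). Events other than
    'in-classified' / 'out-classified' only count as activity for the
    end-of-day rule. Sanitizing: a second entry without an exit (double
    entry) keeps the first entry; an exit with no open entry is dropped;
    an entry never closed is closed END_OF_DAY_GRACE after the employee's
    last activity that day (assumption, mirrors the page's building rule).
    Also returns (employee, time, note) for every special-cased record.
    """
    rows = sorted((e, parse_time(t), ev) for e, t, ev in prox_log)
    intervals, notes, open_entry, last_activity = {}, [], {}, {}

    def close_at_end_of_day(emp):
        enter = open_entry.pop(emp)
        leave = last_activity[(emp, enter.date())] + END_OF_DAY_GRACE
        intervals.setdefault(emp, []).append((enter, leave))
        notes.append((emp, enter, "no exit; closed at end of day"))

    for emp, t, ev in rows:
        if emp in open_entry and open_entry[emp].date() != t.date():
            close_at_end_of_day(emp)          # visit left open on an earlier day
        last_activity[(emp, t.date())] = t
        if ev == "in-classified":
            if emp in open_entry:
                notes.append((emp, t, "double entry; kept first entry"))
            else:
                open_entry[emp] = t
        elif ev == "out-classified":
            if emp in open_entry:
                intervals.setdefault(emp, []).append((open_entry.pop(emp), t))
            else:
                notes.append((emp, t, "exit without entry; dropped"))
    for emp in list(open_entry):
        close_at_end_of_day(emp)
    return intervals, notes

def desk_owner(client_ip):
    """Assumption for this example: the last octet of a desk IP is the employee id."""
    return int(client_ip.rsplit(".", 1)[1])

def sessions_started_from_inside(sessions, intervals):
    """Sessions whose start falls inside the owner's classified-room visit.
    Starts within SKEW_TOLERANCE of the entry are ignored (time-skew rule)."""
    hits = []
    for client_ip, start_str in sessions:
        emp, start = desk_owner(client_ip), parse_time(start_str)
        for enter, leave in intervals.get(emp, []):
            if enter + SKEW_TOLERANCE <= start <= leave:
                hits.append((emp, client_ip, start))
    return hits

PROX_LOG = [  # constructed sample, not the challenge data
    (16, "2008/01/10@08:02:11", "in-building"),
    (16, "2008/01/10@15:58:40", "in-classified"),
    (16, "2008/01/10@16:20:05", "out-classified"),
    (30, "2008/01/24@07:55:00", "in-building"),
    (30, "2008/01/24@09:10:00", "out-classified"),  # exit without entry
    (38, "2008/01/14@09:00:00", "in-classified"),
    (38, "2008/01/14@09:30:00", "in-classified"),   # double entry
    (38, "2008/01/14@10:00:00", "out-classified"),
    (49, "2008/01/14@08:10:00", "in-building"),
    (49, "2008/01/14@16:30:00", "in-classified"),   # never badges out
]
SESSIONS = [  # (client IP, session start), constructed sample
    ("37.170.100.16", "2008/01/10@15:59:10"),  # 30 s after entry: skew, ignored
    ("37.170.100.16", "2008/01/10@16:01:53"),  # inside the visit: anomaly
    ("37.170.100.16", "2008/01/10@16:25:00"),  # after leaving: normal
    ("37.170.100.38", "2008/01/14@09:45:00"),  # inside (double entry kept): anomaly
    ("37.170.100.49", "2008/01/14@16:38:00"),  # before the assumed 16:40 departure: anomaly
    ("37.170.100.49", "2008/01/14@16:50:00"),  # after the assumed departure: normal
]

if __name__ == "__main__":
    ivals, notes = build_room_intervals(PROX_LOG)
    for n in notes:
        print("sanitizer:", n)
    for emp, ip, start in sessions_started_from_inside(SESSIONS, ivals):
        print(f"employee {emp} was in the classified room when {ip} started a session at {start}")
```

The sanitizer reports every record it had to special-case rather than silently fixing it, so the analyst can see which employees' badge data is unreliable (the page's employees 30, 38 and 49 are the motivating cases) before trusting the anomaly list built on top of it.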
Using the NTE to Dig Into The Dataset
The NTE application front end takes user input through a GUI interface and then both displays and runs the command on the background library. Using the NTE reporting tools it was found that most anomalous sessions sent large volumes of information to 1 IP address.
(Screenshot: NTE main GUI)

print_session_summary_ev(SSN_SUM,'ALL','CLIENT_IP=37.170.100.16&SSN_START_TIME>2008/1/15@16:05:00&SSN_START_TIME<2008/1/15@16:20:00');
ID=53950 2008-01-15 16:14:34.563000 Dur=35.094373 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6773214> 24661< No_FIN_RST

By querying this IP address we found even more similar activity.

BAD_SSN_NUM=print_session_summary_ev(SSN_SUM,'ALL','SERVER_IP=100.59.151.133');
ID=26896 2008-01-08 17:01:33.001000 Dur=46.060503 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8889677> 12223< No_FIN_RST
ID=36424 2008-01-10 14:27:12.238000 Dur=33.902674 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6543216> 22315< No_FIN_RST
ID=37370 2008-01-10 16:01:53.956000 Dur=44.264896 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8543125> 12312< No_FIN_RST
ID=53950 2008-01-15 16:14:34.563000 Dur=35.094373 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6773214> 24661< No_FIN_RST
ID=54444 2008-01-15 17:03:29.342000 Dur=49.291777 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9513313> 14324< No_FIN_RST
ID=62646 2008-01-17 12:12:10.990000 Dur=19.062808 37.170.100.41:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=3679122> 24423< No_FIN_RST
ID=65499 2008-01-17 17:57:19.341000 Dur=30.432881 37.170.100.18:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5873546> 25234< No_FIN_RST
ID=72065 2008-01-22 08:50:21.894000 Dur=51.732218 37.170.100.13:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9984318> 42231< No_FIN_RST
ID=76928 2008-01-22 17:41:55.862000 Dur=45.976596 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8873483> 16778< No_FIN_RST
ID=83558 2008-01-24 09:46:34.452000 Dur=40.546378 37.170.100.10:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=7825451> 23783< No_FIN_RST
ID=83854 2008-01-24 10:26:31.321000 Dur=28.661523 37.170.100.32:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5531674> 22479< No_FIN_RST
ID=87501 2008-01-24 17:07:34.775000 Dur=50.427031 37.170.100.20:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9732417> 42347< No_FIN_RST
ID=103076 2008-01-29 15:41:32.763000 Dur=51.941731 37.170.100.56:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=10024754> 29565< No_FIN_RST
ID=103358 2008-01-29 16:08:10.892000 Dur=34.985554 37.170.100.41:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6752212> 57865< No_FIN_RST
ID=103689 2008-01-29 16:38:06.553000 Dur=40.227446 37.170.100.20:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=7763897> 54565< No_FIN_RST
ID=110381 2008-01-31 09:41:03.815000 Dur=28.908492 37.170.100.52:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5579339> 22147< No_FIN_RST
ID=112400 2008-01-31 13:10:23.841000 Dur=46.967461 37.170.100.15:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9064720> 11238< No_FIN_RST
ID=113945 2008-01-31 16:02:44.572000 Dur=70.918689 37.170.100.8:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=13687307> 485421< No_FIN_RST
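A parser for the print_session_summary_ev output format shown above, with the two checks the text applies by eye: which server receives the most outbound bytes, and which sessions push a large volume out with little coming back. This is an added example, not NTE code; the regular expression is written from the field layout visible in the printed lines, not from any NTE documentation. The four 100.59.151.133 lines are copied from the page; the two 10.0.0.5 lines are constructed benign web fetches for contrast, and the 1 MB / 50:1 thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of one printed line, as it appears on the page:
# ID=<id> <date> <time> Dur=<s> <client>:<port> > <server>:<port> <proto> Pkts=<out>> <in>< Bytes=<out>> <in>< <flags>
SSN_RE = re.compile(
    r"ID=(?P<id>\d+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Dur=(?P<dur>[\d.]+)\s+"
    r"(?P<cip>[\d.]+):(?P<cport>\d+)\s+>\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+(?P<proto>\w+)\s+"
    r"Pkts=(?P<pout>\d+)>\s+(?P<pin>\d+)<\s+Bytes=(?P<bout>\d+)>\s+(?P<bin>\d+)<\s*(?P<flags>\S*)"
)

def parse_session(line):
    """Parse one summary line into a dict; raise ValueError on a line that does not match."""
    m = SSN_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    d = m.groupdict()
    return {
        "id": int(d["id"]),
        "start": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "dur": float(d["dur"]),
        "client": d["cip"], "server": d["sip"], "sport": int(d["sport"]),
        "proto": d["proto"],
        "pkts_out": int(d["pout"]), "pkts_in": int(d["pin"]),
        "bytes_out": int(d["bout"]), "bytes_in": int(d["bin"]),
        "flags": d["flags"],
    }

def parse_summary(text):
    """Parse a whole block of printed output, skipping blank lines."""
    return [parse_session(line) for line in text.splitlines() if line.strip()]

def outbound_by_server(sessions):
    """Total bytes sent to each server IP, largest first: (server, bytes_out, session count)."""
    totals, counts = defaultdict(int), defaultdict(int)
    for s in sessions:
        totals[s["server"]] += s["bytes_out"]
        counts[s["server"]] += 1
    return sorted(((ip, totals[ip], counts[ip]) for ip in totals), key=lambda r: -r[1])

def flag_extrusion(sessions, min_bytes_out=1_000_000, min_ratio=50):
    """Sessions that send a large volume out and get little back.
    The thresholds are assumptions for this example, not values from the page."""
    return [s for s in sessions
            if s["bytes_out"] >= min_bytes_out
            and s["bytes_out"] >= min_ratio * max(s["bytes_in"], 1)]

# Four lines copied from the page's query output, plus two constructed
# benign sessions to 10.0.0.5 (small outbound, larger inbound).
SAMPLE = """\
ID=26896 2008-01-08 17:01:33.001000 Dur=46.060503 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8889677> 12223< No_FIN_RST
ID=36424 2008-01-10 14:27:12.238000 Dur=33.902674 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6543216> 22315< No_FIN_RST
ID=37370 2008-01-10 16:01:53.956000 Dur=44.264896 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8543125> 12312< No_FIN_RST
ID=53950 2008-01-15 16:14:34.563000 Dur=35.094373 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6773214> 24661< No_FIN_RST
ID=90001 2008-01-08 09:15:02.000000 Dur=3.2 37.170.100.16:0 > 10.0.0.5:80 tcp Pkts=0> 1< Bytes=1523> 48211< No_FIN_RST
ID=90002 2008-01-08 09:20:00.000000 Dur=1.1 37.170.100.31:0 > 10.0.0.5:80 tcp Pkts=0> 1< Bytes=980> 21000< No_FIN_RST
"""

if __name__ == "__main__":
    sessions = parse_summary(SAMPLE)
    for ip, total, n in outbound_by_server(sessions):
        print(f"{ip:>16}  {total:>10} bytes out in {n} sessions")
    for s in flag_extrusion(sessions):
        print(f"ID={s['id']} {s['client']} -> {s['server']}:{s['sport']} "
              f"out={s['bytes_out']} in={s['bytes_in']} ratio={s['bytes_out'] // max(s['bytes_in'], 1)}")
```

Aggregating by server before looking at individual sessions is what turns a list of odd sessions into the single-destination pattern the page reports; the ratio check is what separates a bulk upload from an ordinary download that happens to be large.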
Who Has No Alibi?
• Using a combination of MATLAB “numeric-set” filters and data queries, unavailable employees were discovered.
• The red dots on the diagram indicate that when the data extrusion activity occurred the employee was:
  • Not in the building
  • Inside the classified room
  • At their desk using the network (within the last 60 seconds)
(The clusters of boxes indicate that all employees have an alibi for more than one event.)
Root Cause of Anomaly If the attack was triggered by a person then it should be possible to spot any employee with the opportunity to start the session. From the timing of the events however all the employees have an alibi for more than one event. This looks more like some type of malware is being used to extrude the data from the network.
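The alibi test from the two slides above, as an added example (not the MATLAB numeric-set filters used for the challenge). For each extrusion event it applies the page's three alibi conditions to every employee, lists who had the opportunity, and intersects those sets across events; an empty intersection is the situation the page describes, where every employee has an alibi for more than one event and a single human operator does not fit. Presence intervals and desk-session times are constructed; the event times are taken from the page's anomaly list.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d@%H:%M:%S"
NETWORK_WINDOW = timedelta(seconds=60)  # page: at their desk using the network within the last 60 s

def t(s):
    return datetime.strptime(s, TIME_FMT)

def span(a, b):
    return (t(a), t(b))

def workday(day):
    """Constructed building presence for one day (YYYY/MM/DD)."""
    return span(f"{day}@08:00:00", f"{day}@17:30:00")

def in_any(when, spans):
    return any(a <= when <= b for a, b in spans)

def alibi_for(emp, when, presence):
    """The reason this employee could not have started a session at `when`,
    or None if they had the opportunity. presence[emp] holds 'building' and
    'classified' intervals and 'network' desk-session start times."""
    p = presence[emp]
    if not in_any(when, p["building"]):
        return "not in building"
    if in_any(when, p["classified"]):
        return "inside classified room"
    if any(timedelta(0) <= when - s <= NETWORK_WINDOW for s in p["network"]):
        return "at desk using the network"
    return None

def suspects_per_event(events, presence):
    """Employees with no alibi, per event: {event time: {employee, ...}}."""
    return {ev: {e for e in presence if alibi_for(e, ev, presence) is None} for ev in events}

def common_suspects(events, presence):
    """Employees with the opportunity at every event; empty if no single person fits."""
    per_event = list(suspects_per_event(events, presence).values())
    return set.intersection(*per_event) if per_event else set()

def alibi_counts(events, presence):
    """How many of the events each employee has an alibi for."""
    return {e: sum(alibi_for(e, ev, presence) is not None for ev in events) for e in presence}

EVENTS = [t("2008/01/10@16:01:53"), t("2008/01/17@12:12:10"), t("2008/01/31@13:10:23")]
PRESENCE = {  # constructed, not the challenge data
    15: {"building": [workday("2008/01/10"), workday("2008/01/17"), workday("2008/01/31")],
         "classified": [span("2008/01/10@16:00:00", "2008/01/10@16:30:00")],
         "network": [t("2008/01/17@12:11:40")]},
    16: {"building": [workday("2008/01/17"), workday("2008/01/31")],   # absent on 01/10
         "classified": [span("2008/01/17@12:00:00", "2008/01/17@12:40:00")],
         "network": []},
    30: {"building": [workday("2008/01/10"), workday("2008/01/31")],   # absent on 01/17
         "classified": [],
         "network": [t("2008/01/31@13:09:50")]},
    41: {"building": [workday("2008/01/10"), workday("2008/01/17"), workday("2008/01/31")],
         "classified": [span("2008/01/31@13:00:00", "2008/01/31@13:30:00")],
         "network": [t("2008/01/10@16:01:30")]},
}

if __name__ == "__main__":
    for ev, who in suspects_per_event(EVENTS, PRESENCE).items():
        print(ev, "no alibi:", sorted(who))
    print("alibis per employee:", alibi_counts(EVENTS, PRESENCE))
    print("opportunity at every event:", common_suspects(EVENTS, PRESENCE) or "nobody")
```

The order of the three checks matters: building presence is tested first because the other two conditions only make sense for someone on site, and the network check uses a one-sided window (activity up to 60 seconds before the event, never after) so that the suspicious session itself cannot serve as its own alibi.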
Answers to Mini Challenge 1
MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.

TIME                     Source IP       Target IP        Outbound Bytes  Inbound Bytes
2008-01-08 17:01:33.001  37.170.100.31   100.59.151.133   8889677         12223
2008-01-10 14:27:12.238  37.170.100.31   100.59.151.133   6543216         22315
2008-01-10 16:01:53.956  37.170.100.16   100.59.151.133   8543125         12312
2008-01-15 16:14:34.563  37.170.100.16   100.59.151.133   6773214         24661
2008-01-15 17:03:29.342  37.170.100.31   100.59.151.133   9513313         14324
2008-01-17 12:12:10.990  37.170.100.41   100.59.151.133   3679122         24423
2008-01-17 17:57:19.341  37.170.100.18   100.59.151.133   5873546         25234
2008-01-22 08:50:21.894  37.170.100.13   100.59.151.133   9984318         42231
2008-01-22 17:41:55.862  37.170.100.16   100.59.151.133   8873483         16778
2008-01-24 09:46:34.452  37.170.100.10   100.59.151.133   7825451         23783
2008-01-24 10:26:31.321  37.170.100.32   100.59.151.133   5531674         22479
2008-01-24 17:07:34.775  37.170.100.20   100.59.151.133   9732417         42347
2008-01-29 15:41:32.763  37.170.100.56   100.59.151.133   10024754        29565
2008-01-29 16:08:10.892  37.170.100.41   100.59.151.133   6752212         57865
2008-01-29 16:38:06.553  37.170.100.20   100.59.151.133   7763897         54565
2008-01-31 09:41:03.815  37.170.100.52   100.59.151.133   5579339         22147
2008-01-31 13:10:23.841  37.170.100.15   100.59.151.133   9064720         11238
2008-01-31 16:02:44.572  37.170.100.8    100.59.151.133   13687307        485421

MC1.2: Characterize the patterns of behavior of suspicious computer use.
Large sessions are sent after an employee leaves their desk. Packets are sent to a single external IP address.
Mini-Challenge 2 Social and Geospatial
The NTE has a large library of function calls that were leveraged to produce the social network diagrams. In this solution the graph data query engine, the layout algorithms and plotting routines were used to produce the diagrams. In this case the tools can plot about 400 devices; however, since the social network was so large, the tools could only plot a subset of the data.
Solution Process
1. Import the raw data.
2. Store node-to-node data into the NTE graph query structure.
3. Find all potential middle men (Boris).
4. Check if there is a potential leader and 3 handlers on each middle man.
5. Check if the three handlers share a common employee and do not talk directly to one another.
6. Grab links related to the employee/leader/Boris/handlers.
7. Send the selected graph data to the plotting engine.
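Steps 3 to 5 of the solution process as an added example in plain Python over adjacency sets (the challenge solution used the NTE graph query engine; this is not that code). For every candidate middleman it looks for a leader among his contacts, three other contacts who do not talk to one another, and an employee they all share, then uses a breadth-first search to answer the MC2.1 / MC2.3 question of whether the employee reaches the leader more directly. The contact-count thresholds that pick out middleman and leader candidates are assumptions of this example, and the contact graph is constructed: one structure that passes every check, one decoy whose handlers talk to each other, and a shortcut from the employee's circle to the leader.

```python
from collections import deque
from itertools import combinations

def build_graph(edges):
    """Undirected adjacency sets from (a, b) contact pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def find_structures(adj, max_middleman_contacts=5, min_leader_contacts=20):
    """Apply the page's checks to every candidate middleman ("Boris"):
    a leader among his contacts, three other contacts (handlers) who do not
    talk to one another, and a common contact of all three (the employee).
    The contact-count thresholds are assumptions for this example."""
    found = []
    for boris, contacts in adj.items():
        if len(contacts) > max_middleman_contacts:
            continue
        for leader in (c for c in contacts if len(adj[c]) >= min_leader_contacts):
            others = contacts - {leader}
            for handlers in combinations(sorted(others), 3):
                if any(b in adj[a] for a, b in combinations(handlers, 2)):
                    continue  # two handlers talk directly: reject this triple
                shared = set.intersection(*(adj[h] for h in handlers)) - {boris, leader}
                for employee in sorted(shared):
                    found.append({"employee": employee, "handlers": handlers,
                                  "middleman": boris, "leader": leader})
    return found

def shortest_path(adj, src, dst):
    """BFS path from src to dst (None if unreachable); neighbours are visited in sorted order."""
    prev = {src: None}
    queue = deque([src])
    while queue and dst not in prev:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

# Constructed contact list, not the challenge's Flitter data.
EDGES = (
    [("E", h) for h in ("H1", "H2", "H3")]        # employee talks to three handlers
    + [("E", f) for f in ("e1", "e2", "e3")]       # and to some ordinary contacts
    + [(h, "M") for h in ("H1", "H2", "H3")]        # each handler talks to the middleman
    + [("M", "L")]                                  # middleman talks to the leader
    + [("L", f"l{i}") for i in range(20)]           # leader has many contacts
    + [("e1", "L")]                                 # a shortcut from the employee's circle to the leader
    + [("E2", h) for h in ("H4", "H5", "H6")]       # decoy with the same shape ...
    + [(h, "M2") for h in ("H4", "H5", "H6")] + [("M2", "L")]
    + [("H4", "H5")]                                # ... but two of its handlers talk directly
)

if __name__ == "__main__":
    graph = build_graph(EDGES)
    for s in find_structures(graph):
        print("structure:", s)
        print("employee -> leader via handlers:", shortest_path(graph, s["handlers"][0], s["leader"]))
        print("employee -> leader, shortest:", shortest_path(graph, s["employee"], s["leader"]))
```

Rejecting a triple of handlers as soon as two of them are in contact is the check that stops ordinary tightly knit groups of friends from matching; the decoy in the sample passes every other test and is eliminated by that condition alone. Comparing the BFS path with the employee-handler-middleman-leader chain is how the page's MC2.3 observation about a more direct route is made.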
Social Network Diagram Answer MC2.1: Since vertex 194 is not directly connected to the fearless leader the organization of the criminal network matches situation A
Social Network Diagram - Annotated
(Diagram legend: Fearless leader; Employee; Boris; 3 Handlers)
Social Network Diagram Answer: MC2.3 There is a shorter path to the Fearless leader
Geospatial Diagram
Diagram created with the NTE freedraw_graph function. The fearless leader appears to have more international contacts in Posana. Whether that is significant is not clear.
(Diagram legend: International Contact; Fearless Leader; Middleman; Handler; Employee)
Answers to Mini-Challenge 2
MC2.1: Which of the two social structures, A or B, most closely match the scenario you have identified in the data?
A
MC2.2: Provide the social network structure you have identified as a tab-delimited file. It should contain the employee, one or more handler, any middle folks, and the localized leader with their international contacts.
• Employee  @schaffter
• Handler  @benassi
• Handler  @reitenspies
• Handler  @pettersson
• Middleman  @good
• 92 Leader's International Contact  @tolbert
• Fearless Leader  @szemeredi
• Leader's International Contact  @decker
• Leader's International Contact  @chandru
• Leader's International Contact  @kodama
• Leader's International Contact  @nakhaeizadeh
• 1450 Leader's International Contact  @barvinok
• Leader's International Contact  @heyderhoff
• Leader's International Contact  @streng
• Leader's International Contact  @wotawa
• Leader's International Contact  @reed
• Leader's International Contact  @hogstedt
• Leader's International Contact  @bolotov
• Leader's International Contact  @avouris
• 5561 Leader's International Contact  @wenocur
Answers to Mini-Challenge 2
MC2.3: Characterize the difference between your social network and the closest social structure you selected (A or B). If you include extra nodes please explain how they fit in to your scenario or analysis.
There is a more direct path between the fearless leader and the employee (through 14, 22, 170, 351).
MC2.4: How is your hypothesis about the social structure in Part 1 supported by the city locations of Flovania? What part(s), if any, did the role of geographical information play in the social network of part one?
The handlers are located in the same city as the employee.
MC2.5: In general, how are the Flitter users dispersed throughout the cities of this challenge? Which of the surrounding countries may have ties to this criminal operation? Why might some be of more significant concern than others?
The social networking group is predominantly Flovanian. There are slightly more international contacts associated with Posana, both in terms of the Fearless Leader's contacts and the social network in general.
Mini-Challenge 3 I was not able to complete the mini-challenge 3 however I do find it suspicious that at Location 1 at 45min 27sec into the first video two people are meeting and exchanging a document on the street.