abnormal detect: finding the suspect

Post on 02-Jan-2016


DESCRIPTION

Abnormal Detect: Finding the Suspect. Co-on Team Presented. Background Review. Yi Fu. Finding the suspect. Jialiang Wang. Yanni Li. Guohao Zhang. Problem. An embassy employee is suspected of sending data to an outside criminal organization from the Embassy - PowerPoint PPT Presentation

TRANSCRIPT

Abnormal Detect: Finding the Suspect

Co-on Team Presented

Background Review

• Finding the suspect

Jialiang Wang, Yanni Li, Yi Fu, Guohao Zhang

Problem

• An embassy employee is suspected of sending data to an outside criminal organization from the Embassy

• The IP and network traffic are recorded

• Task

• Identify which computer(s) the employee most likely used to send information to his contact

• Characterize the patterns of behavior of suspicious computer use

Source Data

• Data

Data Preprocessing

• Data Filter

• Example:

• destIP 37.170.30.250 has 9638 communications with ALL the sourceIPs

• unlikely to be the suspect’s contact

• it can be filtered

Data Preprocessing

• Data size pattern

Data Preprocessing

• Abnormal Records
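The two preprocessing steps above (filtering destinations that every host talks to, then picking out abnormally large records) can be expressed as a small triage script. The following is an added example and not code from the presentation; the flow records are constructed to match the column layout and the rows shown on the results slides, and the fan-out ratio and the median/MAD size threshold are assumptions about how the "data size pattern" statistic might be implemented, not the team's method.

```python
"""Flow-record triage: drop shared-infrastructure destinations, then flag
flows whose request size is far above what is usual for that destination."""
from collections import defaultdict
from statistics import median

# Constructed sample in the slides' column order:
# (SourceIP, AccessTime, DestIP, Socket, ReqSize, RespSize).
# Baseline: ten embassy hosts with small, routine transfers.
FLOWS = []
for i in range(1, 11):
    host = f"37.170.100.{i}"
    FLOWS.append((host, f"2008/1/{i} 09:00", "37.170.30.250", 25, 1490 + 10 * i, 800))
    ext = "100.59.151.133" if i <= 5 else "37.158.218.208"
    size = 19900 + 100 * i if i <= 5 else 29400 + 100 * i
    FLOWS.append((host, f"2008/1/{i} 10:00", ext, 80, size, 4096))

FLOWS += [
    # Routine traffic from two more hosts to the hub everyone talks to.
    ("37.170.100.31", "2008/1/10 08:55", "37.170.30.250", 25, 1600, 800),
    ("37.170.100.56", "2008/1/29 08:50", "37.170.30.250", 25, 1610, 800),
    # Abnormal records, modelled on the rows in the results slides.
    ("37.170.100.56", "2008/1/29 15:41", "100.59.151.133", 80, 10024754, 4096),
    ("37.170.100.31", "2008/1/10 14:27", "100.59.151.133", 80, 6543216, 4096),
    ("37.170.100.21", "2008/1/23 12:42", "37.158.218.208", 80, 2912383, 4096),
    ("37.170.100.17", "2008/1/15 9:53", "37.170.30.250", 25, 139964, 59318),
    ("37.170.100.5", "2008/1/4 13:41", "37.170.30.250", 25, 4520912, 55328),
    ("37.170.100.41", "2008/1/17 17:16", "37.170.30.250", 25, 1662032, 59307),
]


def common_destinations(flows, fanout_ratio=0.8):
    """DestIPs contacted by at least fanout_ratio of all distinct sources.
    These are shared infrastructure (mail relay, proxy), not a plausible
    secret contact, so they are set aside for the contact search."""
    sources = {f[0] for f in flows}
    seen = defaultdict(set)
    for src, _, dst, *_ in flows:
        seen[dst].add(src)
    return {dst for dst, srcs in seen.items()
            if len(srcs) / len(sources) >= fanout_ratio}


def size_outliers(flows, k=10.0):
    """Flows whose ReqSize exceeds median + k * MAD for their DestIP.
    Median/MAD is used instead of mean/stddev so the outliers themselves
    do not inflate the threshold (assumed statistic, not the slides')."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f[2]].append(f)
    flagged = []
    for group in by_dst.values():
        sizes = [f[4] for f in group]
        med = median(sizes)
        # Floor the scale at 1 so a destination with identical sizes still works.
        mad = median([abs(s - med) for s in sizes]) or 1.0
        threshold = med + k * mad
        flagged += [f for f in group if f[4] > threshold]
    return sorted(flagged, key=lambda f: f[4], reverse=True)


def triage(flows, fanout_ratio=0.8, k=10.0):
    """Return rare-destination candidates and oversized hub transfers separately."""
    common = common_destinations(flows, fanout_ratio)
    outliers = size_outliers(flows, k)
    # Candidate outside contacts: rare destinations receiving oversized requests.
    candidates = [f for f in outliers if f[2] not in common]
    # Oversized transfers to the shared hub are still worth review (the second
    # results slide shows exactly these), but listed apart so hub volume does
    # not swamp the rare contacts.
    hub_anomalies = [f for f in outliers if f[2] in common]
    return {"common": common, "candidates": candidates, "hub_anomalies": hub_anomalies}


if __name__ == "__main__":
    result = triage(FLOWS)
    print("filtered as shared infrastructure:", sorted(result["common"]))
    for label in ("candidates", "hub_anomalies"):
        print(label)
        for src, when, dst, sock, req, resp in result[label]:
            print(f"  {src:15} {when:17} {dst:15} {sock:>3} {req:>9} {resp:>6}")
```

Run against the constructed records, the hub 37.170.30.250 is the only destination filtered by fan-out, the three rare-contact candidates are the rows of the first results slide, and the three hub anomalies are the rows of the second.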

Visualization metaphor

• Time bar

Visualization metaphor

• Prox data of building entrance

Visualization metaphor

• Prox data of classified region entrance

Visualization metaphor

• Network flow

Data Exploration

• Overall view

Stories found

demo

Results

#56 29th Jan, #31 10th Jan, #21 23rd Jan

SourceIP        AccessTime        DestIP           ReqSize
37.170.100.56   2008/1/29 15:41   100.59.151.133   10024754
37.170.100.31   2008/1/10 14:27   100.59.151.133   6543216
37.170.100.21   2008/1/23 12:42   37.158.218.208   2912383

Results

#5 4th Jan, #17 15th Jan

SourceIP        AccessTime        DestIP          Socket   ReqSize   RespSize
37.170.100.17   2008/1/15 9:53    37.170.30.250   25       139964    59318
37.170.100.5    2008/1/4 13:41    37.170.30.250   25       4520912   55328
37.170.100.41   2008/1/17 17:16   37.170.30.250   25       1662032   59307

Left to be Done

• Suspect transfer function

• Data size based on statistics

• DestIP connecting times

• Pattern based transfer function

• Interactive data operations: filter etc.

• Higher resolution: day-view

• Office grouping

• Automatic highest suspicious detect

• More interactions

Left to be Done

• Focus+context method, using sigma lens to magnify to identify patterns

Thank you!
