Defence Research and Development Canada
Recherche et développement pour la défense Canada
IEEE VAST Challenge 2009
Presented By Grant Vandenberghe
(TEAM DRDC)
Defence R&D Canada – Ottawa • R & D pour la défense Canada – Ottawa
Introduction
The solutions to these challenges were produced using an application called the Network Traffic Explorer (NTE) originally presented at VizSec 2008. The NTE provides an application front-end for a large library of packet analysis and graph drawing tools.
The NTE allows the user to write short scripts to produce a wide variety of diagrams. The solutions to the VAST challenges were produced using a series of custom scripts written specifically to solve them.
(Architecture diagram: the NTE Application Front End sits on top of the Packet Analysis Library and the Graph Drawing Library, all of which run on MATLAB.)
Mini-challenge #1 – Badge and Network Traffic
The following steps were followed to process the data:
1. Load data into MATLAB
2. Convert data into a meaningful data format
3. Sanitize proximity data
4. Transfer the VAST data into NTE data structures
5. Run data queries to detect abnormal activity
6. Plot the result
Time strings (YYYY/MM/DD@hh:mm:ss) were converted to a real numeric value; IP addresses were converted to integer values.
Code was created to compensate for double badging, piggybacking, double entry/double exit, and end-of-day events.
(Diagram: the VAST data is mapped into the NTE standard session data structure, which associates each physical space with an employee ID.)
Sanitizing Notes
Although the challenge instructions indicated that “employees are required to prox into and out of the restricted area”, this did not prove to be true.
For example, Employees 38 and 49 entered the classified room twice without leaving it. At several different instances Employee 30 left the secret room without entering it.
Although employees do not badge out of the building, it is assumed they leave the building 10 minutes after the last activity of the day. In cases where the employee leaves for lunch the last activity prior to lunch is used.
The following employees piggybacked into the building: 0,7,8,13,27,36,37,38,39,48,49,50,51,54,55,58, and 59.
There is a small amount of time skewing between the proximity and session traffic. It is assumed that sessions starting a minute after entering the secret room are associated with time skewing.
Hypothesis – Employees Should Only Be In One Place At Once
After carefully reviewing the data it was noted that there are instances where an employee’s computer was starting outgoing sessions while the employee was in the secret room. This event is assumed to be significant since the employee’s computers do not transmit data after the end of the day.
(Note: in real life the software installed on a user's box will call home for a variety of reasons, both legitimate and otherwise.)
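As an added illustration (not the NTE scripts the authors used), the following Python sketch applies the sanitizing rules above to a constructed proximity log and flags sessions that start while the desk owner is inside the classified room, honouring the one-minute skew allowance. The employee-to-IP mapping and the sample records are assumptions.

```python
import datetime as dt

SKEW_SECONDS = 60  # a session starting within a minute of badge-in is written off as clock skew

def parse_vast_time(s):
    """YYYY/MM/DD@hh:mm:ss -> seconds since 1970-01-01, the 'real numeric value' used for comparisons."""
    return (dt.datetime.strptime(s, "%Y/%m/%d@%H:%M:%S") - dt.datetime(1970, 1, 1)).total_seconds()

def classified_intervals(prox_events):
    """prox_events: (employee, time_str, 'in'|'out') for the classified room, in time order per employee.
    Two defects are sanitised: a second 'in' with no 'out' closes the first stay at the second badge-in
    (double entry), and an 'out' with no open stay is dropped (exit without entry)."""
    open_since, intervals, dropped = {}, {}, []
    for emp, ts, direction in prox_events:
        t = parse_vast_time(ts)
        if direction == "in":
            if emp in open_since:
                intervals.setdefault(emp, []).append((open_since[emp], t))
            open_since[emp] = t
        elif emp in open_since:
            intervals.setdefault(emp, []).append((open_since.pop(emp), t))
        else:
            dropped.append((emp, ts))
    return intervals, dropped

def sessions_started_in_room(sessions, desk_owner, intervals):
    """sessions: (client_ip, start_time_str, server_ip); desk_owner: client IP -> employee.
    Flags sessions a desk machine started while its owner was inside the classified room."""
    flagged = []
    for client_ip, ts, server_ip in sessions:
        emp, t = desk_owner.get(client_ip), parse_vast_time(ts)
        if any(a + SKEW_SECONDS <= t <= b for a, b in intervals.get(emp, [])):
            flagged.append((emp, client_ip, ts, server_ip))
    return flagged

# Constructed sample records, not the challenge files; employee N <-> 37.170.100.N is an assumption.
PROX = [
    (16, "2008/01/15@16:05:10", "in"), (16, "2008/01/15@16:30:00", "out"),
    (38, "2008/01/15@09:00:00", "in"), (38, "2008/01/15@09:40:00", "in"),  # double entry, no exit
    (38, "2008/01/15@10:00:00", "out"),
    (30, "2008/01/15@11:00:00", "out"),                                     # exit without entry
]
DESK = {"37.170.100.16": 16, "37.170.100.38": 38}
SESSIONS = [
    ("37.170.100.16", "2008/01/15@16:14:34", "100.59.151.133"),  # owner in the room: flagged
    ("37.170.100.16", "2008/01/15@16:05:40", "100.59.151.133"),  # 30 s after badge-in: skew, ignored
    ("37.170.100.38", "2008/01/15@12:00:00", "100.59.151.133"),  # owner back at desk: not flagged
]
```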
Locations Of Abnormal Activity
The NTE freedraw function allows the user to overlay vertices on top of a gif/jpeg image.
The red dots on the diagram indicate the location of abnormal activities. As can be clearly seen the activity does not have an obvious pattern.
Layered Timeline Plot
The layered timeline function allows the overlay of multiple time events on a Gantt chart.
Zooming in exposes the details. The green line indicates an active session while the employee was inside the classified room (purple bar).
Unusual Communication Patterns
The layered timeline plot shows several events where an employee was both in the classified room and starting new sessions at his desk. Shown below is a list of anomalies.
User 15’s computer at (2008/1/31@13:10)
User 16’s computer at (2008/1/10@16:01)
User 16’s computer at (2008/1/15@16:14)
User 30’s computer at (2008/1/24@08:06) ???? Does not look like the others
User 31’s computer at (2008/1/10@14:27)
User 41’s computer at (2008/1/17@12:12)
User 41’s computer at (2008/1/29@16:08)
User 52’s computer at (2008/1/31@09:41)
User 56’s computer at (2008/1/29@15:41)
Using the NTE to Dig Into The Dataset
BAD_SSN_NUM=print_session_summary_ev(SSN_SUM,'ALL','SERVER_IP=100.59.151.133');
ID=26896 2008-01-08 17:01:33.001000 Dur=46.060503 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8889677> 12223< No_FIN_RST
ID=36424 2008-01-10 14:27:12.238000 Dur=33.902674 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6543216> 22315< No_FIN_RST
ID=37370 2008-01-10 16:01:53.956000 Dur=44.264896 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8543125> 12312< No_FIN_RST
ID=53950 2008-01-15 16:14:34.563000 Dur=35.094373 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6773214> 24661< No_FIN_RST
ID=54444 2008-01-15 17:03:29.342000 Dur=49.291777 37.170.100.31:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9513313> 14324< No_FIN_RST
ID=62646 2008-01-17 12:12:10.990000 Dur=19.062808 37.170.100.41:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=3679122> 24423< No_FIN_RST
ID=65499 2008-01-17 17:57:19.341000 Dur=30.432881 37.170.100.18:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5873546> 25234< No_FIN_RST
ID=72065 2008-01-22 08:50:21.894000 Dur=51.732218 37.170.100.13:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9984318> 42231< No_FIN_RST
ID=76928 2008-01-22 17:41:55.862000 Dur=45.976596 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=8873483> 16778< No_FIN_RST
ID=83558 2008-01-24 09:46:34.452000 Dur=40.546378 37.170.100.10:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=7825451> 23783< No_FIN_RST
ID=83854 2008-01-24 10:26:31.321000 Dur=28.661523 37.170.100.32:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5531674> 22479< No_FIN_RST
ID=87501 2008-01-24 17:07:34.775000 Dur=50.427031 37.170.100.20:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9732417> 42347< No_FIN_RST
ID=103076 2008-01-29 15:41:32.763000 Dur=51.941731 37.170.100.56:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=10024754> 29565< No_FIN_RST
ID=103358 2008-01-29 16:08:10.892000 Dur=34.985554 37.170.100.41:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6752212> 57865< No_FIN_RST
ID=103689 2008-01-29 16:38:06.553000 Dur=40.227446 37.170.100.20:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=7763897> 54565< No_FIN_RST
ID=110381 2008-01-31 09:41:03.815000 Dur=28.908492 37.170.100.52:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=5579339> 22147< No_FIN_RST
ID=112400 2008-01-31 13:10:23.841000 Dur=46.967461 37.170.100.15:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=9064720> 11238< No_FIN_RST
ID=113945 2008-01-31 16:02:44.572000 Dur=70.918689 37.170.100.8:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=13687307> 485421< No_FIN_RST

print_session_summary_ev(SSN_SUM,'ALL','CLIENT_IP=37.170.100.16&SSN_START_TIME>2008/1/15@16:05:00&SSN_START_TIME<2008/1/15@16:20:00');
ID=53950 2008-01-15 16:14:34.563000 Dur=35.094373 37.170.100.16:0 > 100.59.151.133:8080 tcp Pkts=0> 1< Bytes=6773214> 24661< No_FIN_RST
The NTE application front end takes user input through a GUI and then both displays and runs the command on the background library.
Using the NTE reporting tools it was found that most anomalous sessions sent large volumes of information to one IP address.
By querying this IP address we found even more similar activity.
(NTE MAIN GUI)
Who Has No Alibi?
Using a combination of MATLAB “numeric-set” filters and data queries, unavailable employees were discovered.
The red dots on the diagram indicate that when the data extrusion activity occurred the employee was:
(1) Not in the building
(2) Inside the classified room
(3) At their desk using the network (within the last 60 seconds)
(The clusters of boxes indicate that all employees have an alibi for more than one event.)
Root Cause of Anomaly
If the attack was triggered by a person, then it should be possible to spot an employee with the opportunity to start each session. From the timing of the events, however, all the employees have an alibi for more than one event.
This looks more like some type of malware is being used to extrude the data from the network.
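The alibi test described above, as an added Python example (not the authors' MATLAB numeric-set filters): for every anomalous session it records, per employee, which of the three red-dot conditions held, then lists anyone who had the opportunity for all but at most one event. The timeline values are constructed.

```python
DESK_WINDOW = 60  # seconds: the owner's own network use this close to the event counts as "at their desk"

def inside(intervals, t):
    return any(a <= t <= b for a, b in intervals)

def alibi(emp, t, building, room, desk_use):
    """Why `emp` could not have started a session at time t, or None if they had the opportunity.
    building/room: employee -> presence intervals (start, end); desk_use: employee -> times of their
    own desk sessions. The three reasons are the three red-dot categories from the slide."""
    if not inside(building.get(emp, []), t):
        return "not in building"
    if inside(room.get(emp, []), t):
        return "inside classified room"
    if any(0 <= t - u <= DESK_WINDOW for u in desk_use.get(emp, [])):
        return "at desk, using the network"
    return None

def alibi_matrix(events, employees, building, room, desk_use):
    """employee -> one entry per anomalous event (alibi text, or None when the employee was free)."""
    return {e: [alibi(e, t, building, room, desk_use) for t in events] for e in employees}

def opportunity_suspects(matrix, max_alibis=1):
    """Employees with an alibi for at most `max_alibis` events, i.e. the only people who could have
    started (nearly) all the sessions. An empty list is the slide's finding: no single insider fits,
    which is what pointed the authors towards malware."""
    return sorted(e for e, row in matrix.items() if sum(r is not None for r in row) <= max_alibis)

# Constructed sample timeline in seconds from an arbitrary origin (not the challenge data).
EVENTS = [100, 5000, 9000]  # start times of three anomalous outbound sessions
BUILDING = {"A": [(0, 10000)], "B": [(2000, 10000)], "C": [(0, 10000)]}
ROOM = {"A": [(4900, 5100)]}
DESK_USE = {"A": [90, 8950], "C": [4990, 8990]}
EMPLOYEES = ["A", "B", "C"]

if __name__ == "__main__":
    m = alibi_matrix(EVENTS, EMPLOYEES, BUILDING, ROOM, DESK_USE)
    for e, row in m.items():
        print(e, row)
    print("employees who could have started the series:", opportunity_suspects(m) or "none")
```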
Answers to Mini Challenge 1
MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.
TIME                     Source IP       Target IP        Outbound Bytes  Inbound Bytes
2008-01-08 17:01:33.001  37.170.100.31   100.59.151.133   8889677         12223
2008-01-10 14:27:12.238  37.170.100.31   100.59.151.133   6543216         22315
2008-01-10 16:01:53.956  37.170.100.16   100.59.151.133   8543125         12312
2008-01-15 16:14:34.563  37.170.100.16   100.59.151.133   6773214         24661
2008-01-15 17:03:29.342  37.170.100.31   100.59.151.133   9513313         14324
2008-01-17 12:12:10.990  37.170.100.41   100.59.151.133   3679122         24423
2008-01-17 17:57:19.341  37.170.100.18   100.59.151.133   5873546         25234
2008-01-22 08:50:21.894  37.170.100.13   100.59.151.133   9984318         42231
2008-01-22 17:41:55.862  37.170.100.16   100.59.151.133   8873483         16778
2008-01-24 09:46:34.452  37.170.100.10   100.59.151.133   7825451         23783
2008-01-24 10:26:31.321  37.170.100.32   100.59.151.133   5531674         22479
2008-01-24 17:07:34.775  37.170.100.20   100.59.151.133   9732417         42347
2008-01-29 15:41:32.763  37.170.100.56   100.59.151.133   10024754        29565
2008-01-29 16:08:10.892  37.170.100.41   100.59.151.133   6752212         57865
2008-01-29 16:38:06.553  37.170.100.20   100.59.151.133   7763897         54565
2008-01-31 09:41:03.815  37.170.100.52   100.59.151.133   5579339         22147
2008-01-31 13:10:23.841  37.170.100.15   100.59.151.133   9064720         11238
2008-01-31 16:02:44.572  37.170.100.8    100.59.151.133   13687307        485421
MC1.2: Characterize the patterns of behavior of suspicious computer use.
Large sessions are sent after an employee leaves their desk. Packets are sent to a single external IP address.
Mini-Challenge 2 Social and Geospatial
The NTE has a large library of function calls that were leveraged to produce the social network diagrams.
In this solution the graph data query engine, the layout algorithms and plotting routines were used to produce the diagrams.
In this case the tools can plot about 400 devices; however, since the social network was so large, the tools could only plot a subset of the data.
Solution Process
1. Import the raw data
2. Store node-to-node data in the NTE graph query structure
3. Find all potential middlemen (Boris)
4. Check if there is a potential leader and 3 handlers on each middleman
5. Check if the three handlers share a common employee and do not talk directly to one another
6. Grab the links related to the employee/leader/Boris/handlers
7. Send the selected graph data to the plotting engine
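An added Python sketch of steps 3 to 6 above (not the NTE graph-query code, which the slides do not show): it searches a constructed contact graph for a middleman with three mutually unacquainted handlers who share one employee, treats any other neighbour of the middleman as the potential leader (an assumption, since the slide gives no stricter rule), and pulls out the links of each matched cell for plotting.

```python
from itertools import combinations

def adjacency(edges):
    """Undirected neighbour sets built from (a, b) contact pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def find_cells(edges):
    """Return (employee, handlers, middleman, leader) tuples matching the structure searched for above:
    three neighbours of a middleman who all talk to one common employee but never to each other, plus
    one further neighbour of the middleman taken as the potential leader (assumed: any other neighbour)."""
    adj = adjacency(edges)
    cells = []
    for mid, mid_nb in adj.items():
        for handlers in combinations(sorted(mid_nb), 3):
            if any(b in adj[a] for a, b in combinations(handlers, 2)):
                continue  # the three handlers must not talk directly to one another
            common = set.intersection(*(adj[h] for h in handlers)) - {mid}
            for emp in common:
                for leader in sorted(mid_nb - set(handlers) - {emp}):
                    cells.append((emp, handlers, mid, leader))
    return cells

def cell_edges(edges, cell):
    """The links touching the employee/handlers/middleman/leader, i.e. what goes to the plotting engine."""
    emp, handlers, mid, leader = cell
    members = {emp, mid, leader, *handlers}
    return [(a, b) for a, b in edges if a in members or b in members]

# Constructed contact graph (node ids are arbitrary, not Flitter ids): 1 is the employee, 2-4 the handlers,
# 5 the middleman, 6 the leader; 7-9 are noise and 10-15 a decoy cell whose handlers 11 and 12 talk.
EDGES = [(1, 2), (1, 3), (1, 4), (2, 5), (3, 5), (4, 5), (5, 6), (1, 7), (7, 8), (6, 9),
         (10, 11), (10, 12), (10, 13), (11, 12), (11, 14), (12, 14), (13, 14), (14, 15)]

if __name__ == "__main__":
    for cell in find_cells(EDGES):
        print("candidate cell:", cell, "links to plot:", len(cell_edges(EDGES, cell)))
```

The employee and middleman roles are structurally symmetric at this stage, so the constructed graph also yields the mirror image (5, (2, 3, 4), 1, 7); a side check such as the city co-location of handlers and employee noted under MC2.4 is needed to fix which end is which.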
Social Network Diagram
Answer MC2.1: Since vertex 194 is not directly connected to the fearless leader, the organization of the criminal network matches situation A.
Social Network Diagram - Annotated
(Legend: Boris, Fearless leader, 3 handlers, Employee)
Social Network Diagram
Answer MC2.3: There is a shorter path to the Fearless leader.
Geospatial Diagram
Diagram created with the NTE freedraw_graph function.
The fearless leader appears to have more international contacts in Posana. Whether that is significant is not clear.
(Legend: Employee, Handler, Middleman, International Contact, Fearless Leader)
Answers to Mini-Challenge 2
MC2.1: Which of the two social structures, A or B, most closely matches the scenario you have identified in the data?
A
MC2.2: Provide the social network structure you have identified as a tab-delimited file. It should contain the employee, one or more handlers, any middle folks, and the localized leader with their international contacts.
ID    Role                            Handle
100   Employee                        @schaffter
251   Handler                         @benassi
252   Handler                         @reitenspies
563   Handler                         @pettersson
4994  Middleman                       @good
92    Leader's International Contact  @tolbert
4     Fearless Leader                 @szemeredi
282   Leader's International Contact  @decker
551   Leader's International Contact  @chandru
589   Leader's International Contact  @kodama
629   Leader's International Contact  @nakhaeizadeh
1450  Leader's International Contact  @barvinok
1630  Leader's International Contact  @heyderhoff
2077  Leader's International Contact  @streng
2103  Leader's International Contact  @wotawa
3235  Leader's International Contact  @reed
3946  Leader's International Contact  @hogstedt
4776  Leader's International Contact  @bolotov
4777  Leader's International Contact  @avouris
5561  Leader's International Contact  @wenocur
Answers to Mini-Challenge 2
MC2.3: Characterize the difference between your social network and the closest social structure you selected (A or B). If you include extra nodes please explain how they fit in to your scenario or analysis.
There is a more direct path between the fearless leader and the employee (through 14, 22, 170, 351).
MC2.4: How is your hypothesis about the social structure in Part 1 supported by the city locations of Flovania? What part(s), if any, did the role of geographical information play in the social network of part one?
The handlers are located in the same city as the employee.
MC2.5: In general, how are the Flitter users dispersed throughout the cities of this challenge? Which of the surrounding countries may have ties to this criminal operation? Why might some be of more significant concern than others?
The social networking group is predominantly Flovanian. There are slightly more international contacts associated with Posana, both in terms of the Fearless Leader's contacts and the social network in general.
Mini-Challenge 3
I was not able to complete mini-challenge 3; however, I do find it suspicious that at Location 1, 45 min 27 sec into the first video, two people are meeting and exchanging a document on the street.