Beijing University of Posts and Telecommunications–HumanDynamicVis

VAST 2009 Challenge
Challenge 1: -  Badge and Network Traffic

Authors and Affiliations:

e.g. Qi Ye, University of Posts and Telecommunications, yeqibupt@gmail.com [PRIMARY contact]
Chao Han
, University of Posts and Telecommunications, hanchaobupt@gmail.com
Jian Liu, University of Posts and Telecommunications, liujianbupt@gmail.com
Tian Zhu,
University of Posts and Telecommunications,  zhutian.bupt@gmail.com
Deyong hu, University of Posts and Telecommunications, hudeyong@
tseg.org
Bin Wu, University of Posts and Telecommunications, wubin@bupt.eud.cn [Faculty advisor]

Bai Wang, University of Posts and Telecommunications, wangbai@bupt.edu.cn

Tool(s):

To observe the potential interplay between IP traffic and human dynamics, based on our network visual analytical framework of JSNVA, we develop a tool called HumanDynamicVis in Java to analyze the abnormal patterns of employees and computers. The primary interface of our tool is shown in Fig. 1.  HumanDynamicVis focuses on two abnormal patterns of the suspicious computers: first, the computers may send out data when the employees were absent; second, the computers may send lots of data while receiving just a little. The abnormal events will be shown on an abnormal matrix in which y-axis shows the date and x-axis indicates the IDs of employees.  As shown in Fig. 2, by clicking certain cell of the matrix, user can get the daily IP traffic of an employee in an hourly histogram. In each bar, there are two boxes: the red one shows the request bytes, and the blue one shows the response bytes. If the request bytes are more than the response bytes, the bar’s border will be red. Our tool also provides animated histograms to monitor the IP traffic of each source computer.  In the hourly histogram, basic interaction is done with simple mouse operations. Clicking on a bar causes it to expand into a minutely histogram. In each histogram, we use grey areas to show in periods certain employee is in the restricted area, and we can identify the abnormal events immediately when the owner’s computer is used by others to send data out.

 

Figure 1 the HumanDynamicVis system

 

Figure 2 the Interface of Abnormal Matrix Frame

 

Video:

 

HumanDynamicVis video

 

 

ANSWERS:


MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.

Traffic.txt


MC1.2:  Characterize the patterns of behavior of suspicious computer use.

First, all suspicious computers send lots of data to the destination IP 100.59.151.133 through Port 8080 while receiving just a little.  The IP 100.59.151.133 received 144634785 bytes while just sending 943911 bytes. By using our tool, we can first explore the abnormal events by the data size of each log record. There are 4 records whose total sizes are more than 10 mega-bytes. There are 3 records whose request sizes are much more than the response sizes. Using the link relationships between IPs, we can get a subgraph of all the IPs linked to IP 100.59.151.133 as shown in Fig. 2.

Second, some of these suspicious computers are used by others to send data to destination IP 100.59.151.133 through Port 8080 when their owners are absent. In the hourly histogram, basic interaction is done with simple mouse operations. Clicking on a bar in the hourly histogram causes it to expand into a minutely histogram. In each histogram, we use grey areas to show in periods certain employee is in the restricted area. As shown in Fig. 2 and Fig. 3, we can identify the abnormal patterns immediately when suspicious computers are used by others.

Third, in most cases, the suspicious computers are likely to send a huge mount of data in a burst that is they are not likely to send data continuously as shown in Fig. 3. In our view this reason is that when the employee tries to send information to an outside criminal organization by using others’ computers, he will try to finish the job as soon as possible.

Fourth, the computers of Employees 15, 16, 31, 41, 52 and 56 are used by others to send data to IP 100.59.151.133 through Port 8080 when they are in the restricted area. So we can rule out these employees and their computers are red in the IP link network in Fig. 4. However, we can still rule out other suspicious computer owners. As there is only one employee in the embassy, we can rule out the ones who were also in the restricted areas when the abnormal events happened. As shown in Fig. 4, the innocent suspicious computers are green vertices in the IP link network. After using these rules, only the suspicious computer of Employee 32 can not be ruled out. So we regard Employee 32 as the prime suspect in the criminal operation.

 

Figure 3 Suspicious Sending Information Event of IP 137.170.100.31

 

Figure 4 the IPs of suspicious computers which link to 100.59.151.133

 

Web Accessibility