LaBRI, INRIA Bordeaux Sud-Ouest

VAST 2009 Challenge
Challenge 1: -  Badge and Network Traffic

Authors and Affiliations:

Faraz Zaidi, Labri, INRIA Bordeaux - Sud Ouest, faraz.zaidi@labri.fr [PRIMARY contact]
Paolo Simonetto, Labri, INRIA Bordeaux - Sud Ouest, paolo.simonetto@labri.fr
Daniel Archambault, INRIA Bordeaux - Sud Ouest, daniel.archambault@inria.fr
Pierre-Yves Koenig, Labri, INRIA Bordeaux - Sud Ouest, Pierre-Yves.Koenig@labri.fr
Frédéric Gilbert, Labri, INRIA Bordeaux - Sud Ouest, frederic.gilbert@labri.fr
Trung-Tien Phan-Quang, Labri, INRIA Bordeaux - Sud Ouest, phanquan@labri.fr
Ronan Sicre, Labri, sicre@labri.fr
Mathieu Brulin, Labri, mathieu.brulin@labri.fr
Remy Vieux, Labri, vieux@labri.fr
Morgan Mathiaut, Labri, mathiaut@labri.fr
Antoine Lambert, Labri, antoine.lambert@labri.fr
Guy Melançon,
LaBRI, INRIA Bordeaux - Sud Ouest, [Faculty adviser]

Tool(s):

Tulip Software

The Tulip framework allows for the visualization, drawing, and editing of graphs. All the parts of the framework have been built in order to visualize graphs of more than 1,000,000 elements. The system allows navigation, geometric operations, extraction of subgraphs, metric computations, graph theoretic operations, and filtering.
The Tulip architecture provides the following features :

·         3D visualizations

·         3D modifications

·         Plug-in support for easy evolution

·         Building of clusters and navigation into it

·         Automatic drawing of graphs

·         Automatic clustering of graphs

·         Automatic selection of elements

·         Automatic Metric colouration of graphs

For more information visit: http://www.tulip-software.org/

Video:

video here

ANSWERS:


MC1.1: Identify which computer(s) the employee most likely used to send information to his contact in a tab-delimited table which contains for each computer identified: when the information was sent, how much information was sent and where that information was sent.

Traffic.txt


MC1.2:  Characterize the patterns of behaviour of suspicious computer use.

In order to determine the network transmissions that are the most likely candidates for leaks, we developed a visualization which encodes as much of the badge and network information as possible in a single view. As our visualization is fairly non-standard, we first present an overview of the encoding in the Visualization section. We then present our findings in the Suspicious Activity section along with a explanation on how we deduce the final solution.

Visualization

Our visualization technique, shown in Figure 1, is based on a timeline view. The diagram shows, for each day, the actions of each employee. The horizontal axis encodes the time of the day at hour intervals, while the vertical axis encodes the employee ID and IP address. The horizontal lines in the grid group employees into offices. For example, employees 14 and 15 are in the same office because they are in between the same horizontal lines.

The timeline of each employee collects four kinds of data. First, the upwardly directed glyphs, the teal circles and bars, encode the door log events. Circles are badge-in events into the main building. Bars between two vertical lines encode the time when an employee badges into the classified area to the moment the employee badges out. This period of time begins with a badge-in-classified event and ends with a badge-out-classified event.

The central blue bars show intervals of time when the employee's computer is in use. Downwardly directed circles represent transmissions. The size of the circles is proportional of the forth root of the transmission size.

A green background shows the average daily activity of an employee over the 31 days. A more saturated green indicates a higher probability that the employee is at work. Using some simple rules, we change the colour of this green background to red in order to highlight suspicious activities. The most suspicious activities occur when an employee’s computer is active but he or she is most likely not at their desk. These activities include:

Suspicious Activities

Suspicious activity was preliminarily defined by the rules described above. From these rules, we discovered several cases.

In our first case, Figure 1 shows a large transmission from employee thirteen’s computer on day twenty-two well before the employee usually arrives at work. By examining the raw data, we determine that this computer activity is forty minutes before the earliest time this employee was at work. Additionally, the badge-in-building event that was recorded for this day was typical for this employee over the thirty-one day period. Notice that thirteen’s office mate is not present during this time, giving the opportunity for a leak to be sent from this computer from a third person not assigned to this office.


Figure 1: The first suspicious transmission found. Employee thirteen's computer is used for exactly one large upload on day twenty-two well before the employee usually arrives at work.

In our second case, shown in Figure 2, a large transmission is sent less about a minute before employee twenty badges into the building on day twenty-nine. As the transmission precedes the badge-in-building event, it is highly unlikely that twenty was present at their desk at this time. Notice as well that 20’s office mate is not present in the office, giving the opportunity for a leak to be sent from this computer from a third person not assigned to this office.


Figure 2: The second suspicious transmission. Employee twenty's computer sends a large transmission on day twenty-nine just before the employee badges into the building. In this scenario, the employee is not likely at his or her desk.

Our third case, Figure 3, shows a large transmission sent from employee 17’s computer over two hours since it was last active on day seventeen. Neither employee 17 or 18 is likely in the office at this time as the computer activity and green background of typical behaviour indicate. Thus, it is possible for a leak to be sent from this computer by someone who is not assigned to this office.


Figure 3: The third suspicious transmission. Employee seventeen's computer sends a large transmission when the employee is probably gone for the day.

Additionally, we looked for transmissions made from an employee’s computer when the employee had badged into, but not out of, the secure zone. During this time, the employee’s computer should not be used, because we are certain that they are away from their desk. Figure 4 shows two examples, but, in reality, we found eight such cases:



Figure 4: Two cases where an employee's computer is used while the employee is in the secure zone. The computer should not be used at this time, because the employee is not at his or her desk.

Interestingly enough, all eleven of these suspicious large transmissions of data are sent to the same IP address, 100.59.151.133, and on the same port, 8080. We figured that this machine may the machine to which the embassy leaks were uploaded. Subsequently, we highlighted all transmissions to this IP address made from the embassy and found an additional set of seven transmissions:

All of these transmissions were large and made on port 8080. In most cases, the office was probably empty with one interesting exception: employee 30 was most likely in 30/31’s office when three of the suspicious transmissions were made from employee 31’s computer. Thus, employee 30 seems to be a person of interest. Figure 5 plots suspicious transmissions to offices. Notice how they are clustered around office 15, which is employee 30's office.


Figure 5: Embassy offices and number of suspicious transmissions made from each of them. White is zero, yellow is one, orange is two and red is three.

Finally, we found five cases where an employee either badged into the secure zone without badging out or vice versa. We recommend that the embassy remind employees that no piggybacking is allowed when entering this area. It is also interesting to note that employee 30 was involved in three of these five infractions. This observation could implicate employee 30 further as breaking this particular policy may be an attempt to collect sensitive information without being identified.

In summary, we believe that employee 30 was most likely the embassy employee who caused the leak. The employee probably made several transmissions on the days and from the computers as described above.

 

Web Accessibility