Date posted: 02-Jan-2016
Abnormal Detect: Finding the Suspect
Presented by the Co-on Team

Background Review
• Finding the suspect

Jialiang Wang, Yanni Li, Yi Fu, Guohao Zhang
Problem
• An embassy employee is suspected of sending data to an outside criminal organization from the embassy
• The IP and network traffic are recorded
• Task
  • Identify which computer(s) the employee most likely used to send information to his contact
  • Characterize the patterns of behavior of suspicious computer use

Source Data
• Data
Data Preprocessing
• Data filter
• Example:
  • destIP 37.170.30.250 has 9638 communications with ALL the source IPs
  • it is unlikely to be the suspect's contact, so it can be filtered out

Data Preprocessing
• Data size pattern

Data Preprocessing
• Abnormal records
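As an added example (not code from the slides or the team), the two preprocessing steps above implemented in Python over constructed flow records: the fan-out filter that drops a destination every source IP talks to, and the abnormal-record step that flags requests whose size is an outlier. The record layout follows the columns of the results tables later in the deck and the addresses reuse the slides' 37.170.100.x / 37.170.30.250 scheme, but every value is made up; the function names, the median/MAD score and the thresholds are this example's own choices, not the team's method.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not the challenge data). Columns follow the
# slides' results tables: SourceIP, AccessTime, DestIP, Socket, ReqSize, RespSize.
# Addresses reuse the slides' 37.170.100.x / 37.170.30.250 scheme; everything else is made up.
RECORDS = []
for host in range(1, 11):
    src = f"37.170.100.{host}"
    # routine mail from every workstation to the internal server (constructed)
    RECORDS.append((src, f"2008/1/{host} 09:00", "37.170.30.250", 25, 40_000 + 900 * host, 55_000))
    RECORDS.append((src, f"2008/1/{host} 11:30", "37.170.30.250", 25, 42_000 + 500 * host, 56_000))
    # ordinary web requests from only some of the workstations (constructed)
    if host <= 6:
        RECORDS.append((src, f"2008/1/{host} 10:15", "100.59.20.14", 80, 1_500 + 100 * host, 9_000))
    if 3 <= host <= 8:
        RECORDS.append((src, f"2008/1/{host} 16:05", "100.59.20.15", 80, 2_000 + 50 * host, 7_500))
# three constructed large outbound requests, the kind of record the slides call "abnormal"
RECORDS += [
    ("37.170.100.5", "2008/1/4 13:41", "100.59.151.133", 80, 4_520_912, 1_200),
    ("37.170.100.7", "2008/1/10 14:27", "100.59.151.133", 80, 6_543_216, 1_100),
    ("37.170.100.5", "2008/1/23 12:42", "37.158.218.208", 80, 2_912_383, 1_300),
]


def dest_fanout(records):
    """Number of distinct source IPs that talked to each destination."""
    sources = defaultdict(set)
    for src, _time, dst, _socket, _req, _resp in records:
        sources[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources.items()}


def filter_common_destinations(records, min_fraction=1.0):
    """The slides' filter rule: a destination reached by (at least) the given
    fraction of all source IPs is shared infrastructure, not the suspect's contact.
    Returns (remaining records, set of filtered destinations)."""
    n_sources = len({r[0] for r in records})
    common = {dst for dst, n in dest_fanout(records).items() if n >= min_fraction * n_sources}
    return [r for r in records if r[2] not in common], common


def abnormal_by_size(records, threshold=3.5):
    """Flag records whose ReqSize is a robust outlier.
    Uses the median / MAD score 0.6745 * (x - median) / MAD, which a few huge
    uploads cannot drag upward the way they would a mean / std-dev score."""
    sizes = [r[4] for r in records]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1.0   # guard against MAD == 0
    flagged = []
    for r in records:
        score = 0.6745 * (r[4] - med) / mad
        if score > threshold:
            flagged.append((r, round(score, 1)))
    return flagged


def rank_sources(flagged):
    """Rank source IPs by number of abnormal records, then by bytes sent:
    the computer(s) most likely used to send the data come first."""
    count = defaultdict(int)
    total = defaultdict(int)
    for record, _score in flagged:
        count[record[0]] += 1
        total[record[0]] += record[4]
    return sorted(((src, count[src], total[src]) for src in count),
                  key=lambda item: (-item[1], -item[2]))


if __name__ == "__main__":
    remaining, dropped = filter_common_destinations(RECORDS)
    print(f"filtered destinations: {sorted(dropped)}; {len(remaining)} records remain")
    for record, score in abnormal_by_size(remaining):
        print(f"abnormal: {record[0]} -> {record[2]} at {record[1]}, ReqSize={record[4]}, score={score}")
    print("ranking:", rank_sources(abnormal_by_size(remaining)))
```

On this constructed data the mail server is the only destination reached by all ten sources and is dropped, the three multi-megabyte requests are the only records that survive the size score, and the ranking places the host with two such records first. The filter runs before the size score on purpose: the thousands of routine mail records would otherwise set the median and MAD, and the min_fraction knob lets an analyst relax "ALL the source IPs" to, say, 90% when a few hosts were simply offline.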
Visualization metaphor
• Time bar
• Prox data of building entrance
• Prox data of classified region entrance
• Network flow

Data Exploration
• Overall view
Stories found
Demo

Results
#56 29th Jan, #31 10th Jan, #21 23rd Jan

SourceIP        AccessTime        DestIP           ReqSize
37.170.100.56   2008/1/29 15:41   100.59.151.133   10024754
37.170.100.31   2008/1/10 14:27   100.59.151.133   6543216
37.170.100.21   2008/1/23 12:42   37.158.218.208   2912383

Results
#5 4th Jan, #17 15th Jan

SourceIP        AccessTime        DestIP          Socket   ReqSize   RespSize
37.170.100.17   2008/1/15 9:53    37.170.30.250   25       139964    59318
37.170.100.5    2008/1/4 13:41    37.170.30.250   25       4520912   55328
37.170.100.41   2008/1/17 17:16   37.170.30.250   25       1662032   59307
Left to be done
• Suspect transfer function
  • Data size based on statistics
  • DestIP connecting times
  • Pattern-based transfer function
• Interactive data operations: filter etc.
• Higher resolution: day view
• Office grouping
• Automatic detection of the most suspicious host
• More interactions

Left to be done
• Focus+context method, using a sigma lens to magnify and identify patterns
Thank you!