Abnormal Detect: Finding the Suspect
Co-on Team Presented
Background Review
• Finding the suspect
Jialiang Wang
Yi Fu
Yanni Li
Guohao Zhang
Problem
• An embassy employee is suspected of sending data to an outside criminal organization from the Embassy
• The IP and network traffic are recorded
• Task
  • Identify which computer(s) the employee most likely used to send information to his contact
  • Characterize the patterns of behavior of suspicious computer use
Source Data
• Data
Data Preprocessing
• Data filter
• Example:
  • destIP 37.170.30.250 has 9638 communications with ALL the source IPs
  • unlikely to be the suspect's contact
  • it can be filtered
Data Preprocessing
• Data size pattern
[Figure: three per-host plots of data size, panels labelled NO.56, NO.32 and NO.48; x-axis data size on a log scale from 1000 to 100000000, y-axis record counts. Axis tick values omitted.]
Data Preprocessing
• Abnormal records
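The three preprocessing slides (destination filter, data size pattern, abnormal records) describe one pipeline. The script below is an added example, not the Co-on team's code: it builds a constructed flow log in which the internal hosts and the six large transfers echo the results slides, while the routine traffic, the extra host 37.170.100.10 and the 192.0.2.x destinations are invented. The fan-in filter drops destinations contacted by every internal host, as the slides do for 37.170.30.250. The size check compares each request against the sending host's own sizes on a log10 scale (the slides' size plots use a log axis) using a median/MAD robust z-score with a 3.5 cutoff; that scoring rule and threshold are the example's choice, not something the slides state.

```python
# Added example: destination fan-in filter plus per-host request-size outlier check.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import math
import statistics


@dataclass(frozen=True)
class Flow:
    source_ip: str
    access_time: datetime
    dest_ip: str
    socket: Optional[int]      # destination port ("Socket" on the slides)
    req_size: int
    resp_size: Optional[int]


# Constructed sample log. Hosts 5/17/21/31/41/56 and the six large transfers come
# from the results slides; 37.170.100.10, the 192.0.2.x servers and all routine
# sizes are invented for the example.
INTERNAL_HOSTS = ["37.170.100.5", "37.170.100.10", "37.170.100.17", "37.170.100.21",
                  "37.170.100.31", "37.170.100.41", "37.170.100.56"]
ROUTINE_PORT25 = [800, 950, 1100, 1400, 1800, 2600]   # constructed sizes to 37.170.30.250
ROUTINE_WEB = [1200, 1500, 2500, 4000]                 # constructed sizes to web servers
# The first results table gives no Socket/RespSize, so those fields are None.
SUSPECT_ROWS = [
    ("37.170.100.56", "2008/1/29 15:41", "100.59.151.133", None, 10024754, None),
    ("37.170.100.31", "2008/1/10 14:27", "100.59.151.133", None, 6543216, None),
    ("37.170.100.21", "2008/1/23 12:42", "37.158.218.208", None, 2912383, None),
    ("37.170.100.17", "2008/1/15 9:53", "37.170.30.250", 25, 139964, 59318),
    ("37.170.100.5", "2008/1/4 13:41", "37.170.30.250", 25, 4520912, 55328),
    ("37.170.100.41", "2008/1/17 17:16", "37.170.30.250", 25, 1662032, 59307),
]


def make_sample_flows() -> list:
    """Routine traffic from every host plus the six suspect records."""
    flows = []
    for i, host in enumerate(INTERNAL_HOSTS):
        for j, size in enumerate(ROUTINE_PORT25):     # every host talks to this server
            flows.append(Flow(host, datetime(2008, 1, 2 + j, 9 + i, 0),
                              "37.170.30.250", 25, size, 600))
        web = "192.0.2.10" if i % 2 == 0 else "192.0.2.20"  # each server: some hosts only
        for j, size in enumerate(ROUTINE_WEB):
            flows.append(Flow(host, datetime(2008, 1, 3 + j, 10 + i, 30),
                              web, 80, size, 45000))
    for src, when, dst, port, req, resp in SUSPECT_ROWS:
        flows.append(Flow(src, datetime.strptime(when, "%Y/%m/%d %H:%M"),
                          dst, port, req, resp))
    return flows


def destination_fan_in(flows) -> dict:
    """Per destination IP: (total communications, number of distinct source IPs)."""
    comms = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        comms[f.dest_ip] += 1
        sources[f.dest_ip].add(f.source_ip)
    return {d: (comms[d], len(sources[d])) for d in comms}


def filter_common_destinations(flows, fraction: float = 1.0):
    """Drop destinations reached by at least `fraction` of all internal hosts
    (the slides' example: 37.170.30.250 is reached by ALL source IPs, so it is
    an unlikely covert contact). Returns (remaining flows, dropped destinations)."""
    all_sources = {f.source_ip for f in flows}
    fan_in = destination_fan_in(flows)
    common = {d for d, (_, n) in fan_in.items() if n >= fraction * len(all_sources)}
    return [f for f in flows if f.dest_ip not in common], common


MIN_RECORDS = 5      # too little history below this to call anything abnormal
Z_THRESHOLD = 3.5    # conventional cutoff for a MAD-based robust z-score


def flag_abnormal_sizes(flows):
    """Flag requests whose size is far outside the sending host's usual range.
    Sizes span orders of magnitude, so the comparison uses log10(size) and a
    median/MAD score that a single huge transfer cannot distort the way a
    mean/stddev would. Returns [(flow, z)] sorted by descending z."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.source_ip].append(f)
    flagged = []
    for records in by_host.values():
        if len(records) < MIN_RECORDS:
            continue
        logs = [math.log10(r.req_size) for r in records]
        med = statistics.median(logs)
        mad = statistics.median(abs(x - med) for x in logs)
        if mad == 0:
            continue   # every size identical: nothing to scale deviations against
        for r, x in zip(records, logs):
            z = abs(x - med) / (1.4826 * mad)   # 1.4826 makes MAD comparable to a stddev
            if z > Z_THRESHOLD:
                flagged.append((r, round(z, 1)))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged


if __name__ == "__main__":
    log = make_sample_flows()
    _, common = filter_common_destinations(log)
    print("destinations filtered as reached by all hosts:", sorted(common))
    for rec, z in flag_abnormal_sizes(log):
        print(f"{rec.source_ip:15} {rec.access_time:%Y/%m/%d %H:%M} "
              f"{rec.dest_ip:15} port={rec.socket} req={rec.req_size:>9} z={z}")
```

The size check is run on the unfiltered log on purpose: the slides' own example filter would remove 37.170.30.250, yet the second results table lists large port-25 transfers to that address, so the fan-in filter is useful for narrowing candidate contacts but should not be applied before looking for abnormal request sizes.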
Visualization metaphor
• Time bar
Visualization metaphor
• Prox data of building entrance
Visualization metaphor
• Prox data of classified region entrance
Visualization metaphor
• Network flow
Data Exploration
• Overall view
Stories found
demo
Results
Annotated hosts: #56 (29th Jan), #31 (10th Jan), #21 (23rd Jan)
SourceIP         AccessTime         DestIP            ReqSize
37.170.100.56    2008/1/29 15:41    100.59.151.133    10024754
37.170.100.31    2008/1/10 14:27    100.59.151.133    6543216
37.170.100.21    2008/1/23 12:42    37.158.218.208    2912383
Results
Annotated hosts: #17 (15th Jan), #5 (4th Jan)
SourceIP         AccessTime         DestIP           Socket    ReqSize    RespSize
37.170.100.17    2008/1/15 9:53     37.170.30.250    25        139964     59318
37.170.100.5     2008/1/4 13:41     37.170.30.250    25        4520912    55328
37.170.100.41    2008/1/17 17:16    37.170.30.250    25        1662032    59307
Left to be Done
• Suspect transfer function
  • Data size based on statistics
  • DestIP connection counts
  • Pattern-based transfer function
• Interactive data operations: filter etc.
• Higher resolution: day view
• Office grouping
• Automatic detection of the most suspicious records
• More interactions
Left to be Done
• Focus+context method, using a sigma lens to magnify regions and identify patterns
Thank you!