1 / 18

Identifying Suspicious Data Transfers by Embassy Employee: An Abnormal Detection Approach

This project focuses on detecting abnormal network behaviors of an embassy employee suspected of leaking data to a criminal organization. We analyze logged IP and network traffic to determine which computer(s) were likely used for this illicit communication. Through data preprocessing and advanced visualization techniques, we characterize behavioral patterns associated with suspicious activities. Key methodologies include filtering unrelated communications, identifying targets based on connection frequencies, and employing interactive operations to pinpoint high-risk interactions. Findings will aid in preventing future data breaches.

jayme-ramirez
Télécharger la présentation

Identifying Suspicious Data Transfers by Embassy Employee: An Abnormal Detection Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abnormal Detect: Finding the Suspect Co-on Team Presented

  2. Background Review Yi Fu • Finding the suspect Jialiang Wang Yanni Li Guohao Zhang

  3. Problem • An embassy employee is suspected of sending data to an outside criminal organization from the Embassy • The IP and Network traffic are recorded • Task • Identify which computer(s) the employee most likely used to send information to his contact • Characterize the patterns of behavior of suspicious computer use

  4. Source Data • Data

  5. Data Prepossessing • Data Filter • Example: • destIP: 37.170.30.250 has 9638 communications with ALL the sourceIP • unlikely to be the suspect’s contact • it can be filtered

  6. Data Prepossessing • Data size pattern

  7. Data Prepossessing • Abnormal Records

  8. Visualization metaphor • Time bar

  9. Visualization metaphor Prox data of building entrance

  10. Visualization metaphor Prox data of classified region entrance

  11. Visualization metaphor Network flow

  12. Data Explor • Overall view

  13. Stories found demo

  14. Results Results #31 10th Jan #56 29th Jan #21 23rd Jan

  15. Results Results #17 15th Jan #5 4th Jan

  16. Left to be Done • Suspect transfer function • Data size based on statistics • DestIP connecting times • Pattern based transfer function • Interactive data operations: filter etc. • Higher resolution: day-view • Office grouping • Automatic highest suspicious detect • More interactions

  17. Left to be Done • Focus+context method, using sigma lens to magnify to identify patterns

  18. Thank you!

More Related