Home CyberAttack! Hunting Anomalous Bots and An Introduction to Cyber-Objects – LIVE from Cyberspace...

Hunting Anomalous Bots and An Introduction to Cyber-Objects – LIVE from Cyberspace !

3545
0
SHARE
Hunting Anomalous Bots and An Introduction to Cyber-Objects - LIVE from Cyberspace !
Hunting Anomalous Bots and An Introduction to Cyber-Objects - LIVE from Cyberspace !

Hi everyone,

This is Rich, and I’ll be your Cyberspace Pilot for our second tutorial.  First, we’ll identify a couple of Bots.  And then, we’ll explain these colored sphere thingies … “Cyber-Objects”.

This video was captured in near real time, with data updates from only a few minutes before this video was created (best Viewed in 1600 x 1200 resolution – maximize it to see the text):

Flying though Cyberspace in Real-Time !

(Or download here if you have difficulty streaming):
Cyberspace-Situational-Awareness-Bots-Introduction-to-Cyber-Objects-10-FPS-v06

 

We’re also going to use screenshots to discuss our Cyberspace voyage.  Based on user testing, this application allows me to efficiently identify threats in nearly real-time.  And later, we can also conduct deeper analysis (for example – when editing the videos, I noticed a few things which I did not notice while first flying in real time).  In a future tutorial, I’ll compare this application versus traditional log file analysis (we’ve received very good feedback on this concern, and so we hope to properly address this).

 

First BOT - 4,500 Website Hits in 3 Hours
First BOT – 4,500 Website Hits in 3 Hours

Okay, we engaged auto-pilot mode for our navigation system.  We’ve selected the “high-risk” auto-pilot mode, as this automatically flies us to Cyber-Object nodes with a high RiskScore (and in a future post, we’ll explain how RiskScore is calculated).

After auto-pilot is engaged, and within less than 5 seconds… I’ve already become aware of a BOT!  It’s really easy, I just see it has about 4,500 website hits in about 3 hours.  This information is displayed in the upper right side of our Heads Up Display (HUD), and the important information is underlined in red.  It’s really that simple!  I also take notice that the “Cyber Persona” behind this Cyber-Object node, is from an IP address from Italy – as I underlined in the HUD (and more details for “Cyber Persona” are below – in the tutorial slides).

 

Second BOT - 500 Website Hits in Ten Minutes
Second BOT – 500 Website Hits in Ten Minutes

Okay, so now we move on to the second Cyber-Object thanks to our auto-pilot (darn that computer is probably a better pilot than me, LOL!).  During real-time, I notice this Cyber-Object has hit our website 500 times… and we just purged our database only 3 hours ago… so I’m thinking… hey why is this user trying to hit our website over 500 times in 3 hours… so I’m suspicious of it.  I suspect it’s a bot, and flag it for offline analysis.  When I was editing the videos, I noticed the “Time Seen” for this Cyber-Object was only 9 minutes and 28 seconds… so, this user actually hit our website over 500 times in less than 10 minutes… BOT!!!  Unless, you click on websites that quickly?

Also, this same “time duration information” can be deduced by the “First Seen” and “Last Seen” fields right above the “Time Seen” field.  Hey, did you notice… this “Cyber Persona” is also from Italy? A coincidence??

 

What are Nodes, Cyber-Objects, and Cyber Persona?
What are Nodes, Cyber-Objects, and Cyber Persona?

So yeah, I can imagine that you’re asking why we gotta be so complicated… and call these “colored node sphere thingies” with names like “Cyber-Objects” or even “Cyber Persona”?  In the future, we’ll be using this framework to incorporate Multi Sensor Data Fusion (MSDF) towards better security and Cyberspace Situational Awareness (CSA).  Also yes, sorry my video and slides are still a bit rough… I’ll try to improve them in the upcoming 3rd video.  I’m a nerd, and am still learning all this visualization stuff! 🙂

 

Nodes are Cyber-Objects!
Nodes are Cyber-Objects!

So yes, I hope this slide states it all?  These “colored sphere node thingies” are really Cyber-Objects!  These Cyber-Objects represent the entities in cyber space, and they are interacting with our web server (and in the future… our other cyber assets). Our HUD displays the interesting information for these Cyber-Objects (in the upper right corner).  But hey, here’s the secret… these Cyber-Objects are all really nodes in a Graph!  (see below)

 

Our Same Cyberspace Scene, but with Edges Turn ON - A Graph !
Our Same Cyberspace Scene, but with Edges Turn ON – A Graph !

So yes, in this screenshot:  we’ve turned on the “Edges” between our Cyber-Object nodes.  But… It’s really a Graph representation of Cyber-Objects!  Can you see it?  So far, we want to keep the concepts simple… so we only demonstrate a small graph relationship between our one web server “Cyber-Object” node and the many web client “Cyber-Objects”.  There’s  amazing future work possible with these graph concepts, as well as “virtualizing Cyberspace”.  We’re only tipping our toes into this ocean of Cyberspace virtualization, and this is truly a new and unexplored frontier.

 

Color Legend for our Cyber-Objects
Color Legend for our Cyber-Objects

Red indicates a high risk Cyber-Object as defined by RiskScore.  Yellow indicates a Bot which has properly (and kindly) self-identified itself as a Bot in its User Agent string. Green indicates a Cyber-Object which is a registered and *authenticated* user on the website. Blue indicates an *unauthenticated* user (or Cyber-Object).

We might change the colors, or maybe possibly make them “user configurable”.  But hey, we gotta focus on more important MSDF and CSA concepts first!

 

What are Cyber Persona ?
What are Cyber Persona ?

A Cyber Persona is a type of Cyber Object, and it’s really just the person or organization responsible for the action of the Cyber-Object.  For example, “a Russian Intelligence Service” was attributed to being the Cyber Persona behind the “stolen Podesta emails” from Hillary Clinton (while she was a Presidential candidate).  We’ll keep it simple for now, and in the future we’ll also discuss other types of Cyber-Objects (when we require them due to more advanced data fusion issues).

 

Advanced Cyber-Object Concepts
Advanced Cyber-Object Concepts

For a “deeper dive” into Cyber-Objects and Cyber Space Graphs (CSGs), I’ll refer you to Tim’s excellent research:

Bass, T., Cyberspace Situation Graphs – A Brief Overview, Presentation, September 2016, DOI: 10.13140/RG.2.2.16014.56643/9 (Footnote 1)

 

Cyber Space Graph research by Tim Bass - and Adapted Joint Publication 3-12 (R)
Cyber Space Graph research by Tim Bass – and Adapted Joint Publication 3-12 (R)

This slide is from when I first met Tim from ResearchGate, where he adapts the military’s Joint Publication 3-12 (R) Cyberspace Operations to Cyber-Objects.  Those were very fun times chatting with Tim, and he was talking to me about Virtualizing Cyberspace like Outer Space (or even like the movie – “the Matrix”).  We were both pretty excited about integrating Virtual Reality features in, but data fusion is important too!  I’ll never forget when I first read that Join Publication 3-12 (R) document, and they were saying something like “Cyberspace is very similar to Outer Space”… and I kept re-reading that part over and over…  Wow, there seems to be something very profound about Virtualizing Cyberspace like Outer Space!

 

Credits and Contacts Page
Credits and Contacts Page

Our creative juices are flowing with all this Visualization stuff, so we added a “Credits page” to our “Movie”.  What do you think?  Give us some comments below?  I believe I should give my Dog “Chewy” a credit too (I named him after Chewbacca)… and you can hear him chomping on his bone in some of the audio clips… sorry, I’ll put him in a different room next time!  But then maybe, I’ll be a lonely Hans Solo as I’m flying through Cyberspace!

And I really need to thank and credit Tim for all the amazing coding that he’s done so far, plus he tolerates my crazy video game thoughts.  Sorry Tim!

Don’t forget… what’s important here:  is that this video footage was all created with real-time data (or only a few minutes old).

This is Rich, signing out LIVE from Cyberspace!

DOI: 10.13140/RG.2.2.22779.62245

———
Footnote 1: See also this blog post, Cyberspace Situation Graphs – A Brief Overview by Tim Bass.