EINSTEIN and the Movie “Zero Days”

I recently watched the movie “Zero Days” via the iTunes Store, and the movie included a couple of shots inside the Security Operations Center (SOC) of the Department of Homeland Security (DHS). In these shots we see a glimpse of DHS’s network monitoring system called EINSTEIN (Wikipedia, DHS). The segment covering the DHS SOC starts at about 1 hour and 26 minutes into the movie.

EINSTEIN is on its third major release. EINSTEIN 1 appears to be a basic NetFlow-class analyzer with anomaly detection, perhaps done in batch mode. EINSTEIN 2 added signature capabilities via threat intelligence feeds. EINSTEIN 3 adds blocking capability plus the ability to move the sensor farther upstream (e.g., running on ISP or backbone traffic).

Below are my analyses (guesses) of some of the EINSTEIN information shown at the SOC.

Table View

Figure 1 (from “Zero Days”) shows a summary of sensors information coming into DHS. Each row represents a single sensor. The following is my interpretation of the fields displayed.

Figure 1

  • B/Pkt. This first visible column appears to be an average of bytes per packet. An empty packet (one with no payload) typically has about 54 bytes (plus or minus depending on a number of factors). The maximum packet size is about 1500 bytes (depending on physical networking technology). An average of about 600 bytes per packet seems about right.
  • B/Pkt ZScore. The second column appears to show how anomalous the current bytes per packet rate is. If DHS is assuming their data is Gaussian distributed, a ZScore is the number of standard deviations the current value is from the mean. The bytes per packet for the first and third rows appear to be fairly normal, but the bytes per packet for the second row appears to be on the low side (2 standard deviations below the average). A low B/Pkts Zscore can be caused by a high number of empty packets like you would get if your site is being scanned or the focus of several types of DDoS attacks (e.g., SYN-flood). It could also be caused by random fluctuations in values. A Zscore of -2 (or lower) should be seen about 2.28% of the time.
  • Current Bytes. This column is harder to interpret on its own, but given that the cell in the top row has the same value as the cell two columns over, my guess is Current Bytes is simply Bytes per Hour. We don’t know the actual value since the ellipses suggest there are more numbers we are not seeing.
  • Average Bytes. This column is also hard to interpret. As with the previous column and the next column, the actual number is not known because some digits are missing from the display.
  • B/Hr. The column appears to be Bytes per Hour. This is an overall traffic rate. It is unclear what technique they are using. For example, are they using an exponentially decaying average? And if so, what half-life are they using?
  • P/Hr. This column appears to be Packets per Hour - another measure of traffic rate.
  • Location. The far right column is named “Location”, and while we cannot see any values here, another shot in the movie shows the value for this column including “Springfield, …”, “Washington, …”, “Reston, VA”, and “Plano, TX”. Yet another shot in the video shows the column “Agency”, with values like “CBP”, “USDA”, and “VA”. And the next column is named “Collector” with values like “CBP3”, “USDA7”, and “VA1”. From these values each row represents a single sensor at a government site, and the “Location” is the city where this government site is located.

From this table it appears that the only value we can determine is anomalous is Bytes per Packet. For example, if volume increased or decreased a lot, it would not be obvious from the view from this image. A “B/Hr ZScore” or “P/Hr ZScore” column could flag these anomalous conditions. However, the next figure can helps visually spot anomalous traffic rates.

Traffic Rates View

Figure 2 shows traffic volume (i.e., bytes per hour or packets per hour) displayed on a protocol by protocol basis.

Figure 2

Trying to read the fuzzy image, the left column appears to be displaying traffic rates for

  • Total (all traffic)
  • ICMP - Internet Control Message Protocol
  • IGRP - Interior Gateway Protocol
  • RSVP - Resource Reservation Protocol
  • Other - all other traffic that is not part of the named protocols

And the right column appears to be displaying traffic rates for

  • HOPOPT - IPv6 Hop-by-Hop Option
  • TCP - Transmission Control Protocol
  • UDP - User Datagram Protocol
  • ESP - Encapsulating Security Payload

My guess is that the red color represents outbound traffic rates and the blue color represents inbound traffic rates (or vice versa).

What is interesting are the five large peaks for TCP and UDP equally separated in time and of equal volumes. These peaks are also reflected in the “Total” chart as well, indicating, not surprisingly, that TCP and UDP traffic dominate the total amount of traffic. These large and rhythmic spikes may indicate there was a large amount of traffic generated by an automated process that spanned both UDP and TCP. Perhaps it is some type of network scan or multi-vector DDoS attack.

Summary

Admittedly this is a lot of guess work trying to interpret two still frames from the movie “Zero Days”, but this is the first time I’ve seen any images from DHS’s EINSTEIN monitoring system. Furthermore, the video segment appears to be part of a public or press tour of the DHS SOC, so any truly revealing images of EINSTEIN would not be displayed.

In particular, there is a scene showing a large blinking red light on the ceiling. I think the director was trying to show “Red Alert! Something bad is happening!” However, being someone without a security clearance, I know lights like these are turned on when people like me are in the building to tell everyone to cover up any sensitive information and not to talk about sensitive topics. In other words, the blinking red light was because the film crew was in the building.