Intrusion and Fraud Detection
![Page 1: Intrusion and Fraud Detection](https://reader030.vdocuments.net/reader030/viewer/2022020718/5465696fb4af9fda3f8b4b7c/html5/thumbnails/1.jpg)
Slide 1
Intrusion and Fraud Detection
Presentation at SWITS-IV, Vadstena, June 7-8 2004
Håkan Kvarnström
Department of Computer Engineering, Chalmers University of Technology
URL: http://www.ce.chalmers.se/staff/hkv
Slide 2
Outline
• Why do we need IDS/FDS?
• Security countermeasures
• Definitions
• History of fraud
• How do we detect intrusions and fraud?
• Detection mechanisms
• IDS vs. FDS
• Attacks against IDS/FDS
• A fraud detection example
• Some results from my own research
• Problems to be solved
Time: approx. 50 minutes
Slide 3
Intrusion and fraud detection
• Automated analysis of events to detect intrusion and fraud
Figure by Ulf Lindqvist
Slide 4
Similar to a burglar alarm
• Intrusion and fraud detection complements preventive mechanisms such as firewalls and OS security.
(Figure, by Ulf Lindqvist: the alarm sits alongside the preventive mechanisms.)
Slide 5
Why intrusion and fraud detection?
(Figure: Prevention, Detection, Response, Recovery)
• It is hard to design completely secure systems
• IDS/FDS have the capability to detect unauthorized use of information and resources
• Even authorized entities may become corrupt
• Offers early-warning capabilities
Slide 6
Security countermeasures
(Figure, by Emilie Lundin Barse: the Prevention, Detection, Response, Recovery chain. Attacks reach the affected system; preventive mechanisms stop some of them, and the remaining attacks pass to detection, which either raises an alarm that triggers active countermeasures and recovery, or misses the attack, which then stays undiscovered.)
Slide 7
Detection capabilities
(Figure by Ulf Lindqvist)
Slide 8
IDS trivia
Question: Is there at least one type of attack that an IDS cannot detect?
Answer: Passive attacks, such as decrypting or breaking an encrypted packet or stream; they produce no observable event on the monitored system.
Slide 9
Definition of "intrusion"
"An attack in which a vulnerability is exploited, resulting in a violation of the implicit or explicit security policy"
Slide 10
Definition of "fraud"
"An intentional deception or misrepresentation that an individual knows to be false that results in some unauthorized benefit to himself or another person"
• The definition includes "insiders"
• "Fraud" can be seen as an application-specific form of "intrusion"
Slide 11
History of telecom fraud – Celebrities
• John Draper, 1972
  • Used a toy whistle (2600 Hz) from a box of Cap'n Crunch cereal to manipulate AT&T's phone switches (blue boxing). He was able to route new calls by signalling the phone system into "operator mode".
• Kevin Poulsen, 1990
  • Won a Porsche 944 S2 by taking over all incoming phone lines going to LA radio station KIIS-FM (102nd caller).
  • He continued to "win": a second Porsche, $22,000, two trips to Hawaii… and 3 years in prison.
Slide 12
History lesson - Fraud
• Cell phone fraud
  • Eavesdropping. The NMT system did not use encryption.
  • Tumbling. Rapidly changing a cell phone's serial number gave free access to the network. Was common in the US.
  • Cloning. Duplication of SIM cards and terminal serial numbers. The legitimate subscriber is billed for the services used.
  • Subscription fraud. Signing up for a subscription under a false name and address.
• Computer-related fraud
  • Electronic banking and payment. Not so common… yet.
  • Illegal downloading and distribution of digital content. Very common.
  • Phishing. Attackers trying to "fish" for private information, mostly using spam as a vehicle.
Slide 13
Interesting reading
• P. Hoath. Telecoms fraud, the gory details. Computer Fraud & Security 20(1), 1998.
Slide 14
An intrusion/fraud detection system
(Figure: the target emits raw data; the collection function turns it into raw input events for the decision function, which is driven by the detection policy; its alarms go to the response function, driven by the response policy.)
• Raw data from the target: network packets (IP), application logs, OS logs
• Detection policy: a formalization of the security policy
• Decision function: rule-based or anomaly-based
Slide 15
Classification of fraudulent activities
Slide 16
Interesting reading
• H. Debar, M. Dacier and A. Wespi. Towards a Taxonomy of Intrusion Detection Systems. Computer Networks 31(8), 1999.
• L. R. Halme and K. R. Bauer. AINT misbehaving – a taxonomy of anti-intrusion techniques. Proceedings of the 18th National Information Systems Security Conference, 1995.
Slide 17
Rule-based (signature) vs. anomaly-based
(Figure: a 2×2 matrix, known/unknown normal behaviour against known/unknown fraudulent behaviour.)
• Known normal behaviour, known fraud: well-known services, well-known fraud
• Unknown normal behaviour, known fraud: new services, well-known fraud in similar services
• Known normal behaviour, unknown fraud: well-known services, new types of fraud
• Unknown normal behaviour, unknown fraud: new types of services, new types of fraud
Rule-based IDS/FMS cover the quadrants where the fraud is known; anomaly-based IDS/FMS cover well-known services with new types of fraud. New types of services with new types of fraud are marked "?".
Slide 18
Detection mechanisms
• Signatures
• Visualization
• Thresholds
• Clustering and classification
• Statistical analysis
• Bayesian networks
• Neural networks
• Markov models
(Figure: an example Bayesian network with nine nodes A–I carrying the labels Domestic User, Commercial User, Customer Churn, Profile Change, 'Hot' Destinations, Revenue Loss, Propensity to Fraud, Bad Debt and Low Income. The extraction places Low Income beside C; the other letter-to-label pairings are not recoverable. The conditional probability tables read as follows, with x meaning "don't care".)
Pr{A} = 0.76, Pr{B} = 0.24, Pr{C} = 0.74
Pr{D|¬A} = 0.27, Pr{D|A} = 0.73
Pr{E|¬A,¬B,x} = 0.01, Pr{E|¬A,B,¬C} = 0.02, Pr{E|¬A,B,C} = 0.04, Pr{E|A,x,x} = 0.03
Pr{F|¬B,x} = 0.00, Pr{F|B,¬C} = 0.01, Pr{F|B,C} = 0.04
Pr{G|¬D,¬E} = 0.03, Pr{G|¬D,E} = 0.72, Pr{G|¬D,E} = 0.84 (sic; by the pattern of the other tables this third entry is presumably Pr{G|D,¬E}), Pr{G|D,E} = 0.96
Pr{H|¬E} = 0.58, Pr{H|E} = 0.42
Pr{I|¬E,¬F} = 0.02, Pr{I|¬E,F} = 0.98, Pr{I|E,¬F} = 1, Pr{I|E,F} = 1
Read off the tables, the structure is: A, B and C are roots; D depends on A; E on A, B and C; F on B and C; G on D and E; H on E; I on E and F.
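The network above can be evaluated directly from its tables. The following is an added example, not code from the presentation: inference by enumeration over the nine nodes, using the conditional probabilities exactly as listed, with the letters kept as node names because the letter-to-label mapping is not recoverable from the slide. The one ambiguity, the duplicated Pr{G|¬D,E} entry, is resolved by assuming that the 0.84 entry is Pr{G|D,¬E}; that assumption does not affect the queries on I and E below, because G has no children.

```python
import itertools

# Network structure read off the conditional probability tables on the slide.
PARENTS = {
    "A": (), "B": (), "C": (),
    "D": ("A",),
    "E": ("A", "B", "C"),
    "F": ("B", "C"),
    "G": ("D", "E"),
    "H": ("E",),
    "I": ("E", "F"),
}
NODES = list(PARENTS)
YES, NO = True, False
BOTH = (NO, YES)

# Pr{node = true | parents}, keyed by the parents' values in PARENTS order.
CPT = {
    "A": {(): 0.76}, "B": {(): 0.24}, "C": {(): 0.74},
    "D": {(NO,): 0.27, (YES,): 0.73},
    "E": {(NO, NO, NO): 0.01, (NO, NO, YES): 0.01,            # Pr{E|¬A,¬B,x}
          (NO, YES, NO): 0.02, (NO, YES, YES): 0.04,
          **{(YES, b, c): 0.03 for b in BOTH for c in BOTH}},  # Pr{E|A,x,x}
    "F": {(NO, NO): 0.00, (NO, YES): 0.00,                    # Pr{F|¬B,x}
          (YES, NO): 0.01, (YES, YES): 0.04},
    # The slide lists Pr{G|¬D,E} twice (0.72 and 0.84). Following the pattern
    # of the other tables, the 0.84 entry is taken to be Pr{G|D,¬E} (assumption).
    "G": {(NO, NO): 0.03, (NO, YES): 0.72, (YES, NO): 0.84, (YES, YES): 0.96},
    "H": {(NO,): 0.58, (YES,): 0.42},
    "I": {(NO, NO): 0.02, (NO, YES): 0.98, (YES, NO): 1.0, (YES, YES): 1.0},
}


def joint(assignment):
    """Pr{A=a, ..., I=i} = product over nodes of Pr{node | its parents}."""
    p = 1.0
    for node in NODES:
        key = tuple(assignment[parent] for parent in PARENTS[node])
        p_true = CPT[node][key]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """Pr{target = true | evidence}, by enumerating all 2^9 assignments and
    keeping those consistent with the evidence."""
    evidence = evidence or {}
    numerator = denominator = 0.0
    for values in itertools.product(BOTH, repeat=len(NODES)):
        a = dict(zip(NODES, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a)
        denominator += p
        if a[target]:
            numerator += p
    return numerator / denominator


if __name__ == "__main__":
    print(f"Pr{{I}}   = {query('I'):.4f}")
    print(f"Pr{{I|A}} = {query('I', {'A': YES}):.4f}")
    print(f"Pr{{E}}   = {query('E'):.4f}")
    print(f"Pr{{E|I}} = {query('E', {'I': YES}):.4f}")
```

Pr{I} comes out at about 0.053 and Pr{E|I} at about 0.50, so observing I raises the probability of E from under 3% to roughly one half, which is what makes such a node useful as a fraud indicator. Enumeration costs 2^n evaluations and is fine for nine nodes; a production model would use variable elimination or sampling.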
Slide 19
Visualization
• Find patterns and deviating behaviour
• Use the power of the brain!
(Figure: a graph linking service users, premium rate services and suspects.)
Slide 20
FDS vs. IDS

| | Telecom fraud management systems (FMS) | Intrusion detection systems (IDS) |
|---|---|---|
| Input | Call Detail Records (CDR): A-number, B-number, duration, call path, timestamps, … (>40 parameters) | OS and application log files; network traffic |
| Detection | Thresholds; customer profiles | Signatures; anomaly detection |

Slide 21
FDS vs. IDS (continued)

| | Telecom fraud management systems (FMS) | Intrusion detection systems (IDS) |
|---|---|---|
| Post-processing | Case building | Correlation of alarms |
| Response | Identify the fraud case; many people involved in the investigation process; not interested in low-cost frauds | Identification of a known attack or description of a suspicious event, active response; small resources for investigation, so the number of alarms must be limited; difficult to sort out "insignificant" attacks |
Slide 22
Attacks against signature-based IDS
• The IDS and the target system interpret the input data stream differently!
• It is possible to avoid detection of an attack by crafting packets/data carefully
(Figure: Hacker → IDS → Target system. The hacker sends "Raaa^h^h^hoot". The IDS does not interpret the ^h backspace characters and sees a harmless string; the target system applies the backspaces and sees "root".)
Slide 23
Attacks against signature-based IDS
• Insertion attack
Slide 24
Attacks against signature-based IDS
• IP fragmentation reassembly behaviour (overlaps)

| Operating system | Overlap behaviour |
|---|---|
| Windows NT | Always favors old data |
| 4.4BSD | Favors new data for forward overlap |
| Linux | Favors new data for forward overlap |
| Solaris 2.6 | Always favors old data |
| HP-UX 9.01 | Favors new data for forward overlap |
| Irix 5.3 | Favors new data for forward overlap |
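The two failure modes on slides 22 to 24 can be shown in a few lines. The following is an added example, not code from the presentation. A signature matcher that inspects raw bytes misses the `root` hidden behind backspaces, while one that first applies the target's interpretation of the stream catches it; and a small fragment reassembler with an "old data wins" and a "new data wins" policy shows how the same three fragments read as `cat /etc/issue` to one party and `cat /etc/shadow` to the other, giving either evasion or a false alarm depending on which side uses which policy. The fragments, the signatures, and the reduction of the table's "forward overlap" cases to a plain favor-new policy are constructed for the example.

```python
import re

# ---- Case 1 (slide 22): IDS and target interpret the byte stream differently
ROOT_SIG = re.compile(rb"root")


def target_view(stream: bytes) -> bytes:
    """How a terminal-style target sees the stream: 0x08 (backspace, ^H)
    erases the previous character instead of being a character of its own."""
    out = bytearray()
    for b in stream:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def naive_ids_alerts(stream: bytes) -> bool:
    """Signature applied to the raw bytes, as the IDS in the figure does."""
    return ROOT_SIG.search(stream) is not None


def normalizing_ids_alerts(stream: bytes) -> bool:
    """Signature applied to what the target will actually see."""
    return ROOT_SIG.search(target_view(stream)) is not None


# ---- Case 2 (slides 23-24): overlapping IP fragments, two reassembly policies
SHADOW_SIG = re.compile(rb"/etc/shadow")


def reassemble(fragments, favor_new: bool) -> bytes:
    """fragments: (offset, payload) pairs in arrival order.
    favor_new=False: bytes already received win (the 'always favors old data'
    rows of the table). favor_new=True: later bytes overwrite earlier ones.
    The BSD/Linux 'forward overlap only' nuance is simplified to the
    favor-new case here (assumption)."""
    size = max(off + len(payload) for off, payload in fragments)
    buf, seen = bytearray(size), [False] * size
    for off, payload in fragments:
        for i, b in enumerate(payload):
            pos = off + i
            if favor_new or not seen[pos]:
                buf[pos], seen[pos] = b, True
    return bytes(buf)


# Constructed attack: two same-length fragments claim the same offset, one
# benign and one not. Which one "wins" depends on the reassembly policy.
FRAGMENTS = [(0, b"cat /etc/"), (9, b"issue "), (9, b"shadow")]


def verdicts(fragments, ids_favor_new: bool, target_favor_new: bool):
    """(IDS alarm?, target actually executes the attack?) for one pairing."""
    ids_sees = reassemble(fragments, ids_favor_new)
    target_sees = reassemble(fragments, target_favor_new)
    return (SHADOW_SIG.search(ids_sees) is not None,
            SHADOW_SIG.search(target_sees) is not None)


if __name__ == "__main__":
    stream = b"raaa\x08\x08\x08oot"
    print(target_view(stream), naive_ids_alerts(stream), normalizing_ids_alerts(stream))
    for ids, tgt in [(False, True), (True, False), (True, True)]:
        print(f"IDS favor_new={ids} target favor_new={tgt}:", verdicts(FRAGMENTS, ids, tgt))
```

With the IDS favoring old data and the target favoring new, the IDS sees `issue` and stays silent while the target runs `cat /etc/shadow` (evasion); with the policies swapped, the IDS alarms on an attack the target never sees (insertion). The only robust fix is to make the IDS interpret the stream exactly as the target does, per target, which is what the traffic normalization in the Handley, Paxson and Kreibich paper cited on slide 26 is about.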
Slide 25
Attacks against anomaly-based IDS
• Slow changes in user behaviour can be hard to detect!
• Wait for a time slot where an event would be considered "normal behaviour"
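Slides 14, 17 and 25 together describe a collection function, a decision function with a rule-based and an anomaly-based half, and the slow-drift evasion against the latter. The following is an added example, not the presentation's own code, that implements that pipeline over a constructed application log: a path-traversal signature for the known attack, and an exponentially weighted moving average baseline of each user's daily request count for the unknown one. The log format, the three users and their daily counts, and the baseline parameters (alpha 0.2, three standard deviations, a floor of 2, a five-day warm-up) are all assumptions of the example.

```python
import math
import re
from collections import Counter, defaultdict

# ---- Collection function: raw log lines -> structured events --------------
# Hypothetical application-log format, constructed for this example:
#   day=<n> user=<name> <METHOD> <path>
LOG_LINE = re.compile(r"^day=(\d+) user=(\w+) (\w+) (\S+)$")


def collect(lines):
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:  # lines that do not parse are dropped (a real system logs them)
            events.append({"day": int(m[1]), "user": m[2],
                           "method": m[3], "path": m[4]})
    return events


# ---- Detection policy, part 1: rules for known attacks --------------------
SIGNATURES = {
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


# ---- Detection policy, part 2: anomaly detection against a learned baseline
class EwmaBaseline:
    """Exponentially weighted mean and variance of a per-user daily count.
    alpha: adaptation rate; k: alarm threshold in standard deviations;
    floor: minimum std, so a perfectly constant history does not alarm on +1;
    warmup: observations to absorb before any alarm is raised."""

    def __init__(self, alpha=0.2, k=3.0, floor=2.0, warmup=5):
        self.alpha, self.k, self.floor, self.warmup = alpha, k, floor, warmup
        self.mean, self.var, self.n = None, 0.0, 0

    def observe(self, x):
        """Return True if x deviates from the baseline, then adapt the baseline."""
        if self.mean is None:
            self.mean, self.n = float(x), 1
            return False
        std = max(math.sqrt(self.var), self.floor)
        anomalous = self.n >= self.warmup and abs(x - self.mean) > self.k * std
        diff = x - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.n += 1
        return anomalous


def decide(events, **baseline_args):
    """Decision function: apply both halves of the detection policy."""
    alarms = []
    for e in events:
        for name, rx in SIGNATURES.items():
            if rx.search(e["path"]):
                alarms.append(("signature", name, e["user"], e["day"]))
    per_day = defaultdict(Counter)
    for e in events:
        per_day[e["user"]][e["day"]] += 1
    for user, days in per_day.items():
        baseline = EwmaBaseline(**baseline_args)
        for day in sorted(days):
            if baseline.observe(days[day]):
                alarms.append(("anomaly", "request-rate", user, day))
    return alarms


def respond(alarms):
    """Response function: only formats alarms here; a real one pages, blocks, etc."""
    return [f"{kind}:{what} user={user} day={day}" for kind, what, user, day in alarms]


# ---- Constructed input: three users over 30 days --------------------------
def build_log():
    series = {
        "alice":   [10] * 30,                        # steady
        "mallory": [10] * 20 + [60] + [10] * 9,      # sudden burst on day 21
        "eve":     [10 + 2 * d for d in range(30)],  # slow ramp 10 -> 68 (slide 25)
    }
    lines = []
    for user, counts in series.items():
        for day, n in enumerate(counts, start=1):
            lines += [f"day={day} user={user} GET /index.html"] * n
    lines.append("day=21 user=mallory GET /../../etc/passwd")  # known attack
    return lines


def run():
    return decide(collect(build_log()))


if __name__ == "__main__":
    for line in respond(run()):
        print(line)
```

Run as written, it raises the signature alarm and the rate anomaly for mallory on day 21 and nothing for alice. It also raises nothing for eve, whose request count grows by two a day from 10 to 68: the baseline adapts at every step, so the deviation settles at about 8 requests while the threshold settles above 20. That is slide 25's point, and the remedy belongs in the detection policy rather than the detector's defaults: compare against a slowly adapting long-term profile as well as the short-term one, or add an absolute bound from the policy.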
Slide 26
Interesting reading
• T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.
• M. Handley, V. Paxson and C. Kreibich. Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. USENIX Security Symposium, 2001.
• D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. Proceedings of the Ninth ACM Conference on Computer and Communications Security, 2002.
Slide 27
FDS - Video-on-demand example
• Log data:
  • Set-top box logins
  • Movie orders
  • Delivery notifications
  • Router statistics per IP address
  • DHCP requests
(Figure: the user reaches the provider over the Internet; on the provider side sit a router, a DHCP server, a video-on-demand server, an application server and a database.)
Slide 28
Neural network detector
• Neural network
• One net per fraud type
• 7 input nodes:
  1. Sum of successful login attempts
  2. Sum of failed login attempts
  3. Sum of successful movie orders
  4. Sum of failed movie orders
  5. Sum of movie delivery notifications
  6. Sum of billing notifications
  7. Upload/download ratio
• 1 output node: likelihood (0–1) of fraud
• An exponential trace memory was used to model temporal sequences of input
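As an added example of how the seven input values on this slide are derived from the log sources on slide 27 (not the presentation's own code): parse a constructed set-top box log, aggregate it per box and day into the seven features, and pass the daily vectors through an exponential trace memory so that the net sees a decaying history rather than a single day. The log format, the box identifiers, and the trace form trace_t = mu * trace_{t-1} + (1 - mu) * x_t with mu = 0.5 are assumptions; the slide does not specify them.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical, not the real VoD system's):
#   <date> stb=<box-id> <record> [ok|fail] [key=value ...]
LINE = re.compile(r"^(\S+) stb=(\S+) (\w+)(.*)$")
FEATURES = ["login_ok", "login_fail", "order_ok", "order_fail",
            "deliveries", "billings", "up_down_ratio"]

# Constructed sample: stb-17 behaves normally on day 1 and oddly on day 2
# (failed logins and orders, uploads approaching downloads).
LOG = """\
2004-06-01 stb=stb-17 login ok
2004-06-01 stb=stb-17 login ok
2004-06-01 stb=stb-17 login fail
2004-06-01 stb=stb-17 order ok movie=m-204
2004-06-01 stb=stb-17 deliver movie=m-204
2004-06-01 stb=stb-17 bill movie=m-204
2004-06-01 stb=stb-17 traffic up=500 down=100000
2004-06-02 stb=stb-17 login ok
2004-06-02 stb=stb-17 login fail
2004-06-02 stb=stb-17 login fail
2004-06-02 stb=stb-17 login fail
2004-06-02 stb=stb-17 login fail
2004-06-02 stb=stb-17 order fail movie=m-311
2004-06-02 stb=stb-17 order fail movie=m-311
2004-06-02 stb=stb-17 order fail movie=m-311
2004-06-02 stb=stb-17 traffic up=50000 down=100000
2004-06-02 stb=stb-42 login ok
""".splitlines()


def daily_features(lines):
    """{(box, date): [the 7 input values]} aggregated from the raw records."""
    counts = defaultdict(lambda: [0] * 6)   # features 1-6 are plain sums
    traffic = {}                            # feature 7 is a ratio
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        date, box, record, rest = m.groups()
        tokens = rest.split()
        status = tokens[0] if tokens and "=" not in tokens[0] else ""
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        c = counts[(box, date)]
        if record == "login":
            c[0 if status == "ok" else 1] += 1
        elif record == "order":
            c[2 if status == "ok" else 3] += 1
        elif record == "deliver":
            c[4] += 1
        elif record == "bill":
            c[5] += 1
        elif record == "traffic":
            up, down = int(kv["up"]), int(kv["down"])
            # No downloads at all: the ratio is undefined, use 0 rather than divide by zero.
            traffic[(box, date)] = up / down if down else 0.0
    return {key: counts[key] + [traffic.get(key, 0.0)] for key in counts}


def trace_memory(vectors, mu=0.5):
    """Exponential trace memory over time-ordered feature vectors:
    trace_t = mu * trace_{t-1} + (1 - mu) * x_t, starting from zero.
    Older days decay geometrically, so the net sees recent history."""
    trace = [0.0] * len(vectors[0])
    out = []
    for x in vectors:
        trace = [mu * t + (1 - mu) * v for t, v in zip(trace, x)]
        out.append(trace)
    return out


def net_inputs(lines, box, mu=0.5):
    """(ordered dates, one 7-value trace vector per date) for one set-top box."""
    feats = daily_features(lines)
    days = sorted(date for (b, date) in feats if b == box)
    return days, trace_memory([feats[(box, d)] for d in days], mu)


if __name__ == "__main__":
    days, traces = net_inputs(LOG, "stb-17")
    for day, trace in zip(days, traces):
        print(day, dict(zip(FEATURES, (round(v, 5) for v in trace))))
```

The per-box, per-day vectors are what one net per fraud type consumes; training the net itself needs labelled fraud periods, which is what the synthetic data generation on the next slide provides.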
Slide 29
Synthetic data generation (Papers B, C)
(Figure: authentic data passes through data collection, data analysis (statistics) and profile generation (user profiles) into user and attacker modelling and system modelling; the data generation stage consists of a user simulator, an attacker simulator and a target system simulator.)
1. Collection of log data from real users
2. Analyze the collected data (statistics)
3. Create profiles
4. Model users and attackers
5. Model the target systems
Slide 30
Training and detection tests
(Figure: four plots of fraud likelihood (0–1) against days since epoch. Left column, authentic data; right column, synthetic data. Top row, billing fraud: detected fraud plotted against the actual fraud (authentic) and against the fraudulent period (synthetic). Bottom row, break-in fraud, with the same two panels.)
Slide 31
Confidentiality issues in different architectures
(Figure: a 2×2 grid of architectures, confidentiality of the detection policy (low/high) against confidentiality of the input events (low/high). D = data collection, A = analysis; boxes mark security domains. One quadrant is marked with a question mark and the note "Our research problem!")
Slide 32
Detection policy protection
♦ A mechanism for protecting the confidentiality of security policies, such as:
  ♦ A detection policy in an IDS
  ♦ A filtering policy in a firewall
  ♦ …
♦ We do this by encoding the policy as a finite state machine (DFA) which is then obfuscated using one-way functions
Slide 33
Why is this useful?
♦ Heavily distributed intrusion detection architectures pose a threat to the target systems
♦ Parts of the detection policy need to be confidential to prevent disclosure of target-specific weaknesses and oddities.
♦ Loss of confidentiality is irreversible. Loss of availability is not!
Deploying IDS in highly distributed environments may result in a vast number of entities having knowledge about the policy. Hence we need security mechanisms that allow distribution of policies without risk of compromising their confidentiality.
IDS example
Slide 34
Benefits to an IDS
♦ An intruder can learn only what he can observe
♦ Exhaustive search is possible, but computationally intractable for reasonably sized input data.
♦ Prevents reverse engineering of the detection system
  ♦ Does the hacker community know about attack XYZ?
  ♦ A conventional IDS would reveal XYZ if confidentiality is broken
♦ The knowledge of the attack is the key to unlocking the policy
Slide 35
Some related techniques
♦ Prevention against reverse engineering
  ♦ Sander & Tschudin (1998, 1999): encrypted evaluation of polynomial functions
  ♦ Barak et al. (2001): showed the (im)possibility of achieving program obfuscation
♦ Policy encryption
  ♦ Neumann (1995): NIDES
♦ Secure multi-party computation
  ♦ Goldreich et al. (1987): How to play any mental game
Slide 36
How does it work?
♦ A set of valid state machines is hidden in a possibly large and random state space
♦ Transitions to the next state are controlled by:
  ♦ The current state
  ♦ The recursive sum of previous inputs (using a one-way function)
♦ Only knowledge of the correct sequence of inputs will result in the traversal of a valid state machine
♦ A state matrix is used to hold the transition functions
Slide 37
Simple state machine
$L(M) = \{\, x \in \Sigma^* \mid ABBA \text{ is a substring of } x \,\}$
Slide 38
Traversal
(Figure: the state values visited in an example traversal.) X1 = 32, X2 = 226, X3 = 114, X4 = 43, X5 = 93, X6 = 148, X7 = 7, X8 = 148, X9 = 12
Slide 39
The state matrix
Slide 40
Calculating the state matrix
The state value is a function of the current and all previous input
The state value is a random number
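Slides 36 to 40 describe the construction only at the level of random state values and a state matrix. The following is an added example in the same spirit, not the scheme from the thesis: the ABBA-substring DFA of slide 37 is stored as a table keyed by a one-way function of (random state value, input symbol) and padded with random decoy rows, so that the table alone reveals neither the states nor the symbols that drive transitions, and only the correct input sequence traverses the valid machine. SHA-256 as the one-way function, 128-bit state values and 64 decoy rows are choices made for the example.

```python
import hashlib
import os


def H(*parts):
    """One-way function: SHA-256 over the concatenation of the parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return h.digest()


# Plain DFA for L(M) = { x in {A,B}* | ABBA is a substring of x } (slide 37).
# The state is the length of the longest prefix of ABBA that is a suffix of
# the input read so far; state 4 means ABBA has been seen and is absorbing.
PLAIN_DFA = {
    (0, "A"): 1, (0, "B"): 0,
    (1, "A"): 1, (1, "B"): 2,
    (2, "A"): 1, (2, "B"): 3,
    (3, "A"): 4, (3, "B"): 0,
    (4, "A"): 4, (4, "B"): 4,
}
START, ACCEPT = 0, {4}


def obfuscate(dfa, start, accept, decoys=64):
    """Hide the DFA: every state becomes a random value, and each transition
    is stored under H(state_value, symbol) -> next state value, so the table
    shows only hashes and random values. Random decoy rows pad the state
    space; accepting states are recognised through H(b"accept", value)."""
    states = {q for (q, _) in dfa} | set(dfa.values())
    value = {q: os.urandom(16) for q in states}
    matrix = {H(value[q], s): value[q2] for (q, s), q2 in dfa.items()}
    for _ in range(decoys):
        matrix[os.urandom(32)] = os.urandom(16)
    accept_tags = {H(b"accept", value[q]) for q in accept}
    return {"start": value[start], "matrix": matrix, "accept": accept_tags}


def run(obf, inputs):
    """Walk the hidden machine. A sequence outside the language either falls
    off the valid machine (no row for that state and symbol) or ends in a
    state whose accept tag is not in the table."""
    state = obf["start"]
    for s in inputs:
        nxt = obf["matrix"].get(H(state, s))
        if nxt is None:
            return False
        state = nxt
    return H(b"accept", state) in obf["accept"]


OBF = obfuscate(PLAIN_DFA, START, ACCEPT)


def accepts(word):
    return run(OBF, word)


if __name__ == "__main__":
    for w in ["ABBA", "BABBAB", "ABAB", "ABBC", ""]:
        print(repr(w), accepts(w))
    print(len(OBF["matrix"]), "rows in the state matrix, 10 of them real")
```

The two-letter alphabet keeps the example readable but also makes it breakable: anyone holding the matrix can try both symbols from the start value and recover the whole machine, which is the exhaustive search slide 34 refers to. The construction only resists when the input symbols themselves are hard to guess (long event identifiers, whole log records), and even then the Barak et al. result cited on slide 35 means there is no general guarantee; what it hides is which inputs matter, not how many real states and transitions there are beyond the decoys.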
Slide 41
Some problems to be solved…
• Find a correlation between log data and the attacks that can be found
  • What should we log?
• How to design a detection system that combines the advantages of signature-based and anomaly-based systems
  • Fewer false alarms and the capability to find new attacks
• Efficient and reliable correlation of event sources and alarms
  • Reduce the false alarm rate
  • Automated "risk analysis"
  • Understanding advanced attack scenarios
• How can we ensure user privacy?
  • A conflict between the user's privacy and the system owner's interest in identifying "bad guys"
• How can we provide a tighter integration with other countermeasures?
  • Response and recovery is still a highly manual process
Slide 42
Recent dissertations and licentiate theses
• Jaakko Hollmén. User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis, 2000, Helsinki University of Technology.
• Dan Gorton. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance. Licentiate thesis, 2003, Chalmers University of Technology.
• Håkan Kvarnström. On the Implementation and Protection of Fraud Detection Systems. PhD thesis, 2004, Chalmers University of Technology.
Soon in a library near you…
• Emilie Lundin Barse. Logging for Intrusion and Fraud Detection. PhD thesis, 2004, Chalmers University of Technology.
Slide 43
Contact info
Håkan Kvarnström
URL: http://www.ce.chalmers.se/staff/hkv
Mail: [email protected]
Chalmers Computer Security Group: http://www.ce.chalmers.se/research/Security