URL: http://www.ce.chalmers.se/staff/hkv
Outline
- Why do we need IDS/FDS?
- Security countermeasures
- Definitions
- History of fraud
- How do we detect intrusions and fraud?
- Detection mechanisms
- IDS vs. FDS
- Attacks against IDS/FDS
- A fraud detection example
- Some results from my own research
- Problems to be solved
Intrusion and fraud detection complements preventive mechanisms such as firewalls and OS security.
(Figure: preventive mechanisms and alarms, by Ulf Lindqvist.)
- It is hard to design completely secure systems
- IDS/FDS have the capability to detect unauthorized use of information and resources
- Even authorized entities may become corrupt
- Offers early-warning capabilities
Security countermeasures
- Prevention
- Detection
- Recovery
- Response
(Figure: preventive mechanisms, missed attacks, undiscovered attacks and alarms, by Emilie Lundin Barse.)
(Figure: detection capabilities and the affected system, by Ulf Lindqvist.)
IDS Trivia
Question: Is there at least one type of attack that an IDS cannot detect?
Definition of intrusion
An attack in which a vulnerability is exploited, resulting in a violation of the implicit or explicit security policy
Definition of fraud
An intentional deception or misrepresentation that an individual knows to be false that results in some unauthorized benefit to himself or another person
- The definition includes insiders
- Fraud can be seen as an application-specific form of intrusion
- Kevin Poulsen, 1990
- Won a Porsche 944 S2 by taking over all incoming phone lines to LA radio station KIIS-FM (he was the 102nd caller).
- He continued to win: a second Porsche, $22,000, two trips to Hawaii and 3 years in prison.
- Eavesdropping. The NMT system did not use encryption.
- Tumbling. Rapidly changing a cell phone's serial number gave free access to the network. Was common in the US.
- Cloning. Duplication of SIM cards and terminal serial numbers. The legitimate subscriber is billed for the services used.
- Subscription fraud. Signing up for a subscription under a false name and address.
- Electronic banking and payment. Not so common yet.
- Illegal downloading and distribution of digital content. Very common.
- Phishing. Attackers trying to fish for private information, mostly using spam as a vehicle.
Interesting reading
- P. Hoath. Telecoms fraud, the gory details. Computer Fraud & Security 20(1), 1998.
(Figure: generic detection system model. The target produces raw data; a collection function turns it into raw input events; a decision function, rule-based or anomaly-based and governed by the detection policy, evaluates them; a response function, governed by the response policy, acts on the outcome.)
Interesting reading
- H. Debar, M. Dacier and A. Wespi. Towards a Taxonomy of Intrusion Detection Systems. Computer Networks 31(8), 1999.
- L. R. Halme and K. R. Bauer. AINT misbehaving: a taxonomy of anti-intrusion techniques. Proceedings of the 18th National Information Systems Security Conference, 1995.
(Figure: fraudulent behaviour, known vs. unknown.)
Detection mechanisms
- Signatures
- Visualization
- Thresholds
- Clustering and classification
- Statistical analysis
- Bayesian networks
- Neural networks
- Markov models
(Figure: example Bayesian network with the nodes Commercial User, Domestic User, Low Income, Customer Churn, Propensity to Fraud, Bad Debt, Profile Change, Hot Destinations and Revenue Loss, annotated with prior and conditional probabilities.)
Visualization
(Figure: service users.)
- Find patterns and deviating behavior
- Use the power of the brain!
Input:
- Call Detail Records (CDR): A-number, B-number, duration, call path, timestamps (>40 parameters)
- Network traffic
Detection:
- Thresholds
- Customer profiles
- Signatures
- Anomaly detection
Post processing:
- Case building
Response (FDS vs. IDS):
- FDS: identify fraud case. IDS: identification of a known attack or description of a suspicious event, active response.
- FDS: many people involved in the investigation process. IDS: small resources for investigation -> limit the number of alarms.
- FDS: not interested in low-cost frauds. IDS: difficult to sort out insignificant attacks.
The IDS and the target system interpret the input data stream differently!
- Possible to avoid detection of an attack by crafting packets/data carefully
- Example: the hacker sends "Raaa^h^h^hoot". The IDS sees the harmless string "Raaa^h^h^hoot", while the target system interprets the backspaces (^h) and ends up with "root".
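As an added example (not from the slides), a normalizer that interprets the stream the way the target's line discipline does before matching a signature, which is the countermeasure the Handley et al. reference below calls traffic normalization. The erase characters, the signature and the lowercase "r" in the crafted string are my assumptions.

```python
# Which bytes erase the previous character is a target-side setting; ^H and DEL are assumed here.
ERASE_CHARS = {"\x08", "\x7f"}

def as_target_sees_it(stream: str) -> str:
    """Rebuild the string a line discipline that honours erase characters ends up with."""
    out = []
    for ch in stream:
        if ch in ERASE_CHARS:
            if out:                # an erase at the very start has nothing to delete
                out.pop()
        else:
            out.append(ch)
    return "".join(out)

def naive_match(stream: str, signature: str) -> bool:
    """What the slide's IDS does: search the bytes exactly as they arrived."""
    return signature in stream

def normalized_match(stream: str, signature: str) -> bool:
    """Search the stream only after interpreting it the way the target does."""
    return signature in as_target_sees_it(stream)

# Constructed after the slide's example, with real backspace characters and a lowercase r
CRAFTED = "raaa" + "\x08" * 3 + "oot"
SIGNATURE = "root"

def demo() -> tuple:
    """(raw match, normalized match) for the crafted stream."""
    return naive_match(CRAFTED, SIGNATURE), normalized_match(CRAFTED, SIGNATURE)

if __name__ == "__main__":
    print(repr(as_target_sees_it(CRAFTED)), demo())
```

The same idea generalises: the IDS has to reassemble and decode exactly as the target does, which is why the overlap table below matters for TCP as much as backspaces matter for a shell.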
Insertion attack
(Figure: insertion attack.)
Operating System | Overlap Behavior
Windows NT | Always Favors Old Data
4.4BSD | Favors New Data for Forward Overlap
Linux | Favors New Data for Forward Overlap
(Further rows of the slide's table were not recoverable from this extraction.)
Slow changes in user behavior can be hard to detect!
- Wait for a time-slot where an event would be considered normal behavior
Interesting reading
- T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.
- M. Handley, V. Paxson and C. Kreibich. Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. USENIX Security Symposium, 2001.
- D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. Proceedings of the Ninth ACM Conference on Computer and Communications Security, 2002.
Log data:
- Set-top-box logins
- Movie orders
- Delivery notifications
- Router statistics per IP address
- DHCP requests
Neural network
- One net per fraud type
- 7 input nodes:
  1. Sum of successful login attempts
  2. Sum of failed login attempts
  3. Sum of successful movie orders
  4. Sum of failed movie orders
  5. Sum of movie delivery notifications
  6. Sum of billing notifications
  7. Upload/download ratio
- 1 output node: likelihood (0-1) of fraud
- An exponential trace memory was used to model temporal sequences of input
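Added example, not code from the thesis: turning the log sources above into the seven daily input values and passing them through an exponential trace memory so that each day's vector still carries the recent history. The log line format, the decay factor mu and the sample events are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed per-user event log (not real data); the field layout is my assumption:
# day source outcome upload_bytes download_bytes
SAMPLE_LOG = """\
0 login ok 0 0
0 order ok 0 0
0 delivery ok 0 0
0 billing ok 0 0
0 router - 1000 50000
1 router - 800 40000
2 login ok 0 0
2 login fail 0 0
2 login fail 0 0
2 order fail 0 0
2 order fail 0 0
2 router - 1200 60000
"""

# Input nodes 1-7 of the slide: login ok/fail, order ok/fail, delivery, billing, upload/download ratio
COUNT_INDEX = {"login": 0, "order": 2, "delivery": 4, "billing": 5}

def daily_features(log: str) -> Dict[int, List[float]]:
    """Aggregate event lines into one 7-element input vector per day."""
    counts = defaultdict(lambda: [0.0] * 6)
    traffic = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        day, source, outcome, up, down = line.split()
        if source == "router":
            traffic[int(day)][0] += int(up)
            traffic[int(day)][1] += int(down)
            continue
        # a failed login or order goes to the node right after its successful variant
        counts[int(day)][COUNT_INDEX[source] + (outcome == "fail")] += 1
    vectors = {}
    for day in sorted(set(counts) | set(traffic)):
        up, down = traffic[day]
        ratio = up / down if down else 0.0   # guard: nothing downloaded that day
        vectors[day] = counts[day] + [ratio]
    return vectors

def exponential_trace(vectors: List[List[float]], mu: float = 0.7) -> List[List[float]]:
    """Trace memory y_t = mu*y_{t-1} + (1-mu)*x_t per feature; mu (assumed) sets how fast old days fade."""
    trace, out = None, []
    for x in vectors:
        trace = list(x) if trace is None else [mu * t + (1 - mu) * v for t, v in zip(trace, x)]
        out.append(trace)
    return out
```

The traced vectors are what a net of the kind described above would consume; day 2's burst of failed logins and orders shows up at a third of its raw size and then decays over the following days instead of vanishing.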
Papers B, C
Data generation:
1. Authentic data: collection of log data from real users
2. Data analysis: analyze the collected data (statistics)
3. Profile generation: create user profiles
4. User simulator and attacker simulator: model users and attackers
5. System modelling: model the target systems
-> Synthetic data
(Figures: detection results, fraud likelihood against days since epoch. Billing fraud in synthetic data, with detected fraud and the fraudulent period marked; break-in fraud in authentic data, with detected fraud and actual fraud marked; break-in fraud in synthetic data, with detected fraud and the fraudulent period marked.)
(Figure: placement of data collection (D) and analysis (A) components across security domains ranked from low to high.)
Benefits to an IDS
- An intruder can learn only what he can observe
- Exhaustive search is possible, but computationally intractable for reasonably sized input data.
Policy encryption
NIDES, Neumann (1995)
- The current state
- The recursive sum of previous inputs (using a one-way function)
L(M) = {x | ABBA is a substring of x}
Traversal: X1 = 32, X2 = 226, X3 = 114, X4 = 43, X5 = 93, X6 = 148, X7 = 7, X8 = 148, X9 = 12
(Figure: the state matrix.)
- The state value is a function of the current and all previous input
- The state value is a random number
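An added illustration of the idea on these slides, in my own simplified form rather than the thesis's construction: the automaton for L(M) = {x | ABBA is a substring of x} is stored with random-looking state values, and each transition is keyed by a one-way function of the current state value and the input symbol, so someone reading the table learns only the transitions that are actually traversed. The hash choice, the seeded state values and the tiny alphabet are assumptions; with only two symbols the exhaustive search the slide mentions is of course easy.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Plain automaton for L(M) = {x | ABBA is a substring of x}:
# state k means "the last k input symbols equal the first k symbols of ABBA".
PATTERN = "ABBA"
ALPHABET = "AB"
ACCEPT = len(PATTERN)

def plain_next(state: int, sym: str) -> int:
    if state == ACCEPT:
        return ACCEPT                      # once ABBA has been seen it stays seen
    cand = PATTERN[:state] + sym
    while cand and not PATTERN.startswith(cand):
        cand = cand[1:]                    # fall back to the longest matching suffix
    return len(cand)

def step_key(state_value: bytes, sym: str) -> bytes:
    """One-way function of the current state value and the input symbol."""
    return hashlib.sha256(state_value + sym.encode()).digest()

def hide_policy(seed: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes]]:
    """Replace state ids by random-looking values and key every transition by step_key."""
    values = [hashlib.sha256(seed + bytes([k])).digest() for k in range(ACCEPT + 1)]
    table = {step_key(values[k], s): values[plain_next(k, s)]
             for k in range(ACCEPT + 1) for s in ALPHABET}
    return values[0], values[ACCEPT], table

def traverse(start: bytes, table: Dict[bytes, bytes], x: str) -> bytes:
    """Walk the hidden table; only the entries this input touches are ever revealed."""
    state = start
    for sym in x:
        state = table[step_key(state, sym)]   # KeyError: symbol outside the alphabet
    return state

def matches(x: str, seed: Optional[bytes] = None) -> bool:
    """True when x contains ABBA; a fresh random seed gives a fresh set of state values."""
    start, accept, table = hide_policy(seed or os.urandom(32))
    return traverse(start, table, x) == accept
```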
- Find a correlation between log data and the attacks that can be found
- How to design a detection system that combines the advantages of signature-based and anomaly-based systems
  - Fewer false alarms and the capability to find new attacks
- Reduce the false alarm rate
- Automated risk analysis
- Understanding advanced attack scenarios
- A conflict between the users' privacy and the system owner's interest in identifying bad guys
- Jaakko Hollmén. User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis, Helsinki University of Technology, 2000.
- Dan Gorton. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance. Licentiate thesis, Chalmers University of Technology, 2003.
- Håkan Kvarnström. On the Implementation and Protection of Fraud Detection Systems. PhD thesis, Chalmers University of Technology, 2004.
- Soon in a library near you: Emilie Lundin Barse. Logging for Intrusion and Fraud Detection. PhD thesis, Chalmers University of Technology, 2004.
Contact info
Håkan Kvarnström
URL: http://ww.ce.chalmers.se/staff/hkv
Mail: hakan.kvarnstrom@teliasonera.com
Chalmers Computer Security Group: http://www.ce.chalmers.se/research/Security