
Intrusion and Fraud Detection

Presentation at SWITS-IV, Vadstena, June 7-8 2004

Håkan Kvarnström
Department of Computer Engineering, Chalmers University of Technology

URL: http://www.ce.chalmers.se/staff/hkv

Slide 1

Outline

- Why do we need IDS/FDS?
- Security countermeasures
- Definitions
- History of fraud
- How do we detect intrusions and fraud?
- Detection mechanisms
- IDS vs. FDS
- Attacks against IDS/FDS
- A fraud detection example
- Some results from my own research
- Problems to be solved

Time: approx. 50 minutes

Slide 2

Intrusion and fraud detection

Automated analysis of events to detect intrusion and fraud

Slide 3

(Figure by Ulf Lindqvist: preventive mechanisms surround the system, and the detection system raises an alarm for what gets past them)

Similar to a burglar alarm

- Intrusion and fraud detection complements preventive mechanisms such as firewalls and OS security.

Slide 4

Why intrusion and fraud detection?

(Prevention - Detection - Recovery - Response)

- It is hard to design completely secure systems
- IDS/FDS have the capability to detect unauthorized use of information and resources
- Even authorized entities may become corrupt
- Offers early-warning capabilities

Slide 5

Security countermeasures

(Figure by Emilie Lundin Barse: the chain Prevention - Detection - Recovery - Response. Preventive mechanisms stop some attacks; missed attacks reach the affected system, where detection either raises an alarm or leaves them undiscovered; recovery and active countermeasures deal with the remaining attacks.)

Slide 6

Detection capabilities

(Figure by Ulf Lindqvist, with the stages: affected system, detection, remaining attacks, recovery, active countermeasures)

Slide 7

IDS Trivia

Question: Is there at least one type of attack that an IDS cannot detect?

Answer: Passive attacks, such as decrypting/breaking an encrypted packet/stream

Slide 8

Definition of intrusion

An attack in which a vulnerability is exploited, resulting in a violation of the implicit or explicit security policy

Slide 9

Definition of fraud

An intentional deception or misrepresentation that an individual knows to be false that results in some unauthorized benefit to himself or another person

- The definition includes insiders
- Fraud can be seen as an application-specific form of intrusion

Slide 10

History of telecom fraud - Celebrities

- John Draper, 1972
  - Used a toy whistle (2600 Hz) from a box of Cap'n Crunch cereal to manipulate AT&T's phone switches ("blue boxing"). He was able to route new calls by signalling the phone system into operator mode.
- Kevin Poulsen, 1990
  - Won a Porsche 944 S2 by taking over all incoming phone lines going to LA radio station KIIS-FM (102nd caller).
  - He continued to win: a second Porsche, $22,000, two trips to Hawaii and 3 years in prison.

Slide 11

History lesson - Fraud

- Cell phone fraud
  - Eavesdropping. The NMT system did not use encryption.
  - Tumbling. Rapidly changing a cell phone's serial number gave free access to the network. Was common in the US.
  - Cloning. Duplication of SIM cards and terminal serial numbers. The legitimate subscriber is billed for the services used.
  - Subscription fraud. Signing up for a subscription under a false name and address.
- Computer-related fraud
  - Electronic banking and payment. Not so common yet.
  - Illegal downloading and distribution of digital content. Very common.
  - Phishing. Attackers trying to fish for private information, mostly using spam as a vehicle.

Slide 12

Interesting reading

- P. Hoath. Telecoms fraud, the gory details. Computer Fraud & Security 20(1), 1998.

Slide 13

An intrusion/fraud detection system

(Figure: the detection system as a pipeline. The security policy is formalized into a detection policy (rule-based or anomaly-based) and a response policy. A collection function gathers raw data from the target (network packets (IP), application logs, OS logs) and turns it into raw input events; a decision function applies the detection policy to those events; a response function applies the response policy.)

Slide 14

Classification of fraudulent activities

Slide 15

Interesting reading

- H. Debar, M. Dacier and A. Wespi. Towards a Taxonomy of Intrusion Detection Systems. Computer Networks 31(8), 1999.
- L. R. Halme and K. R. Bauer. AINT misbehaving - a taxonomy of anti-intrusion techniques. Proceedings of the 18th National Information Systems Security Conference, 1995.

Slide 16

Rule-based (signature) vs. anomaly-based

                              Normal behaviour
                              Known                          Unknown
Fraudulent    Known           Well-known services,           New services,
behaviour                     well-known fraud               well-known fraud in similar services
                              -> Rule-based IDS/FMS

              Unknown         Well-known services,           New types of services,
                              new types of fraud             new types of fraud
                              -> Anomaly-based IDS/FMS

Slide 17

Detection mechanisms

- Signatures
- Visualization
- Thresholds
- Clustering and classification
- Statistical analysis
- Bayesian networks
- Neural networks
- Markov models

(Figure: an example Bayesian network for telecom fraud with the nodes Commercial User, Domestic User, Low Income, Customer churn, Propensity to Fraud, Bad Debt, Profile Change, Hot Destinations and Revenue Loss, labelled A-I, and the conditional probability tables Pr{A}, Pr{B}, Pr{C}, Pr{D|A}, Pr{E|A,B,C}, Pr{F|B,C}, Pr{G|D,E}, Pr{H|E}, Pr{I|E,F}; the numeric table entries did not survive extraction.)

Slide 18
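As an added example, not code from the slides or from the author's work, the Python below builds a toy Bayesian network with the node structure implied by the slide's conditional probability tables (Pr{D|A}, Pr{E|A,B,C}, Pr{F|B,C}, Pr{G|D,E}, Pr{H|E}, Pr{I|E,F}) and computes the posterior propensity to fraud given observed indicators by exact enumeration. The mapping of letters to the slide's node names and every probability are constructed assumptions.

```python
from itertools import product

# Constructed toy network. The node letters follow the slide's conditional
# probability tables; the names attached to the letters and every probability
# below are assumptions, not the slide's values.
NAMES = {
    "A": "Commercial User", "B": "Domestic User", "C": "Low Income",
    "D": "Customer churn", "E": "Propensity to Fraud", "F": "Bad Debt",
    "G": "Profile Change", "H": "Hot Destinations", "I": "Revenue Loss",
}
# Topological order: every node appears after its parents.
NODES = ["A", "B", "C", "D", "E", "F", "G", "H", "I"]
PARENTS = {
    "A": (), "B": (), "C": (),
    "D": ("A",), "E": ("A", "B", "C"), "F": ("B", "C"),
    "G": ("D", "E"), "H": ("E",), "I": ("E", "F"),
}
# CPT[node][parent values] = Pr{node = True | parents}; False gets 1 - p.
CPT = {
    "A": {(): 0.30},
    "B": {(): 0.65},
    "C": {(): 0.20},
    "D": {(True,): 0.15, (False,): 0.05},
    "E": {(True, True, True): 0.10, (True, True, False): 0.05,
          (True, False, True): 0.08, (True, False, False): 0.03,
          (False, True, True): 0.15, (False, True, False): 0.04,
          (False, False, True): 0.06, (False, False, False): 0.02},
    "F": {(True, True): 0.30, (True, False): 0.05,
          (False, True): 0.20, (False, False): 0.02},
    "G": {(True, True): 0.90, (True, False): 0.40,
          (False, True): 0.70, (False, False): 0.05},
    "H": {(True,): 0.60, (False,): 0.03},
    "I": {(True, True): 0.95, (True, False): 0.50,
          (False, True): 0.60, (False, False): 0.01},
}


def joint(assignment):
    """Probability of one complete assignment: the product of CPT factors."""
    p = 1.0
    for node in NODES:
        parents = tuple(assignment[q] for q in PARENTS[node])
        p_true = CPT[node][parents]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(node, evidence):
    """Pr{node = True | evidence} by exhaustive enumeration (2^9 cases)."""
    p_true = p_evidence = 0.0
    for values in product((False, True), repeat=len(NODES)):
        a = dict(zip(NODES, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        p = joint(a)
        p_evidence += p
        if a[node]:
            p_true += p
    return p_true / p_evidence


if __name__ == "__main__":
    prior = query("E", {})
    post = query("E", {"G": True, "H": True})
    print(f"Pr{{{NAMES['E']}}} = {prior:.3f}")
    print(f"Pr{{{NAMES['E']} | profile change, hot destinations}} = {post:.3f}")
```

Enumeration is fine for nine binary nodes; a production fraud model would use a proper inference library, but the structure (priors on customer segments, indicators conditioned on the hidden propensity, a posterior that a threshold or an analyst can act on) is the same.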

Visualization

(Figure: a graph linking Service Users, Suspects and Premium Rate Services)

- Find patterns and deviating behavior
- Use the power of the brain!

Slide 19

FDS vs. IDS

Input:
  Telecom fraud management systems (FMS): Call Detail Records (CDR): A-number, B-number, duration, call path, timestamps (>40 parameters)
  Intrusion detection systems (IDS): OS and application log files, network traffic

Detection:
  FMS: thresholds, customer profiles
  IDS: signatures, anomaly detection

Slide 20

FDS vs. IDS

Post processing:
  FMS: case building
  IDS: correlation of alarms

Response:
  FMS: identify fraud case; many people involved in the investigation process; not interested in low-cost frauds
  IDS: identification of a known attack or description of a suspicious event, active response; small resources for investigation -> limit the number of alarms; difficult to sort out insignificant attacks

Slide 21

Attacks against signature-based IDS

- The IDS and the target system interpret the input data stream differently!
  - Possible to avoid detection of an attack by crafting packets/data carefully

(Figure: the hacker sends the string "Raaa^h^h^hoot"; the IDS sees "Raaa^h^h^hoot" and classifies it as a harmless string; the target system processes the three backspaces (^h) and sees "root".)

Slide 22

Attacks against signature-based IDS

- Insertion attack

Slide 23

Attacks against signature-based IDS

- IP fragmentation reassembly behavior (overlaps)

Operating System    Overlap behavior
Windows NT          Always favors old data
4.4BSD              Favors new data for forward overlap
Linux               Favors new data for forward overlap
Solaris 2.6         Always favors old data
HP-UX 9.01          Favors new data for forward overlap
Irix 5.3            Favors new data for forward overlap

Slide 24
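Slides 22 and 24 make the same point from two directions: the IDS must interpret the data the way the target does, or it must refuse to guess. The following Python is an added example, not code from the slides or from the cited papers. It canonicalizes terminal backspaces before signature matching (the "Raaa^h^h^hoot" case, lowercased here so the canonical form is exactly "root"), reassembles overlapping fragments under the two policies from the table (simplified to "always old" and "always new"), and reports positions where fragments disagree, which is what a traffic normalizer alarms on instead of guessing the target's policy. All strings and fragments are constructed.

```python
# Added example (not from the slides or the cited papers): a signature
# matcher that first interprets the data the way the target would. The
# strings and fragments below are constructed for illustration.

SIGNATURE = b"root"


def apply_backspaces(data: bytes, backspace: int = 0x08) -> bytes:
    """Interpret the stream as a terminal would: each backspace (^h)
    removes the character before it, so raaa^h^h^hoot becomes root."""
    out = bytearray()
    for byte in data:
        if byte == backspace:
            if out:
                out.pop()
        else:
            out.append(byte)
    return bytes(out)


def reassemble(fragments, favor_new):
    """Reassemble (offset, payload) fragments under one of two overlap
    policies: always keep old data, or let new data overwrite old data.
    Positions never covered are simply left out."""
    buf = {}
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if favor_new or pos not in buf:
                buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


def conflicting_overlaps(fragments):
    """Positions where two fragments disagree about the byte. A normalizer
    in front of the IDS can alarm on (or drop) such streams instead of
    guessing which reassembly policy the target uses."""
    first, conflicts = {}, set()
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in first and first[pos] != byte:
                conflicts.add(pos)
            first.setdefault(pos, byte)
    return sorted(conflicts)


def matches(data: bytes) -> bool:
    """Plain signature match on the bytes as given."""
    return SIGNATURE in data


def detect(fragments, favor_new):
    """IDS verdict when it reassembles with the given policy and canonicalizes
    control characters before matching; conflicts are reported alongside so
    the analyst knows when the verdict depended on a policy guess."""
    stream = apply_backspaces(reassemble(fragments, favor_new))
    return matches(stream), conflicting_overlaps(fragments)


if __name__ == "__main__":
    raw = b"raaa\x08\x08\x08oot"                 # the slide's Raaa^h^h^hoot, lowercased
    print("raw:", matches(raw), "canonical:", matches(apply_backspaces(raw)))
    frags = [(0, b"rxxt"), (1, b"oo")]           # constructed overlapping fragments
    for policy in (False, True):
        print("favor_new =", policy, reassemble(frags, policy), detect(frags, policy))
```

The two fragments reassemble to "rxxt" under the old-data policy and to "root" under the new-data policy, so a signature IDS that picks the wrong policy for the target misses the match; the conflict list [1, 2] is the same under both policies, which is why normalizing or alarming on inconsistent overlaps is the robust choice.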

Attacks against anomaly-based IDS

- Slow changes in user behavior can be hard to detect!
  - Wait for a time slot where an event would be considered normal behavior

Slide 25

Interesting reading

- T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.
- M. Handley, V. Paxson and C. Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. USENIX Security Symposium, 2001.
- D. Wagner and P. Soto. Mimicry Attacks on Host-Based Intrusion Detection Systems. Proceedings of the Ninth ACM Conference on Computer and Communications Security, 2002.

Slide 26

FDS - Video-on-demand example

- Log data:
  - Set-top box logins
  - Movie orders
  - Delivery notifications
  - Router statistics per IP address
  - DHCP requests

(Figure: the user's set-top box connects through the Internet provider's router and DHCP server to the video-on-demand application server and its database.)

Slide 27

Neural network detector

- Neural network
  - One net per fraud type
  - 7 input nodes:
    1. Sum of successful login attempts
    2. Sum of failed login attempts
    3. Sum of successful movie orders
    4. Sum of failed movie orders
    5. Sum of movie delivery notifications
    6. Sum of billing notifications
    7. Upload/download ratio
  - 1 output node
    - Likelihood (0-1) of fraud
  - An exponential trace memory was used to model temporal sequences of input

(Figure: network with input nodes 1-7 and one output node)

Slide 28
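To make the detector's data path concrete, here is an added Python example; it is not the thesis's code and uses no real log data. It sums per-day events into the seven inputs listed above, runs them through an exponential trace memory (the form m_t = mu*m_{t-1} + (1-mu)*x_t is an assumption), and trains a single sigmoid output unit as a stand-in for the per-fraud-type network. The training days are constructed: normal days followed by billing-fraud days on which movies are ordered and delivered but no billing notification appears.

```python
import math

# Constructed example (not the thesis's code or data): the seven per-day
# inputs from the slide, an exponential trace memory over them, and a single
# sigmoid unit standing in for the per-fraud-type network.
FEATURES = ["login_ok", "login_fail", "order_ok", "order_fail",
            "delivery", "billing", "ud_ratio"]


def feature_vector(events):
    """Sum one day's events into the 7 inputs; kinds 1-6 are counted,
    ud_ratio is the measured upload/download ratio for the day."""
    v = [0.0] * 7
    for kind, value in events:
        i = FEATURES.index(kind)
        v[i] = value if kind == "ud_ratio" else v[i] + value
    return v


def constructed_days(n_normal=30, n_fraud=6):
    """Assumed data: normal days, then billing-fraud days on which movies
    are ordered and delivered but no billing notification is produced."""
    days = []
    for d in range(n_normal):
        n = 1 + d % 2
        days.append(([("login_ok", 2 + d % 3), ("login_fail", d % 2),
                      ("order_ok", n), ("delivery", n), ("billing", n),
                      ("ud_ratio", 0.1)], 0))
    for d in range(n_fraud):
        n = 4 + d % 2
        days.append(([("login_ok", 3), ("order_ok", n), ("delivery", n),
                      ("billing", 0), ("ud_ratio", 0.1)], 1))
    return days


def trace_memory(vectors, mu=0.5):
    """Exponential trace memory (assumed form): m_t = mu*m_{t-1} + (1-mu)*x_t,
    so each vector presented to the net summarizes the preceding days too."""
    traces, m = [], [0.0] * 7
    for x in vectors:
        m = [mu * a + (1.0 - mu) * b for a, b in zip(m, x)]
        traces.append(m)
    return traces


def standardize(vectors):
    """Scale every feature to zero mean and unit variance (a constant
    feature stays at zero) so gradient descent converges quickly."""
    cols = list(zip(*vectors))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
           for c, m in zip(cols, mean)]
    return [[(v - m) / s for v, m, s in zip(x, mean, std)] for x in vectors]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))          # avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, epochs=2000, lr=0.5):
    """One sigmoid output unit trained by batch gradient descent on log-loss."""
    w, b = [0.0] * 7, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * 7, 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b


def fraud_likelihood(model, x):
    """Output node: likelihood (0-1) that the day belongs to the fraud type."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def run():
    """Train on the constructed days; return (score, label) lists per day."""
    days = constructed_days()
    inputs = standardize(trace_memory([feature_vector(ev) for ev, _ in days]))
    labels = [y for _, y in days]
    model = train(list(zip(inputs, labels)))
    return [fraud_likelihood(model, x) for x in inputs], labels


if __name__ == "__main__":
    scores, labels = run()
    for day, (s, y) in enumerate(zip(scores, labels)):
        print(f"day {day:2d}  label {y}  fraud likelihood {s:.2f}")
```

The trace memory is what lets a per-day detector react to a pattern that builds up over several days (deliveries keep arriving while billing stays at zero) rather than to a single day's counts; the same smoothing also explains why the detected-fraud curves on the results slide lag the start of the fraudulent period.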

Synthetic data generation (Papers B, C)

1. Data collection: collection of log data from real users -> authentic data
2. Data analysis: analyze the collected data (statistics)
3. Profile generation: create profiles -> user profiles
4. User and attack modelling: model users and attackers -> user simulator, attacker simulator
5. System modelling: model the target systems -> target system simulator

Data generation is done by the user and attacker simulators (4) driving the target system simulator (5).

Slide 29

Training and detection tests

(Figure: four plots of fraud likelihood (0-1.2) against days since epoch. Left column, authentic data: "Detection results - Billing fraud in authentic data" and "Detection results - Breakin fraud in authentic data", each showing Detected Fraud against Actual Fraud. Right column, synthetic data: "Detection results - Billing fraud in synthetic data" and "Detection results - Breakin fraud in synthetic data", each showing Detected Fraud against the Fraudulent period. Rows: Billing fraud, Break-in fraud; the x axes run 0-60 and 0-90 days.)

Slide 30

Confidentiality issues in different architectures

(Figure: a grid with confidentiality of input events (Low/High) on one axis and confidentiality of the detection policy (Low/High) on the other. Each cell places data collection (D) and analysis (A) in one or more security domains; the cell where both the input events and the detection policy must stay confidential is marked "Our research problem!". Legend: D = Data collection, A = Analysis, box = Security domain.)

Slide 31

Detection policy protection

- A mechanism for protecting the confidentiality of security policies, such as:
  - A detection policy in an IDS
  - A filtering policy in a firewall
- We do this by encoding the policy as a finite state machine (DFA) which is then obfuscated using one-way functions

Slide 32

Why is this useful?

- IDS example
  - Heavily distributed intrusion detection architectures impose a threat on the target systems
  - Parts of the detection policy need to be confidential to prevent disclosure of target-specific weaknesses and oddities.
  - Loss of confidentiality is irreversible. Loss of availability is not!
  - Deploying IDS in highly distributed environments may result in a vast number of entities having knowledge about the policy. Hence we need security mechanisms that allow distribution of policies without risk of compromising their confidentiality.

Slide 33

Benefits to an IDS

- An intruder can learn only what he can observe
  - Exhaustive search is possible, but computationally intractable for reasonably sized input data.
- Prevents reverse engineering of the detection system
  - Does the hacker community know about attack XYZ? A conventional IDS would reveal XYZ if confidentiality is broken
- The knowledge of the attack is the key to unlocking the policy

Slide 34

Some related techniques

- Prevention against reverse engineering
  - Sander & Tschudin (1998, 1999): encrypted evaluation of polynomial functions
  - Barak et al. (2001): showed the (im)possibility of achieving program obfuscation
- Policy encryption
  - NIDES, Neumann (1995)
- Secure multi-party computation
  - Goldreich et al. (1987): How to play any mental game

Slide 35

How does it work?

- A set of valid state machines is hidden in a possibly large and random state space
- Transitions to the next state are controlled by:
  - The current state
  - The recursive sum of previous inputs (using a one-way function)
- Only knowledge of the correct sequence of inputs will result in the traversal of a valid state machine
- A state matrix is used to hold the transition functions

Slide 36

Simple state machine

L(M) = {x ∈ Σ* | ABBA is a substring of x}

(Figure: the DFA accepting strings that contain ABBA)

Slide 37

Traversal

(Figure: a traversal of the hidden machine through the state values X1=32, X2=226, X3=114, X4=43, X5=93, X6=148, X7=7, X8=148, X9=12)

Slide 38

The state-matrix

(Figure: the state-matrix)

Slide 39

Calculating the state-matrix

- The state value is a function of the current and all previous input
- The state value is a random number

Slide 40
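The following Python is an added example that reads slides 36-40 in a simplified way; it is not the thesis's construction. The policy "ABBA is a substring" is first built as an ordinary DFA, then hidden: every state gets a random value, each transition is stored under a one-way function of (current state value, input symbol), and the table is padded with random entries. A walk is valid only while each (state value, input) pair hits a stored entry, so the state value after any input is a function of the whole input history and nothing in the table names the alphabet or the pattern. With a two-symbol alphabet, exhaustive search is of course trivial; the slide's intractability claim concerns realistically sized input events, and `build_plain_dfa`, `obfuscate` and `run_hidden` are names chosen here.

```python
import hashlib
import random

# Added example, a simplified reading of the slides (not the thesis's own
# construction): a detection policy given as a DFA is hidden in a table that
# is indexed by a one-way function of (current state value, input symbol) and
# whose state values are random numbers. Only the exact input sequence the
# policy looks for walks the valid machine to an accepting value.


def build_plain_dfa(pattern, alphabet):
    """Substring-matcher DFA for `pattern`: state k means the last k input
    symbols matched the first k pattern symbols; state len(pattern) accepts."""
    delta = {}
    for k in range(len(pattern) + 1):
        for sym in alphabet:
            if k == len(pattern):
                delta[(k, sym)] = k                      # stay accepted
            elif sym == pattern[k]:
                delta[(k, sym)] = k + 1
            else:
                # fall back to the longest pattern prefix that is a suffix
                # of the text seen so far (the classic failure step)
                seen = pattern[:k] + sym
                nxt = 0
                for j in range(len(seen), 0, -1):
                    if pattern.startswith(seen[len(seen) - j:]):
                        nxt = j
                        break
                delta[(k, sym)] = nxt
    return delta, {len(pattern)}


def one_way(state_value, sym):
    """One-way function of the current state value and the input symbol."""
    data = state_value.to_bytes(4, "big") + sym.encode()
    return hashlib.sha256(data).hexdigest()


def obfuscate(delta, accepting, n_states, rng, table_size=64):
    """Give every state a random 32-bit value and store each transition as
    one_way(value, sym) -> next value. Random filler entries hide how many
    real transitions the table holds. `rng` is any object with getrandbits
    (random.SystemRandom() in practice; a seeded Random for reproducibility)."""
    values = {q: rng.getrandbits(32) for q in range(n_states)}
    table = {one_way(values[q], sym): values[nxt]
             for (q, sym), nxt in delta.items()}
    while len(table) < table_size:
        table[format(rng.getrandbits(256), "064x")] = rng.getrandbits(32)
    return {"start": values[0], "table": table,
            "accept": {values[q] for q in accepting}}


def run_hidden(machine, inputs):
    """Walk the hidden machine. A (state, input) pair without a table entry
    has left the valid machine, so the input cannot match the policy."""
    state = machine["start"]
    for sym in inputs:
        key = one_way(state, sym)
        if key not in machine["table"]:
            return False
        state = machine["table"][key]
    return state in machine["accept"]


def demo_machine(seed=7):
    """Hidden version of the slide's example policy: 'ABBA is a substring'."""
    delta, accepting = build_plain_dfa("ABBA", "AB")
    return obfuscate(delta, accepting, n_states=5, rng=random.Random(seed))


if __name__ == "__main__":
    m = demo_machine()
    for text in ("AABBAB", "ABAB", "BABBA"):
        print(text, "->", "match" if run_hidden(m, text) else "no match")
```

The party running the hidden machine learns only whether its input reached an accepting value, which is the "an intruder can learn only what he can observe" property from the benefits slide; recovering the pattern means finding inputs whose hashes hit stored entries, i.e. the exhaustive search the slides describe.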

Some problems to be solved

- Find a correlation between log data and the attacks that can be found
  - What should we log?
- How to design a detection system that combines the advantages of signature-based and anomaly-based systems
  - Fewer false alarms and the capability to find new attacks
- Reduce the false alarm rate
- Automated risk analysis
- Understanding advanced attack scenarios
  - Efficient and reliable correlation of event sources and alarms
- How can we ensure user privacy?
  - A conflict between the user's privacy and the system owner's interest in identifying bad guys
- How can we provide a tighter integration with other countermeasures?
  - Response and recovery is still a highly manual process

Slide 41

Recent dissertations and licentiate theses

- Jaakko Hollmén. User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis 2000, Helsinki University of Technology
- Dan Gorton. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance. Licentiate thesis 2003, Chalmers University of Technology
- Håkan Kvarnström. On the Implementation and Protection of Fraud Detection Systems. PhD thesis 2004, Chalmers University of Technology
- Soon in a library near you: Emilie Lundin Barse. Logging for Intrusion and Fraud Detection. PhD thesis 2004, Chalmers University of Technology.

Slide 42

Contact info

Håkan Kvarnström
URL: http://ww.ce.chalmers.se/staff/hkv
Mail: hakan.kvarnstrom@teliasonera.com

Chalmers Computer Security Group
URL: http://www.ce.chalmers.se/research/Security

Slide 43
