Cyber forensics intro & requirement engineering cit dec 21,2013

Date post: 27-Jan-2015
Upload: subramanian-k
Description:
requirement engineering for cyber forensics
Page 1: Cyber forensics intro & requirement engineering cit dec 21,2013

12/14/13 Prof. KS@2013 cit FDP coimbatore Dec 21,2013 1

Prof. K. Subramanian, SM(IEEE), SMACM, FIETE, LSMCSI, MAIMA, MAIS, MCFE, LM(CGAER)
Academic Advocate, ISACA (USA) in India
Professor & Former Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
Hon. IT Adviser to CAG of India & Ex-DDG (NIC), Ministry of Communications & Information Technology
Former President, Cyber Society of India
Founder President, eInformation Systems Security Audit Association (eISSA), India

Cyber Forensics: An intro & Requirement Engineering

Page 2

[Diagram slide; only its labels survive extraction. They group into threats to the information system (IS), the controls that protect it, and the business consequences when the controls fail.]

Threats: fraud & theft; scavenging; virus attack; accidental damage; natural disaster; unauthorised access; interception; Trojan horses; incomplete program changes; hardware/software failure; social engineering attack; data diddling

Controls: passwords; encryption; anti-virus; backups; hardware maintenance; security guards; input validations; audit trails; program change documentation; authorisation; business continuity plan

Consequences: losing to competition; loss of customers; loss of credibility; embarrassment; financial loss

Page 3

Enterprise Management

Page 4

Cyber/Information Forensics: New Challenges

• Evidence: collection, collation, organization, analysis, presentation, preservation; must be acceptable to the judiciary
• Environment: encrypted / non-encrypted
• Identity management and access mechanism: local / remote; single network / multiple networks
• Access control: password controlled, token controlled, bio-metric controlled

Page 5

Whose Responsibility?
• Police/investigators, prosecutors, auditors, technologists

Digital Forensics: What is required?
• Highly trained manpower
• Appropriate tools
• Strong cyber law
• Certified fraud examiners

Methods: e-mail tracking; hard disk forensics; decrypting of data; finding hidden/embedded links; tracing compromised source servers

Page 6

What could all this lead to?
• Loss of confidential/secret information
• Loss of intellectual property
• Loss of customer confidence
• Loss of revenue
• Implications on the social set-up
• CYBER TERRORISM

Page 7

Auditors fail to discover fraud because they are not looking for it!

Victims seldom squeal! It is not good form to be the whistle blower, the bad guy, the one who reveals all.

Human nature:
• Hide failures, not admit them
• Conceal problems, not discuss them
• Defend wrong decisions, not admit them
• Cover up mistakes, not own up

Page 8

What is Forensic Audit?

Forensic – "Belonging to, used in or suitable to courts of judicature or to public discussion and debate."

Audit – the process which identifies the extent of conformance (or otherwise) of actual events with intended events and pre-determined norms for different activity segments, in accordance with established criteria.

Page 9

Forensic Auditing encompasses:
• Fraud detection
• Fraud investigation
• Fraud prevention

Skills required of forensic accountants:
• Accounting/finance expertise
• Fraud knowledge
• Knowledge of the legal system
• Ability to work with people

Page 10

Change in the focus of Forensic Audit, driven by:
• the changing environment
• technological advances
• emerging expectations and the widening gap
• changes in the profile of the fraudster and of frauds, and
• fraudster technologies themselves

Page 11

Financial Auditing vs. Fraud Auditing

Fraud Auditing:
• Not program oriented
• "Think like a crook" approach (focus on IC, i.e. internal control, weaknesses)
• Focus on exceptions, oddities, and patterns of conduct

Financial Auditing:
• Program procedural approach
• Control risk approach (focus on IC strengths)
• Focus on errors and omissions

Page 12

Financial Auditing vs. Fraud Auditing

Fraud Auditing:
• "Where there's smoke, there's fire."
• Illogical; behavioural: motive, opportunity, integrity
• Fraud examiners' detection rate is much higher because fraud auditors are only called in when fraud is known or highly suspected.

Financial Auditing:
• Emphasis on materiality
• Logical; accounting and auditing background
• Internal/external auditors are credited with finding about 4% to 20% of uncovered fraud

Page 13

Types of Frauds
• Management frauds
• Direct illegal acts
• Employee frauds
• White collar crimes
• Corruption and bribing
• Cyber/net frauds
• Cyber terrorism
• InfoTech warfare

Page 14

Forensic Audit should ensure that it is –
• A means to an end
• A guide to decision making
• Enables improvement of society
• Empowers decision makers with state of the art verifiable inputs
• Enables enactment of effective laws
• Promotes effective delivery of justice in accordance with the canons and tenets

(Slide footer: Cyber security & Cyber forensics seminar CSI-IETE March 28, 2009)

Page 15

Tools & Technologies
• Certified tool & proprietary tool
• Natural methods of evidence collection – built-in tools
• Centralized vs decentralized & distributed

Investigative Data Mining and Problems in Fraud Detection
• Definitions: technical and practical problems
• Existing fraud detection methods: widely used methods
• The crime detection method: comparisons with Minority Report; classifiers as precogs; combining output as integration mechanisms; cluster detection as analytical machinery; visualization techniques as visual symbols
• Database, machine learning, neural networks, data visualization, statistics, distributed data mining

Communication & network technologies: wired, wireless, mobile, web & Internet

Page 16

Implementing the Crime Detection System:

Preparation components
• Investigation objectives
• Collected data
• Preparation of collected data to achieve objectives

Action components
• Which experiments generate the best predictions?
• Which is the best insight?
• How can the new models and insights be deployed within an organization?

Page 17

Fraud Detection Problems: Technical & Practical

Technical
• Imperfect data
  – Usually not collected for data mining
  – Inaccurate, incomplete, and irrelevant data attributes
• Highly skewed data
  – Many more legitimate than fraudulent examples
  – Higher chances of overfitting
• Black-box predictions
  – Numerical outputs incomprehensible to people

Practical
• Lack of domain knowledge
  – Important attributes, likely relationships, and known patterns
  – Three types of fraud offenders and their modus operandi
• Assessing data mining potential
  – Predictive accuracy is useless for skewed data sets
• Great variety of fraud scenarios over time
  – Soft fraud – cost of investigation > cost of fraud
  – Hard fraud – circumvents anti-fraud measures
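Two of the slide's points, that predictive accuracy is useless on skewed data and that soft fraud costs more to investigate than it is worth, are easiest to see in numbers. The Python below is an added example, not code from the original slides; the claim counts, the detector's hit and false-alarm rates and the per-case costs are constructed for illustration, and the cost model (every flagged case is investigated, every missed fraud is paid out) is the simplest form of the "cost model" and "max hits / min false alarms" objective that the preparation-component slides mention later.

```python
"""Why predictive accuracy misleads on skewed fraud data, and what a cost
model shows instead.  Added example, not code from the original slides;
every figure below (claim counts, hit rates, costs) is constructed."""

from collections import Counter


def confusion_matrix(actual, predicted):
    """Count tp/fp/fn/tn for labels 1 = fraud, 0 = legitimate."""
    c = Counter(zip(actual, predicted))
    return {"tp": c[(1, 1)], "fp": c[(0, 1)], "fn": c[(1, 0)], "tn": c[(0, 0)]}


def accuracy(cm):
    return (cm["tp"] + cm["tn"]) / sum(cm.values())


def total_cost(cm, investigation_cost, fraud_cost):
    """Cost model: every flagged case (tp + fp) is investigated at a fixed
    price, and every missed fraud (fn) is paid out in full.  Lower is better;
    'max hits / min false alarms' is the same objective stated as a target."""
    return (cm["tp"] + cm["fp"]) * investigation_cost + cm["fn"] * fraud_cost


def constructed_claims(n_claims=1000, n_fraud=20, hits=14, false_alarms=30):
    """A 2% fraud rate, a baseline that never flags anything, and a detector
    that catches 14 of the 20 frauds at the price of 30 false alarms."""
    actual = [1] * n_fraud + [0] * (n_claims - n_fraud)
    baseline = [0] * n_claims
    detector = ([1] * hits + [0] * (n_fraud - hits)
                + [1] * false_alarms + [0] * (n_claims - n_fraud - false_alarms))
    return actual, baseline, detector


def compare(investigation_cost, fraud_cost):
    """Accuracy and modelled cost of both classifiers under one cost setting."""
    actual, baseline, detector = constructed_claims()
    report = {}
    for name, pred in (("always_legit", baseline), ("detector", detector)):
        cm = confusion_matrix(actual, pred)
        report[name] = {**cm,
                        "accuracy": round(accuracy(cm), 3),
                        "cost": total_cost(cm, investigation_cost, fraud_cost)}
    return report


if __name__ == "__main__":
    # Hard fraud: an undetected fraud costs far more than an investigation.
    for name, r in compare(investigation_cost=100, fraud_cost=2000).items():
        print(f"hard fraud  {name:13s} accuracy={r['accuracy']:.3f} cost={r['cost']}")
    # Soft fraud: investigating costs more than the fraud itself, so the
    # 'do nothing' baseline wins on cost even though it catches nothing.
    for name, r in compare(investigation_cost=100, fraud_cost=50).items():
        print(f"soft fraud  {name:13s} accuracy={r['accuracy']:.3f} cost={r['cost']}")
```

Under the hard-fraud costs the "always legitimate" baseline wins on accuracy (0.98 against 0.964) while costing roughly two and a half times as much as the detector; under the soft-fraud costs the ranking flips and the baseline is cheaper, which is exactly the slide's "cost of investigation > cost of fraud" case. Accuracy alone never distinguishes the two situations.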

Page 18

Widely Used Methods in Fraud Detection
• Insurance fraud
  – Cluster detection -> decision tree induction -> domain knowledge, statistical summaries, and visualisations
  – Special case: neural network classification -> cluster detection
• Credit card fraud
  – Decision tree and naive Bayesian classification -> stacking
• Telecommunications fraud
  – Cluster detection -> scores and rules

Page 19

The Crime Detection Method: Comparisons with Minority Report
• Precogs
  – Foresee and prevent crime
  – Each precog contains multiple classifiers
• Integration mechanisms
  – Combine predictions
• Analytical machinery
  – Record, study, compare, and represent predictions in simple terms
  – Single "computer"
• Visual symbols
  – Explain the final predictions
  – Graphical visualizations, numerical scores, and descriptive rules

Page 20

Classifiers as Precogs
• Precog One: Naive Bayesian classifiers
  – Statistical paradigm
  – Simple and fast
  – Redundant and not normally distributed attributes*
• Precog Two: Classifiers
  – Computer metaphor
  – Explain patterns and quite fast
  – Scalability and efficiency
• Precog Three: Back-propagation classifiers
  – Brain metaphor
  – Long training times and extensive parameter tuning*

Page 21

Combining Output as Integration Mechanisms
• Cross validation
  – Divides training data into eleven data partitions
  – Each data partition used for training, testing, and evaluation once*
  – Slightly better success rate
• Bagging
  – Unweighted majority voting on each example or instance
  – Combine predictions from the same algorithm or different algorithms*
  – Increases success rate

Page 22

Combining Output as Integration Mechanisms
• Stacking
  – Meta-classifier
  – Base classifiers present predictions to the meta-classifier
  – Determines the most reliable classifiers
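The three integration mechanisms on the two preceding slides (eleven-fold cross validation, bagging by unweighted majority vote, and stacking with a meta-classifier) are small enough to implement side by side in plain Python. The block below is an added example, not code from the original slides or from any published crime-detection system: the claim records, attribute names and the rule that generates fraud cases are constructed, the naive Bayesian classifier stands in for "Precog One", and a one-attribute rule classifier is included only as a deliberately weak base classifier so the meta-classifier has something to learn to distrust.

```python
"""Combining classifier output: k-fold cross validation, bagging (unweighted
majority vote) and stacking (a meta-classifier fed by base classifiers).
Added example in plain Python, not code from the original slides; the claim
records, attribute names and the fraud-generating rule are constructed."""

import random
from collections import Counter, defaultdict

FEATURES = ("new_policy", "no_witness", "high_claim")   # constructed binary attributes


def make_data(n=220, seed=7):
    """Constructed claims: ~20% fraud; fraud cases carry the risky attributes more often."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        fraud = 1 if rng.random() < 0.2 else 0
        p = 0.8 if fraud else 0.25
        rows.append((tuple(int(rng.random() < p) for _ in FEATURES), fraud))
    return rows


def partition(rows, k=11):
    """Eleven partitions as on the slide: fold i is the test set exactly once."""
    return [rows[i::k] for i in range(k)]


class NaiveBayes:
    """Precog One: naive Bayesian classifier over binary attributes (Laplace smoothed)."""
    def fit(self, rows):
        self.prior = Counter(y for _, y in rows)
        self.counts = defaultdict(Counter)          # (attribute, label) -> value counts
        for x, y in rows:
            for i, v in enumerate(x):
                self.counts[(i, y)][v] += 1
        return self

    def predict(self, x):
        def score(y):
            s = self.prior[y]
            for i, v in enumerate(x):
                s *= (self.counts[(i, y)][v] + 1) / (self.prior[y] + 2)
            return s
        return max(self.prior, key=score)


class OneRule:
    """A deliberately weak base classifier: majority label per value of one attribute."""
    def fit(self, rows):
        best = None
        for i in range(len(rows[0][0])):
            table = {v: Counter(y for x, y in rows if x[i] == v).most_common(1)[0][0]
                     for v in (0, 1) if any(x[i] == v for x, _ in rows)}
            hits = sum(table.get(x[i]) == y for x, y in rows)
            if best is None or hits > best[0]:
                best = (hits, i, table)
        self.attr, self.table = best[1], best[2]
        return self

    def predict(self, x):
        return self.table.get(x[self.attr], 0)


class Bagging:
    """Bagging: the same algorithm on bootstrap resamples, unweighted majority vote."""
    def __init__(self, make_model, rounds=7, seed=1):
        self.make_model, self.rounds, self.rng = make_model, rounds, random.Random(seed)

    def fit(self, rows):
        self.models = [self.make_model().fit(self.rng.choices(rows, k=len(rows)))
                       for _ in range(self.rounds)]
        return self

    def predict(self, x):
        return Counter(m.predict(x) for m in self.models).most_common(1)[0][0]


class Stacking:
    """Stacking: base classifiers present their predictions to a meta-classifier,
    which learns from held-out rows which of them to trust."""
    def __init__(self, bases, meta):
        self.bases, self.meta = bases, meta

    def fit(self, rows):
        half = len(rows) // 2                       # base models never see the meta-training rows
        for b in self.bases:
            b.fit(rows[:half])
        self.meta.fit([(tuple(b.predict(x) for b in self.bases), y) for x, y in rows[half:]])
        return self

    def predict(self, x):
        return self.meta.predict(tuple(b.predict(x) for b in self.bases))


def cross_validate(make_model, rows, k=11):
    """Mean accuracy over k folds; every fold is held out for testing once."""
    folds = partition(rows, k)
    correct = 0
    for i, test in enumerate(folds):
        train = [r for j, f in enumerate(folds) if j != i for r in f]
        model = make_model().fit(train)
        correct += sum(model.predict(x) == y for x, y in test)
    return correct / len(rows)


def run_all():
    rows = make_data()
    return {
        "naive_bayes": cross_validate(NaiveBayes, rows),
        "one_rule": cross_validate(OneRule, rows),
        "bagged_nb": cross_validate(lambda: Bagging(NaiveBayes), rows),
        "stacking": cross_validate(
            lambda: Stacking([NaiveBayes(), OneRule(), Bagging(NaiveBayes)], NaiveBayes()), rows),
    }


if __name__ == "__main__":
    for name, acc in run_all().items():
        print(f"{name:12s} {acc:.3f}")
```

The point to notice when running it is the accuracy caveat from the problems slide: on this 80/20 data a classifier that always answers "legitimate" already scores 0.8, so cross-validated accuracy should be read against that floor (or, better, against a cost model) rather than on its own.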

Page 23

Cluster Detection as Analytical Machinery; Visualisation Techniques as Visual Symbols
• Analytical machinery: Self Organising Maps
  – Cluster high-dimensional elements into simpler, low-dimensional maps
  – Automatically group similar instances together
  – Do not specify an easy-to-understand model*
• Visual symbols: classification and clustering visualisations
  – Classification visualisation – confusion matrix, naive Bayesian visualisation
  – Clustering visualisation – column graph

Page 24

The Crime Detection System: Preparation Component
• Problem understanding
  – Determine investigation objectives
    - Choose
    - Explain
  – Assess situation
    - Available tools
    - Available data set
    - Cost model
  – Determine data mining objectives
    - Max hits / min false alarms
  – Produce project plan
    - Time
    - Tools

Page 25

The Crime Detection System: Preparation Component
• Data understanding
  – Describe data
  – Explore data
    - Claim trends by month
    - Age of vehicles
    - Age of policy holder
  – Verify data
    - Good data quality
    - Duplicate attributes, highly skewed attributes

Page 26

The Crime Detection System: Preparation Component
• Data preparation
  – Select data
    - All, except one attribute, are retained for analysis
  – Clean data
    - Missing values replaced
    - Spelling mistakes corrected
  – Format data
    - All characters converted to lowercase
    - Underscore symbol
  – Construct data
    - Derived attributes
    - Numerical input
  – Partition data
    - Data multiplication or oversampling
    - For example, 50/50 distribution
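The five data-preparation steps above (select, clean, format, construct, partition) map onto a short pipeline. The block below is an added example, not code from the original slides: the six raw insurance-claim records, their column names, the spelling-correction table, the choice of the identifier as the one attribute not retained, and the derived "vehicle age" attribute (taken from the earlier slide's "age of vehicles") are all constructed; missing numeric values are filled with the column median, which is one common choice for "missing values replaced", not necessarily the one the slides' system used.

```python
"""Data preparation for the crime detection system's preparation component:
select, clean, format, construct and partition.  Added example, not code from
the original slides; the raw records, column names, spelling table and the
dropped attribute are all constructed."""

import csv
import io
import random

# Constructed raw export: an identifier column, free-text vehicle makes with
# inconsistent case and one misspelling, and two missing numeric values.
RAW = """claim_id,vehicle_make,policy_age_months,vehicle_year,claim_amount,fraud
1,Honda Civic,3,2011,4200,yes
2,toyota corola,40,2005,900,no
3,Honda CIVIC,,2008,1500,no
4,Ford Focus,1,2012,8100,yes
5,Toyota Corolla,27,2004,,no
6,Ford focus,15,2009,2300,no
"""
SPELLING = {"corola": "corolla"}            # constructed correction table
DROP = {"claim_id"}                         # the one attribute not retained
NUMERIC = ("policy_age_months", "vehicle_year", "claim_amount")


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def select(rows):
    """Select data: all attributes except the identifier are retained."""
    return [{k: v for k, v in r.items() if k not in DROP} for r in rows]


def clean(rows):
    """Clean data: missing numeric values replaced by the column median,
    spelling mistakes corrected from the table."""
    medians = {}
    for col in NUMERIC:
        present = sorted(float(r[col]) for r in rows if r[col] != "")
        medians[col] = present[len(present) // 2]
    out = []
    for r in rows:
        r = dict(r)
        for col in NUMERIC:
            r[col] = float(r[col]) if r[col] != "" else medians[col]
        r["vehicle_make"] = " ".join(SPELLING.get(w.lower(), w) for w in r["vehicle_make"].split())
        out.append(r)
    return out


def format_data(rows):
    """Format data: lowercase everything and join words with an underscore so
    each categorical value is a single token."""
    return [{k: ("_".join(v.lower().split()) if isinstance(v, str) else v)
             for k, v in r.items()} for r in rows]


def construct(rows, current_year=2013):
    """Construct data: a derived attribute (vehicle age) and a numerical label."""
    out = []
    for r in rows:
        r = dict(r)
        r["vehicle_age"] = current_year - r["vehicle_year"]
        r["fraud"] = 1 if r["fraud"] == "yes" else 0
        out.append(r)
    return out


def partition(rows, seed=0):
    """Partition data: oversample the minority class until the set is 50/50.
    Rows are duplicated with replacement; the originals keep their order."""
    by_label = {y: [r for r in rows if r["fraud"] == y] for y in (0, 1)}
    minority = min(by_label, key=lambda y: len(by_label[y]))
    shortfall = len(by_label[1 - minority]) - len(by_label[minority])
    rng = random.Random(seed)
    return rows + [dict(rng.choice(by_label[minority])) for _ in range(shortfall)]


def prepare(text=RAW):
    return partition(construct(format_data(clean(select(load(text))))))


if __name__ == "__main__":
    for row in prepare():
        print(row)
```

Oversampling duplicates minority rows, so it must be applied to the training partition only; applying it before the cross-validation split would place copies of the same claim on both sides of a fold and inflate the measured success rate.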

Page 27

Implementing the Crime Detection System: Action Component

Page 28

• Deployment
  – Plan deployment
    - Manage geographically distributed databases using distributed data mining
    - Take time into account
  – Plan monitoring and maintenance
    - Determined by the rate of change in the external environment and organisational requirements
    - Rebuild models when cost savings fall below a certain percentage of the maximum cost savings possible

Page 29

• New crime detection method
• Crime detection system
• Cost model
• Visualisations
• Statistics
• Score-based feature
• Extensive literature review
• In-depth analysis of algorithms

Page 30

• Imperfect data
  – Statistical evaluation and confidence intervals
  – Preparation component of the crime detection system
  – Derived attributes
  – Cross validation
• Highly skewed data
  – Partitioned data with the most appropriate distribution
  – Cost model
• Black-box predictions
  – Classification and clustering visualisation
  – Sorted scores and predefined thresholds, rules

Page 31

• Lack of domain knowledge
  – Action component of the crime detection system
  – Extensive literature review
• Great variety of fraud scenarios over time
  – SOM
  – Crime detection method
  – Choice of algorithms
• Assessing data mining potential
  – Quality and quantity of data
  – Cost model
  – z-scores

Page 32

FOR FURTHER INFORMATION PLEASE CONTACT:
E-mail: [email protected], [email protected]; [email protected]; [email protected]
Phone: 91-11-29533068
Fax: 91-11-29533068
ACIIL, Block &, Room 16, Maidan Garhi, IGNOU, New Delhi-110068

Open for Interaction?

