Cyber forensics intro & requirement engineering cit dec 21,2013
requirement engineering for cyber forensics
Published in: Technology
Transcript

  • 1. Cyber Forensics: An Intro & Requirement Engineering. Prof. K. Subramanian, SM(IEEE), SMACM, FIETE, LSMCSI, MAIMA, MAIS, MCFE, LM(CGAER); Academic Advocate, ISACA (USA) in India; Professor & Former Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU; Hon. IT Adviser to CAG of India & Ex-DDG (NIC), Ministry of Communications & Information Technology; Former President, Cyber Society of India; Founder President, eInformation Systems Security Audit Association (eISSA), India. 12/14/13 Prof. KS@2013 cit FDP coimbatore Dec 21,2013 1
  • 2. (Diagram of threats, impacts and controls.) Threats: interception, social engineering attack, accidental damage, scavenging, natural disaster, Trojan horses, data diddling, virus attack, hardware/software failure, fraud & theft, unauthorised access, incomplete program changes. Impacts: loss of credibility, embarrassment, financial loss, losing customers to competition. Controls: authorisation, program change, documentation, passwords, audit trails, IS backups, anti-virus, encryption, security guards, input validations, hardware maintenance, business continuity plan.
  • 3. Enterprise Management (diagram).
  • 4. Cyber/Information Forensics: New Challenges
    - Evidence: collection, collation, organization, analysis, presentation, preservation; acceptable to the judiciary.
    - Environment: identity management; access mechanism (local/remote; single network/multiple networks); access control (password-controlled, token-controlled, biometric-controlled); encrypted/non-encrypted.
  • 5. Whose Responsibility? Digital forensics involves police/investigators, prosecutors, auditors and technologists.
    - What is required? Highly trained manpower, appropriate tools, strong cyber law, certified fraud examiners.
    - Methods: e-mail tracking, hard-disk forensics, decrypting of data, finding hidden/embedded links, tracing compromised source servers.
  • 6. What could all this lead to? Loss of confidential/secret information; loss of intellectual property; loss of customer confidence; loss of revenue; implications on the social set-up; cyber terrorism.
  • 7. Auditors fail to discover fraud because they are not looking for it! Victims seldom squeal! It is not good form to be the whistle-blower, the bad guy, the one who reveals all.
    - Human nature: hide failures, not admit them; conceal problems, not discuss them; defend wrong decisions, not admit them; cover up mistakes, not own up.
  • 8. What is Forensic Audit?
    - Forensic: "Belonging to, used in or suitable to courts of judicature or to public discussion and debate."
    - Audit: the process which identifies the extent of conformance (or otherwise) of actual events with intended events and pre-determined norms for different activity segments, in accordance with established criteria.
  • 9. Forensic Auditing
    - Forensic auditing encompasses: fraud detection, fraud investigation, fraud prevention.
    - Skills required of forensic accountants: accounting/finance expertise, fraud knowledge, knowledge of the legal system, ability to work with people.
  • 10. Change in the focus of Forensic Audit: the changing environment; technological advances; emerging expectations and the widening gap; and changes in the profile of the fraudster, the frauds and fraudster technologies themselves.
  • 11. Financial Auditing vs. Fraud Auditing
    - Financial auditing: program/procedural approach; control-risk approach (focus on IC strengths); focus on errors and omissions.
    - Fraud auditing: not program oriented; "think like a crook" approach (focus on IC weaknesses); focus on exceptions, oddities and patterns of conduct.
  • 12. Financial Auditing vs. Fraud Auditing (continued)
    - Financial auditing: emphasis on materiality; logical accounting and auditing background; internal/external auditors are credited with finding about 4% to 20% of uncovered fraud.
    - Fraud auditing: "Where there's smoke, there's fire."; illogical: behavioural motive, opportunity, integrity; fraud examiners' rate is much higher because fraud auditors are only called in when fraud is known or highly suspected.
  • 13. Types of Frauds: management frauds; direct illegal acts; employee frauds; white-collar crimes; corruption and bribing; cyber/net frauds; cyber terrorism; InfoTech warfare.
  • 14. Forensic Audit should ensure that it is: a means to an end; a guide to decision making; enables improvement of society; empowers decision makers with state-of-the-art verifiable inputs; enables enactment of effective laws; promotes effective delivery of justice in accordance with the canons and tenets. (Cyber security & Cyber forensics seminar, CSI-IETE, March 28, 2009)
  • 15. Tools & Technologies
    - Certified tools & proprietary tools; natural methods of evidence collection (built-in tools); centralized vs. decentralized & distributed.
    - Techniques: database, machine learning, neural networks, data visualization, statistics, distributed data mining.
    - Investigative data mining and problems in fraud detection: definitions; technical and practical problems; existing fraud detection methods; widely used methods.
    - The crime detection method: comparisons with Minority Report; classifiers as precogs; combining output as integration mechanisms; cluster detection as analytical machinery; visualization techniques as visual symbols.
    - Communication & network technologies: wired, wireless, mobile, web & Internet.
  • 16. Implementing the Crime Detection System: Action Components
    - Preparation components: investigation objectives; collected data; preparation of collected data to achieve the objectives.
    - Action components: Which experiments generate the best predictions? Which is the best insight? How can the new models and insights be deployed within an organization?
  • 17. Fraud Detection Problems: Technical & Practical
    - Technical: imperfect data (usually not collected for data mining; inaccurate, incomplete and irrelevant data attributes); highly skewed data (many more legitimate than fraudulent examples; higher chances of over-fitting); black-box predictions (numerical outputs incomprehensible to people; predictive accuracy is useless for skewed data sets).
    - Practical: great variety of fraud scenarios over time (soft fraud: cost of investigation > cost of fraud; hard fraud: circumvents anti-fraud measures); lack of domain knowledge (important attributes, likely relationships and known patterns; three types of fraud offenders and their modus operandi); assessing data mining potential.
  • 18. Widely Used Methods in Fraud Detection
    - Insurance fraud: cluster detection -> decision tree induction -> domain knowledge, statistical summaries and visualisations. Special case: neural network classification -> cluster detection.
    - Credit card fraud: decision tree and naive Bayesian classification -> stacking.
    - Telecommunications fraud: cluster detection -> scores and rules.
  • 19. The Crime Detection Method: Comparisons with Minority Report
    - Precogs: foresee and prevent crime; each precog contains multiple classifiers.
    - Integration mechanisms: combine predictions.
    - Analytical machinery: record, study, compare and represent predictions in simple terms; a single "computer".
    - Visual symbols: explain the final predictions; graphical visualizations, numerical scores and descriptive rules.
  • 20. Classifiers as Precogs
    - Precog one, naive Bayesian classifiers: statistical paradigm; simple and fast; redundant and not normally distributed attributes*.
    - Precog two, classifiers: computer metaphor; explain patterns and quite fast; scalability and efficiency.
    - Precog three, back-propagation classifiers: brain metaphor; long training times and extensive parameter tuning*.
  • 21. Combining Output as Integration Mechanisms
    - Cross validation: divides the training data into eleven data partitions; each data partition is used for training, testing and evaluation once*; slightly better success rate.
    - Bagging: unweighted majority voting on each example or instance; combines predictions from the same algorithm or different algorithms*; increases the success rate.
  • 22. Combining Output as Integration Mechanisms (continued)
    - Stacking: a meta-classifier; base classifiers present their predictions to the meta-classifier, which determines the most reliable classifiers.
  • 23. Cluster Detection as Analytical Machinery; Visualisation Techniques as Visual Symbols
    - Analytical machinery, self-organising maps: cluster high-dimensional elements into simpler, low-dimensional maps; automatically group similar instances together; do not specify an easy-to-understand model*.
    - Visual symbols, classification and clustering visualisations: classification visualisation (confusion matrix, naive Bayesian visualisation); clustering visualisation (column graph).
  • 24. The Crime Detection System: Preparation Component
    - Problem understanding: determine investigation objectives (choose, explain); assess the situation (available tools, available data set, cost model); determine data mining objectives (max hits / min false alarms); produce a project plan (time, tools).
  • 25. The Crime Detection System: Preparation Component
    - Data understanding: describe data; explore data (claim trends by month, age of vehicles, age of policy holder); verify data (good data quality; duplicate attribute, highly skewed attributes).
  • 26. The Crime Detection System: Preparation Component
    - Data preparation: select data (all attributes except one are retained for analysis); clean data (missing values replaced, spelling mistakes corrected); format data (all characters converted to lowercase, underscore symbol); construct data (derived attributes, numerical input); partition data (data multiplication or oversampling, for example to a 50/50 distribution).
  • 27. Implementing the Crime Detection System: Action Component
  • 28. Deployment
    - Plan deployment: manage geographically distributed databases using distributed data mining; take time into account.
    - Plan monitoring and maintenance: determined by the rate of change in the external environment and organisational requirements; rebuild models when cost savings fall below a certain percentage of the maximum cost savings possible.
  • 29. New crime detection method; crime detection system; cost model; visualisations; statistics; score-based feature; extensive literature review; in-depth analysis of algorithms.
  • 30. How the problems are addressed
    - Imperfect data: statistical evaluation and confidence intervals; preparation component of the crime detection system; derived attributes; cross validation.
    - Highly skewed data: partitioned data with the most appropriate distribution; cost model.
    - Black-box predictions: classification and clustering visualisation; sorted scores with predefined thresholds, rules.
  • 31. How the problems are addressed (continued)
    - Lack of domain knowledge: action component of the crime detection system; extensive literature review.
    - Great variety of fraud scenarios over time: SOM; crime detection method; choice of algorithms.
    - Assessing data mining potential: quality and quantity of data; cost model; z-scores.
  • 32. For further information please contact: e-mail ksdir@nic.in, ks@eissa.org, ksmanian@ignou.ac.in, ksmanian48@gmail.com; phone 91-11-29533068; fax 91-11-29533068; ACIIL, Block &, Room 16, Maidan Garhi, IGNOU, New Delhi-110068. Open for interaction?
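Slides 17, 21 and 26 above describe three pieces of the crime detection system: why predictive accuracy is useless on highly skewed data, bagging by unweighted majority vote, and partitioning the data by oversampling to a 50/50 distribution. The following Python is an added example written for this page, not the deck's or the author's code; the claim records are constructed, and the tie-break toward the fraud label is an assumption.

```python
from collections import Counter
from random import Random

# Constructed sample (not from the deck): 40 claims, one in ten fraudulent,
# i.e. "many more legitimate than fraudulent examples".
SAMPLE = [{"claim_id": i, "amount": 1000 + 50 * i, "fraud": i % 10 == 0}
          for i in range(40)]

def class_counts(records, label_key="fraud"):
    return dict(Counter(r[label_key] for r in records))

def oversample_to_balance(records, label_key="fraud", seed=0):
    """Partition step: replicate minority-class records (with replacement)
    until both classes are the same size, the deck's 50/50 distribution."""
    rng = Random(seed)
    by_label = {}
    for rec in records:
        by_label.setdefault(rec[label_key], []).append(rec)
    if len(by_label) != 2:
        raise ValueError("expected exactly two classes")
    minority, majority = sorted(by_label.values(), key=len)
    extra = [rng.choice(minority) for _ in range(len(majority) - len(minority))]
    balanced = majority + minority + extra
    rng.shuffle(balanced)
    return balanced

def majority_vote(votes):
    """Bagging integration: unweighted majority vote per instance, where
    votes[k][i] is classifier k's prediction (True = fraud) for instance i.
    Ties go to fraud (assumption: a missed fraud costs more than a check)."""
    n_clf, n_inst = len(votes), len(votes[0])
    # e.g. majority_vote([[True, False], [False, False]]) -> [True, False]
    return [sum(v[i] for v in votes) * 2 >= n_clf for i in range(n_inst)]

def accuracy(pred, truth):
    return sum(p == t for p, t in zip(pred, truth)) / len(truth)

def hits_and_false_alarms(pred, truth):
    """The deck's data-mining objective: max hits, min false alarms."""
    hits = sum(1 for p, t in zip(pred, truth) if p and t)
    false_alarms = sum(1 for p, t in zip(pred, truth) if p and not t)
    return hits, false_alarms

def skewed_accuracy_trap(records):
    """Why accuracy is useless on skewed data: predicting 'legitimate' for
    every record scores 90% accuracy here yet catches no fraud at all."""
    truth = [r["fraud"] for r in records]
    never_fraud = [False] * len(records)
    return accuracy(never_fraud, truth), hits_and_false_alarms(never_fraud, truth)
```

Running `class_counts` before and after `oversample_to_balance(SAMPLE)` shows the 4:36 split become 36:36, and `skewed_accuracy_trap(SAMPLE)` returns 0.9 accuracy with zero hits, which is why the deck scores models on hits and false alarms instead.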