Cyber forensics intro & requirement engineering cit dec 21,2013

Cyber Forensics
An intro & Requirement Engineering
Prof. K. Subramanian
SM(IEEE), SMACM, FIETE, LSMCSI,MAIMA,MAIS,MCFE,LM(CGAER)
Academic Advocate ISACA(USA) in India

Professor & Former Director, Advanced Center for Informatics & Innovative Learning
(ACIIL), IGNOU

HON.IT Adviser to CAG of India
& Ex-DDG(NIC), Min of Communications & Information Technol9ogy
Former President, Cyber Society of India

Founder President, eInformation Systems Security Audit Association (eISSA), India
12/14/13 Prof. KS@2013 cit FDP coimbatore Dec 21,2013

1

LOSS OF
CREDIBILITY
INTERCEPTION
SOCIAL
ENGINEERING
ATTACK

ACCIDENTAL
DAMAGE
AUTHORISATION

PROGRAM
CHANGE
SCAVENGING
DOCUMENTATION

PASSWORDS
AUDIT TRAILS

NATURAL
DISASTER
TROJAN
HORSES

DATA EMBARRASSMENT
DIDDLING

INPUT
VALIDATIONS

IS

BACKUPS

VIRUS
ATTACK

ANTI-VIRUS
ENCRYPTION
SECURITY
GUARDS

FINANCIAL INCOMPLETE
LOSS PROGRAM
CHANGES

HARDWARE
MAINTENANCE
BUSINESS
CONTINUITY
PLAN

UNAUTHORISED
ACCESS

HARDWARE /
SOFTWARE
FAILURE

FRAUD
& THEFT

LOSS OF
LOSING TO
CUSTOMERS
COMPETITION
2
12/14/13
2

Enterprise
Management

12/14/13


3
3

Cyber/Information Forensics
New Challenges
 Evidence
 Collection
 Collation
 Organization
 Analysis
 Presentation
 Preservation
 Acceptable to Judiciary
 Environment

 Identity Management
 Access Mechanism



Local
Remote
 Single network
 Multiple network

 Access control




Password controlled
Token Controlled
Bio-metric Controlled

 Encrypted/Non Encrypted


4
4

Whose Responsibility?
Digital Forensics

 Police/Investigators
 Prosecutors
 Auditors
 Technologists

What is required?





A highly trained manpower
Appropriate tools
Strong Cyber Law
Certified Fraud Examiners

Methods:






12/14/13

E-mail tracking
Hard Disk forensics
Decrypting of data
Finding hidden/ embedded
links
Tracing compromised source
servers


5
5

What could all this lead to?
Loss of Confidential//Secret Information
Loss of Confidential Secret Information
Loss of intellectual property
Loss of intellectual property
Loss of customer confidence
Loss of customer confidence
Loss of Revenue
Loss of Revenue
Implications on social set up
Implications on social set up
CYBER TERRORISM
CYBER TERRORISM

12/14/13


6
6

 Auditors fail to discover Fraud because they are

not looking for it!
 Victims seldom squeal! It is not good form to be
the whistle blower, the bad guy, one who reveals
all.
 Human nature:
 Hide failures not admit them
 Conceal problems not discuss them
 Defend wrong decisions not admit them
 Cover up mistakes not own up

12/14/13


7
7

What is Forensic Audit?
Forensic – “Belonging to, used in or suitable to
courts of judicature or to public discussion and
debate.

Audit - the process which identifies the extent of
conformance (or otherwise) of actual events with
intended events and pre-determined norms for
different activity segments in accordance with
established criteria.

12/14/13


8
8

Forensic Auditing

 Forensic Auditing encompasses:
 Fraud detection
 Fraud investigation
 Fraud prevention
 Skills required of forensic accountants:
 Accounting/Finance expertise
 Fraud knowledge
 Knowledge of legal system
 Ability to work with people

12/14/13


9
9

Change in the focus of Forensic Audit
 changing environment
 technological advances
 emerging expectations and the widening gap, and
 changes in the profile of the fraudster and frauds and
fraudster technologies themselves.

12/14/13


10
10

Financial Auditing vs. Fraud Auditing
Financial Auditing
 Program procedural

approach
 Control risk
approach (focus on
IC strengths)
 Focus on errors and
omissions

12/14/13

Fraud Auditing

 Not program

oriented
 “Think like a crook”
approach (focus on
IC weaknesses)
 Focus on exceptions,
oddities, and
patterns of conduct


11
11

Financial Auditing vs. Fraud Auditing
Financial Auditing
 Emphasis on
materiality
 Logical accounting and
auditing background
 Internal/external
auditors are credited
with finding about 4%
to 20% of uncovered
fraud

12/14/13

Fraud Auditing
 “Where there’s smoke,
there’s fire.”
 Illogical, behavioral
motive, opportunity,
integrity
 Fraud examiner rate
much higher because
fraud auditors are only
called in when fraud is
known or highly
suspected.


12
12

Types of Frauds
 Management Frauds
 Direct Illegal Acts
 Employee Frauds
 White collar crimes

12/14/13

 Corruption and

bribing
 Cyber/Net frauds
 Cyber terrorism
 InfoTech Warfare


13
13

 Forensic Audit should ensure that it is –
 A means to an end
 A guide to decision making
 Enables improvement of society
 Empowers decision makers with state of the art

verifiable inputs
 Enables enactment of effective laws
 Promotes effective delivery of justice in accordance

with the cannons and tenets

12/14/13

Cyber security & Cyber forensics seminar CSI-IETE

March KS@2013 cit FDP coimbatore Dec 21,2013
12/14/13 Prof.28, 2009

14
14

Tools & Technologies
 database,

 Certified tool & Proprietary tool
 Natural Methods of evidence Collection-

 Built-in tools
 Centralized Vs Decentralized & Distributed

 Investigative Data Mining and Problems

in Fraud Detection

 Definitions
 Technical and Practical Problems

 Existing Fraud Detection Methods
 Widely used methods

 The Crime Detection Method

 Comparisons with Minority Report
 Classifiers as Precogs
 Combining Output as Integration

Mechanisms
 Cluster Detection as Analytical Machinery
 Visualization Techniques as Visual
Symbols

12/14/13

machine learning,
neural networks,
data visualization,
statistics,
distributed data
mining.
 Communication &
Network
technologies











Wired
Wireless
Mobile
Web & Internet


12/14/13 Prof.28, 2009

15
15

Implementing the Crime
Detection System:
Action Components

Preparation components
 Investigation objectives
 Collected data
 Preparation of collected
data to achieve
objectives

12/14/13

 Which experiments

generate best
predictions?
 Which is the best
insight?
 How can the new
models and insights be
deployed within an
organization?


16
16

Fraud Detection Problems
Technical & Practical
Practical
Technical

•

Imperfect data

•

– Usually not collected for data

mining
– Inaccurate, incomplete, and
irrelevant data attributes

•

Highly skewed data
– Many more legitimate than

•

fraudulent examples
– Higher chances of over fitting

•

Black-box predictions
– Numerical outputs

– Predictive accuracy are useless for

•

skewed data sets
Great variety of fraud scenarios over
time

Soft fraud – Cost of investigation > Cost
of fraud
– Hard fraud – Circumvents anti-fraud
coimbatore Dec 21,2013
17
17
12/14/13 Prof. KS@2013 cit FDP measures

incomprehensible to people

12/14/13

Lack of domain knowledge
– Important attributes, likely
relationships, and known
patterns
– Three types of fraud offenders
and their modus operandi
Assessing data mining potential

–

Widely Used Methods in Fraud
•Detection
Insurance Fraud

– Cluster detection -> decision tree induction -> domain
knowledge, statistical summaries, and visualisations
– Special case: neural network classification -> cluster
detection

• Credit Card Fraud
– Decision tree and naive Bayesian classification ->
stacking

• Telecommunications Fraud
– Cluster detection -> scores and rules
12/14/13


12/14/13 Prof.28, 2009

18
18

The Crime Detection Method
Comparisons with Minority Report
• Precogs
– Foresee and prevent crime
– Each precog contains multiple classifiers

• Integration Mechanisms
– Combine predictions

• Analytical Machinery
– Record, study, compare, and represent predictions in simple terms
– Single “computer”

• Visual Symbols
– Explain the final predictions
– Graphical visualizations, numerical scores, and descriptive rules

12/14/13


19
19

Classifiers as Precogs

Precog One: Naive Bayesian Classifiers
–
–
–

Statistical paradigm
Simple and Fast
Redundant and not normally distributed attributes*

Precog Two: Classifiers
–
–
–

Computer metaphor
Explain patterns and quite fast
Scalability and efficiency

Precog Three: Back-propagation Classifiers
–
–

12/14/13

Brain metaphor
Long training times and extensive parameter tuning*

20
20

Combining Output as Integration Mechanisms
• Cross Validation
– Divides training data into eleven data partitions
– Each data partition used for training, testing, and
evaluation once*
– Slightly better success rate

• Bagging
– Unweighted majority voting on each example or
instance
– Combine predictions from same algorithm or different
algorithms*
– Increases success rate
12/14/13

12/14/13

Prof. KS@2013 cit FDP coimbatore Dec 21,2013

21

Combining Output as Integration Mechanisms
• Stacking
– Meta-classifier
– Base classifiers present predictions to metaclassifier
– Determines the most reliable classifiers

12/14/13


22
22

Cluster Detection as Analytical Machinery
Visualisation Techniques as Visual Symbols
• Analytical Machinery: Self Organising Maps
– Clusters high dimensional elements into more simple,
low dimensional maps
– Automatically groups similar instances together
– Do not specify an easy-to-understand model*

• Visual Symbols: Classification and Clustering
Visualisations
– Classification visualisation – confusion matrix
- naive Bayesian visualisation
– Clustering visualisation
- column grap
12/14/13


23
23

The Crime Detection System:
•Preparation Component
Problem Understanding
– Determine investigation objectives
- Choose
- Explain
– Assess situation
- Available tools
- Available data set
- Cost model
– Determine data mining objectives
- Max hits/Min false alarms
– Produce project plan
- Time
- Tools
12/14/13


24
24

Preparation Component

 Data Understanding
 Describe data
- Explore data
- Claim trends by month
- Age of vehicles
- Age of policy holder
 Verify data
- Good data quality
- Duplicate attribute, highly skewed attributes
12/14/13


25
25

Preparation Component
 Data Preparation
 Select data

- All, except one attribute, are retained for analysis
 Clean data
- Missing values replaced
- Spelling mistakes corrected
 Format data
- All characters converted to lowercase
- Underscore symbol
 Construct data
- Derived attributes
- - Numerical input
 Partition data

- Data multiplication or oversampling
- For example, 50/50 distribution
12/14/13


26
26

Implementing the
Crime Detection
System:
Action Component

12/14/13


27
27

• Deployment
– Plan deployment
- Manage geographically distributed databases using
distributed data mining
- Take time into account
– Plan monitoring and maintenance
- Determined by rate of change in external environment
and organisational
requirements
- Rebuild models when cost savings are below a certain
percentage of maximum
cost savings possible

12/14/13


28
28

•
•
•
•
•
•
•
•

New Crime Detection Method
Crime Detection System
Cost Model
Visualisations
Statistics
Score-based Feature
Extensive Literature Review
In-depth Analysis of Algorithms

12/14/13


29
29

• Imperfect data
–
–
–
–

Statistical evaluation and confidence intervals
Preparation component of crime detection system
Derived attributes
Cross validation

• Highly skewed data
– Partitioned data with most appropriate distribution
– Cost model

• Black-box predictions
– Classification and clustering visualisation
– Sorted scores and predefined thresholds, rules
12/14/13


30
30

• Lack of domain knowledge
– Action component of crime detection system
– Extensive literature review

• Great variety of fraud scenarios over time
– SOM
– Crime detection method
– Choice of algorithms

• Assessing data mining potential
– Quality and quantity of data
– Cost model
– z-scores
12/14/13


31
31



FOR FURTHER INFORMATION PLEASE CONTACT :-

E-MAIL: ksdir@nic.in,
ks@eissa.org;ksmanian@ignou.ac.in;




ksmanian48@gmail.com



91-11-29533068



Fax:91-11-29533068



ACIIL, Block &, Room 16,



Maidan Garhi, IGNOU



Open for Interaction?

New Delhi-110068

12/14/13


32
32

Cyber forensics intro & requirement engineering cit dec 21,2013

More Related Content

What's hot

Viewers also liked

Similar to Cyber forensics intro & requirement engineering cit dec 21,2013

More from subramanian K

Recently uploaded

Cyber forensics intro & requirement engineering cit dec 21,2013