1. Cyber Forensics
An intro & Requirement Engineering
Prof. K. Subramanian
SM(IEEE), SMACM, FIETE, LSMCSI,MAIMA,MAIS,MCFE,LM(CGAER)
Academic Advocate ISACA(USA) in India
Professor & Former Director, Advanced Center for Informatics & Innovative Learning
(ACIIL), IGNOU
HON.IT Adviser to CAG of India
& Ex-DDG(NIC), Min of Communications & Information Technology
Former President, Cyber Society of India
Founder President, eInformation Systems Security Audit Association (eISSA), India
12/14/13 Prof. KS@2013 cit FDP coimbatore Dec 21,2013
4. Cyber/Information Forensics
New Challenges
• Evidence
  – Collection
  – Collation
  – Organization
  – Analysis
  – Presentation
  – Preservation
  – Acceptable to the judiciary
• Environment
  – Identity management
  – Access mechanism
    - Local
    - Remote
    - Single network
    - Multiple networks
  – Access control
    - Password controlled
    - Token controlled
    - Biometric controlled
  – Encrypted / non-encrypted
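The preservation and admissibility points above come down to one thing: being able to prove that what is analysed and presented is exactly what was collected. As an added example, not part of the original slides, the following Python builds a SHA-256 manifest of an evidence directory, records who collected it and when, hashes the manifest itself so that value can be copied into the custody log or signed, and later re-verifies every file. The case identifier, collector name and sample files are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest_digest(manifest):
    """Hash of the manifest body (everything except its own digest field)."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Record path, size and SHA-256 of every collected file, plus who collected it and when."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(full, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    manifest = {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    # Write this value into the paper custody log (or sign it): it ties the
    # list of hashes to the moment of collection so the manifest itself
    # cannot be silently rewritten later.
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file. Returns a list of (path, problem); empty means intact."""
    problems = []
    if manifest_digest(manifest) != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "manifest altered"))
    for entry in manifest["files"]:
        full = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "modified"))
    return problems


def demo():
    """Constructed scenario: collect two files, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        os.makedirs(os.path.join(evidence_dir, "mail"))
        with open(os.path.join(evidence_dir, "mail", "inbox.mbox"), "wb") as fh:
            fh.write(b"From: alice@example.org\nSubject: invoice\n\npay now\n")
        with open(os.path.join(evidence_dir, "disk.img"), "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        manifest = build_manifest(evidence_dir, case_id="CASE-0001", collector="examiner A")
        before = verify_manifest(evidence_dir, manifest)
        # Tampering after collection: one byte changes, the size does not,
        # so a size-only check would miss it while the hash does not.
        with open(os.path.join(evidence_dir, "mail", "inbox.mbox"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"T")
        after = verify_manifest(evidence_dir, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest digest is what goes on the custody form and into the examiner's notes; the evidence files are then worked on only from a verified copy, so the original can be re-verified against the manifest at any point before presentation.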
5. Whose Responsibility?
Digital Forensics
• Police/Investigators
• Prosecutors
• Auditors
• Technologists
What is required?
• Highly trained manpower
• Appropriate tools
• Strong cyber law
• Certified fraud examiners
Methods:
• E-mail tracking
• Hard disk forensics
• Decrypting data
• Finding hidden/embedded links
• Tracing compromised source servers
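Of the methods listed, e-mail tracking is the one most often done by hand, and the classic mistake is to treat the bottom-most Received header as proof of the sender's address. The following Python is an added example, not code from the original slides: it parses a constructed message with the standard email module, walks the Received chain from claimed origin to final delivery, and separates the IP the headers claim from the last IP actually observed by a server we operate. The trusted relay names and the sample message are assumptions made for the demonstration.

```python
import email
import re

# Assumption for the example: the MTAs we operate, whose Received lines we trust.
TRUSTED_RELAYS = {"mail.example.org", "mx2.example.org"}

# Constructed sample message (not a real capture). Each hop prepends its own
# Received line, so the top line is the last hop and the bottom line is the
# claimed origin.
RAW = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.7])
\tby mail.example.org with ESMTP id abc123; Sat, 14 Dec 2013 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.23])
\tby mx2.example.org with ESMTPS; Sat, 14 Dec 2013 10:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA id xyz; Sat, 14 Dec 2013 10:02:05 +0000
From: "Accounts" <accounts@example.org>
To: victim@example.org
Subject: Invoice
Message-ID: <20131214100205.xyz@relay.example.net>

Please pay the attached invoice.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.*)$")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received chain origin-first as dicts with from/by/ip/date."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(value.split())                 # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue                                   # malformed hop: skip, do not guess
        ip_m = IPV4_RE.search(text[: m.start("by")])   # IP from the 'from' clause only
        hops.append({"from": m["from"], "by": m["by"],
                     "ip": ip_m.group(1) if ip_m else None, "date": m["date"]})
    return hops


def trace(raw, trusted=TRUSTED_RELAYS):
    """Separate what the headers claim from what our own servers actually observed."""
    hops = parse_hops(raw)
    claimed = hops[0]["ip"] if hops else None
    verifiable = None
    for hop in hops:
        if hop["by"] in trusted:       # first hop written by a server we control
            verifiable = hop["ip"]
            break
    return {"hops": hops, "claimed_origin_ip": claimed, "last_verifiable_ip": verifiable}


if __name__ == "__main__":
    result = trace(RAW)
    for hop in result["hops"]:
        print(f"{hop['ip'] or '?':<16} {hop['from']} -> {hop['by']}  ({hop['date']})")
    print("claimed origin:    ", result["claimed_origin_ip"])
    print("last verifiable IP:", result["last_verifiable_ip"])
```

Only hops recorded by your own MTAs can be relied on. Everything below the first trusted hop was written by machines the sender may control, so the 192.0.2.44 in the sample is a claim, not evidence, until the operator of relay.example.net corroborates it from their own logs; the 198.51.100.23 connection to mx2.example.org is what your own server saw and can testify to.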
6. What could all this lead to?
• Loss of confidential/secret information
• Loss of intellectual property
• Loss of customer confidence
• Loss of revenue
• Implications for the social set-up
• CYBER TERRORISM
7. Auditors fail to discover fraud because they are not looking for it!
Victims seldom squeal: it is not good form to be the whistle-blower, the bad guy, the one who reveals all.
Human nature:
• Hide failures rather than admit them
• Conceal problems rather than discuss them
• Defend wrong decisions rather than admit them
• Cover up mistakes rather than own up
8. What is Forensic Audit?
Forensic – “Belonging to, used in or suitable to courts of judicature or to public discussion and debate.”
Audit – the process which identifies the extent of conformance (or otherwise) of actual events with intended events and pre-determined norms for different activity segments, in accordance with established criteria.
9. Forensic Auditing
Forensic Auditing encompasses:
• Fraud detection
• Fraud investigation
• Fraud prevention
Skills required of forensic accountants:
• Accounting/finance expertise
• Fraud knowledge
• Knowledge of the legal system
• Ability to work with people
10. Change in the focus of Forensic Audit
• Changing environment
• Technological advances
• Emerging expectations and the widening gap
• Changes in the profile of the fraudster and of frauds, and in fraudster technologies themselves
11. Financial Auditing vs. Fraud Auditing
Financial Auditing
• Program/procedural approach
• Control-risk approach (focus on internal control (IC) strengths)
• Focus on errors and omissions
Fraud Auditing
• Not program oriented
• “Think like a crook” approach (focus on IC weaknesses)
• Focus on exceptions, oddities, and patterns of conduct
12. Financial Auditing vs. Fraud Auditing
Financial Auditing
• Emphasis on materiality
• Logical accounting and auditing background
• Internal/external auditors are credited with finding about 4% to 20% of uncovered fraud
Fraud Auditing
• “Where there’s smoke, there’s fire.”
• Illogical, behavioral: motive, opportunity, integrity
• Fraud examiners’ rate is much higher because fraud auditors are only called in when fraud is known or highly suspected
13. Types of Frauds
• Management frauds
• Direct illegal acts
• Employee frauds
• White-collar crimes
• Corruption and bribery
• Cyber/Net frauds
• Cyber terrorism
• InfoTech warfare
14. Forensic Audit should ensure that it is –
• A means to an end
• A guide to decision making
• Enables improvement of society
• Empowers decision makers with state-of-the-art verifiable inputs
• Enables enactment of effective laws
• Promotes effective delivery of justice in accordance with the canons and tenets
Cyber security & Cyber forensics seminar CSI-IETE, March 28, 2009
15. Tools & Technologies
• Database, machine learning, neural networks, data visualization, statistics, distributed data mining
• Certified tools & proprietary tools
• Natural methods of evidence collection: built-in tools
• Centralized vs. decentralized & distributed
• Communication & network technologies: wired, wireless, mobile, Web & Internet
Investigative Data Mining and Problems in Fraud Detection
• Definitions
• Technical and practical problems
• Existing fraud detection methods
  – Widely used methods
• The Crime Detection Method
  – Comparisons with Minority Report
  – Classifiers as Precogs
  – Combining Output as Integration Mechanisms
  – Cluster Detection as Analytical Machinery
  – Visualization Techniques as Visual Symbols
16. Implementing the Crime Detection System: Action Components
Preparation components
• Investigation objectives
• Collected data
• Preparation of collected data to achieve the objectives
Action components
• Which experiments generate the best predictions?
• Which is the best insight?
• How can the new models and insights be deployed within an organization?
17. Fraud Detection Problems: Technical & Practical
Technical
• Imperfect data
  – Usually not collected for data mining
  – Inaccurate, incomplete, and irrelevant data attributes
• Highly skewed data
  – Many more legitimate than fraudulent examples
  – Higher chance of over-fitting
• Black-box predictions
  – Numerical outputs incomprehensible to people
  – Predictive accuracy is useless for skewed data sets
Practical
• Great variety of fraud scenarios over time
  – Soft fraud: cost of investigation > cost of fraud
  – Hard fraud: circumvents anti-fraud measures
• Lack of domain knowledge
  – Important attributes, likely relationships, and known patterns
  – Three types of fraud offenders and their modus operandi
• Assessing data mining potential
18. Widely Used Methods in Fraud Detection
• Insurance fraud
  – Cluster detection -> decision tree induction -> domain knowledge, statistical summaries, and visualisations
  – Special case: neural network classification -> cluster detection
• Credit card fraud
  – Decision tree and naive Bayesian classification -> stacking
• Telecommunications fraud
  – Cluster detection -> scores and rules
19. The Crime Detection Method
Comparisons with Minority Report
• Precogs
– Foresee and prevent crime
– Each precog contains multiple classifiers
• Integration Mechanisms
– Combine predictions
• Analytical Machinery
– Record, study, compare, and represent predictions in simple terms
– Single “computer”
• Visual Symbols
– Explain the final predictions
– Graphical visualizations, numerical scores, and descriptive rules
20. Classifiers as Precogs
• Precog One: Naive Bayesian Classifiers
  – Statistical paradigm
  – Simple and fast
  – Redundant and not normally distributed attributes*
• Precog Two: Classifiers
  – Computer metaphor
  – Explain patterns and quite fast
  – Scalability and efficiency
• Precog Three: Back-propagation Classifiers
  – Brain metaphor
  – Long training times and extensive parameter tuning*
21. Combining Output as Integration Mechanisms
• Cross Validation
– Divides training data into eleven data partitions
– Each data partition used for training, testing, and
evaluation once*
– Slightly better success rate
• Bagging
– Unweighted majority voting on each example or
instance
– Combine predictions from same algorithm or different
algorithms*
– Increases success rate
22. Combining Output as Integration Mechanisms
• Stacking
– Meta-classifier
– Base classifiers present predictions to metaclassifier
– Determines the most reliable classifiers
23. Cluster Detection as Analytical Machinery / Visualisation Techniques as Visual Symbols
• Analytical Machinery: Self-Organising Maps (SOM)
  – Cluster high-dimensional elements into simpler, low-dimensional maps
  – Automatically group similar instances together
  – Do not specify an easy-to-understand model*
• Visual Symbols: classification and clustering visualisations
  – Classification visualisation: confusion matrix, naive Bayesian visualisation
  – Clustering visualisation: column graph
24. The Crime Detection System: Preparation Component
Problem Understanding
– Determine investigation objectives
- Choose
- Explain
– Assess situation
- Available tools
- Available data set
- Cost model
– Determine data mining objectives
- Max hits/Min false alarms
– Produce project plan
- Time
- Tools
25. The Crime Detection System: Preparation Component
Data Understanding
– Describe data
– Explore data
  - Claim trends by month
  - Age of vehicles
  - Age of policy holder
– Verify data
  - Good data quality
  - Duplicate attributes, highly skewed attributes
26. The Crime Detection System: Preparation Component
Data Preparation
– Select data
  - All attributes except one are retained for analysis
– Clean data
  - Missing values replaced
  - Spelling mistakes corrected
– Format data
  - All characters converted to lowercase
  - Underscore symbol
– Construct data
  - Derived attributes
  - Numerical input
– Partition data
  - Data multiplication or oversampling
  - For example, 50/50 distribution
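Slides 20, 21 and 26 describe the naive Bayesian precog, bagging by unweighted majority vote, and oversampling the training partition to a 50/50 distribution. The following Python is an added example, not code from the original slides or from the work they summarise: it trains a categorical naive Bayes classifier with Laplace smoothing on constructed insurance-claim records, rebalances each bootstrap sample to 50/50, and combines five such classifiers by majority vote. The attribute names and the weights that give the fraudulent class its profile are invented for the demonstration, and the confusion-matrix counts it returns are the "classification visualisation" of slide 23 in its plainest form.

```python
import random
from collections import Counter

ATTRS = ["vehicle_age", "policy_age", "witness", "claim_size"]


def make_claims(n=600, fraud_rate=0.05, seed=3):
    """Constructed, highly skewed claim records (about 5% fraud). The weights are
    invented so that fraud skews to old vehicles, new policies, no witness, large claims."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        fraud = rng.random() < fraud_rate
        rows.append({
            "vehicle_age": rng.choices(["new", "mid", "old"], [1, 2, 5] if fraud else [3, 4, 2])[0],
            "policy_age": rng.choices(["lt1y", "1to5y", "gt5y"], [5, 2, 1] if fraud else [2, 4, 3])[0],
            "witness": rng.choices(["yes", "no"], [1, 4] if fraud else [3, 2])[0],
            "claim_size": rng.choices(["small", "medium", "large"], [1, 2, 4] if fraud else [4, 3, 1])[0],
            "fraud": int(fraud),
        })
    return rows


class NaiveBayes:
    """Precog One: categorical naive Bayes with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, rows):
        self.n = len(rows)
        self.class_count = Counter(r["fraud"] for r in rows)
        self.counts = {c: {a: Counter() for a in ATTRS} for c in (0, 1)}
        self.values = {a: set() for a in ATTRS}
        for r in rows:
            for a in ATTRS:
                self.counts[r["fraud"]][a][r[a]] += 1
                self.values[a].add(r[a])
        return self

    def score(self, row):
        """P(fraud | attributes): a numerical output that still needs a threshold."""
        post = {}
        for c in (0, 1):
            p = self.class_count[c] / self.n
            for a in ATTRS:
                k = len(self.values[a])
                p *= (self.counts[c][a][row[a]] + self.alpha) / (self.class_count[c] + self.alpha * k)
            post[c] = p
        return post[1] / (post[0] + post[1])


def oversample(rows, rng):
    """Partition step of slide 26: duplicate fraud examples until the split is 50/50."""
    fraud = [r for r in rows if r["fraud"]]
    legit = [r for r in rows if not r["fraud"]]
    if not fraud:
        return rows
    return legit + [rng.choice(fraud) for _ in range(len(legit))]


def train_bagged(rows, n_models=5, seed=11):
    """Bagging: each precog is trained on its own bootstrap sample, rebalanced to 50/50."""
    rng = random.Random(seed)
    models = []
    for _ in range(n_models):
        boot = [rng.choice(rows) for _ in rows]
        models.append(NaiveBayes().fit(oversample(boot, rng)))
    return models


def majority_vote(models, row, threshold=0.5):
    """Unweighted majority voting on a single instance."""
    votes = sum(m.score(row) >= threshold for m in models)
    return int(2 * votes > len(models))


def confusion(predict, rows):
    """Confusion-matrix counts: tp/fp/tn/fn over the given rows."""
    cm = Counter()
    for r in rows:
        guess = predict(r)
        cm[("tp" if r["fraud"] else "fp") if guess else ("fn" if r["fraud"] else "tn")] += 1
    return dict(cm)


def demo():
    rows = make_claims()
    train, test = rows[:400], rows[400:]
    single = NaiveBayes().fit(oversample(train, random.Random(1)))
    bagged = train_bagged(train)
    cm_single = confusion(lambda r: int(single.score(r) >= 0.5), test)
    cm_bagged = confusion(lambda r: majority_vote(bagged, r), test)
    return cm_single, cm_bagged


if __name__ == "__main__":
    cm_single, cm_bagged = demo()
    print("single naive Bayes:", cm_single)
    print("bagged (5 votes):  ", cm_bagged)
```

The 50/50 rebalancing is what stops the prior from swamping the evidence: trained on the raw 5% distribution, the same classifier would need a far lower threshold before it flagged anything. Note that the rebalanced model's score is no longer a calibrated probability for the real population, which is one reason the threshold has to be chosen with a cost model rather than fixed at 0.5.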
28. Deployment
– Plan deployment
  - Manage geographically distributed databases using distributed data mining
  - Take time into account
– Plan monitoring and maintenance
  - Determined by the rate of change in the external environment and organisational requirements
  - Rebuild models when cost savings fall below a certain percentage of the maximum cost savings possible
29.
• New Crime Detection Method
• Crime Detection System
• Cost Model
• Visualisations
• Statistics
• Score-based Feature
• Extensive Literature Review
• In-depth Analysis of Algorithms
30.
• Imperfect data
  – Statistical evaluation and confidence intervals
  – Preparation component of the crime detection system
  – Derived attributes
  – Cross validation
• Highly skewed data
  – Partitioned data with the most appropriate distribution
  – Cost model
• Black-box predictions
  – Classification and clustering visualisation
  – Sorted scores and predefined thresholds, rules
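Slide 17 states that predictive accuracy is useless on skewed data, and slides 24 and 30 answer with a cost model (max hits / min false alarms) and sorted scores against predefined thresholds. The following Python is an added example, not from the original deck: it generates synthetic scores and labels for a 2% fraud population, shows that the classifier which flags nothing scores about 98% accuracy while costing the most, sweeps the sorted scores for the cheapest threshold, and shows the "soft fraud" case of slide 17, where an investigation costs more than the fraud it would catch and flagging nothing is genuinely the cheapest policy. The investigation and payout figures are hypothetical.

```python
import random


def make_scores(n=1000, fraud_rate=0.02, seed=7):
    """Constructed sample: one fraud score in (0, 1) per claim plus its true label
    (1 = fraud). Fraud scores are drawn higher on average but the two classes
    overlap, as the output of any real classifier would."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        fraud = rng.random() < fraud_rate
        score = rng.betavariate(5, 2) if fraud else rng.betavariate(2, 5)
        data.append((score, int(fraud)))
    return data


def confusion(data, threshold):
    """Flag every claim whose score reaches the threshold; return (tp, fp, tn, fn)."""
    tp = fp = tn = fn = 0
    for score, label in data:
        flagged = score >= threshold
        if flagged and label:
            tp += 1
        elif flagged:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def accuracy(cm):
    tp, fp, tn, fn = cm
    return (tp + tn) / (tp + fp + tn + fn)


def total_cost(cm, investigate=50.0, missed=2000.0):
    """Cost model with hypothetical figures: every flagged claim costs an
    investigation, every missed fraud costs the payout. A hit still pays for
    its investigation but avoids the payout."""
    tp, fp, tn, fn = cm
    return (tp + fp) * investigate + fn * missed


def best_threshold(data, investigate=50.0, missed=2000.0):
    """Sort the scores, sweep each distinct value as a threshold, keep the cheapest."""
    candidates = sorted({round(s, 2) for s, _ in data} | {1.0})
    return min(candidates, key=lambda t: total_cost(confusion(data, t), investigate, missed))


def demo():
    data = make_scores()
    never = confusion(data, 1.0)            # the classifier that flags nothing
    t = best_threshold(data)
    best = confusion(data, t)
    # Soft fraud: a missed fraud costs less than an investigation, so the
    # cost-optimal threshold should flag no claims at all.
    soft = confusion(data, best_threshold(data, missed=30.0))
    return {
        "never_flag": {"accuracy": accuracy(never), "cost": total_cost(never)},
        "best_threshold": t,
        "at_best": {"accuracy": accuracy(best), "cost": total_cost(best),
                    "hits": best[0], "false_alarms": best[1]},
        "soft_fraud_flags": soft[0] + soft[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cheapest threshold accepts many more false alarms than the "never flag" policy and therefore reports a worse accuracy, which is exactly why accuracy is the wrong yardstick here: the cost model turns "max hits / min false alarms" into a single number that can be compared across thresholds, across classifiers, and, when the model drifts, across time (the rebuild trigger of slide 28).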
31.
• Lack of domain knowledge
  – Action component of the crime detection system
  – Extensive literature review
• Great variety of fraud scenarios over time
  – SOM (Self-Organising Map)
  – Crime detection method
  – Choice of algorithms
• Assessing data mining potential
  – Quality and quantity of data
  – Cost model
  – z-scores
32. Open for Interaction?
FOR FURTHER INFORMATION PLEASE CONTACT:
E-mail: ksdir@nic.in; ks@eissa.org; ksmanian@ignou.ac.in; ksmanian48@gmail.com
Tel: 91-11-29533068
Fax: 91-11-29533068
ACIIL, Block &, Room 16, Maidan Garhi, IGNOU, New Delhi-110068