Intrusion and fraud detection

Post on 13-Nov-2014


Slide 1

Intrusion and Fraud Detection

Presentation at SWITS-IV, Vadstena, June 7-8 2004

Håkan Kvarnström
Department of Computer Engineering
Chalmers University of Technology

URL: http://www.ce.chalmers.se/staff/hkv

Slide 2

Outline

• Why do we need IDS/FDS?
• Security countermeasures
• Definitions
• History of fraud
• How do we detect intrusions and fraud?
• Detection mechanisms
• IDS vs. FDS
• Attacks against IDS/FDS
• A fraud detection example
• Some results from my own research
• Problems to be solved

Time: approx. 50 minutes

Slide 3

Intrusion and fraud detection

• Automated analysis of events to detect intrusion and fraud

Figure by Ulf Lindqvist

Slide 4

Similar to a burglar alarm

• Intrusion and fraud detection complements preventive mechanisms such as firewalls and OS security.

Figure (by Ulf Lindqvist) with the labels Alarm and Preventive mechanisms

Slide 5

Why intrusion and fraud detection?

Figure labels: Prevention, Detection, Response, Recovery

• It is hard to design completely secure systems
• IDS/FDS have the capability to detect unauthorized use of information and resources
• Even authorized entities may become corrupt
• Offers early-warning capabilities

Slide 6

Security countermeasures

Figure (by Emilie Lundin Barse): the four stages Prevention, Detection, Response and Recovery drawn around the affected system. Labels on the figure: Attacks, Affected system, Preventive mechanisms, Detection, alarm, Active countermeasures, Recovery, Missed attacks, Undiscovered, Remaining attacks.

Slide 7

Detection capabilities

Figure by Ulf Lindqvist

Slide 8

IDS Trivia

Question: Is there at least one type of attack that an IDS cannot detect?

Answer: Passive attacks, such as decrypting/breaking an encrypted packet/stream

Slide 9

Definition of ”intrusion”

”An attack in which a vulnerability is exploited, resulting in a violation of the implicit or explicit security policy”

Slide 10

Definition of ”fraud”

”An intentional deception or misrepresentation that an individual knows to be false that results in some unauthorized benefit to himself or another person”

• The definition includes “insiders”
• “Fraud” can be seen as an application-specific form of “intrusion”

Slide 11

History of telecom fraud – Celebrities

• John Draper, 1972
  • Used a toy whistle (2600 Hz) from a box of Cap’n Crunch cereal to manipulate AT&T’s phone switches (Blue boxing). He was able to route new calls by signalling the phone system into ”operator mode”
• Kevin Poulsen, 1990
  • Won a Porsche 944 S2 by taking over all incoming phone lines going to LA radio station KIIS-FM. (102nd caller)
  • He continued to ”win”… A second Porsche, $22,000, two trips to Hawaii… … and 3 years in prison.

Slide 12

History lesson - Fraud

• Cell phone fraud
  • Eavesdropping. The NMT system did not use encryption.
  • Tumbling. Rapidly changing a cell phone’s serial number gave free access to the network. Was common in the US.
  • Cloning. Duplication of SIM cards and terminal serial numbers. The legitimate subscriber is billed for the services used.
  • Subscription fraud. Signing up for a subscription under a false name and address.
• Computer related fraud
  • Electronic banking and payment. Not so common… yet
  • Illegal downloading and distribution of digital content. Very common.
  • Phishing. Attackers trying to “fish” for private information. Mostly using spam as a vehicle.

Slide 13

Interesting reading

• P. Hoath. Telecoms fraud, the gory details. Computer Fraud & Security 20(1) 1998.

Slide 14

An intrusion/fraud detection system

Figure: the Target delivers raw data to a Collection function, which passes raw input events to a Decision function, which in turn drives a Response function. Annotations on the figure:
• Raw data: network packets (IP), application logs, OS logs
• Detection policy: a formalization of the security policy; rule-based or anomaly-based
• Response policy

Slide 15

Classification of fraudulent activities

Slide 16

Interesting reading

• H. Debar, M. Dacier and A. Wespi. Towards a Taxonomy of Intrusion Detection Systems. Computer Networks 31(8) 1999.

• L. R. Halme and K. R. Bauer. AINT misbehaving – a taxonomy of anti-intrusion techniques. Proceedings of the 18th National Information Systems Security Conference, 1995.

Slide 17

Rule based (signature) vs. anomaly based

Matrix of fraudulent behaviour (rows, known/unknown) against normal behaviour (columns, known/unknown):

                                Normal behaviour known              Normal behaviour unknown
Fraudulent behaviour known      • Well-known services               • New services
                                • Well-known fraud                  • Well-known fraud in similar services
Fraudulent behaviour unknown    • Well-known services               • New types of services
                                • New types of fraud                • New types of fraud

Labels on the matrix: Rule based IDS/FMS (the known-fraud row); Anomaly based IDS/FMS ? (the unknown-fraud row, marked with a question mark on the slide)

Slide 18

Detection mechanisms

• Signatures
• Visualization
• Thresholds
• Clustering and classification
• Statistical analysis
• Bayesian networks
• Neural networks
• Markov models

Figure: a Bayesian network with nodes A to I. Node labels on the slide: Domestic User, Commercial User, Low Income (C), Customer churn, Profile Change, ‘Hot’ Destinations, Revenue Loss, Propensity to Fraud, Bad Debt. Probability tables as printed (x denotes a don't-care parent value):

Pr{A} = 0.76, Pr{B} = 0.24, Pr{C} = 0.74
Pr{D|¬A} = 0.27, Pr{D|A} = 0.73
Pr{E|¬A,¬B,x} = 0.01, Pr{E|¬A,B,¬C} = 0.02, Pr{E|¬A,B,C} = 0.04, Pr{E|A,x,x} = 0.03
Pr{F|¬B,x} = 0.00, Pr{F|B,¬C} = 0.01, Pr{F|B,C} = 0.04
Pr{G|¬D,¬E} = 0.03, Pr{G|¬D,E} = 0.72, Pr{G|¬D,E} = 0.84, Pr{G|D,E} = 0.96
Pr{H|¬E} = 0.58, Pr{H|E} = 0.42
Pr{I|¬E,¬F} = 0.02, Pr{I|¬E,F} = 0.98, Pr{I|E,¬F} = 1, Pr{I|E,F} = 1
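The Bayesian network on this slide can be queried directly from its tables. The Python below is an added example, not material from the presentation: it reads the network structure off the conditional tables (A, B and C as roots; D given A; E given A, B, C; F given B, C; H given E; I given E, F), expands each don't-care x to both parent values, and answers queries by enumeration. Node G is left out because the G table as printed lists Pr{G|¬D,E} twice, so its row for D,¬E cannot be recovered; the queries chosen (Pr{D}, Pr{E}, Pr{E | I}) are the example's own.

```python
"""Bayesian-network inference by enumeration over the slide's probability tables.

Added example, not from the presentation. Nodes A..I are the slide's; G is
omitted because its table as printed is incomplete (see lead-in).
"""
from itertools import product

# Root priors: P(node = True).
PRIOR = {"A": 0.76, "B": 0.24, "C": 0.74}

# Conditional tables: node -> (parents, {parent values: P(node = True)}).
# A don't-care 'x' on the slide is expanded to both parent values here.
CPT = {
    "D": (("A",), {(False,): 0.27, (True,): 0.73}),
    "E": (("A", "B", "C"), {
        (False, False, False): 0.01, (False, False, True): 0.01,   # Pr{E|¬A,¬B,x}
        (False, True, False): 0.02,                                # Pr{E|¬A,B,¬C}
        (False, True, True): 0.04,                                 # Pr{E|¬A,B,C}
        (True, False, False): 0.03, (True, False, True): 0.03,     # Pr{E|A,x,x}
        (True, True, False): 0.03, (True, True, True): 0.03,
    }),
    "F": (("B", "C"), {
        (False, False): 0.00, (False, True): 0.00,                 # Pr{F|¬B,x}
        (True, False): 0.01, (True, True): 0.04,
    }),
    "H": (("E",), {(False,): 0.58, (True,): 0.42}),
    "I": (("E", "F"), {
        (False, False): 0.02, (False, True): 0.98,
        (True, False): 1.0, (True, True): 1.0,
    }),
}

NODES = ["A", "B", "C", "D", "E", "F", "H", "I"]   # topological order


def joint(assignment):
    """Probability of one full assignment: the product of each node's local term."""
    p = 1.0
    for node in NODES:
        if node in PRIOR:
            p_true = PRIOR[node]
        else:
            parents, table = CPT[node]
            p_true = table[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability(query, evidence=None):
    """P(query | evidence) for dicts of node -> bool, by summing the joint over
    every assignment consistent with the evidence (2^8 = 256 terms here)."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product([False, True], repeat=len(NODES)):
        assignment = dict(zip(NODES, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint(assignment)
        den += p
        if all(assignment[k] == v for k, v in query.items()):
            num += p
    return num / den


if __name__ == "__main__":
    print("Pr{D}     =", round(probability({"D": True}), 4))
    print("Pr{E}     =", round(probability({"E": True}), 4))
    # How much does observing I raise the belief in E?
    print("Pr{E | I} =", round(probability({"E": True}, {"I": True}), 4))
```

Enumeration is exponential in the number of nodes, which is fine for a nine-node fraud model but not for a large one; the point here is that the table values on the slide are enough to turn an observation such as I into a posterior on the node it depends on.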

Slide 19

Visualization

• Find patterns and deviating behavior
• Use the power of the brain!

Figure labels: Suspects, Premium Rate Services, Service Users

Slide 20

FDS vs. IDS

Telecom fraud management systems (FMS) compared with intrusion detection systems (IDS):

Input:
  FMS: • Call Detail Records (CDR): A-number, B-number, Duration, Call Path, Timestamps, … (>40 parameters)
  IDS: • OS and application log files • Network traffic

Detection:
  FMS: • Thresholds • Customer profiles
  IDS: • Signatures • Anomaly detection

Slide 21

FDS vs. IDS (continued)

Telecom fraud management systems (FMS) compared with intrusion detection systems (IDS):

Post processing:
  FMS: • Case building
  IDS: • Correlation of alarms

Response:
  FMS: • Identify fraud case • Many people involved in investigation process • Not interested in low-cost frauds
  IDS: • Identification of known attack or description of suspicious event, active response • Small resources for investigation -> limit number of alarms • Difficult to sort out “insignificant” attacks

Slide 22

Attacks against signature based IDS

• The IDS and the target system interpret the input data stream differently!
• Possible to avoid detection of an attack by crafting packets/data carefully

Figure: the string Raaa^h^h^hoot travels from Hacker to IDS to Target system; the IDS sees a harmless string, the target system sees root

Slide 23

Attacks against signature based IDS

• Insertion attack

Slide 24

Attacks against signature based IDS

• IP fragmentation reassembly behavior (overlaps)

Operating System    Overlap Behavior
Windows NT          Always favors old data
4.4BSD              Favors new data for forward overlap
Linux               Favors new data for forward overlap
Solaris 2.6         Always favors old data
HP-UX 9.01          Favors new data for forward overlap
Irix 5.3            Favors new data for forward overlap
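Slides 22 and 24 describe one problem from two angles: the detector and the target interpret the same byte stream differently. The Python below is an added example, not code from the presentation. It shows the defender's answer in both cases: normalise the backspace sequence before signature matching (the slide's Raaa^h^h^hoot string, with ^h taken as the 0x08 byte), and reassemble overlapping IP fragments under the overlap policy of the actual target operating system, taken from the table above, while flagging any overlap as ambiguous. The sample bytes, the fragment payloads and the simplification that the "favors new data for forward overlap" systems let the later fragment win on any overlap are the example's own assumptions.

```python
"""Normalisation before signature matching: backspace handling and IP fragment
reassembly under the target's overlap policy. Added example, not from the
presentation; sample bytes and fragments are constructed."""
import re

# Overlap policy per operating system, from the slide's table. "old": the
# fragment that arrived first keeps its bytes; "new": the later fragment wins.
# For the "favors new data for forward overlap" systems this example treats
# any overlap as a forward overlap, which holds for the constructed fragments.
OVERLAP_POLICY = {
    "Windows NT": "old", "Solaris 2.6": "old",
    "4.4BSD": "new", "Linux": "new", "HP-UX 9.01": "new", "Irix 5.3": "new",
}

SIGNATURE = re.compile(rb"root")

# Constructed input: the slide's Raaa^h^h^hoot, with ^h as the 0x08 byte.
BACKSPACE_SAMPLE = b"Raaa\x08\x08\x08oot"
# Constructed fragments (offset, payload) in arrival order; the second one
# starts inside the first and extends past its end (a forward overlap).
FRAGMENTS = [(0, b"root"), (1, b"aces")]


def apply_backspaces(data: bytes) -> bytes:
    """Interpret 0x08 the way the target's terminal does: erase the previous byte."""
    out = bytearray()
    for b in data:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def naive_match(data: bytes) -> bool:
    """Signature search on the raw bytes (case-insensitive)."""
    return SIGNATURE.search(data.lower()) is not None


def normalized_match(data: bytes) -> bool:
    """Signature search on what the target will actually see."""
    return naive_match(apply_backspaces(data))


def reassemble(fragments, policy: str) -> bytes:
    """Rebuild the datagram; `policy` decides which fragment wins on overlap."""
    buf = {}
    for offset, payload in fragments:
        for i, b in enumerate(payload):
            pos = offset + i
            if policy == "new" or pos not in buf:
                buf[pos] = b
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1)) if buf else b""


def has_overlap(fragments) -> bool:
    """True if any two fragments claim the same byte position."""
    seen = set()
    for offset, payload in fragments:
        span = set(range(offset, offset + len(payload)))
        if span & seen:
            return True
        seen |= span
    return False


def inspect_fragments(fragments, target_os: str) -> dict:
    """Reassemble the way the named target would, then match the signature;
    also report whether the stream was ambiguous so an operator can review it."""
    payload = reassemble(fragments, OVERLAP_POLICY[target_os])
    return {"payload": payload, "match": naive_match(payload),
            "ambiguous": has_overlap(fragments)}
```

With these fragments a detector that reassembles the Linux way sees "races" and stays quiet, while a Windows NT target sees "roots"; the overlap flag is what tells the operator that the two views could differ at all, which is the cheaper defence when the target's policy is not known.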

Slide 25

Attacks against anomaly based IDS

• Slow changes in user behavior can be hard to detect!
• Wait for a time-slot where an event would be considered “normal behavior”
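The mechanisms of slide 18 and the weakness named on this slide can be tied together in one runnable sketch. The Python below is an added example, not from the presentation; the log line format, the constructed order counts and the two profile models (a frozen mean/standard-deviation baseline beside an exponentially weighted one that keeps learning from what it scores) are assumptions. A one-line regex stands for the rule-based side; the anomaly side scores each day's order count as a z-score against a profile. A user whose daily count creeps up by one order a day is caught by the frozen profile but never by the adaptive one, which is the slow-change problem above; keeping a frozen reference profile next to the adaptive one is one mitigation.

```python
"""Signature (rule-based) vs. anomaly (profile-based) detection over constructed
log lines, with a frozen and an adaptive profile side by side. Added example."""
import re
from collections import Counter
from statistics import mean, pstdev

# Well-known fraud: a rule that fires on one line (the "known fraud" quadrant).
SIGNATURES = {"stolen_card": re.compile(r"event=order .*reason=stolen_card")}

LINE = re.compile(r"^(?P<date>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")


def signature_alerts(lines):
    """(line_no, signature_name) for every line that matches a known rule."""
    return [(i, name) for i, line in enumerate(lines)
            for name, rx in SIGNATURES.items() if rx.search(line)]


def daily_counts(lines, user, event):
    """Per-day count of `event` for `user`, in date order (missing days count 0)."""
    per_day, dates = Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        dates.add(m["date"])
        if m["user"] == user and m["event"] == event:
            per_day[m["date"]] += 1
    return [per_day[d] for d in sorted(dates)]


class StaticProfile:
    """Frozen baseline: mean and standard deviation learned once from a training window."""
    def __init__(self, baseline):
        self.mu, self.sigma = mean(baseline), pstdev(baseline) or 1.0

    def score(self, x):
        return (x - self.mu) / self.sigma


class AdaptiveProfile:
    """EWMA baseline that keeps learning from every observation it scores, so a
    user who changes slowly drags the baseline along with them."""
    def __init__(self, baseline, alpha=0.5):
        self.mu, self.var, self.alpha = mean(baseline), pstdev(baseline) ** 2 or 1.0, alpha

    def score(self, x):
        z = (x - self.mu) / self.var ** 0.5
        delta = x - self.mu
        self.mu += self.alpha * delta
        self.var = (1 - self.alpha) * self.var + self.alpha * delta ** 2
        return z


def anomaly_alerts(counts, profile, threshold=3.0):
    """(day_index, count, z) for every day whose z-score exceeds the threshold."""
    alerts = []
    for i, x in enumerate(counts):
        z = profile.score(x)
        if z > threshold:
            alerts.append((i, x, round(z, 2)))
    return alerts


# Constructed sample: 7 baseline days of 2-3 orders, then a ramp of +1 per day.
BASELINE = [2, 3, 2, 3, 2, 3, 2]
RAMP = [3, 4, 5, 6, 7, 8, 9, 10]


def build_log():
    """Constructed log lines: mallory's orders per day plus one known-fraud line."""
    lines = []
    for day, n in enumerate(BASELINE + RAMP, start=1):
        lines.extend(f"2004-06-{day:02d} user=mallory event=order status=ok" for _ in range(n))
    lines.insert(3, "2004-06-01 user=bob event=order status=fail reason=stolen_card")
    return lines


def compare(lines):
    """Run the rule and both profiles; train on the first 7 days, score the rest."""
    counts = daily_counts(lines, "mallory", "order")
    train, live = counts[:7], counts[7:]
    return {"signature": signature_alerts(lines),
            "static": anomaly_alerts(live, StaticProfile(train)),
            "adaptive": anomaly_alerts(live, AdaptiveProfile(train))}


if __name__ == "__main__":
    for name, alerts in compare(build_log()).items():
        print(f"{name:9s} {alerts}")
```

The adaptive profile's z-score peaks at about 2.4 on the day with four orders and then falls as the baseline catches up, so it never crosses 3; the frozen profile fires from that day on. In practice the frozen profile is retrained on a schedule after review rather than on every observation.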

Slide 26

Interesting reading

• T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.

• M. Handley, V. Paxson and C. Kreibich. Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. USENIX Security Symposium 2001.

• D. Wagner and P. Soto. Mimicry attacks on host based intrusion detection systems. Proceedings of the Ninth ACM Conference on Computer and Communications Security, 2002.

Slide 27

FDS - Video-on-demand example

• Log data:
  • Set-top box logins
  • Movie orders
  • Delivery notifications
  • Router statistics per IP address
  • DHCP requests

Figure: User, Internet and Provider, with the provider side holding a DHCP server, router, video-on-demand server, application server and database

Slide 28

Neural network detector

• Neural network
• One net per fraud type
• 7 input nodes
  1. Sum of successful login attempts
  2. Sum of failed login attempts
  3. Sum of successful movie orders
  4. Sum of failed movie orders
  5. Sum of movie delivery notifications
  6. Sum of billing notifications
  7. Upload/download ratio
• 1 output node: likelihood (0-1) of fraud
• An exponential trace memory was used to model temporal sequences of input

Figure: network diagram with input nodes 1 to 7
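The input vector described on this slide has to be built from the raw log sources listed on slide 27. The Python below is an added example, not the presentation's code: the event tuple format, the sample events and the trace form m_t = x_t + μ·m_{t-1} are assumptions, since the slide names an exponential trace memory but gives no formula. What it shows is that a burst of failed logins keeps contributing to the network's input for several days after it stops, decaying geometrically, so a net trained on these vectors sees the recent past, not only the current day.

```python
"""Build the 7-node input vector per day from raw VoD events and apply an
exponential trace memory. Added example; event format and trace formula are
assumptions (see the lead-in)."""
from collections import defaultdict

# Order of the six count nodes on the slide; the ratio is the seventh node.
FEATURES = ["login_ok", "login_fail", "order_ok", "order_fail", "delivery", "billing"]

# Constructed sample events: (day, kind, value). Count events carry value 1;
# "upload"/"download" carry a byte count used for the upload/download ratio.
EVENTS = [
    (1, "login_ok", 1), (1, "order_ok", 1), (1, "delivery", 1), (1, "billing", 1),
    (1, "download", 4000), (1, "upload", 200),
    (2, "login_fail", 1), (2, "login_fail", 1), (2, "login_fail", 1),
    (2, "login_fail", 1), (2, "login_fail", 1), (2, "login_ok", 1),
    (2, "download", 1000), (2, "upload", 1000),
    (3, "login_ok", 1), (3, "download", 2000), (3, "upload", 100),
    (4, "login_ok", 1), (4, "download", 2000), (4, "upload", 100),
]


def daily_vectors(events):
    """Day-ordered list of 7-element input vectors (six sums and the ratio)."""
    counts = defaultdict(lambda: [0.0] * len(FEATURES))
    traffic = defaultdict(lambda: [0.0, 0.0])  # [upload, download] bytes per day
    for day, kind, value in events:
        if kind in FEATURES:
            counts[day][FEATURES.index(kind)] += value
        elif kind == "upload":
            traffic[day][0] += value
        elif kind == "download":
            traffic[day][1] += value
    vectors = []
    for day in sorted(set(counts) | set(traffic)):
        up, down = traffic[day]
        ratio = up / down if down else 0.0   # no downloads: ratio reported as 0
        vectors.append(counts[day] + [ratio])
    return vectors


def trace_memory(vectors, mu=0.5):
    """m_t = x_t + mu * m_{t-1}, element-wise; mu in [0, 1) sets how fast the
    memory of earlier days fades. m_0 is the zero vector."""
    m = [0.0] * 7
    out = []
    for x in vectors:
        m = [xi + mu * mi for xi, mi in zip(x, m)]
        out.append(m)
    return out


def network_inputs(events, mu=0.5):
    """Day-ordered trace-memory vectors, ready to feed one net per fraud type."""
    return trace_memory(daily_vectors(events), mu)


if __name__ == "__main__":
    for day, vec in enumerate(network_inputs(EVENTS), start=1):
        print(day, [round(v, 3) for v in vec])
```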

Slide 29

Synthetic data generation (Papers B, C)

Figure: Data collection (1) produces authentic data; Data analysis (2) produces statistics; Profile generation (3) produces user profiles; User and attack modelling (4) and System modelling (5) feed Data generation, which consists of a User simulator, an Attacker simulator and a Target system simulator.

1. Collection of log data from real users
2. Analyze collected data (statistics)
3. Create profiles
4. Model users and attackers
5. Model the target systems

Slide 30

Training and detection tests (authentic data vs. synthetic data)

Four plots of fraud likelihood (y-axis, 0 to 1.2) against days since epoch (x-axis):
• Detection results - Billing fraud in authentic data (curves: Detected Fraud, Actual Fraud)
• Detection results - Billing fraud in synthetic data (curves: Detected Fraud, Fraudulent period; billing fraud)
• Detection results - Breakin fraud in authentic data (curves: Detected Fraud, Actual Fraud)
• Detection results - Breakin fraud in synthetic data (curves: Detected Fraud, Fraudulent period; break-in fraud)

Slide 31

Confidentiality issues in different architectures

Figure: a matrix of confidentiality of the detection policy (Low/High, horizontal) against confidentiality of input events (Low/High, vertical). Each cell places data collection (D) and analysis (A) inside or outside a security domain; legend: D = Data collection, A = Analysis, box = Security domain. One cell's analysis is marked "A?" and labelled "Our research problem!"

Slide 32

Detection policy protection

♦ A mechanism for protecting the confidentiality of security policies, such as:
  ♦ A detection policy in an IDS
  ♦ A filtering policy in a firewall
  ♦ …
♦ We do this by encoding the policy as a finite state machine (DFA) which then is obfuscated using one-way functions

Slide 33

Why is this useful?

♦ Heavily distributed intrusion detection architectures impose a threat on the target systems
♦ Parts of the detection policy need to be confidential to prevent disclosure of target-specific weaknesses and oddities.
♦ Loss of confidentiality is irreversible. Loss of availability is not!

Deploying IDS in highly distributed environments may result in a vast number of entities having knowledge about the policy. Hence we need security mechanisms to allow distribution of policies without risk of compromising their confidentiality.

Figure: IDS example

Slide 34

Benefits to an IDS

♦ An intruder can learn only what he can observe
♦ Exhaustive search is possible, but computationally intractable for reasonably sized input data.
♦ Prevents reverse engineering of the detection system
  ♦ Does the hacker community know about attack XYZ?
  ♦ A conventional IDS would reveal XYZ if confidentiality is broken
♦ The knowledge of the attack is the key to unlocking the policy

Slide 35

Some related techniques

♦ Prevention against reverse engineering
  ♦ Sander & Tschudin (1998, 1999): Encrypted evaluation of polynomial functions
  ♦ Barak et al. (2001): Showed the (im)possibility of achieving program obfuscation
♦ Policy encryption
  ♦ Neumann (1995): NIDES
♦ Secure multi-party computation
  ♦ Goldreich et al. (1987): How to play any mental game

Slide 36

How does it work?

♦ A set of valid state machines is hidden in a possibly large and random state space
♦ Transitions to the next state are controlled by:
  ♦ The current state
  ♦ The recursive sum of previous inputs (using a one-way function)
♦ Only the knowledge of the correct sequence of inputs will result in the traversal of a valid state machine
♦ A state matrix is used to hold the transition functions

Slide 37

Simple state machine

$L(M) = \{\, x \in \Sigma^* \mid ABBA \text{ is a substring of } x \,\}$

Slide 38

Traversal

X1 = 32, X2 = 226, X3 = 114, X4 = 43, X5 = 93, X6 = 148, X7 = 7, X8 = 148, X9 = 12

Slide 39

The state-matrix

Slide 40

Calculating the state-matrix

The state value is a function of the current and all previous input

The state value is a random number
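Slides 36 to 40 describe the construction in prose. The Python below is an added example, not the author's implementation: the concrete scheme (a random 32-byte value per DFA state, SHA-256 as the one-way function, table keys derived from the current state value and the input symbol, next-state values masked with a second hash, and random decoy rows padding the table) is an assumption modelled on that description. It encodes the slide's machine for strings containing ABBA and checks that the obfuscated table answers the same membership questions as the plain DFA. The caveat from slide 34 applies: the start value is public, so with a two-symbol alphabet the table can be walked by trying both symbols at each step; the protection relies on an input space large enough that such a search is impractical.

```python
"""Policy protection by hiding a DFA's transition function behind one-way
functions. Added example modelled on the slides' description; the concrete
construction is an assumption, not the author's scheme."""
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    """One-way function (SHA-256 over length-prefixed parts) used both for
    table keys and for the mask that hides the next-state value."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Plain DFA for L(M) = { x in {A,B}* | ABBA is a substring of x }, the slide's machine.
SUBSTRING_ABBA = {
    "states": ["q0", "q1", "q2", "q3", "q4"], "start": "q0", "accept": {"q4"},
    "delta": {("q0", "A"): "q1", ("q0", "B"): "q0", ("q1", "A"): "q1", ("q1", "B"): "q2",
              ("q2", "A"): "q1", ("q2", "B"): "q3", ("q3", "A"): "q4", ("q3", "B"): "q0",
              ("q4", "A"): "q4", ("q4", "B"): "q4"},
}


def plain_run(dfa, text: str) -> bool:
    """Reference: run the un-obfuscated DFA."""
    q = dfa["start"]
    for sym in text:
        if (q, sym) not in dfa["delta"]:
            return False
        q = dfa["delta"][(q, sym)]
    return q in dfa["accept"]


class ObfuscatedDFA:
    """Holds only the start value, the state matrix (hash -> masked value) and
    hashed accept tags; state names and the policy itself are not present."""
    def __init__(self, start_value, table, accept_tags):
        self.start_value, self.table, self.accept_tags = start_value, table, accept_tags

    def run(self, text: str) -> bool:
        """Each step's key depends on the current value, which itself depends on
        every earlier input, so only the right input sequence stays on the
        valid machine; any other symbol finds no row and the machine is dead."""
        value = self.start_value
        for sym in text:
            key = H(b"key", value, sym.encode())
            if key not in self.table:
                return False
            value = xor(self.table[key], H(b"mask", value, sym.encode()))
        return H(b"accept", value) in self.accept_tags


def obfuscate(dfa, decoys: int = 1000) -> ObfuscatedDFA:
    """Assign each state a random value and fill the state matrix; decoy rows
    make the real transitions indistinguishable from random ones."""
    values = {q: secrets.token_bytes(32) for q in dfa["states"]}
    table = {}
    for (q, sym), q2 in dfa["delta"].items():
        cur, nxt = values[q], values[q2]
        table[H(b"key", cur, sym.encode())] = xor(nxt, H(b"mask", cur, sym.encode()))
    for _ in range(decoys):
        table[secrets.token_bytes(32)] = secrets.token_bytes(32)
    accept_tags = {H(b"accept", values[q]) for q in dfa["accept"]}
    return ObfuscatedDFA(values[dfa["start"]], table, accept_tags)


OBFUSCATED = obfuscate(SUBSTRING_ABBA)


def matches(text: str) -> bool:
    """Membership test using only the obfuscated table."""
    return OBFUSCATED.run(text)


if __name__ == "__main__":
    for s in ["BABBAB", "ABAB", "AABBA", "ABBB"]:
        print(s, matches(s), plain_run(SUBSTRING_ABBA, s))
```

The table holds 10 real rows among 1000 decoys, and nothing in it names a state or a symbol; what it leaks is the alphabet size and the number of rows, which is why the slides speak of a large random state space rather than a minimal one.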

Slide 41

Some problems to be solved…

• Find a correlation between log data and the attacks that can be found
  • What should we log?
• How to design a detection system that combines the advantages of signature-based and anomaly-based systems
  • Fewer false alarms and the capability to find new attacks
• Efficient and reliable correlation of event sources and alarms
• Reduce the false alarm rate
• Automated “risk analysis”
• Understanding advanced attack scenarios
• How can we ensure user privacy?
  • A conflict between the user’s privacy and the system owner’s interest in identifying “bad guys”
• How can we provide a tighter integration with other countermeasures?
  • Response and recovery is still a highly manual process

Slide 42

Recent dissertations and licentiate theses

• Jaakko Hollmén. User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis 2000, Helsinki University of Technology.

• Dan Gorton. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance. Licentiate thesis 2003, Chalmers University of Technology.

• Håkan Kvarnström. On the Implementation and Protection of Fraud Detection Systems. PhD thesis 2004, Chalmers University of Technology.

Soon in a library near you…
• Emilie Lundin Barse. Logging for Intrusion and Fraud Detection. PhD thesis 2004, Chalmers University of Technology.

Slide 43

Contact info

Håkan Kvarnström
URL: http://ww.ce.chalmers.se/staff/hkv
Mail: hakan.kvarnstrom@teliasonera.com

Chalmers Computer Security Group:
URL: http://www.ce.chalmers.se/research/Security
