Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of Technology.

Using Identity Credential Usage Logs to Detect Anomalous Service Accesses
Daisuke Mashima, Dr. Mustaque Ahamad
College of Computing, Georgia Institute of Technology, Atlanta, GA, USA
ACM DIM 2009, Chicago, IL, 2009

2 Increasing Risk of Identity Theft
Variety of online identity credentials
– Passwords, certificates, SSN, credit card number, etc.
– Loss and theft are possible and common
Consequence of online identity theft
– Impersonation
– Disclosure of sensitive information
– Financial loss

3 To counter such threats…
Online service providers are required to
– Analyze huge amounts of log records to identify suspicious service accesses
– Investigate identified records extensively
In reality…
– Significant reliance on human experts
– Not processed on a real-time basis
An automated mechanism to monitor identity usage (service accesses) is desired.

4 Outline
Observations from real data sets
Our approach
Anomaly-based risk scoring scheme
Preliminary evaluation
Conclusion / Future Work

5 Buzzport Access Log

6 Contain only
– (Anonymized) User ID
– Login timestamp
– Logout timestamp
(Figure: five sample records in the form "user ID, login timestamp, logout timestamp" with dd/mm/yyyy hh:mm:ss timestamps; the IDs and parts of the timestamps did not survive extraction.)

7 Another data set
Log records of the portal of an online trading company
The following items are available:
– User ID
– Coarse Action Type (Login / Logout)
– Timestamp
– IP Address
– Organization Name
– etc.

8 Observations and Considerations
Available information is quite limited.
– Typical fraud detection systems rely on much richer information
Data are not labeled.
– Supervised techniques are not applicable.
Only limited types of events can be observed.
– Schemes relying on event sequences or state transitions have limited applicability.

9 Our Approach
Utilize attributes derived from an individual identity usage record
– Timestamp (day-of-week etc.), IP address, etc.
– Focus on categorical attributes
Build a user profile based on the occurrence frequency of each attribute value
Determine risk scores based on the frequency information

10 User Profile Management
Defined as a frequency distribution of attribute values (categories)
– One profile for one attribute
– Multiple profiles can be defined per user: day-of-week profile, hour-of-day profile, and so forth…
Updated upon receipt of each log record
– Simply increment the occurrence counters corresponding to the attribute values in the record
Data aging can be easily implemented
– Periodically multiply all counters by some decay factor

11 Base Score and Weight
Base score represents how unlikely an observed user's access is.
– BaseScore = -log(RelativeFrequency)
Score weight quantifies the "effectiveness" of each attribute for profiling.
– When an attribute characterizes the user's identity usage pattern well, the value should be high.
How can we quantify it?

12 Score Weight
Use the "distance" between the frequency distribution and the uniform distribution as the weight
– Bhattacharyya Distance etc.
– Data aging is necessary.

13 Score Aggregation
Sub Scores (the product of a base score and the corresponding weight) are computed.
– A Sub Score is computed for each profile.
How can we combine Sub Scores?
– Pick the MAX of the Sub Scores
– Weighted sum of the Sub Scores
– Others?
(Figure: example Sub Scores 10, 8, 9, 9)

14 Setting of Experiments
Buzzport data set
Profiling attributes
– Week of month (5 categories)
– Day of week (7 categories)
– Hour of day (24 categories)
Scale Sub Scores into [0, 100)
Use the MAX of the 3 Sub Scores as output
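The scoring pipeline of slides 10 to 14 (per-attribute frequency profiles, BaseScore = -log(RelativeFrequency), Bhattacharyya distance to the uniform distribution as weight, MAX of the Sub Scores, decay-based aging), written out as an added example; this is my code, not the authors' prototype. The dd/mm/yyyy timestamp layout and the Laplace smoothing for never-seen categories are my assumptions, and the [0, 100) scaling step is omitted.

```python
import math
from collections import defaultdict
from datetime import datetime

# Profiling attributes from slide 14: (extractor, number of categories).
ATTRIBUTES = {
    "week_of_month": (lambda t: (t.day - 1) // 7, 5),
    "day_of_week": (lambda t: t.weekday(), 7),
    "hour_of_day": (lambda t: t.hour, 24),
}

def parse_ts(s):
    # dd/mm/YYYY HH:MM:SS, the layout assumed for the Buzzport excerpt
    return datetime.strptime(s, "%d/%m/%Y %H:%M:%S")

class UserProfile:
    def __init__(self):
        # one frequency table (occurrence counters) per attribute
        self.counts = {a: defaultdict(float) for a in ATTRIBUTES}

    def update(self, ts):
        # slide 10: increment the counter of each attribute value in the record
        for name, (extract, _) in ATTRIBUTES.items():
            self.counts[name][extract(ts)] += 1.0

    def age(self, decay=0.5):
        # slide 10/16: data aging, multiply all counters by a decay factor
        for table in self.counts.values():
            for k in table:
                table[k] *= decay

    def weight(self, name):
        # slide 12: Bhattacharyya distance -ln(sum_k sqrt(p_k * q_k)) between the
        # profile p and the uniform distribution q; 0 when the profile is flat
        table, ncat = self.counts[name], ATTRIBUTES[name][1]
        total = sum(table.values())
        bc = sum(math.sqrt(c / total / ncat) for c in table.values())
        return -math.log(bc)

    def sub_scores(self, ts, smoothing=1.0):
        # slides 11/13: SubScore = BaseScore * weight, BaseScore = -log(RelFreq).
        # Laplace smoothing (my assumption) keeps an unseen category finite.
        scores = {}
        for name, (extract, ncat) in ATTRIBUTES.items():
            table = self.counts[name]
            total = sum(table.values())
            rel = (table.get(extract(ts), 0.0) + smoothing) / (total + smoothing * ncat)
            scores[name] = -math.log(rel) * self.weight(name)
        return scores

    def risk_score(self, ts):
        # slide 14: the record's risk score is the MAX of its Sub Scores
        return max(self.sub_scores(ts).values())
```

A profile that has only ever seen 09:00 logins gives a 02:00 login a hour-of-day Sub Score near 6.0 while the day and week Sub Scores stay below 0.3, so the MAX rule flags the hour; aging rescales the counters without changing the weights.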

15 Trends of Risk Scores

16 Trends of Risk Scores with Data Aging
Decay Factor = 0.5 is applied monthly.

17 False Positive / True Positive Analysis
Randomly pick 5 users with different access frequencies
Split each user's log records into two:
– Test data: last 1 month
– Training data: the rest
Analyze the False Positive rate using the same user's training data and test data
Analyze the True Positive rate using different users' data sets (a.k.a. Cross Profiling)

18 False Positive / True Positive Results
* Each user's threshold is determined based on the score range of the training data.

19 Time / Storage Cost
Measured on a Linux PC with an Intel Core 2 Duo E6600 and 3GB RAM
Average time per record: 5ms
– Good enough for real-time processing
Storage space per user: 1.4KB
– Potential to accommodate a large number of users

20 Conclusion
Defined design principles for risk scoring based on identity usage logs
Proposed a way to compute anomaly-based risk scores on a real-time basis
Presented a prototype system using timestamp information and showed that it has reasonably good accuracy

21 Future Work
Investigate other attributes (e.g. location)
Conduct detailed experiments
– Evaluate with other data sets
– Find the optimum configuration
Integrate into other security mechanisms

22 Questions? Thank you very much.