Combating Computer Crime: why it's hard George Mohay Information Security Institute Queensland University of Technology April 2009
Agenda • Introduction – trends in computer crime • The Information Age and Real Virtuality • The Nature of Cybercrime • Digital and Network Forensics • Challenges • QUT research projects
Introduction – trends in computer crime It's increasing – and increasingly the threats are: • From external sources • For financial gain • Organized • Ideologically or politically motivated
e.g., ShadowCrew and Operation Firewall • ‘Moderators’ hosted online forums, members could share tips for making fake IDs or ask questions about creating credible phishing e-mail • Below them were ‘reviewers’ who vetted stolen information such as credit-card numbers for quality and value • The largest group, the ‘vendors’, sold the goods to other gang members, often in online auctions. Speed was essential, since credit-card numbers had to be used quickly before they were cancelled.
“The Information Age: Economy, Society and Culture” Manuel Castells’ celebrated trilogy (2nd Ed, 2000) - a sociologist’s bible for the 21st century (Van Dijk on Castells) The 60s and 70s have resulted in: • the “network society” (Castells’ “the Net” ) • “networked forms of organisation replacing hierarchies as the dominant form of social organization” (Wikipedia) • a global information economy • a culture of “real virtuality” - “… a system in which reality itself is entirely captured … in a virtual image setting … in which appearances are not just on the screen, through which experience is communicated, but they become the experience” (Castells)
So … how has the ‘Information Age’ and Real Virtuality transformed criminal behaviour? • “Cybercrime: The Transformation of Crime in the Information Age” by David S Wall • Particular transformations that affect criminal opportunity are, after Castells: • the growth in networking through the convergence of technologies • the importance of informational transfer and brokering (acquisition of information but also dataveillance through data mining)* • globalization
New forms of old crimes and new crimes • New forms of old crimes • Inexorable trend to cyber-physical systems • many and varied • Theft, sabotage, privacy violations, extortion, … • New crimes • Attacks on computers and networks, new by definition • “Armaments Sales” – the underground economy • Scareware • Phishing – but really a new form of an old crime … • And many more, grey areas … e.g., money laundering (ML), …
Transnational Crime • The Internet is transnational, law enforcement and legal jurisdictions are national • Detecting CC can be difficult • Investigating CC can be difficult • Prosecuting CC can be difficult • New opportunities for CC arise - can be new forms of old crime or new crime e.g., money laundering
Computer Crime/Cybercrime - Some of the problems • CC inconsistently reported (Wall) • CC under-reported (Wall) • CC is transnational but harmonization is slow (Li) … • consensus on CC criminal law has not been achieved • a critical challenge relates to extradition and the double criminality requirement • Participation level of countries in the CoE Convention on Cybercrime is relatively limited
We need to define CC • need to better understand the nature and extent of the problem that cybercrime poses to developed and developing economies • UK All Party Internet Group in May 2004 when it reviewed the Computer Misuse Act 1990: 'The first thing we have to do is find out the extent of the problem … get the crimes recorded.' (APIG chairman Derek Wyatt, cited by Broersma, 2004) • but what do you record? Reporting on crimes meaningfully needs clear, consistent definitions.
WIP at QUT: a complete classification of CC needs ... • not just: • The type of cybercrime: which type or types of cybercrime have been committed (Cybercrime Type I/II ) • but also some context re: • Motive • The offender relationship • The victim • ... WIP
Some Challenges in Digital & Network Forensics • Financial fraud: early detection of fraud and misuse • Volume & Complexity of Digital Evidence: Large and heterogeneous evidence datasets - models and approaches to address this • Network traffic analysis: to detect changes in traffic and their root cause • Intrusion Detection
Digital Forensics Projects • Fraud detection • Computer profiling • Framework for dealing with heterogeneous Digital Evidence • Event mining and event correlation
Fraud Detection • funded by Australian Research Council (2007-2010), collaboration with SAP • identification of fraud scenarios in enterprise financial systems • user and role profiling to detect anomalous transaction patterns • adapts role mining algorithms for transaction mining • ongoing project
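The user-and-role profiling idea on this slide, as an added example in Python. This is not the QUT/SAP project's code: it builds a per-role baseline of transaction codes from a constructed history, scores new transactions by how surprising the code is for the actor's role, and measures how far each user's own mix drifts from the role's mix. The roles, transaction codes and history rows are invented for illustration.

```python
"""Role-profile anomaly scoring for enterprise financial transactions.

Added example (not the QUT/SAP project's code). Builds a per-role
baseline of transaction codes from historical rows, scores a session
by the surprise of each transaction given the actor's role, and
reports how far each user's own transaction mix diverges from their
role. Roles, transaction codes and rows are constructed for illustration.
"""
from collections import Counter, defaultdict
import math

# Constructed history: (user, role, transaction_code)
HISTORY = [
    ("alice", "AP_CLERK", "CREATE_INVOICE"),
    ("alice", "AP_CLERK", "CREATE_INVOICE"),
    ("alice", "AP_CLERK", "MATCH_PO"),
    ("bob", "AP_CLERK", "CREATE_INVOICE"),
    ("bob", "AP_CLERK", "MATCH_PO"),
    ("bob", "AP_CLERK", "CREATE_INVOICE"),
    ("carol", "AP_MANAGER", "APPROVE_PAYMENT"),
    ("carol", "AP_MANAGER", "APPROVE_PAYMENT"),
    ("carol", "AP_MANAGER", "CHANGE_VENDOR_BANK"),
    ("dave", "AP_MANAGER", "APPROVE_PAYMENT"),
    ("dave", "AP_MANAGER", "RELEASE_PAYMENT"),
]


def build_role_profiles(history):
    """Return {role: {tcode: P(tcode | role)}} from observed transactions."""
    counts = defaultdict(Counter)
    for _user, role, tcode in history:
        counts[role][tcode] += 1
    profiles = {}
    for role, c in counts.items():
        total = sum(c.values())
        profiles[role] = {t: n / total for t, n in c.items()}
    return profiles


def surprise(profiles, role, tcode, floor=1e-3):
    """-log2 P(tcode | role); a code never seen for the role gets the floor
    probability, so it scores roughly 10 bits of surprise."""
    p = profiles.get(role, {}).get(tcode, floor)
    return -math.log2(p)


def score_session(profiles, session, threshold=6.0):
    """Score a list of (user, role, tcode) events.

    Returns (total_surprise, flagged); flagged lists the events whose
    individual surprise exceeds threshold, i.e. transactions that users
    in this role essentially never perform.
    """
    total = 0.0
    flagged = []
    for user, role, tcode in session:
        s = surprise(profiles, role, tcode)
        total += s
        if s > threshold:
            flagged.append((user, tcode, round(s, 2)))
    return round(total, 2), flagged


def user_role_divergence(history, profiles):
    """Total-variation distance between each user's own transaction mix and
    their role's mix. High values suggest a user acting outside the role,
    or a role definition that needs re-mining."""
    per_user = defaultdict(Counter)
    roles = {}
    for user, role, tcode in history:
        per_user[user][tcode] += 1
        roles[user] = role
    out = {}
    for user, c in per_user.items():
        total = sum(c.values())
        rp = profiles[roles[user]]
        keys = set(c) | set(rp)
        tv = 0.5 * sum(abs(c.get(k, 0) / total - rp.get(k, 0.0)) for k in keys)
        out[user] = round(tv, 3)
    return out


if __name__ == "__main__":
    prof = build_role_profiles(HISTORY)
    # Constructed session: a clerk changing vendor bank details is out of role.
    session = [("alice", "AP_CLERK", "CREATE_INVOICE"),
               ("alice", "AP_CLERK", "CHANGE_VENDOR_BANK")]
    print(score_session(prof, session))
    print(user_role_divergence(HISTORY, prof))
```

The surprise floor is the one tunable that matters: with real SAP-scale histories a role's long tail of rare but legitimate codes would otherwise be flagged constantly, so in practice the floor is set from the observed minimum frequency per role rather than a fixed constant.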
Computer Profiling • disk-based profiling of computer activity and history • model of computer activity: • principal objects, application objects, content objects, system objects • framework for identifying: • relationships between objects • inferred events • inconsistencies • working prototype
Framework for dealing with diverse, heterogeneous DE Each source has a different story to tell… and uses a different language … Objectives: • to unify heterogeneous units of DE so as to be able to identify across-unit correlations • framework to develop timelines automatically across different forms of DE
Event mining and event correlation • funded by DSTO – Defence Science and Technology Organization [2003-2007] • offline correlation of heterogeneous event data for forensic purposes Two projects: • Event mining to identify misuse/acceptable use • profiling user activity based upon sessions, applications, file accesses, etc. • ECF software – Event Correlation for Forensics software • Signature based misuse detection using Windows logs, Linux logs, browser logs, Apache server logs, door logs
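The two preceding slides describe unifying heterogeneous digital evidence into one timeline and running misuse signatures across it, including physical door logs. The Python below is an added example, not the ECF software: it parses constructed sample lines in four formats (a Windows security event, an sshd syslog line, an Apache access line, a badge-reader line) into a common event record, merges them into a single timeline, and applies one correlation signature, an interactive console login by a user whom the door log says is not in the building. The line formats, regexes, field names and sample records are assumptions made for illustration; the syslog lines carry no year, so one is assumed.

```python
"""Unified timeline and signature-based correlation over heterogeneous logs.

Added example (not the page's ECF software). Each parser turns one log
format into the same event record, the records are merged into a single
timeline, and a signature walks that timeline looking for a console
login by a user whose most recent door event is OUT. All sample lines,
formats and regexes are constructed for illustration.
"""
import re
from datetime import datetime

YEAR = 2009  # syslog lines carry no year; assumed for the constructed data

# Constructed sample records, one list per source.
WINDOWS = [
    "2009-03-02 08:58:10 SECURITY 4624 user=jsmith logon_type=2 host=WS-17",
    "2009-03-02 22:41:03 SECURITY 4624 user=jsmith logon_type=2 host=WS-17",
]
LINUX = [
    "Mar  2 09:05:41 srv1 sshd[2211]: Accepted password for jsmith from 10.0.0.17 port 51234 ssh2",
]
APACHE = [
    '10.0.0.17 - jsmith [02/Mar/2009:09:07:12 +1000] "GET /intranet/ HTTP/1.1" 200 5120',
]
DOOR = [
    "2009-03-02T08:55:02 badge=0412 user=jsmith event=IN door=Lobby",
    "2009-03-02T17:31:44 badge=0412 user=jsmith event=OUT door=Lobby",
]


def event(ts, source, user, action, where, raw):
    """Common record: low-level line kept in 'raw', abstract fields alongside."""
    return {"ts": ts, "source": source, "user": user, "action": action,
            "where": where, "raw": raw}


def parse_windows(line):
    m = re.match(r"(\S+ \S+) SECURITY (\d+) user=(\S+) logon_type=(\d+) host=(\S+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    # 4624 with logon type 2 is an interactive (console) logon
    action = "console_login" if (m.group(2), m.group(4)) == ("4624", "2") else "other"
    return event(ts, "windows", m.group(3), action, m.group(5), line)


def parse_linux(line):
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)", line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return event(ts, "linux", m.group(3), "remote_login", f"{m.group(2)}<-{m.group(4)}", line)


def parse_apache(line):
    # the timezone offset is dropped: all sources are treated as local time
    m = re.match(r'(\S+) - (\S+) \[([^ \]]+) [+-]\d{4}\] "(\S+) (\S+)', line)
    ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S")
    return event(ts, "apache", m.group(2), "web_request", m.group(5), line)


def parse_door(line):
    m = re.match(r"(\S+) badge=(\d+) user=(\S+) event=(IN|OUT) door=(\S+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    action = "badge_in" if m.group(4) == "IN" else "badge_out"
    return event(ts, "door", m.group(3), action, m.group(5), line)


def build_timeline():
    """Merge every source into one time-ordered list of common events."""
    events = ([parse_windows(l) for l in WINDOWS] + [parse_linux(l) for l in LINUX]
              + [parse_apache(l) for l in APACHE] + [parse_door(l) for l in DOOR])
    return sorted(events, key=lambda e: e["ts"])


def correlate_presence(timeline):
    """Signature: a console login by a user whose most recent door event is
    OUT (or who has no door record at all) is an inconsistency worth a look:
    shared credentials, a tailgater, or a badge log gap."""
    present = {}
    hits = []
    for ev in timeline:
        if ev["source"] == "door":
            present[ev["user"]] = ev["action"] == "badge_in"
        elif ev["action"] == "console_login" and not present.get(ev["user"], False):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev["ts"], ev["source"], ev["user"], ev["action"], ev["where"])
    for hit in correlate_presence(tl):
        print("SIGNATURE HIT:", hit["raw"])
```

Keeping the raw line inside each record is what lets an investigator go from the abstract hit back to the original evidence; the signature only reads the abstract fields, so adding a fifth source means adding a parser, not rewriting the rule.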
Network Forensics Projects • Honeypot traffic analysis • Darknet traffic analysis • Multi-sensor signature based IDS
Honeypot and darknet traffic analysis Honeypots and darknets - flexible network devices for capturing unsolicited or attack traffic Honeypot project #1 • funded by DEST - Dept of Education, Science and Training [2004-2008] • collaboration with Institute Eurecom, France • Leurre.com project: worldwide collection of low-interaction honeypots • investigation of data analysis techniques • clusters and cliques • packet inter-arrival time analysis • explored trade-offs of interactivity versus what you can learn
Honeypot and darknet traffic analysis Honeypot project #2 • uses Principal Component Analysis (PCA) techniques to detect new attacks or new traffic on honeypots • a new attack is flagged if its computed (PCA) characteristics differ from those of previous attacks • low overhead • may be used as part of an operational network detection system.
Honeypot and darknet traffic analysis Darknet project: • uses a variant of change point analysis • detects abrupt changes in network traffic • one of the key indicators of a potential network flooding attack • can detect so-called “nested” changes • the commencement of a new session of anomalous activity whilst another anomalous activity is occurring
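The darknet project's change-point idea, as an added example in Python rather than the project's own method: a two-sided CUSUM over a constructed packets-per-second series that flags abrupt increases and decreases, and re-learns its reference level after each alarm so that a second shift arriving while the first anomaly is still under way (the "nested" case on the slide) raises its own alarm. The series, thresholds in sigma units and the relearning window are assumptions for illustration.

```python
"""Two-sided CUSUM change-point detection with nested-change handling.

Added example (not the page's darknet project code). Detects abrupt
level shifts in a packet-rate series; after each alarm the reference
level and spread are re-estimated from the samples just after the
change, so a further shift during an ongoing anomaly is detected as a
separate, nested change. The series and parameters are constructed.
"""
import statistics

# Constructed darknet packets-per-second series: quiet baseline, a flood,
# a second larger flood starting while the first is still running, then
# a return to baseline. The +/- jitter gives the warm-up a non-zero sigma.
BASE = [18, 22, 19, 21, 20]
FLOOD1 = [195, 205, 198, 202, 200]
FLOOD2 = [590, 610, 595, 605, 600]
DARKNET_PPS = BASE * 6 + FLOOD1 * 3 + FLOOD2 * 3 + BASE * 2


def cusum_changes(series, warmup=10, relearn=5, k_sigma=0.5, h_sigma=5.0,
                  sigma_floor=1.0):
    """Return a list of detected changes as dicts with index, direction,
    and the reference level before ('from') and after ('to') the change.

    k (allowance) and h (decision threshold) are expressed in units of the
    current sigma; sigma_floor stops a perfectly flat window from making
    the detector hair-trigger.
    """
    if len(series) < warmup + relearn:
        raise ValueError("series too short for warm-up and relearning")
    mu = statistics.fmean(series[:warmup])
    sigma = max(statistics.pstdev(series[:warmup]), sigma_floor)
    k, h = k_sigma * sigma, h_sigma * sigma
    s_up = s_down = 0.0
    changes = []
    i = warmup
    while i < len(series):
        x = series[i]
        # upward and downward cumulative sums, each clamped at zero
        s_up = max(0.0, s_up + (x - mu - k))
        s_down = max(0.0, s_down + (mu - x - k))
        if s_up > h or s_down > h:
            direction = "up" if s_up > h else "down"
            # relearn the reference level from the samples after the change;
            # this is what allows a nested change to trigger a fresh alarm
            window = series[i:i + relearn]
            new_mu = statistics.fmean(window)
            sigma = max(statistics.pstdev(window), sigma_floor)
            changes.append({"index": i, "direction": direction,
                            "from": round(mu, 1), "to": round(new_mu, 1)})
            mu = new_mu
            k, h = k_sigma * sigma, h_sigma * sigma
            s_up = s_down = 0.0
            i += relearn  # samples used for relearning are not re-tested
            continue
        i += 1
    return changes


if __name__ == "__main__":
    for c in cusum_changes(DARKNET_PPS):
        print(f"t={c['index']:>3}  {c['direction']:<4} {c['from']:>7} -> {c['to']:>7}")
```

The relearning window is the trade-off knob: a longer window gives a steadier post-change estimate but delays detection of any nested shift that begins inside it, and the window is skipped by the detector entirely.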
Multi-sensor signature based IDS Representation of events derived from heterogeneous sources • AET – Abstract Event Tree: a hierarchic event abstraction model for events collected from heterogeneous sources • preserves all low-level information as well as providing high-level information in the form of abstract events • designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tools, or monitoring tools
So can we expect to succeed in combating CC? • yes … a qualified yes – pretty much as with Wiki – “Wikipedia usually, eventually gets things right” • But it’s always catch-up • The technology can – does – work for us • ‘instantaneous’ communication of mugshots, Paypal, auto-download of updated software and AV signatures, traffic analysis & filtering, … • we have to make smart use of the technology
Brave New World But society needs a balanced approach to (over-) regulation else Scott Adams’ prophecy will come true: 'new technology will allow the police to solve 100 percent of all crimes. The bad news is that we'll realize 100 percent of the population are criminals, including the police' (1998: 194). (From David Wall’s book) THANK YOU