Suspicious activity reporting using dynamic bayesian networks

AbstractSuspicious activity reporting has been a crucial part of anti-money laundering systems. Financial transactions are considered suspicious when they deviate from the regular behavior of their customers. Money launderers pay special attention to keep their transactions as normal as possible to disguise their illicit nature. This may deceive the classical deviation based statistical methods for finding anomalies. This study presents an approach, called SARDBN (Suspicious Activity Reporting using Dynamic Bayesian Network), that employs a combination of clustering and dynamic Bayesian network (DBN) to identify anomalies in sequence of transactions. SARDBN applies DBN to capture patterns in a customer’s monthly transactional sequences as well as to compute an anomaly index called AIRE (Anomaly Index using Rank and Entropy). AIRE measures the degree of anomaly in a transaction and is compared against a pre-defined threshold to mark the transaction as normal or suspicious. The presented approach is tested on a real dataset of more than 8 million banking transactions and has shown promising results

Comprehensive Security Framework for Global Threats Analysis

Cyber criminality activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of thread arise involving complex scenarios spread within multiple IS components. The IS information modeling and Behavioral Analysis are becoming new solutions to normalize the IS information and counter these new threads. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and User Behavioral analysis. The results of the performed experiments on real data show that the modeling is effective to reduce the amount of events by 91%. The User Behavioral Analysis on uniform modeled data is also effective, detecting more than 80% of legitimate actions of attack scenarios

Evidence-Based Analysis of Cyber Attacks to Security Monitored Distributed Energy Resources

This work proposes an approach based on dynamic Bayesian networks to support the cybersecurity analysis of network-based controllers in distributed energy plants. We built a system model that exploits real world context information from both information and operational technology environments in the energy infrastructure, and we use it to demonstrate the value of security evidence for time-driven predictive and diagnostic analyses. The innovative contribution of this work is in the methodology capability of capturing the causal and temporal dependencies involved in the assessment of security threats, and in the introduction of security analytics supporting the configuration of anomaly detection platforms for digital energy infrastructures

Real-time classification of malicious URLs on Twitter using Machine Activity Data

Massive online social networks with hundreds of millions of active users are increasingly being used by Cyber criminals to spread malicious software (malware) to exploit vulnerabilities on the machines of users for personal gain. Twitter is particularly susceptible to such activity as, with its 140 character limit, it is common for people to include URLs in their tweets to link to more detailed information, evidence, news reports and so on. URLs are often shortened so the endpoint is not obvious before a person clicks the link. Cyber criminals can exploit this to propagate malicious URLs on Twitter, for which the endpoint is a malicious server that performs unwanted actions on the person’s machine. This is known as a drive-by-download. In this paper we develop a machine classification system to distinguish between malicious and benign URLs within seconds of the URL being clicked (i.e. ‘real-time’). We train the classifier using machine activity logs created while interacting with URLs extracted from Twitter data collected during a large global event – the Superbowl – and test it using data from another large sporting event – the Cricket World Cup. The results show that machine activity logs produce precision performances of up to 0.975 on training data from the first event and 0.747 on a test data from a second event. Furthermore, we examine the properties of the learned model to explain the relationship between machine activity and malicious software behaviour, and build a learning curve for the classifier to illustrate that very small samples of training data can be used with only a small detriment to performance

DScentTrail: A new way of viewing deception

The DScentTrail System has been created to support and demonstrate research theories in the joint disciplines of computational inference, forensic psychology and expert decision-making in the area of counter-terrorism. DScentTrail is a decision support system, incorporating artificial intelligence, and is intended to be used by investigators. The investigator is presented with a visual representation of a suspect‟s behaviour over time, allowing them to present multiple challenges from which they may prove the suspect guilty outright or receive cognitive or emotional clues of deception. There are links into a neural network, which attempts to identify deceptive behaviour of individuals; the results are fed back into DScentTrail hence giving further enrichment to the information available to the investigator

A Comprehensive Survey of Data Mining-based Fraud Detection Research

This survey paper categorises, compares, and summarises from almost all published technical and review articles in automated fraud detection within the last 10 years. It defines the professional fraudster, formalises the main types and subtypes of known fraud, and presents the nature of data evidence collected within affected industries. Within the business context of mining the data to achieve higher cost savings, this research presents methods and techniques together with their problems. Compared to all related reviews on fraud detection, this survey covers much more technical articles and is the only one, to the best of our knowledge, which proposes alternative data and solutions from related domains.Comment: 14 page

Malware in the Future? Forecasting of Analyst Detection of Cyber Events

There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately seven years. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number for resource allocation, estimation of security resources, and the development of effective risk-management strategies. We used a Bayesian State Space Model for forecasting and found that events one week ahead could be predicted. To quantify bursts, we used a Markov model. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity.Comment: Revised version resubmitted to journa