12/14/13 Prof. KS@2013 cit FDP coimbatore Dec 21,2013 1
Cyber Forensics: An intro & Requirement Engineering
Prof. K. Subramanian, SM(IEEE), SMACM, FIETE, LSMCSI, MAIMA, MAIS, MCFE, LM(CGAER)
Academic Advocate, ISACA (USA) in India
Professor & Former Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
Hon. IT Adviser to CAG of India & Ex-DDG (NIC), Min. of Communications & Information Technology
Former President, Cyber Society of India
Founder President, eInformation Systems Security Audit Association (eISSA), India
Diagram: threats surrounding the Information System (IS), the controls applied against them, and the business impact when they fail

Threats: Fraud & theft; Scavenging; Virus attack; Accidental damage; Natural disaster; Unauthorised access; Interception; Trojan horses; Incomplete program changes; Hardware/software failure; Social engineering attack; Data diddling

Controls: Passwords; Encryption; Anti-virus; Backups; Hardware maintenance; Security guards; Input validations; Audit trails; Program change documentation; Authorisation; Business continuity plan

Impact: Losing to competition; Loss of customers; Loss of credibility; Embarrassment; Financial loss
Enterprise Management
Cyber/Information Forensics: New Challenges
Evidence: Collection, Collation, Organization, Analysis, Presentation, Preservation; acceptable to the Judiciary
Environment: Encrypted / Non-encrypted
Identity Management and Access Mechanism: Local / Remote; Single network / Multiple networks
Access control: Password controlled / Token controlled / Biometric controlled
Whose Responsibility?
Police/Investigators, Prosecutors, Auditors, Technologists
Digital Forensics: What is required?
A highly trained manpower; Appropriate tools; Strong Cyber Law; Certified Fraud Examiners
Methods: E-mail tracking; Hard disk forensics; Decrypting of data; Finding hidden/embedded links; Tracing compromised source servers
What could all this lead to?
Loss of Confidential/Secret Information
Loss of intellectual property
Loss of customer confidence
Loss of Revenue
Implications on social set-up
CYBER TERRORISM
Auditors fail to discover Fraud because they are not looking for it!
Victims seldom squeal! It is not good form to be the whistle-blower, the bad guy, the one who reveals all.
Human nature: hide failures, not admit them; conceal problems, not discuss them; defend wrong decisions, not admit them; cover up mistakes, not own up.
What is Forensic Audit?
Forensic – “Belonging to, used in or suitable to courts of judicature or to public discussion and debate.”
Audit – the process which identifies the extent of conformance (or otherwise) of actual events with intended events and pre-determined norms for different activity segments, in accordance with established criteria.
Forensic Auditing
Forensic Auditing encompasses: Fraud detection; Fraud investigation; Fraud prevention
Skills required of forensic accountants: Accounting/Finance expertise; Fraud knowledge; Knowledge of the legal system; Ability to work with people
Change in the focus of Forensic Audit
Driven by: the changing environment; technological advances; emerging expectations and the widening gap; and changes in the profile of the fraudster and of frauds, and in fraudster technologies themselves.
Financial Auditing vs. Fraud Auditing

Fraud Auditing
• Not program oriented
• “Think like a crook” approach (focus on internal control (IC) weaknesses)
• Focus on exceptions, oddities, and patterns of conduct

Financial Auditing
• Program/procedural approach
• Control risk approach (focus on IC strengths)
• Focus on errors and omissions
Financial Auditing vs. Fraud Auditing

Fraud Auditing
• “Where there’s smoke, there’s fire.”
• Illogical; behavioral: motive, opportunity, integrity
• Fraud examiner rate is much higher because fraud auditors are only called in when fraud is known or highly suspected.

Financial Auditing
• Emphasis on materiality
• Logical; accounting and auditing background
• Internal/external auditors are credited with finding about 4% to 20% of uncovered fraud
Types of Frauds
• Management frauds
• Direct illegal acts
• Employee frauds
• White collar crimes
• Corruption and bribing
• Cyber/Net frauds
• Cyber terrorism
• InfoTech warfare
Forensic Audit should ensure that it is –
• A means to an end
• A guide to decision making
• Enables improvement of society
• Empowers decision makers with state-of-the-art verifiable inputs
• Enables enactment of effective laws
• Promotes effective delivery of justice in accordance with the canons and tenets
Cyber security & Cyber forensics seminar CSI-IETE March 28, 2009
Tools & Technologies
• Certified tool & Proprietary tool
• Natural methods of evidence collection: built-in tools
• Centralized vs Decentralized & Distributed
• Investigative Data Mining and Problems in Fraud Detection: Definitions; Technical and Practical Problems
• Existing Fraud Detection Methods: Widely used methods
• The Crime Detection Method: Comparisons with Minority Report; Classifiers as Precogs; Combining Output as Integration Mechanisms; Cluster Detection as Analytical Machinery; Visualization Techniques as Visual Symbols
• Database, machine learning, neural networks, data visualization, statistics, distributed data mining
• Communication & Network technologies: Wired, Wireless, Mobile, Web & Internet
Implementing the Crime Detection System:
• Preparation components: Investigation objectives; Collected data; Preparation of collected data to achieve objectives
• Action components: Which experiments generate the best predictions? Which is the best insight? How can the new models and insights be deployed within an organization?
Fraud Detection Problems: Technical & Practical

Technical
• Imperfect data
– Usually not collected for data mining
– Inaccurate, incomplete, and irrelevant data attributes
• Highly skewed data
– Many more legitimate than fraudulent examples
– Higher chances of over-fitting
• Black-box predictions
– Numerical outputs incomprehensible to people

Practical
• Lack of domain knowledge
– Important attributes, likely relationships, and known patterns
– Three types of fraud offenders and their modus operandi
• Assessing data mining potential
– Predictive accuracy is useless for skewed data sets
• Great variety of fraud scenarios over time
– Soft fraud – cost of investigation > cost of fraud
– Hard fraud – circumvents anti-fraud measures
Widely Used Methods in Fraud Detection
• Insurance Fraud
– Cluster detection -> decision tree induction -> domain knowledge, statistical summaries, and visualisations
– Special case: neural network classification -> cluster detection
• Credit Card Fraud
– Decision tree and naive Bayesian classification -> stacking
• Telecommunications Fraud
– Cluster detection -> scores and rules
The Crime Detection Method: Comparisons with Minority Report
• Precogs
– Foresee and prevent crime
– Each precog contains multiple classifiers
• Integration Mechanisms
– Combine predictions
• Analytical Machinery
– Record, study, compare, and represent predictions in simple terms
– Single “computer”
• Visual Symbols
– Explain the final predictions
– Graphical visualizations, numerical scores, and descriptive rules
Classifiers as Precogs
• Precog One: Naive Bayesian Classifiers
– Statistical paradigm
– Simple and fast
– Redundant and not normally distributed attributes*
• Precog Two: Classifiers
– Computer metaphor
– Explain patterns and quite fast
– Scalability and efficiency
• Precog Three: Back-propagation Classifiers
– Brain metaphor
– Long training times and extensive parameter tuning*
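To make Precog One concrete, here is an added example (not code from the deck) of a categorical naive Bayesian classifier on constructed claim records, which also shows the starred weakness: a redundant attribute is counted as independent evidence a second time and inflates the posterior. The records, attribute names and add-one smoothing are assumptions of this example.

```python
from collections import Counter

# Constructed training claims: ((region, vehicle_age), label); 4 fraud, 6 legitimate.
TRAIN = [
    (("urban", "new"), "fraud"), (("urban", "new"), "fraud"),
    (("urban", "old"), "fraud"), (("rural", "new"), "fraud"),
    (("urban", "old"), "legit"), (("rural", "old"), "legit"),
    (("rural", "old"), "legit"), (("rural", "new"), "legit"),
    (("urban", "old"), "legit"), (("rural", "old"), "legit"),
]

class NaiveBayes:
    """Categorical naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, records):
        self.total = len(records)
        self.class_count = Counter(label for _, label in records)
        n_attrs = len(records[0][0])
        # distinct values per attribute position, needed for the smoothing denominator
        self.values = [{x[i] for x, _ in records} for i in range(n_attrs)]
        self.counts = Counter()            # (label, attribute index, value) -> count
        for x, label in records:
            for i, v in enumerate(x):
                self.counts[(label, i, v)] += 1

    def likelihood(self, label, i, v):
        return (self.counts[(label, i, v)] + 1) / (self.class_count[label] + len(self.values[i]))

    def posterior(self, x):
        """P(label | x) under the independence assumption, normalised over labels."""
        joint = {}
        for label, n in self.class_count.items():
            p = n / self.total
            for i, v in enumerate(x):
                p *= self.likelihood(label, i, v)
            joint[label] = p
        z = sum(joint.values())
        return {label: p / z for label, p in joint.items()}

def duplicate_attribute(records, i):
    """Append a copy of attribute i to every record: a redundant attribute."""
    return [(x + (x[i],), label) for x, label in records]

if __name__ == "__main__":
    claim = ("urban", "new")
    plain = NaiveBayes(TRAIN).posterior(claim)["fraud"]
    # The copied attribute is treated as independent evidence and counted twice.
    inflated = NaiveBayes(duplicate_attribute(TRAIN, 0)).posterior(claim + (claim[0],))["fraud"]
    print(f"P(fraud | urban, new) = {plain:.3f}; with region duplicated = {inflated:.3f}")
```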
Combining Output as Integration Mechanisms
• Cross Validation
– Divides training data into eleven data partitions
– Each data partition used for training, testing, and evaluation once*
– Slightly better success rate
• Bagging
– Unweighted majority voting on each example or instance
– Combine predictions from the same algorithm or different algorithms*
– Increases success rate
Combining Output as Integration Mechanisms
• Stacking
– Meta-classifier
– Base classifiers present predictions to the meta-classifier
– Determines the most reliable classifiers
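An added example, not from the deck, of the two integration mechanisms on these two slides: bagging as unweighted majority voting, and stacking as a meta-classifier trained on the base classifiers' votes that learns which combinations of them to trust. The claim records and the three one-attribute rule classifiers are constructed stand-ins for the precogs.

```python
from collections import Counter, defaultdict

# Constructed claims: (amount, days_since_policy_start, prior_claims, is_fraud).
# Fraud here means "large claim, or a new policy holder with prior claims".
TRAIN = [
    (9000, 10, 3, True), (8500, 5, 2, True), (9500, 15, 0, True), (7000, 20, 0, True),
    (6000, 700, 4, True), (8800, 450, 2, True), (8000, 400, 0, True), (7200, 600, 1, True),
    (400, 10, 2, True), (600, 20, 3, True), (300, 8, 0, False), (500, 12, 0, False),
    (900, 300, 2, False), (1100, 800, 3, False), (1200, 900, 0, False), (450, 120, 0, False),
]
TEST = [
    (8300, 500, 0, True), (550, 15, 2, True), (9200, 12, 1, True), (350, 400, 0, False),
    (6500, 900, 3, True), (800, 25, 0, False), (700, 300, 2, False), (7500, 600, 1, True),
]

# Three weak one-attribute base classifiers standing in for the precogs.
def by_amount(c):  return c[0] > 5000   # large claim
def by_newness(c): return c[1] < 30     # claim soon after the policy started
def by_history(c): return c[2] >= 2     # repeat claimant
BASE = [by_amount, by_newness, by_history]

def votes(claim):
    """Each base classifier's prediction for one instance."""
    return tuple(clf(claim) for clf in BASE)

def bagging(claim):
    """Unweighted majority voting over the base predictions."""
    return sum(votes(claim)) * 2 > len(BASE)

def train_stacker(training):
    """Meta-classifier: for every pattern of base votes seen in training, learn
    the majority true label, i.e. which combinations of classifiers to trust.
    Patterns never seen fall back to the bagging vote."""
    seen = defaultdict(Counter)
    for c in training:
        seen[votes(c)][c[3]] += 1
    table = {pattern: labels.most_common(1)[0][0] for pattern, labels in seen.items()}
    return lambda claim: table.get(votes(claim), bagging(claim))

def accuracy(predict, claims):
    return sum(predict(c) == c[3] for c in claims) / len(claims)

if __name__ == "__main__":
    models = [("amount", by_amount), ("newness", by_newness), ("history", by_history),
              ("bagging", bagging), ("stacking", train_stacker(TRAIN))]
    for name, predict in models:
        print(f"{name:9s} accuracy on held-out claims: {accuracy(predict, TEST):.3f}")
```

On the held-out claims bagging is outvoted on the "large claim, old policy, no history" pattern that the stacker learns to trust.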
Cluster Detection as Analytical Machinery; Visualisation Techniques as Visual Symbols
• Analytical Machinery: Self-Organising Maps
– Cluster high-dimensional elements into simpler, low-dimensional maps
– Automatically group similar instances together
– Do not specify an easy-to-understand model*
• Visual Symbols: Classification and Clustering Visualisations
– Classification visualisation – confusion matrix, naive Bayesian visualisation
– Clustering visualisation – column graph
The Crime Detection System: Preparation Component
• Problem Understanding
– Determine investigation objectives – Choose – Explain
– Assess situation – Available tools – Available data set – Cost model
– Determine data mining objectives – Max hits / Min false alarms
– Produce project plan – Time – Tools
The Crime Detection System: Preparation Component
• Data Understanding
– Describe data
– Explore data – Claim trends by month – Age of vehicles – Age of policy holder
– Verify data – Good data quality – Duplicate attribute, highly skewed attributes
The Crime Detection System: Preparation Component
• Data Preparation
– Select data – All, except one attribute, are retained for analysis
– Clean data – Missing values replaced – Spelling mistakes corrected
– Format data – All characters converted to lowercase – Underscore symbol
– Construct data – Derived attributes – Numerical input
– Partition data – Data multiplication or oversampling – For example, 50/50 distribution
Implementing the Crime Detection System: Action Component
• Deployment
– Plan deployment – Manage geographically distributed databases using distributed data mining – Take time into account
– Plan monitoring and maintenance – Determined by rate of change in external environment and organisational requirements – Rebuild models when cost savings are below a certain percentage of maximum cost savings possible
• New Crime Detection Method
• Crime Detection System
• Cost Model
• Visualisations
• Statistics
• Score-based Feature
• Extensive Literature Review
• In-depth Analysis of Algorithms
• Imperfect data – Statistical evaluation and confidence intervals – Preparation component of crime detection system – Derived attributes – Cross validation
• Highly skewed data – Partitioned data with most appropriate distribution – Cost model
• Black-box predictions – Classification and clustering visualisation – Sorted scores and predefined thresholds, rules
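An added example (not the deck's own code) covering slide 17's point that predictive accuracy is useless on skewed data and this slide's remedies, a cost model over sorted scores with predefined thresholds. The 2% fraud rate, the score distributions and the investigation and fraud costs are constructed assumptions.

```python
import random

COST_INVESTIGATION = 50   # constructed: cost of sending one claim to an investigator
COST_FRAUD = 2000         # constructed: loss when a fraudulent claim is paid out

def make_claims(n=1000, fraud_rate=0.02, seed=7):
    """Constructed (score, is_fraud) claims: 2% fraud; Beta(5,2) scores for fraud, Beta(2,5) for legitimate."""
    rnd = random.Random(seed)
    claims = []
    for _ in range(n):
        fraud = rnd.random() < fraud_rate
        score = rnd.betavariate(5, 2) if fraud else rnd.betavariate(2, 5)
        claims.append((score, fraud))
    return claims

def confusion(claims, threshold):
    """Confusion matrix (tp, fp, fn, tn) for the rule 'flag if score >= threshold'."""
    flagged = [(score >= threshold, fraud) for score, fraud in claims]
    tp = sum(f and y for f, y in flagged)
    fp = sum(f and not y for f, y in flagged)
    fn = sum(not f and y for f, y in flagged)
    return tp, fp, fn, len(claims) - tp - fp - fn

def accuracy(cm):
    tp, fp, fn, tn = cm
    return (tp + tn) / (tp + fp + fn + tn)

def cost(cm):
    """Cost model: each flagged claim is investigated, each missed fraud is paid."""
    tp, fp, fn, _ = cm
    return (tp + fp) * COST_INVESTIGATION + fn * COST_FRAUD

def sweep(claims, thresholds):
    """(threshold, hits, false alarms, accuracy, cost) for each predefined threshold."""
    return [(t, cm[0], cm[1], accuracy(cm), cost(cm))
            for t in thresholds for cm in [confusion(claims, t)]]

def best_by_accuracy(claims, thresholds):
    """Threshold a plain accuracy criterion would choose: close to 'flag nothing'."""
    return max(sweep(claims, thresholds), key=lambda r: r[3])[0]

def best_threshold(claims, thresholds):
    """Threshold the cost model chooses: the cheapest trade-off of hits vs alarms."""
    return min(sweep(claims, thresholds), key=lambda r: r[4])[0]

if __name__ == "__main__":
    claims, grid = make_claims(), [i / 10 for i in range(11)]
    for t, hits, alarms, acc, c in sweep(claims, grid):
        print(f"threshold {t:.1f}: hits={hits:3d} alarms={alarms:3d} accuracy={acc:.3f} cost={c}")
    print("accuracy picks", best_by_accuracy(claims, grid), "cost model picks", best_threshold(claims, grid))
```

Flagging nothing already scores about 98% accuracy on this data, so accuracy favours a threshold that misses most fraud, while the cost model settles on a lower threshold that accepts more false alarms.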
• Lack of domain knowledge – Action component of crime detection system – Extensive literature review
• Great variety of fraud scenarios over time – SOM – Crime detection method – Choice of algorithms
• Assessing data mining potential – Quality and quantity of data – Cost model – z-scores
FOR FURTHER INFORMATION PLEASE CONTACT:
E-MAIL: [email protected], [email protected]; [email protected]
Tel: 91-11-29533068
Fax: 91-11-29533068
ACIIL, Block &, Room 16, Maidan Garhi, IGNOU, New Delhi-110068
Open for Interaction?