Results 1 - 10 of 26
Adaptive Fraud Detection
- Data Mining and Knowledge Discovery, 1997
Cited by 142 (17 self)
One method for detecting fraud is to check for suspicious changes in user behavior. This paper describes the automatic design of user profiling methods for the purpose of fraud detection, using a series of data mining techniques. Specifically, we use a rule-learning program to uncover indicators of fraudulent behavior from a large database of customer transactions. Then the indicators are used to create a set of monitors, which profile legitimate customer behavior and indicate anomalies. Finally, the outputs of the monitors are used as features in a system that learns to combine evidence to generate high-confidence alarms. The system has been applied to the problem of detecting cellular cloning fraud based on a database of call records. Experiments indicate that this automatic approach performs better than hand-crafted methods for detecting fraud. Furthermore, this approach can adapt to the changing conditions typical of fraud detection environments. Keywords: fraud detection, rule l...
A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems
- DARPA OFF-LINE INTRUSION DETECTION EVALUATION, PROCEEDINGS DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION (DISCEX), VOL, 1999
Cited by 98 (1 self)
The 1998 DARPA intrusion detection evaluation created the first standard corpus for evaluating computer intrusion detection systems. This corpus was designed to evaluate both false alarm rates and detection rates of intrusion detection systems using many types of both known and new attacks embedded in a large amount of normal background traffic. The corpus was collected from a simulation network that was used to automatically generate realistic traffic---including attempted attacks. The focus
A User-Centered, Modular Authorization Service Built on an RBAC Foundation
- 1999
Cited by 57 (0 self)
Psychological acceptability has been mentioned as a requirement for secure systems for as long as least privilege and fail safe defaults, but until now has been all but ignored in the actual design of secure systems. We place this principle at the center of our design for Adage, an authorization service for distributed applications. We employ usability design techniques to specify and test the features of our authorization language and the corresponding administrative GUI. Our testing results reinforce our initial design center and suggest directions for deployment of our authorization services. A modular architecture allows us to experiment with our design during short term integration, and evolve it for longer term exploration. An RBAC foundation enables coherent design of flexible authorization constraints and queries. We discuss lessons learned from the implementation of this service through a planned deployment in a context that must balance new research in risk management with dependencies on legacy services.
Adaptive fraud detection. Data Mining and Knowledge Discovery
- 1997
Cited by 44 (2 self)
Abstract. One method for detecting fraud is to check for suspicious changes in user behavior. This paper describes the automatic design of user profiling methods for the purpose of fraud detection, using a series of data mining techniques. Specifically, we use a rule-learning program to uncover indicators of fraudulent behavior from a large database of customer transactions. Then the indicators are used to create a set of monitors, which profile legitimate customer behavior and indicate anomalies. Finally, the outputs of the monitors are used as features in a system that learns to combine evidence to generate high-confidence alarms. The system has been applied to the problem of detecting cellular cloning fraud based on a database of call records. Experiments indicate that this automatic approach performs better than hand-crafted methods for detecting fraud. Furthermore, this approach can adapt to the changing conditions typical of fraud detection environments.
Computer System Intrusion Detection: A Survey
- 1999
Cited by 29 (0 self)
The ability to detect intruders in computer systems increases in importance as computers are increasingly integrated into the systems that we rely on for the correct functioning of society. This paper reviews the history of research in intrusion detection as performed in software in the context of operating systems for a single computer, a distributed system, or a network of computers. There are two basic approaches: anomaly detection and misuse detection. Both have been practiced since the 1980s. Both have naturally scaled to use in distributed systems and networks.
A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis
- in Recent Advances in Intrusion Detection (RAID98), 1998
Cited by 17 (0 self)
To appropriately address the problem of large-scale distributed intrusion assessment/detection, issues such as information exchange, work division and coordination amongst various Intrusion Detection Systems (IDS) must be addressed. An approach based on autonomous local IDS agents performing event processing coupled with cooperative global problem resolution is preferred. However, it is not clear how autonomous the local IDS agents should be and what constitutes the theme that drives multiple IDS to work together. We believe that focusing on the intruder's intent (attack strategy) provides the theme that drives how various IDS components work together. Analysis on attack strategy also provides an opportunity to perform pro-active look ahead adaptive auditing. This paper presents a high-level conceptual architecture view for such an approach. The Battleground Management Analogy Today's large-scale distributed intrusion detection (ID) shares many common traits and challenges with the ta...
Vide, "Evolutionary design of intrusion detection programs"
- International Journal of Network Security
Cited by 12 (4 self)
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network. This paper proposes the development of an Intrusion Detection Program (IDP) which could detect known attack patterns. An IDP does not eliminate the use of any preventive mechanism but it works as the last defensive mechanism in securing the system. Three variants of genetic programming techniques namely Linear Genetic
Secure Routing in Ad Hoc Networks and a Related Intrusion Detection Problem
- In IEEE Military Communications Conference, 2003
Cited by 10 (0 self)
The intrinsic nature of wireless ad hoc networks makes them vulnerable to various passive or active attacks. Thus, there is no guarantee that a routed communication path is free of malicious nodes that will not comply with the employed protocol and attempt to interfere with the network operations. In this paper, we survey the problem of secure routing in ad hoc wireless networks, and discuss the related techniques of cryptographic key distribution. However, no matter how secure the routing protocol is, it is still possible that some nodes are compromised and become malicious. The presence of compromised nodes, especially in nodes that are communication bottlenecks, limits the effectiveness of the described secure routing protocols. We therefore consider the problem of intrusion detection for such nodes. The intrusion detection problem and some solutions are described in detail for a concrete queueing model of medium access. The extensions of the solutions to address the problem in more general scenarios are also discussed.
Temporal Signatures for Intrusion Detection
- 2001
Cited by 9 (0 self)
We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed at the University of New Mexico that uses a system call sequence as a signature. Intrusions are detected by comparing the signature of the intrusion and that of the normal application. But when the system call sequences generated by the intrusion and the normal application are sufficiently similar, this method cannot work. By extending system call signature to incorporate temporal information related to the application, we form a richer signature. Analysis shows that the temporal behavior for many applications is relatively stable. We exclude high variance data when creating a normal database to characterize an application with a temporal signature. It can then be the basis for future comparisons in an intrusion detection system. This paper discusses experiments that test the effectiveness of the temporal signature on different applications, alternative intrusions, and in various environments. The results show that by choosing appropriate analysis methods and experimentally adjusting the parameters, intrusions are readily detected. Finally, we give some comparisons between the temporal signature method and the system call method.
Modeling intrusion detection system using hybrid intelligent systems
- JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, 2005