<p>A review of publications treating security in Internet banking systems has uncovered a practice that finds security by obscurity just as important as actual security measures. The key reason for this is that security measures do not provide a sufficient return on investment by fraud and misuse detection. Hence, the banks have so far taken the risk of providing poor security in their systems, and instead compensated the compromised users. This introduces the need for a cost-efficient, non-intrusive and customizable novel fraud and misuse detection system. This report describes the work done in researching such a system, based on audit data from a highly customized system, and using machine learning methods to provide functionality. By choosing to use audit data as the primary source of information, data can be gathered from the system in close to real-time, without interfering with the existing functionality. Audit mechanisms are commonly present in any system, thus they are the primary source from which a non-intrusive solution can be obtained. This report proposes the use of profiles to learn a baseline of the normal interaction between a user and the system. Each profile looks at the available data at different levels of abstraction so that different properties in the behavior can be learned. By using these profiles, each profile can be refined to learn its level of abstraction, while still providing a complete picture of a user's behavior. Machine learning methods can be used to automatically learn a baseline for normal behavior based on a set of historical data. The learned behavior can then be used to compare new instances against the baseline in order to classify them as normal or abnormal. Abnormal behavior would then be an indication that a user is conducting illegitimate activity. The results of our proposed solution are satisfactory. We are able to detect anomalies by different profiles and data sources. However, there are issues when it comes to evaluating the solution. Since we are trying to detect novel fraud and misuse behavior, there is no apparent test set to compare against. Some options for evaluation of anomaly detection exist. However, we found none of these to be satisfactory. Further research needs to be conducted in this area before a functional solution can be created. This report uses results and experiences to create a foundation for such further research.</p>
| Identifer | oai:union.ndltd.org:UPSALLA/oai:DiVA.org:ntnu-9731 |
| Date | January 2008 |
| Creators | Karlsen, Kåre Nordvik, Killingberg, Tarje |
| Publisher | Norwegian University of Science and Technology, Department of Computer and Information Science, Norwegian University of Science and Technology, Department of Computer and Information Science, Institutt for datateknikk og informasjonsvitenskap |
| Source Sets | DiVA Archive at Upsalla University |
| Language | English |
| Detected Language | English |
| Type | Student thesis, text |
Page generated in 0.0164 seconds