INTERACTIVE ANALYSIS OF COMPUTER CRIMES

1
INTERACTIVE ANALYSIS OF COMPUTER CRIMES

• PRESENTED FOR
• CS-689
• ON 10/12/2000
• BY NAGAKALYANA ESKALA

2
OUTLINE

• Crime analysis is a critical component of modern
  policing, and law enforcement agencies are
  increasingly using computerized analysis tools.
• The system which I am going to propose adapts
  computerized techniques for analyzing
  conventional crimes for use by law enforcement
  agencies in the Internet age.

3
OVERVIEW

• Motivation
• Background
• Analysis Framework
• Deliverables

4
MOTIVATION

• The increase in computer crimes over the past
  decade requires enhanced and sophisticated crime
  analysis tools to address new types of crimes.
• Further Internet time requires crime analysis
  at faster rates and in significantly smaller time
  interval

5

• Attack Sophistication vs. Intruder Technical
  Knowledge  

6
(No Transcript)
7
GOAL

• The proposed Crime analysis system can link
  criminal activities by location, time and method
  it also can detect significant changes in
  criminal activity and discover criminal
  preferences to aid in predicting future threats.

8
BACKGROUND

• Our framework is based mainly on both University
  of Virginias Regional Crime Analysis Program
  (RECAP) and John Howards (Professor, Carnegie
  Mellon University) security recommendations.
• Recap users can link related records, analyze
  trends in space and time, detect changes in those
  trends, and look for areas with a high density of
  criminal events called Hot spots

9
Recaps Components
10
ANALYSIS FRAMEWORK

• Clustering and Associating Computer Crimes
• Data association
• Concept hierarchies
• Adjusting Weight Importance
• Preference Discovery
• Crime Prediction and Threat assessment
• Multiagent modeling

11
Data Association

• To automate identifying the associated set of
  incidents we use Data Association methodology.
• Depends on the measure of similarity
• Defines the limits of an investigation
• Provides insights into crime prevention measures

12
denote the similarity of
attribute k between criminal incident records A
and B and wk denote the weighing attribute of k.
So we compute the Total Similarity Measure,
TSM(A,B) between records A and B as a weighed sum
of the attribute similarity measure
Analysts define the relevant attributes
collected in incident reports, then they
standardize the values they obtain from different
agencies
13
Concept hierarchies

• Used to Link the values in different reports
• Define an association function. Use crime
  analysis data to develop mappings from the values
  in each report to a real number in the interval
  0,1. For ex. Lets say that the attribute
  method of solicitation has three categorical
  values email, chat room and mail. Analysis
  reveals that solicitation in chat room has 0.7
  similarity with a solicitation by email and that
  a solicitation by mail has a 0.001 similarity
  with either of the other two methods.

14
Adding Weight Importance

• We first optimize the weights in the equation
  using cases that we know are associated.
• Essentially we solve for the values of the
  weights wk in the equation that minimize the
  classification error where this error is computed
  as the number of times we fail to join the
  incidents that should be joined or times we join
  incidents that should not be joined.

15

• Investigators cluster the results of the total
  similarity measure to estimate the number of
  individuals or groups involved in cyber attacks.
  We hierarchical agglomerative method with
  complete linkage. In this method
• if the similarity index of two entities is
  greater than a certain fixed value, or cut off
  value, the entities from a cluster
• if one or both of the entities is a cluster,
  then all of the entities in both of the clusters
  have a similarity index that is greater than the
  cut off value

16
Preference Discovery

• A major goal of crime analysis is to understand
  the criminal processes at work in a region well
  enough to allow proactive policing activities.
  This means discovering areas and persons under
  threat and taking action to reduce the threat.
• The following figure shows the basic components
  of preference discovery approach.

17
Shows relationship between the incident time,
incident location, and clusters developed in
feature space
18

• From the basic components of the approach, we
  observe criminal incidents in time and across the
  network topology, and we map these incidents into
  a feature space, which is defined by the relevant
  attributes of all incidents.
• We develop a density estimate for the decision
  surface, which represents the criminals
  preference for specific attributes, across
  feature space. These surfaces then become the
  basis for modeling a criminals behavior in
  future attacks.

19
Crime Prediction and Threat Assessment

• This integrates all the pieces into one system.
  The database derived from multiple agency
  databases is the basis for the analysis. We
  employ data association to group incidents and
  use feature selection to select a set of features
  of the preference discovery. These methods then
  generate the decision models for the criminal
  agents in our simulations.

20
(No Transcript)
21
Multi agent modeling

• Multi agent models provide an effective tool for
  predicting the behavior of computer criminals.
  These models use artificial agents, which can
  interact with their environment and with each
  other.
• To construct a multi agent model to simulate
  computer crime, we derive the number and type of
  agents from the raw data audit, then we derive
  the criminals preferences from the raw data. We
  use derived preferences to create the criminal
  agents.

22
Conclusion

• Our analysis method uses data association to
  determine the number of criminal agents, then it
  uses feature selection to determine the
  preference of the identified agents. Since this
  method is automatable, analysts can use it in
  situations in which there is a vast wealth of
  data. Thus, this method is particularly useful
  in the computer crime domain, where data
  collection is relatively easy but data analysis
  is more difficult

23
Deliverables

• Security personnel can use this method as the
  data source for a multiagent model that simulates
  future attacks without exposing new systems to
  the outside world.
• Analysts can estimate no. of attackers to predict
  future attacks