2. Introduction
• Existing work on intrusion detection has mainly
focused on network intrusions and host-based attacks
• The earliest proposals for intrusion detection were
based on the use of audit data from the host being
monitored
• Audit data is provided by the operating system or
other applications running in the host
• Host-based intrusion detection (HIDS) is performed
at the operating system level by comparing expected
and observed system resource usage
12/6/2017 Hitesh Mohapatra Ph.D 2
3. Introduction
• Network intrusion detection systems (NIDSs) observe the
network traffic that goes to and from the systems being
monitored
• NIDSs are positioned at various points in a network to detect
any attack on the hosts of that network
• To capture most of the data passing through the network, we
need to position the IDS at the entry and exit point of the
network to the outside world
• Some more IDSs may also be placed in the internal network,
depending on the level of security needed
• This approach has the advantage that even a single,
properly placed NIDS can monitor a number of hosts
4. Limitations of HIDSs
• The information sources for HIDSs reside on the host
that is targeted by attackers, so the IDS itself may be
attacked and thereby disabled during the attack
• In addition, HIDSs consume resources of the host they
run on and are harder to manage, since the IDS must be
configured and managed on every host individually
• A HIDS can only be trusted up to the point at which the
host is compromised:
– A secure logging mechanism is necessary to prevent logs from
being erased if the attacker compromises the machine
– An attacker obtaining superuser privilege on the host can
disable the HIDS
– A HIDS may become ineffective during DoS attacks
5. Limitations of NIDSs
• Cannot see attacks arriving over a path that does not
traverse the network segment being monitored
• Cannot observe actions that occur inside a host (miss
local attacks)
• Use of encryption during transmission makes NIDSs
ineffective against payload-level attacks, because they
cannot examine the contents of encrypted communications
6. Database IDS (DIDS)
• Organizations use Database Management Systems
(DBMS) as the main data management technology for
storing and accessing information
• The ability to access information and carry out on-line
transactions from anywhere using the Internet and web-based
applications increases the chances of attacks on
database systems
• It is found that 75% of the attacks on the Web occur at
the application level
• Concern regarding the security of databases has thus
become more crucial in all information infrastructures
7. Database IDS (DIDS)
• Traditional database security mechanisms provide security
features such as authentication, authorization, access control,
data encryption and auditing
• Despite the use of such prevention-based security
mechanisms for enforcing organizational security policy, they
are not sufficient to protect data against syntactically correct
but semantically damaging transactions
• Moreover, in databases, some attributes are more
sensitive to malicious modification than others
• The development of an effective DIDS is essential for
protecting sensitive and confidential (proprietary) information
stored in DBMSs
8. Application-Specific IDS (AppIDS)
• An AppIDS detects intrusions more accurately in the context
of the application by considering the semantics (domain
knowledge) of the application and various application-specific
rules
• This type of IDS uses a large number of domain-related
attributes for profile building, which makes the profile
difficult for outside intruders as well as insiders to guess
• Intrusion detection is required at the application level
to enable accurate detection of fraud in specific
domains like credit card payment systems, mobile
communication networks, medical/automobile
insurance, etc.
9. Requirements of Application-Specific
(AppIDS) and Database IDS (DIDS)
• At the database level, a file has an inherent structure
subdivided into tables, rows and columns
• HIDSs and NIDSs cannot detect changes to the structure
or rows of these tables
– For example, if data is stored in a file, then the OS level IDS can
only determine whether or not the file as a whole has changed.
It cannot identify any malicious updates/deletes made to
attributes/records of the file
• A DIDS/AppIDS can identify database-level changes easily
and is thus able to detect more critical attacks, such as
those carried out by internal intruders
10. Database IDS (DIDS)
• The attributes corresponding to a single transaction are
known as intra-transactional (e.g., query type, accessed table
name(s), accessed attribute name(s), transaction location and
transaction time)
• Attributes related to multiple transactions are called
inter-transactional (e.g., which types of queries are invoked after
which types of queries, which tables/attributes are accessed
after which tables/attributes, time gap between successive
transactions by the same user)
• An IDS which detects intrusions based only on
intra-transactional features cannot identify attacks in which
the individual transactions are quite similar to normal
transactions
• When an attacker requests multiple transactions, it is possible
to identify inter-transactional deviation
11. CASE STUDY OF AN APPIDS: CREDIT
CARD FRAUD DETECTION SYSTEM
12. Credit Card Fraud Detection System
• Specific application of Intrusion Detection System
• Fraudulent transactions on credit cards are a common
problem, especially with respect to online
transactions
• Thieves obtain card numbers by shoulder surfing,
packet interception, database theft, etc.
• The problem is expected to multiply manyfold in
the future
13. Types of Credit Card Purchases
• Credit card purchases can be done in two ways:
– Physical card purchases: Cardholder presents his card
physically to a merchant for making a payment
– Virtual card purchases: Only some important
information about a card (card number, name on card,
expiration date, secure code, etc.) needs to be
entered for making the payment; such payments are
made on the Internet or over the phone
14. Types of Credit Card Fraud
• According to the type of purchase, credit card frauds can
be categorized into two types:
1) Physical Card Fraud:
– To carry out fraudulent transactions in this kind of purchase, an attacker
has to steal or clone the credit card
– If the cardholder does not realize that the card is lost, this can lead to a
substantial financial loss to the credit card company
2) Virtual Card Fraud:
– To commit fraud in these types of purchases, a fraudster needs to
know the card details
– The genuine cardholder may not be aware that someone else has seen or
stolen his card information
– The only way to detect this kind of fraud is to analyze the spending
patterns on every card and to figure out any inconsistency with respect
to the “normal” spending patterns (profile)
15. Credit Card Fraud Detection
• Credit card fraud detection is a specific application of
intrusion detection in databases
• Credit card fraud is increasing rapidly resulting in loss
of billions of dollars every year
• Effective technologies are required to detect fraud in
order to maintain the viability of the payment system
• Usually, every cardholder has a certain shopping
behavior which establishes an activity/normal profile
for him/her
16. Credit Card Fraud Detection
• As a result of personal needs or seasonal needs, patterns
of legitimate behavior may change over time
• Systems that cannot “evolve” or “learn” soon become
outdated, resulting in a large number of false alarms
• The fraudster can also attempt new types of attacks so as
to bypass the Credit Card Fraud Detection System
(CCFDS)
• Thus, there is a need for developing a CCFDS which can:
– Combine multiple pieces of evidence, including patterns of genuine
cardholders as well as fraudsters
– Adapt to changes in the spending patterns of cardholders
17. Challenges in Credit card Fraud
Detection
• Orders could be shipped to a different address than the
billing address (normally while gifting to someone)
• Orders could be shipped to a single address but made on
multiple cards
• The genuine transactions could be interspersed with the
fraudulent transactions
• The number of fraudulent transactions is very small
compared to the volume of genuine transactions (class
imbalance problem)
• The company incurs a finite cost for every check
back (manual confirmation with the actual cardholder)
• The customer may not always be contactable
18. Limitations of Existing CCFDS
• Existing approaches to CCFD are either anomaly-based or
misuse-based systems
• Anomaly-based FDSs raise a large number of false alarms
and misuse-based FDSs cannot detect new fraud patterns:
– Deviation in access behavior of genuine cardholders due to
special requirements raise false alarms (Anomaly CCFDS)
– New fraud types that the detection system is not aware of,
mostly go undetected (Misuse CCFDS)
• Objective: A hybrid CCFD model that integrates the
advantages of both anomaly and misuse-based systems so
as to achieve high detection rate along with minimized
false alarms
19. Case Study: Credit Card Fraud Detection
• Suvasini Panigrahi, Amlan Kundu, Shamik Sural and
A. K. Majumdar, “Credit Card Fraud Detection: A
Fusion Approach using Dempster-Shafer Theory
and Bayesian Learning”, Information Fusion
(Special Issue on Information Fusion in Computer
Security), Elsevier, Vol. 10, No. 4, Pages 354-363,
2009 [2]
20. Case Study: Credit Card Fraud Detection
• The basic idea of our approach is that:
– Fraudsters are usually not completely familiar with the
cardholder’s normal spending profile
– Their aim is to gain maximum profit in a limited amount of
time before they get caught
• Transactions carried out by a fraudster usually show
some deviation in terms of transaction amount as
well as time gap between successive transactions
(carrying out high-value transactions in quick succession),
which our CCFDS needs to capture
21. Proposed CCFD System
• We have proposed a two-stage CCFDS that combines
evidence from:
– The cardholder’s current activity patterns (First Stage)
– The cardholder’s past transaction profile as well as the
history of fraudulent activities available to the card
issuing bank (Second Stage)
• The evidence is combined using the Dempster-Shafer
theory and an initial belief P(h) is computed
• An incoming transaction is classified as genuine,
fraudulent or suspicious depending on the value of P(h)
22. Proposed CCFD System
• Two preset threshold values, a lower threshold (θLT) and an
upper threshold (θUT), are determined experimentally and
used for taking the decision about an incoming transaction
• If a transaction is determined to be genuine or
fraudulent, it is not processed further
• If a transaction is found to be suspicious, the initial belief
is updated using Bayesian learning based on additional
evidence obtained from transaction history databases
• Proposed CCFDS integrates anomaly detection and
misuse detection techniques to improve the accuracy of
the system
23. Proposed CCFD System
• To meet the required functionality, the
proposed CCFDS is designed with the
following four components:
– Rule-based Filter (RBF)
– Dempster-Shafer Adder (D-S Adder)
– Transaction History Database (THD)
– Bayesian Learner (BL)
24. Rule-Based Filter
• Generic and customer-specific rules are used to
monitor behavioral patterns of a cardholder
• Each rule Ri measures the intrusiveness of a
transaction by assigning basic probabilities mi(h)
• The current model uses two rule-based techniques
at this component:
– Address Mismatch
– Outlier Detection
25. Rule-Based Filter
1) Address Mismatch(R1):
• Orders could be shipped to a different address (shipping
address) than the billing address
• A transaction that clears this check can be classified as
genuine with very high probability
• The transactions that violate this check are labeled as
suspect
2) Outlier Detection (R2):
• A fraudster is likely to deviate from the customer’s profile,
so his transactions can be detected as outliers
• We have used DBSCAN (Density Based Spatial Clustering of
Applications with Noise) [3] algorithm to filter out outliers
• Any transaction detected as an outlier gives evidence that it
could be fraudulent
26. Rule-Based Filter
• In the current work, we have used “transaction amount”
as an attribute for detecting outliers
• The rule-based filter is essential since it separates out
most of the genuine transactions, so that the FDS does not
have to unnecessarily investigate millions of regular
legitimate transactions
• This component is kept flexible so that new rules can
always be added according to existing trends, further
enriching its functionality
27. D-S Adder
• The role of the D-S adder is to combine the evidence from
rules R1 and R2 at the RBF in order to compute the
initial belief P(h) for each transaction
• The D-S adder uses the Dempster-Shafer theory (D-S
theory) of evidence to combine information
• The D-S theory assumes a Universe of Discourse U, also
called Frame of Discernment, which is a set of mutually
exclusive and exhaustive possibilities
28. D-S Adder
• For every incoming transaction, the rules R1 and R2 share their
independent observations about the behavior of the
transaction
• The observations are combined to form a decision about the
transaction’s genuineness
• Two basic probability assignments m1(h) and m2(h) are
combined into a third basic probability assignment m(h) by
Dempster’s rule of combination, where x and y range over the
focal elements (subsets of U) of m1 and m2 respectively:
$$
P(h) = m(h) = m_1(h) \oplus m_2(h) = \frac{\sum_{x \cap y = h} m_1(x) \cdot m_2(y)}{1 - \sum_{x \cap y = \emptyset} m_1(x) \cdot m_2(y)}
$$
29. D-S Adder
• For the credit card fraud detection problem, U consists of two
possible values for any suspected transaction:
U = {fraud, ¬fraud}
• For this U, the power set has three non-empty elements, each
of which can receive belief mass:
– h = {fraud}: transaction is fraudulent (Fraud)
– ¬h = {¬fraud}: transaction is not fraudulent (Genuine)
– {h, ¬h} = U: transaction is either fraudulent or genuine
(Suspicious)
30. First Stage Decision Making
• Decision making occurs in two stages in the proposed
system
• First level inferences are made based on the initial belief:
– If initial belief < lower threshold (θLT), the transaction is
genuine
– If initial belief > upper threshold (θUT), the transaction is
fraudulent
– If θLT ≤ initial belief ≤ θUT, the transaction is
suspicious
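The first stage end to end, as an added Python example (this is not code from the slides or from the paper by Panigrahi et al.): rule R1 (address mismatch) and rule R2 (DBSCAN outlier on transaction amount) each emit a basic probability assignment over the three focal elements {fraud}, {¬fraud} and U; the D-S adder combines them with Dempster’s rule; the initial belief P(h) is then compared against θLT and θUT. The mass values each rule assigns, the DBSCAN parameters (eps = 10, minPts = 3), the cardholder history and the thresholds θLT = 0.3 and θUT = 0.7 are all assumptions made for illustration; the paper fixed its thresholds experimentally.

```python
"""Stage one of a CCFDS: rule-based filter -> D-S adder -> threshold decision.
Added example; rule mass values, DBSCAN parameters, thresholds and the
cardholder history are illustrative assumptions, not values from the paper."""
from typing import Dict, List, Optional, Tuple

# Focal elements (non-empty subsets) of the frame U = {fraud, not fraud}.
H, NH, U = "fraud", "not_fraud", "fraud_or_not_fraud"
BPA = Dict[str, float]

# Constructed past amounts for one card; the "normal" spending profile.
HISTORY: List[float] = [20.0, 25.0, 30.0, 22.0, 28.0, 35.0, 24.0, 27.0]


def dbscan_1d(values: List[float], eps: float, min_pts: int) -> List[int]:
    """Minimal DBSCAN over one numeric attribute (Ester et al., 1996).
    Returns a cluster id per point; -1 marks noise, i.e. an outlier."""
    n = len(values)
    labels: List[Optional[int]] = [None] * n          # None = not yet visited

    def region(i: int) -> List[int]:                   # eps-neighbourhood, incl. i
        return [j for j in range(n) if abs(values[j] - values[i]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nbrs = region(i)
        if len(nbrs) < min_pts:
            labels[i] = -1           # provisional noise; may become a border point
            continue
        cluster += 1
        labels[i] = cluster
        seeds = [j for j in nbrs if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            j_nbrs = region(j)
            if len(j_nbrs) >= min_pts:                 # j is core: expand through it
                seeds.extend(k for k in j_nbrs if labels[k] is None)
    return labels                                      # type: ignore[return-value]


def rule_address_mismatch(billing: str, shipping: str) -> BPA:
    """R1: matching addresses are strong evidence of a genuine transaction;
    a mismatch only makes it suspect (assumed mass values)."""
    if billing.strip().lower() == shipping.strip().lower():
        return {H: 0.0, NH: 0.9, U: 0.1}
    return {H: 0.5, NH: 0.0, U: 0.5}


def rule_outlier(amount: float, history: List[float],
                 eps: float = 10.0, min_pts: int = 3) -> BPA:
    """R2: cluster past amounts plus the new one; a noise label means the new
    amount is an outlier w.r.t. the profile (assumed mass values)."""
    if dbscan_1d(history + [amount], eps, min_pts)[-1] == -1:
        return {H: 0.7, NH: 0.1, U: 0.2}
    return {H: 0.1, NH: 0.7, U: 0.2}


def dempster_combine(m1: BPA, m2: BPA) -> BPA:
    """Dempster's rule on the two-element frame. Intersections giving H:
    H&H, H&U, U&H; giving NH: NH&NH, NH&U, U&NH; giving U: U&U.
    H&NH and NH&H are empty and form the conflict mass K."""
    k = m1[H] * m2[NH] + m1[NH] * m2[H]
    if k >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    norm = 1.0 - k
    return {
        H: (m1[H] * m2[H] + m1[H] * m2[U] + m1[U] * m2[H]) / norm,
        NH: (m1[NH] * m2[NH] + m1[NH] * m2[U] + m1[U] * m2[NH]) / norm,
        U: (m1[U] * m2[U]) / norm,
    }


def first_stage_decision(initial_belief: float, lt: float = 0.3, ut: float = 0.7) -> str:
    """theta_LT / theta_UT decision; the threshold values are assumed."""
    if initial_belief < lt:
        return "genuine"
    if initial_belief > ut:
        return "fraudulent"
    return "suspicious"


def score_transaction(amount: float, billing: str, shipping: str,
                      history: List[float] = HISTORY) -> Tuple[float, str]:
    """Run R1 and R2, combine at the D-S adder, return (P(h), decision)."""
    m = dempster_combine(rule_address_mismatch(billing, shipping),
                         rule_outlier(amount, history))
    return m[H], first_stage_decision(m[H])


if __name__ == "__main__":
    for amt, ship in [(26.0, "12 Main St"), (900.0, "12 Main St"),
                      (26.0, "7 Other Rd"), (900.0, "7 Other Rd")]:
        belief, verdict = score_transaction(amt, "12 Main St", ship)
        print(f"amount={amt:7.2f} ship={ship!r:14} P(h)={belief:.3f} -> {verdict}")
```

Note how the four combinations land in all three bands: an in-profile amount shipped to the billing address is genuine, an in-profile amount shipped elsewhere is suspicious (so it goes on to the second stage), and an outlying amount shipped elsewhere is fraudulent. The normalisation by 1 − K is what makes a single strong rule able to override a weaker conflicting one; if two rules ever disagreed completely (K = 1) the rule is undefined, which the code reports instead of dividing by zero.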
31. Transaction History Databases (THD)
For tracking suspicious transactions, two transaction
history databases are built:
• Good Transaction History (GTH) – from customer’s past
behavior (customer specific)
• Fraud Transaction History (FTH) – from different types of
past fraudulent data (generic)
Past spending behavior is observed in terms of
frequency of transactions in a specific time gap
32. Transaction History Databases
• The transaction gap is divided into four mutually exclusive and
exhaustive events D1, D2, D3 and D4
• Which event occurs for a transaction depends on the time
since the last purchase (transaction gap ρ) on that particular card
33. Transaction History Databases
• Conditional probabilities (evidence) P(Di | h) and P(Di | ¬h) are
determined from the transaction history databases FTH and
GTH respectively
• We have created two look-up tables, FFT (Fraud Frequency
Table) and GFT (Good Frequency Table), to maintain the values
of these conditional probabilities
34. Bayesian Learning
• The general idea of belief revision is that, whenever new
information becomes available, it may require updating of
prior beliefs
• The prior/initial belief P(h) can be updated using Bayes’
rule after the new information Di is obtained from the THD
• The posterior belief P(h | Di) of a suspicious transaction is
computed using Bayesian learning based on evidence from
the THD
35. Bayesian Learning
• The goal of Bayesian learning is to find the most probable
hypothesis hMAP given the training data (Maximum A Posteriori
hypothesis)
• Depending on which of the posterior values, P(h | Di) or
P(¬h | Di), is greater, the future actions are decided by the FDS
36. Second Stage Decision Making
• The suspicion score (ψ) of a transaction is updated by
combining its posterior belief and initial belief
• For the first suspicious transaction on a card, the
suspicion score is the same as its initial belief
• The final decision about the transaction is made
according to its suspicion score
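The second stage, as an added Python example (not the paper’s code). It bins the transaction gap ρ into the events D1..D4, looks up P(Di | h) in a Fraud Frequency Table and P(Di | ¬h) in a Good Frequency Table, applies Bayes’ rule P(h | Di) = P(Di | h)·P(h) / (P(Di | h)·P(h) + P(Di | ¬h)·P(¬h)), and tracks a card’s suspicion score ψ over successive suspicious transactions. The event boundaries, the table contents, the decision thresholds and the rule for carrying ψ forward are assumptions made for this example, since the slides do not give them: the first suspicious transaction’s ψ is its initial belief (as on the slide), and afterwards ψ is taken to be the posterior obtained with the previous ψ as prior.

```python
"""Stage two of a CCFDS: gap events, FFT/GFT lookup, Bayesian belief update.
Added example. Event boundaries, table contents, thresholds and the way the
suspicion score is carried forward are illustrative assumptions."""
from typing import Dict, List, Optional, Tuple

# Events on the gap since the card's previous transaction, in hours (assumed):
# D1: under 1 h, D2: under 24 h, D3: under 7 days, D4: 7 days or more.
EVENT_BOUNDS_H: List[Tuple[float, str]] = [(1.0, "D1"), (24.0, "D2"), (168.0, "D3")]

# Constructed look-up tables. FFT holds P(D_i | h) estimated from the generic
# fraud history FTH; GFT holds P(D_i | not h) from the card-specific GTH.
# Pattern assumed: fraudsters burst, genuine cardholders are spread out.
FFT: Dict[str, float] = {"D1": 0.50, "D2": 0.30, "D3": 0.15, "D4": 0.05}
GFT: Dict[str, float] = {"D1": 0.05, "D2": 0.15, "D3": 0.30, "D4": 0.50}


def gap_event(gap_hours: float) -> str:
    """Map a transaction gap rho onto one of the mutually exclusive, exhaustive events."""
    if gap_hours < 0:
        raise ValueError("transaction gap cannot be negative")
    for upper, name in EVENT_BOUNDS_H:
        if gap_hours < upper:
            return name
    return "D4"


def posterior(prior_h: float, event: str,
              fft: Dict[str, float] = FFT, gft: Dict[str, float] = GFT) -> Tuple[float, float]:
    """Bayes' rule for the two hypotheses h (fraud) and not-h (genuine).
    Returns (P(h | D_i), P(not h | D_i))."""
    if not 0.0 <= prior_h <= 1.0:
        raise ValueError("prior must be a probability")
    num_h = fft[event] * prior_h
    num_nh = gft[event] * (1.0 - prior_h)
    evidence = num_h + num_nh
    if evidence == 0.0:                 # event impossible under both tables: keep prior
        return prior_h, 1.0 - prior_h
    return num_h / evidence, num_nh / evidence


def update_suspicion(prev_psi: Optional[float], initial_belief: float, event: str) -> float:
    """Suspicion score psi for a card after a stage-one 'suspicious' transaction.
    Slide: the first suspicious transaction's psi equals its initial belief P(h).
    Assumption: later ones use the previous psi as prior and adopt P(h | D_i)."""
    if prev_psi is None:
        return initial_belief
    return posterior(prev_psi, event)[0]


def second_stage_decision(psi: float, lt: float = 0.3, ut: float = 0.7) -> str:
    """Same theta_LT / theta_UT bands as stage one (assumed); an in-between
    score keeps the card under watch for the next transaction."""
    if psi < lt:
        return "genuine"
    if psi > ut:
        return "fraudulent"
    return "suspicious"


def track_card(suspicious_txns: List[Tuple[float, float]]) -> List[Tuple[float, str]]:
    """suspicious_txns: (initial belief from stage one, gap to previous txn in hours)
    for one card, in time order. Returns (psi, decision) per transaction."""
    psi: Optional[float] = None
    out: List[Tuple[float, str]] = []
    for initial_belief, gap_hours in suspicious_txns:
        psi = update_suspicion(psi, initial_belief, gap_event(gap_hours))
        out.append((psi, second_stage_decision(psi)))
    return out


if __name__ == "__main__":
    # Constructed sequence: three stage-one "suspicious" transactions, the last
    # two arriving within the hour of their predecessor.
    for psi, verdict in track_card([(0.4, 72.0), (0.45, 0.5), (0.5, 0.25)]):
        print(f"psi={psi:.3f} -> {verdict}")
```

With these tables a single D1 event lifts a prior of 0.4 to about 0.87, because fraud makes a sub-hour gap ten times more likely than genuine use does; the same prior with a D4 event falls to about 0.06. That asymmetry is the point of maintaining separate FFT and GFT tables: the likelihood ratio P(Di | h) / P(Di | ¬h), not the raw frequency, drives the update.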
37. Flow of Events in the Proposed CCFD System
[Figure: flow diagram; only its labels survived extraction. Recoverable flow: Incoming Transaction T on card Ck → Rule-Based Filter (produces BPA_R1, BPA_R2) → D-S Adder (computes P(h)) → Initial Belief Analysis against θLT, θUT → Genuine/Fraudulent, or Suspicious → suspect table → Transaction History Database (FTH (generic) → FFT; GTH (user specific) → GFT) supplies P(E|h), P(E|¬h) when event E occurs → Bayesian Learner computes P(h|E), P(¬h|E), using Ck, P(Ck) from the last round → Suspicion Score Analysis against θLT, θUT (current round) → Genuine/Fraudulent]
38. Mobile Telecommunication Fraud
Detection
• An extension of the proposed approach was developed with new
features such as “transaction type” for fraud detection in
mobile communication networks, considering the domain-related
issues and including various application-specific changes [4]
– Suvasini Panigrahi, Amlan Kundu, Shamik Sural and A. K. Majumdar,
“Use of Dempster-Shafer Theory and Bayesian Inferencing for Fraud
Detection in Mobile Communication Networks”, Lecture Notes in
Computer Science (LNCS-4586), Springer Verlag, Australasian
Conference on Information Security and Privacy (ACISP), Townsville,
Queensland, Australia, Pages 446-460, 2007
39. Database Intrusion Detection
• Generalization of the proposed approach to intrusion
detection in databases by applying an extension of
Dempster-Shafer theory and Bayesian inferencing
• Sensitivity of attributes is also taken into consideration
for tracking malicious modifications
– Published in
• IEEE Symposium on Computational Intelligence in Cyber
Security (CICS 2009) [5]
• Information Systems Frontiers (Special Issue on Security
Management and Technologies for Protecting Against
Internal Data Leakages), Springer, 2010 [6]
40. References
1. A. C. Murray, “The Threat From Within”, Network Computing, URL –
http://www.networkcomputing.com/data-protection/the-threat-from-within/229616352,
August 2005
2. Suvasini Panigrahi, Amlan Kundu, Shamik Sural and A. K. Majumdar,
“Credit Card Fraud Detection: A Fusion Approach using Dempster-
Shafer Theory and Bayesian Learning”, Information Fusion (Special
Issue on Information Fusion in Computer Security), Elsevier, Vol. 10,
No. 4, Pages 354-363, 2009
3. M. Ester, H. P. Kriegel, J. Sander and X. Xu, “A Density-Based Algorithm
for Discovering Clusters in Large Spatial Databases with Noise”, In
Proceedings of the 2nd International Conference on Knowledge
Discovery and Data Mining (KDD), Pages 226-231, 1996
41. References
4. Suvasini Panigrahi, Amlan Kundu, Shamik Sural and A. K. Majumdar,
“Use of Dempster-Shafer Theory and Bayesian Inferencing for Fraud
Detection in Mobile Communication Networks”, Lecture Notes in
Computer Science (LNCS-4586), Springer Verlag, Australasian
Conference on Information Security and Privacy (ACISP), Townsville,
Queensland, Australia, Pages 446-460, 2007
5. Suvasini Panigrahi, Shamik Sural and A. K. Majumdar, “Detection of
Intrusive Activity in Databases by Combining Multiple Evidences and
Belief Update”, IEEE Symposium on Computational Intelligence in Cyber
Security (CICS 2009), Nashville, Tennessee, USA, Pages 83-90, 2009
6. Suvasini Panigrahi, Shamik Sural and A. K. Majumdar, “Two-Stage
Database Intrusion Detection by Combining Multiple Evidence and
Belief Update”, Information Systems Frontiers (Special Issue on Security
Management and Technologies for Protecting Against Internal Data
Leakages), Springer, DOI: 10.1007/s10796-010-9252-2, Pages 1-19,
Online First 11th August 2010