Abstract
This paper introduces the use of data warehousing and data mining in detecting and fighting cybercrime. A brief overview of data mining techniques and of the different types of cybercrime is presented. The paper then describes the basic mechanism behind intrusion detection systems (IDS), which are useful for improving cyber security and detecting threats, and highlights some specific intrusion detection systems that are in use.
Survey of Literature
The report by Mary DeRosa [1] provides a basic description of how data-mining techniques work, where they are applied, and the privacy implications involved. The data mining process is described as the effort to “discover useful, previously unknown knowledge by analyzing large and complex” data sets. The report also explains the basis for the models used in “automated data analysis”, the process of applying the discovered patterns to analyze new data and make predictions. Timothy [8] likewise explains the importance of automated data analysis as a means of distinguishing criminals within the large data sets that urban areas produce.
Data warehousing to counter cybercrime
generalization, normalization, data reduction and data refreshing.
4. Presentation: evaluation and interpretation of the transformed data and its effective presentation.
USTAT
USTAT (State Transition Analysis Tool for UNIX) is a real-time intrusion detection system developed for UNIX. “STAT employs rule-based analysis of the audit trails of multi-user computer systems. In STAT, an intrusion is identified as a sequence of state changes that lead the computer system from some initial state to a target compromised
NSTAT
NSTAT, the Network State Transition Analysis Tool, performs real-time network-based intrusion detection by applying the state transition analysis technique to a networked environment. The monitored system is a complex network made up of a number of sub-networks, and network attacks are represented as state transition diagrams. Using these diagrams has the advantage that the data to be collected for intrusion analysis can be determined automatically from the diagrams themselves, which in turn allows the network probes that collect it to be lightweight and scalable. [10]
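The state transition technique shared by USTAT and NSTAT can be made concrete with a small matcher. The following is an added example written for this page, not USTAT or NSTAT code: an attack signature is a state machine whose transitions fire on audit records that satisfy a guard, and reaching the compromised state raises the alert. The event names, record fields, the setuid-trojan signature and the audit trail are all constructed for the demonstration. The `required_events` method illustrates the NSTAT point that the diagram itself determines which audit data a probe has to collect, so everything else can be dropped before analysis.

```python
# Added example, not USTAT/NSTAT code. Event names, record fields, the signature
# and the audit trail below are constructed for the demonstration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

AuditRecord = Dict[str, object]
Bindings = Dict[str, object]


@dataclass
class Transition:
    src: str
    dst: str
    event: str                                          # audit event type required
    guard: Callable[[AuditRecord, Bindings], bool]      # must hold for the transition to fire
    bind: Callable[[AuditRecord, Bindings], Bindings]   # attributes remembered for later guards


@dataclass
class Signature:
    name: str
    initial: str
    compromised: str
    transitions: List[Transition]

    def required_events(self) -> Set[str]:
        """Event types a probe has to collect for this signature."""
        return {t.event for t in self.transitions}


class Tracker:
    """Follows every in-progress instance of one signature through the audit trail."""

    def __init__(self, sig: Signature) -> None:
        self.sig = sig
        self.instances: List[Tuple[str, Bindings]] = []

    def feed(self, rec: AuditRecord) -> List[Tuple[str, Bindings]]:
        alerts: List[Tuple[str, Bindings]] = []
        survivors: List[Tuple[str, Bindings]] = []
        # Any record may begin a fresh instance from the initial state.
        for state, binds in self.instances + [(self.sig.initial, {})]:
            moved = False
            for t in self.sig.transitions:
                if t.src == state and t.event == rec["event"] and t.guard(rec, binds):
                    nb = {**binds, **t.bind(rec, binds)}
                    if t.dst == self.sig.compromised:
                        alerts.append((self.sig.name, nb))
                    else:
                        survivors.append((t.dst, nb))
                    moved = True
            # Partial matches keep waiting; an instance that never left the initial state is dropped.
            if not moved and state != self.sig.initial:
                survivors.append((state, binds))
        self.instances = survivors
        return alerts


# Constructed signature: a user plants a file, sets its setuid bit, and a
# different user later executes it with the planter's effective uid.
SETUID_TROJAN = Signature(
    name="setuid-trojan",
    initial="s0",
    compromised="s3",
    transitions=[
        Transition("s0", "s1", "create",
                   lambda r, b: True,
                   lambda r, b: {"uid": r["uid"], "path": r["path"]}),
        Transition("s1", "s2", "chmod",
                   lambda r, b: r["path"] == b["path"] and r["uid"] == b["uid"]
                   and (r["mode"] & 0o4000) != 0,
                   lambda r, b: {}),
        Transition("s2", "s3", "exec",
                   lambda r, b: r["path"] == b["path"] and r["uid"] != b["uid"]
                   and r["euid"] == b["uid"],
                   lambda r, b: {"victim": r["uid"]}),
    ],
)

# Constructed audit trail; the 'read' records are noise the probe need not collect.
TRAIL: List[AuditRecord] = [
    {"event": "read",   "uid": 1001, "path": "/etc/passwd"},
    {"event": "create", "uid": 1001, "path": "/tmp/.x"},
    {"event": "chmod",  "uid": 1002, "path": "/tmp/y",  "mode": 0o644},
    {"event": "chmod",  "uid": 1001, "path": "/tmp/.x", "mode": 0o4755},
    {"event": "read",   "uid": 1002, "path": "/tmp/.x"},
    {"event": "exec",   "uid": 1002, "path": "/tmp/.x", "euid": 1001},
]


def analyze(sig: Signature, trail: List[AuditRecord]) -> List[Tuple[str, Bindings]]:
    """Keep only the events the signature needs, then run the tracker over them."""
    wanted = sig.required_events()
    tracker = Tracker(sig)
    alerts: List[Tuple[str, Bindings]] = []
    for rec in trail:
        if rec["event"] in wanted:
            alerts.extend(tracker.feed(rec))
    return alerts


if __name__ == "__main__":
    print("probe collects:", sorted(SETUID_TROJAN.required_events()))
    for name, binds in analyze(SETUID_TROJAN, TRAIL):
        print(f"ALERT {name}: {binds}")
```

Bindings carried along the transitions are what tie the three records together: the chmod must touch the file the same user created, and the exec must be by someone else yet run with the creator's uid. Without the bindings, three unrelated records of the right types would also reach the compromised state.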
IDES
IDES is a real-time intrusion-detection expert system. It is basically a stand-alone system that examines user actions on one or more monitored computer systems and flags suspicious events. IDES monitors the activities of individual users, groups, remote hosts and complete systems, and detects suspected security violations by both insiders and outsiders.
NIDES
“NIDES is an intrusion-detection system that performs
real-time user activity monitoring on multiple target
systems connected via Ethernet. NIDES runs on its own
workstation (the NIDES host) and analyzes audit data
collected from various interconnected systems. It
searches for activities that may indicate unusual and/or
malicious user behavior. Two complementary detection
units perform the analysis: a rule-based signature
analysis subsystem and a statistical profile-based
anomaly-detection subsystem. The NIDES rule-base
employs expert rules to characterize known intrusive
activity represented in activity logs, and raises alarms as
matches are identified between the observed activity
logs and the rule encodings. The statistical subsystem
maintains historical profiles of usage per user and raises
an alarm when observed activity departs from
established patterns of usage for an individual. The
alarms generated by the two analysis units are screened
by a resolver component, which filters and displays
warnings as necessary through the NIDES host X-window
interface.” [18]
EMERALD
“EMERALD stands for Event Monitoring Enabling Responses to Anomalous Live Disturbances. The detection methods used in EMERALD are, first, anomaly detection, which recognizes deviations from expected normal behavior, and second, misuse detection, which detects various known types of misuse. The system targets
both external and internal threats that attempt to
misuse the system. It generally combines signature-
based and statistical analysis components with a
resolver that interprets the analysis results. EMERALD
has a recursive framework for gathering data from the
distributed monitors to provide a global detection and
response capability that can counter attacks occurring
across an entire network. It does real-time detection of
patterns in network operations to detect malicious
activity, and responds to this activity through automated
countermeasures.
Analysis units for EMERALD include profiler engines,
signature engines and resolver. Profiler engines perform
statistical profile-based anomaly detection given a
generalized event stream of an analysis target.
Signature engines require minimal state-management and employ a rule-coding scheme to provide a distributed signature-analysis model. The resolver coordinates the monitor's external reporting system and implements the response policy. EMERALD has a hierarchically layered approach with three layers: first service analysis, second domain-wide analysis and third enterprise-wide analysis. Service analysis checks for misuse of individual components and network services within the boundary of a single domain. Domain-wide analysis then checks for misuse that is visible across multiple
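EMERALD's layered analysis can be illustrated with three correlation stages, each fed only by the layer beneath it. The code below is an added example, not EMERALD code: service monitors count failed requests per source, domain-wide analysis correlates those service alerts across services inside one domain, and enterprise-wide analysis correlates the domain alerts across domains. The event fields, the failure threshold and the sample events are constructed for the demonstration.

```python
# Added example, not EMERALD code. Event fields, the failure threshold and the
# sample events are constructed for the demonstration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    domain: str      # administrative domain the service belongs to
    service: str     # e.g. ssh, smtp, ftp
    src: str         # source address
    ok: bool         # False for a failed request


@dataclass(frozen=True)
class Alert:
    layer: str       # 'service', 'domain' or 'enterprise'
    domain: str      # '*' once the alert spans domains
    service: str     # '*' once the alert spans services
    src: str
    reason: str


FAIL_THRESHOLD = 3   # failures per (service, source) before a service monitor raises an alert


def service_layer(events: List[Event]) -> List[Alert]:
    """Service analysis: each monitor sees one service and counts failures per source."""
    fails: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[(e.domain, e.service, e.src)] += 1
    return [Alert("service", d, s, src, f"{n} failures")
            for (d, s, src), n in sorted(fails.items()) if n >= FAIL_THRESHOLD]


def domain_layer(service_alerts: List[Alert]) -> List[Alert]:
    """Domain-wide analysis: sees only service alerts and correlates a source across services."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for a in service_alerts:
        seen[(a.domain, a.src)].add(a.service)
    return [Alert("domain", d, "*", src, "services: " + ",".join(sorted(svcs)))
            for (d, src), svcs in sorted(seen.items()) if len(svcs) >= 2]


def enterprise_layer(domain_alerts: List[Alert]) -> List[Alert]:
    """Enterprise-wide analysis: sees only domain alerts and correlates a source across domains."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for a in domain_alerts:
        seen[a.src].add(a.domain)
    return [Alert("enterprise", "*", "*", src, "domains: " + ",".join(sorted(doms)))
            for src, doms in sorted(seen.items()) if len(doms) >= 2]


def analyze(events: List[Event]) -> List[Alert]:
    """Run the three layers in order; each layer consumes only the output of the one below."""
    service = service_layer(events)
    domain = domain_layer(service)
    return service + domain + enterprise_layer(domain)


def _fails(domain: str, service: str, src: str, n: int) -> List[Event]:
    return [Event(domain, service, src, False) for _ in range(n)]


# Constructed events: 10.0.0.9 sweeps two services in each of two domains,
# 10.0.0.5 hammers a single service, 10.0.0.7 fails once here and there.
SAMPLE: List[Event] = (
    _fails("sales", "ssh", "10.0.0.9", 3) + _fails("sales", "smtp", "10.0.0.9", 4)
    + _fails("hr", "ssh", "10.0.0.9", 3) + _fails("hr", "ftp", "10.0.0.9", 3)
    + _fails("sales", "ssh", "10.0.0.5", 5)
    + _fails("sales", "ssh", "10.0.0.7", 1) + _fails("hr", "ftp", "10.0.0.7", 1)
    + [Event("sales", "ssh", "10.0.0.7", True)]
)


if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(f"{a.layer:10} {a.domain}/{a.service} {a.src}: {a.reason}")
```

The point of the layering is that no single monitor needs the whole event stream: a service monitor only counts its own failures, the domain stage only sees alerts, and the enterprise stage only sees domain alerts. The single-service source (10.0.0.5) stops at the service layer, while the source sweeping several services in several domains surfaces at every layer.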
Haystack
To detect intrusions the Haystack system employs two methods of detection: anomaly detection and signature-based detection. Its anomaly detection is organized around two concepts: per-user models of how each user has behaved in the past, and pre-specified generic user-group models that define acceptable behavior for a particular group of users. Combining the two solves many of the problems that arise when either one is applied alone in an intrusion detection system. [20] The system works as shown in fig. 2.
JAM
“JAM is a distributed, scalable and portable agent-based data mining system that employs a general approach to scaling data mining applications, called meta-learning, to learn models of fraud and intrusive behavior.
References