GCN Tech Blog

By GCN Staff

Blog archive

The financial fraud security model

Today at the SAS annual Executive Conference Day for Government, we heard of a novel use for that company's financial analytics software: Watching for network intrusions. The Naval Research Lab runs a test version of SAS software that watches for anomalous events that happen on the network, using detection rules established by the banking industry.

"We've been trying to apply the financial fraud model to network security," said Keith Rohwer, who is the section head of the lab's Network Security Section, in a presentation.

In this model, "You're looking for bad activity that is hidden in the clear," he said.

Today, most network security software relies on signatures, or characterizations of malicious activity, to notice wrong-doing on the network. This approach is far too static for the ever-evolving arms race between malicious hackers and security specialists, though, especially when the stakes are critical . The serious attackers change up their methods as soon as these approaches are identified.

And this turns out to be very close to the behavior that banks see with credit card fraud. Fraudsters are quick to figure out the rules that the banks come up with to thwart nefarious activities, and then operate just underneath that threshold.

As one attendee we talked to noted, banks are required to report any cash deposits of $10,000 or more, so a money launderer may skirt detection by making multiple deposits of $9,999.99.

"Once your adversary knows your defense mechanisms, they are very quick to adapt. They get at the same information they were [trying to get] yesterday or the week before, but they try a little bit different method," Rohwer said.

To adapt to this new model, the lab's Prometheus demo loads log data into a data warehouse, and looks for spikes in abnormal behavior, such as a surge of activity coming from one outside IP address, or directed towards one Web-facing application. Not all abnormal behavior is malicious, but it is worth looking into.

Although this project has been going on for several years, it does seem like the military has been trying on new ways of thinking about network security of late, perhaps recognizing its growing importance in readiness overall. Much of what we do today in relation to network security revolves around installing patches and filing reports, neither of which is really actively defending the network. What the Navy wants to do is pursue a more vigorous approach to network defense, Rohwer said. The lab hopes to field Prometheus within the year.

Posted by Joab Jackson on May 19, 2008 at 9:39 AM


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.