The financial fraud security model
Today at the SAS annual Executive Conference Day for Government, we heard of a novel use for that company's financial analytics software: watching for network intrusions. The Naval Research Lab runs a test version of SAS software that watches for anomalous events that happen on the network, using detection rules established by the banking industry.
"We've been trying to apply the financial fraud model to network security," said Keith Rohwer, who is the section head of the lab's Network Security Section, in a presentation.
In this model, "You're looking for bad activity that is hidden in the clear," he said.
Today, most network security software relies on signatures, or characterizations of malicious activity, to notice wrongdoing on the network. This approach is far too static for the ever-evolving arms race between malicious hackers and security specialists, though, especially when the stakes are critical. The serious attackers change their methods as soon as these approaches are identified.
And this turns out to be very close to the behavior that banks see with credit card fraud. Fraudsters are quick to figure out the rules that the banks come up with to thwart nefarious activities, and then operate just underneath that threshold.
As one attendee we talked to noted, banks are required to report any cash deposits of $10,000 or more, so a money launderer may skirt detection by making multiple deposits of $9,999.99.
"Once your adversary knows your defense mechanisms, they are very quick to adapt. They get at the same information they were [trying to get] yesterday or the week before, but they try a little bit different method," Rohwer said.
To adapt to this new model, the lab's Prometheus demo loads log data into a data warehouse, and looks for spikes in abnormal behavior, such as a surge of activity coming from one outside IP address, or directed towards one Web-facing application. Not all abnormal behavior is malicious, but it is worth looking into.
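A minimal illustration of the baseline-relative spike detection described above, added here as an example and not code from NRL, SAS or the Prometheus demo: it parses constructed log lines in a hypothetical "ip hour app" format, counts events per hour for each outside IP and each Web-facing application, and flags a window only when it far exceeds that entity's own earlier rate, rather than a fixed threshold an adversary could learn and sit just under.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical, constructed log format: "<source ip> <hour bucket> <web app path>"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<hour>\d+) (?P<app>/\S+)$")


def build_sample_logs():
    """Constructed sample: seven hours of quiet traffic from three outside IPs,
    plus one IP hammering the login application in the last hour."""
    ips = ["198.51.100.4", "198.51.100.9", "203.0.113.7"]
    lines = []
    for hour in range(7):
        for ip in ips:
            lines += [f"{ip} {hour} /portal", f"{ip} {hour} /login"]
    lines += ["203.0.113.7 6 /login"] * 40  # constructed surge in hour 6
    return lines


def count_windows(lines, by):
    """Events per hour keyed by source IP (by="ip") or target app (by="app")."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        counts[m.group(by)][int(m.group("hour"))] += 1
    return counts


def flag_spikes(counts, k=3.0, min_history=3, min_count=10):
    """Flag (key, hour, count, baseline_mean) when a window's count exceeds
    that entity's own earlier mean by k standard deviations (at least k units
    when the history is flat). min_count keeps tiny baselines from alerting;
    min_history skips windows with too little history to compare against."""
    alerts = []
    hours = sorted({h for per_hour in counts.values() for h in per_hour})
    for key, per_hour in counts.items():
        for i, hour in enumerate(hours):
            if i < min_history:
                continue
            history = [per_hour.get(h, 0) for h in hours[:i]]
            threshold = max(min_count, mean(history) + k * max(pstdev(history), 1.0))
            if per_hour.get(hour, 0) > threshold:
                alerts.append((key, hour, per_hour[hour], round(mean(history), 1)))
    return alerts


if __name__ == "__main__":
    logs = build_sample_logs()
    print(flag_spikes(count_windows(logs, "ip")))   # one outside IP surges
    print(flag_spikes(count_windows(logs, "app")))  # one Web app is the target
```

The same per-entity baseline also keeps quiet hours quiet: an IP at its usual two requests an hour never crosses the threshold, which is the difference between flagging "abnormal for this source" and flagging "over a fixed number".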
Although this project has been going on for several years, it does seem like the military has been trying out new ways of thinking about network security of late, perhaps recognizing its growing importance in readiness overall. Much of what we do today in relation to network security revolves around installing patches and filing reports, neither of which is really actively defending the network. What the Navy wants to do is pursue a more vigorous approach to network defense, Rohwer said. The lab hopes to field Prometheus within the year.
Posted by Joab Jackson on May 19, 2008 at 9:39 AM