PERPETRATORS, PROFILING, POLICING: Theory - PowerPoint PPT Presentation

Provided by: kjrlan

1
PERPETRATORS, PROFILING, POLICING: Theory & Practice
8th International Investigative Psychology Conference
  • Coordinated Cyber Attacks Towards Norway in 2004
  • December 15, 2005

2
Introduction: Cyber Attacks & Incidents
  • Continuous growth in cyber crime and its related
    losses
  • Definition of cyber attacks versus cyber
    incidents
  • Terrorists may conduct attacks via or towards
    ICTs
  • Protection of the Critical Infrastructure of
    major importance
  • Information gathering and profiling used to
    reduce the amount of data
  • Profiling as part of technical tools for
    detecting anomalous behaviour (IDS and AML)
  • Behavioural profiling and investigative
    psychology for categorising and linking offenders
    and for advancing searches
  • The current study profiles cyber incidents to
    improve insight into how they are done, by
    whom and why

3
Relevant Research and Gap in Literature
  • Much research on technical security
  • Excludes the wider social and behavioural context
  • Emergence of information systems research from
    the social science tradition
  • Criminology and psychology may be used in the
    information systems security domain
  • There is a gap in inductive profiling of cyber
    incidents, largely due to the scarcity of
    statistics and information gathering
  • Information gathering from technical systems that
    may be used for behavioural profiling come from
    IDS and Firewall logs, forensic evidence etc.
  • Inductive profiling may draw on expert statements
    when little theory is developed in the area

4
Theoretical Framework
  • The current analysis builds on Howard's (1997)
    category of cyber incidents
      • Attacker
      • Tool
      • Access
      • Result
      • Objective
  • Including the target and opportunity factor
    (Willison and Backhouse, 2005)
      • Target
      • Opportunity
  • Differences between attackers and types of attack
    (Kjaerland, 2005)
  • Expert statements may be related to objective or
    opportunity of attack (as created by the target)

5
Research Problem and Question
  • Systems hold much data, which may be reduced through
    inductive (or statistical) profiling
  • Differentiate between incidents through the use
    of multidimensional scaling techniques (MDS)
  • Systematic analysis of attack/incident
    characteristics in order to distinguish between
    type of attacks (method of operation) and type of
    source (source or attacker)
  • The research problem is to profile cyber
    incidents in order to improve the understanding
    of cyber incidents, how they are done, by whom
    and why?
  • In other words, what is the structure of
    coordinated attacks, and what type of attacks are
    most characteristic from different types of
    countries?

6
Design and Method
  • Smallest Space Analysis (SSA) is used to
    understand more about the relationship between
      • type of attack (method of operation)
      • country of attack (source or attacker)
  • These categories may be seen as variants of
    Howard's (1997) typology
  • SSA is often used in relation to Facet theory,
    which allows for the reworking of a definitional
    system
  • SSA can also be used in an exploratory manner
    when a subject is not well featured in the
    literature
  • The current method is used to look at type of
    attack and country as categorical data
    (non-metric)
  • The current analysis may help improve future
    analysis by looking at the categories and the
    relationships between the variables

7
Dataset and Facets
  • Data come from an international oil company
    (Statoil) that cooperates on the project Warning
    System for Critical Infrastructure (VDI)
    coordinated by the National Authorities in Norway
  • 205 coordinated attacks towards the critical
    infrastructure in 2004 are analysed using
    Smallest Space Analysis (SSA)
  • The attacks must hit at least 5 companies
    simultaneously for them to classify as
    coordinated attacks
  • The attack type variables are Root,
    Reconnaissance, Denial of Service (DoS), and Worm
  • There are 21 countries in the analysis forming 35
    variables of countries and type of attack

8
Results - SSA
  • The analysis gave a Jaccard's coefficient of 0.12
    in 42 iterations
  • Norway and Root are close in geographical space,
    indicating that they are closely related
  • Slovenia and Root are not close in geographical
    space, indicating that they do not often appear
    together
  • Breaking and Entering: Norway, Japan, Germany,
    and Turkey
  • Random Scans & Virus/Worm: Italy, Israel, and
    Brazil
  • Crashing/Hanging Programs & Services: China,
    Canada, UK, Malaysia, and Taiwan
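
The association step that feeds an SSA of this kind, as an added example that is not part of the presentation: each incident is coded as the set of variables present (attack type and source country), and every pair of variables gets a Jaccard coefficient. The incident records are constructed for illustration, and the iterative SSA placement itself is not shown.

```python
from itertools import combinations

# Constructed sample: each incident is the set of variables present in it
# (attack types plus source country). Not data from the presentation.
INCIDENTS = [
    {"Reconnaissance", "Root", "Norway"},
    {"Reconnaissance", "Root", "Norway"},
    {"Reconnaissance", "Worm", "Italy"},
    {"Reconnaissance", "Worm", "Italy"},
    {"Reconnaissance", "Worm", "Slovenia"},
    {"DoS", "China"},
    {"Reconnaissance", "DoS", "China"},
    {"Reconnaissance", "Root", "Japan"},
]


def jaccard(incidents, a, b):
    """Jaccard coefficient of two binary variables:
    incidents containing both / incidents containing either."""
    both = sum(1 for inc in incidents if a in inc and b in inc)
    either = sum(1 for inc in incidents if a in inc or b in inc)
    return both / either if either else 0.0


def association_matrix(incidents):
    """Pairwise Jaccard coefficients for every variable seen in the incidents."""
    variables = sorted(set().union(*incidents))
    return {(a, b): jaccard(incidents, a, b)
            for a, b in combinations(variables, 2)}


def ranked_pairs(matrix):
    """Pairs ordered from most to least associated. SSA tries to preserve this
    rank order as distance order in the plot (high coefficient = close)."""
    return sorted(matrix.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (a, b), j in ranked_pairs(association_matrix(INCIDENTS))[:5]:
        print(f"{a:15s} {b:15s} {j:.2f}")
```

In this constructed sample Norway and Root co-occur often and so would be placed close together, while Root and Slovenia never co-occur and would be placed far apart.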

9
Results - Frequencies
  • Incident
      • Reconnaissance 190 of 205 cases (92.7%)
      • Worm 112 of 205 cases (54.6%)
      • Root compromise 85 of 205 cases (41.5%)
      • DoS 20 of 205 cases (9.8%)
  • Country
      • US 71 of 205 attacks (34.6%)
      • China 54 of 205 attacks (26.3%)
      • Canada 10 of 205 (4.9%)
      • Japan 9 of 205 attacks (4.4%)
      • Norway 9 of 205 attacks (4.4%)
      • UK 7 of 205 incidents (3.4%)

10
SSA Plot: Percentage Ranges
[Figure: SSA plot]

11
SSA Plot: Grouping Coordinated Attacks
[Figure: SSA plot with regions labelled Breaking & Entering; Random Scans & Virus/Worm; Crashing/Hanging Programs & Services]

12
Summary and Conclusion
  • Countries frequently attacking the critical
    infrastructure are US, China, Canada, Japan,
    Norway, and UK
  • Less industrialised countries use more worms,
    viruses, and scanning (stepping stones), whereas
    more industrialised countries use Root and DoS
    attacks
  • Some countries that were not previously
    industrialised are up-and-coming with attacks
    similar to industrialised countries
  • The understanding of cyber incidents may be
    advanced through improved collection and analysis
    of information, as well as through sharing of
    information
  • Future research in the area may be advanced
    through applying Criminal Profiling to
    Information Systems research
  • There are possibilities for more research in the
    area of Inductive Profiling of Cyber Incidents

13
Thank you for your attention!