The significant growth of online banking frauds, fueled by the underground economy of malware, raised the need for effective defense systems. As a consequence, in last the years, banks have upgraded their security measures to protect online transactions from frauds. However, fraudsters have adapted to these countermeasures developing more and more sophisticated banking Trojans, malicious software that aims at stealing banking credentials and hijacking transactions. This dissertation details our research on Internet banking fraud and financial malware analysis, trying to correlate frauds with malware campaigns in order to provide a sound detection of the two key aspects of modern online frauds, anomalous transactions and malware activity. Our contribution, regarding Internet banking fraud analysis, focuses on modeling user's behavior through his or her interaction with the online banking services from different perspectives but with the common goal of recognizing anomalous activity. In particular, our research is inspired and rooted around the idea of constructing users’ profiles from historical data in order to detect suspicious deviations from them. First, we propose BankSealer, an unsupervised decision-support and fraud- analysis system capable of automatically ranking frauds and anomalies in the online-banking ecosystem. Besides demonstrating its effectiveness, we evaluate the influence on the detection quality of the granularity at which spending habits are modeled and its security against mimicry attacks. Besides demonstrating its effectiveness, we evaluate the influence on the detection quality of the granularity at which spending habits are modeled and its security against evasive attacks. Then, we analyze the distribution of transactions in the time domain and propose a framework that aims at detecting “legitimate-looking” frauds committed by repeatedly stealing small amounts of money over time, by exploiting a precise modeling of recurrent vs. non- recurrent spending patterns. In addition, we describe a tool for generating synthetic online banking data, whose properties are borrowed from a real dataset through a statistical model of each feature distribution. Finally, thanks to the feedbacks of banking analysts on detected anomalies, we present a supervised learning analysis of the frauds perpetrated by financial malware. Related to this task, we propose a supervised learning module able to exploit analysts’ knowledge through their feedbacks in order to automatically tune BankSealer parameters and improve the produced ranking. In addition, we describe a dynamic supervised learning module able to detect fraud patterns, minimizing a cost function that depends on the number and on the type of misclassification. The aforementioned tools have been tested over different synthetic and real- world datasets, leading to interesting results. Our contributions regarding financial malware analysis focus on studying the client-side behavior of financial Trojans that perform WebInjects. This research has the goal of characterizing the malicious activity of banking trojan and then use this acquired knowledge to find a methodology in order to detect and counter them. In particular, we describe a platform able to analyze advanced banking Trojans and to generate behavioral signatures of the WebInject component thanks to a “web-page differential analysis” The results of the evaluation on a real dataset show that our solution is capable of efficiently defending financial institution against sophisticated attacks. Finally, exploiting analysts' knowledge through their feedbacks on detected fraudulent transactions, we propose a supervised learning framework that automatically classify frauds and tunes BankSealer’s parameters to improve its detection performances (i.e., push real frauds higher in the ranking).
La crescita delle frodi nel contesto dell’Internet banking, alimentata dal mercato illecito, ha reso necessaria l’adozione di sistemi di difesa efficaci ed efficienti. Di conseguenza, negli ultimi anni, le istituzioni finanziarie hanno aggiornato le loro misure di sicurezza per proteggere le transazioni dall’attività fraudolenta. Tuttavia, i frodatori si sono adattati a queste contromisure sviluppando “banking Trojan” sempre più sofisticati: software malevoli che mirano a rubare informazioni sensibili e ad eseguire transazioni fraudolente. La seguente dissertazione illustra la ricerca relativa all’analisi e al rilevamento di frodi e di malware finanziari. Lo scopo di tale ricerca è quello di rilevare i due aspetti chiave delle frodi online: transazioni fraudolente e attività dei banking Trojan, in modo da poter correlare in maniera efficace le une alle altre. Il nostro contributo riguardo l’analisi delle frodi si focalizza sulla creazione di modelli che rappresentano il comportamento dell’utente nella sua interazione con i servizi di on-line banking, con l’obiettivo di rilevare le attività anomale. In particolare, la nostra ricerca ruota attorno all’idea di costruire profili utente a partire dallo storico delle transazioni così da poter rilevare eventuali scostamenti da tali modelli. In primo luogo, proponiamo BankSealer, un sistema non supervisionato di supporto alle decisioni e di rilevamento delle frodi in grado di ordinare le transazioni in base alla possibilità che siano effettivamente fraudolente. Oltre a dimostrare la sua efficacia, abbiamo valutato quanto la granularità dei modelli del profilo dell’utente influenzi le prestazioni di rilevamento e abbiamo sottoposto il sistema a “mimicry attack” al fine di stimarne la sicurezza. In aggiunta, il problema della mancanza di dati in questo ambito è stato mitigato attraverso lo sviluppo di uno strumento per la generazione di transazioni e frodi simulate, le cui proprietà sono estratte da un dataset reale attraverso una attenta analisi statistica della distribuzione degli attributi. Vista l’esistenza di frodi che, nel tentativo di apparire come legittime, rubano piccoli importi distribuiti nel tempo, e sono perciò difficilmente rilevabili, abbiamo analizzato la distribuzione delle transazioni nel dominio del tempo e sviluppato un sistema di rilevamento delle frodi attraverso la modellizzazione di profili di spesa ricorrenti e non ricorrenti. In ultimo, al fine di incrementare le prestazioni di BankSealer riducendo falsi negativi e incrementando i veri positivi, proponiamo un sistema di tipo supervisionato che, sfruttando la conoscenza dell’analista bancario attraverso i feedback relativi alle segnalazioni, classifica in modo automatico frodi e assegna un fattore di rischio maggiore a transazioni realmente fraudolente. La valutazione sperimentale su un dataset reale mostra che le soluzioni proposte sono in grado di difendere in modo efficiente le istituzioni finanziare anche da attacchi sofisticati. Il nostro contributo riguardo l’analisi di malware finanziari si focalizza sullo studio della loro attività sui computer degli utenti infettati. In particolare, presentiamo una piattaforma in grado di analizzare banking trojan, anche complessi, che effettuano “Web inject”, ovvero modifiche malevole alle pagine web al fine di rubare informazioni sensibili. Questo viene effettuato attraverso l’analisi differenziale delle pagine web.
Internet banking fraud analysis and detection
CARMINATI, MICHELE
Abstract
The significant growth of online banking frauds, fueled by the underground economy of malware, raised the need for effective defense systems. As a consequence, in last the years, banks have upgraded their security measures to protect online transactions from frauds. However, fraudsters have adapted to these countermeasures developing more and more sophisticated banking Trojans, malicious software that aims at stealing banking credentials and hijacking transactions. This dissertation details our research on Internet banking fraud and financial malware analysis, trying to correlate frauds with malware campaigns in order to provide a sound detection of the two key aspects of modern online frauds, anomalous transactions and malware activity. Our contribution, regarding Internet banking fraud analysis, focuses on modeling user's behavior through his or her interaction with the online banking services from different perspectives but with the common goal of recognizing anomalous activity. In particular, our research is inspired and rooted around the idea of constructing users’ profiles from historical data in order to detect suspicious deviations from them. First, we propose BankSealer, an unsupervised decision-support and fraud- analysis system capable of automatically ranking frauds and anomalies in the online-banking ecosystem. Besides demonstrating its effectiveness, we evaluate the influence on the detection quality of the granularity at which spending habits are modeled and its security against mimicry attacks. Besides demonstrating its effectiveness, we evaluate the influence on the detection quality of the granularity at which spending habits are modeled and its security against evasive attacks. Then, we analyze the distribution of transactions in the time domain and propose a framework that aims at detecting “legitimate-looking” frauds committed by repeatedly stealing small amounts of money over time, by exploiting a precise modeling of recurrent vs. non- recurrent spending patterns. In addition, we describe a tool for generating synthetic online banking data, whose properties are borrowed from a real dataset through a statistical model of each feature distribution. Finally, thanks to the feedbacks of banking analysts on detected anomalies, we present a supervised learning analysis of the frauds perpetrated by financial malware. Related to this task, we propose a supervised learning module able to exploit analysts’ knowledge through their feedbacks in order to automatically tune BankSealer parameters and improve the produced ranking. In addition, we describe a dynamic supervised learning module able to detect fraud patterns, minimizing a cost function that depends on the number and on the type of misclassification. The aforementioned tools have been tested over different synthetic and real- world datasets, leading to interesting results. Our contributions regarding financial malware analysis focus on studying the client-side behavior of financial Trojans that perform WebInjects. This research has the goal of characterizing the malicious activity of banking trojan and then use this acquired knowledge to find a methodology in order to detect and counter them. In particular, we describe a platform able to analyze advanced banking Trojans and to generate behavioral signatures of the WebInject component thanks to a “web-page differential analysis” The results of the evaluation on a real dataset show that our solution is capable of efficiently defending financial institution against sophisticated attacks. Finally, exploiting analysts' knowledge through their feedbacks on detected fraudulent transactions, we propose a supervised learning framework that automatically classify frauds and tunes BankSealer’s parameters to improve its detection performances (i.e., push real frauds higher in the ranking).| File | Dimensione | Formato | |
|---|---|---|---|
|
thesis.pdf
non accessibile
Descrizione: Testo della Tesi
Dimensione
8.18 MB
Formato
Adobe PDF
|
8.18 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/132107