Slide 2: Sharing eCrime Data Across National Borders
Patrick Cain, Resident Research Fellow
Slide 3: Agenda
Overview of Event Collection
Event Collection Evolution
Old Solutions, New Problems
A Plan
Current Status
Slide 4: A Look Backwards
Many years ago, we started a block list of phishing ‘site’ URLs
We ignored spam, malware, etc., sites
But phishing is now smushed with everything else – one lure gets you a phish, malware, and other prizes
Having the URL is nice, but is no longer complete
It didn’t help us find the ‘bad guy’
Slide 5: So we expanded the dataset
We convinced people to send in more than the URL: spam source, collector DNS data, etc.
Crafted a common format ;) Lets us send/receive data with others with little additional work
Initial pain: the tools got more complex; new data ‘types’ appeared – cyber bullying, extortion, …
Slide 6: It’s time to play nice with others
The data collectors are exchanging datasets
Data from phishing lure sources that also do other things
Data correlation has led down new paths
Others were using our datasets to generate interesting correlations
We needed to start thinking bigger, or at least more complex, about our datasets
Slide 7: Our definition of ‘data’ changed
[Diagram: ARTIFACT (IP Address + Timestamp) -> EVENT (Context: Phishing URL, spam source, etc.) -> INCIDENT (Correlation) -> CRIME?]
Slide 8: Our definition of ‘data’ changed
Artifacts: IP address, timestamp
Events: artifacts with context (IP address + phish + collector data + metadata)
Incident: events with large-area correlation, e.g., 5680 events from same server ->> 2 banks
Crime?
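As an added illustration of the artifact/event/incident layering on this slide (example code written for this page, not the presenter's or APWG's own tooling), the Python below models the three layers and performs the "same server, several targets" correlation the slide describes. The field names, the thresholds, and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


# Layer 1: an artifact is just an IP address plus a timestamp (as on the slide).
@dataclass(frozen=True)
class Artifact:
    ip: str
    timestamp: datetime


# Layer 2: an event is an artifact with context. The context fields here
# (kind, target, collector, url) are assumed for the example.
@dataclass(frozen=True)
class Event:
    artifact: Artifact
    kind: str        # e.g. "phishing_url" or "spam_source"
    target: str      # the brand or organisation the lure impersonates
    collector: str   # which feed reported it (collector data/metadata)
    url: str = ""


# Layer 3: an incident is a set of events tied together by a wide correlation,
# here "many events from the same source server against more than one target".
@dataclass
class Incident:
    source_ip: str
    events: list[Event]
    targets: set[str]

    @property
    def event_count(self) -> int:
        return len(self.events)


def make_event(ip: str, ts: str, kind: str, target: str, collector: str) -> Event:
    """Build an event from raw feed fields (timestamps in ISO 8601)."""
    return Event(Artifact(ip, datetime.fromisoformat(ts)), kind, target, collector)


def correlate_by_source(events: list[Event], min_events: int = 2,
                        min_targets: int = 2) -> list[Incident]:
    """Group events by source IP and promote a group to an incident when it
    has at least min_events events spread over at least min_targets targets.
    The thresholds are arbitrary example values, not the presenter's."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.artifact.ip].append(ev)

    incidents = []
    for ip, evs in sorted(by_ip.items()):
        targets = {e.target for e in evs}
        if len(evs) >= min_events and len(targets) >= min_targets:
            incidents.append(Incident(ip, evs, targets))
    return incidents


def summarize(incidents: list[Incident]) -> list[dict]:
    """Flatten incidents into the kind of summary a sharing partner would see."""
    return [{"source_ip": i.source_ip, "events": i.event_count,
             "targets": sorted(i.targets)} for i in incidents]


# Constructed sample events (documentation-range IPs, fictional brands and feeds).
SAMPLE_EVENTS = [
    make_event("203.0.113.10", "2012-05-01T10:00:00", "phishing_url", "BankA", "feedX"),
    make_event("203.0.113.10", "2012-05-01T10:05:00", "phishing_url", "BankA", "feedY"),
    make_event("203.0.113.10", "2012-05-01T11:00:00", "phishing_url", "BankB", "feedX"),
    make_event("203.0.113.10", "2012-05-02T09:30:00", "spam_source", "BankB", "feedZ"),
    make_event("192.0.2.5", "2012-05-01T12:00:00", "phishing_url", "BankA", "feedX"),
    make_event("192.0.2.5", "2012-05-01T12:30:00", "phishing_url", "BankA", "feedY"),
    make_event("198.51.100.7", "2012-05-03T08:00:00", "spam_source", "BankC", "feedX"),
]

if __name__ == "__main__":
    for row in summarize(correlate_by_source(SAMPLE_EVENTS)):
        print(row)
```

Only the first server becomes an incident with the default thresholds: it has four events against two different targets, while 192.0.2.5 hits a single brand and 198.51.100.7 reports a single event. Lowering `min_targets` to 1 also promotes the two-event, one-target server, which is the kind of threshold choice that has to be agreed between sharing partners before an "incident" means the same thing on both sides.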
Slide 9: New challenges
We know how to combine artifacts into an event
We know how to relate events into an incident
Could we correlate events into a ‘crime’? Where ‘crime’ is: enough data to identify the actor(s) behind the activity
Support ‘Group Forensics’(SM)
Solid data to help/direct the police/polita/cop/bob/etc.
Private industry still does the brunt of the discovery work
How do we talk/share with the cops (intel vs. evidence)?
Slide 10: New problems; old solutions
What is ‘crime’? No good universal definitions for fraud, etc. What specific data is required to completely describe it?
How does a ‘crime report’ move around? Are there new integrity constraints? The standard barriers to trust get invoked
What is an acceptable format? XML must be the answer.
Do the current privacy and security models still work?
Slide 11: The racetrack for success
Every time we talk about sharing data electronically we run the same obstacle course:
What are we trying to share?
Are there required data items?
Are there sensitive data items?
Is there already a format to share the data?
Has someone or some group already defined these things?
If not, where is the expertise to figure it out?
If so, what can we do to help get it operational or useful?
Slide 12: Our partners’ efforts
We thought judiciary types would be all over this; we’re kind of right
Most treaty organizations have an effort underway
EUROPOL announced a new analysis center recently
UN, ENISA, OSCE, OECD, G8, etc., all have on-going efforts
Many are not making headway or are stuck on the challenges slide
We’re wondering if there is a ‘problem’ to ‘solve’, and, if so, what is it?
Slide 13: The challenges
Cops don’t speak geek & geeks don’t speak cop: discovering a common language is hard! Currently a techie is always the interface
Identifying eCrime that would benefit from aggregation: botz? spam? attacks?
Defining the data elements to put into a ‘report’: required and optional and descriptive
Slide 14: Our (optimistic) Work Plan
Get everyone to speak the same language: gather common definitions (IPC); propose a taxonomy (IPC + Research dept)
Identify impediments for common data sharing: IEEE/APWG Stop-eCrime WG is tackling this
‘Collect’ some of the crime data, like the global phishing report does; leverage the unofficial data to move sharing ahead
Slide 15: Taxonomy
Slide 16: Status of our efforts
The APWG has been doing some of the ‘thinking’:
Trying to develop a CONOPS (flow diagrams) on how this would work
Developing some acceptable crime definitions
Exploring inter-organization impediments
Using our partners’ efforts to see if we’re going down the right path
Most of those efforts are awaiting funding or direction
Thinking about a test case (longer-term thought), maybe using our bot reporting system
Slide 17: How *you* can help (i.e., FIRST-24 theme “crime is not an island”)
We’d love to talk to you if:
you have thought about correlating incidents into crimes, particularly if you’ve written down your thoughts
you are aware of an existing group effort to do this work, especially people who are *doing*, not talking
Slide 18: Info: global phishing report 2H11
Slide 19: Thank you
Pat Cain (pcain@apwg.org), Resident Research Fellow, APWG