8/3/2019 A Million Mousetraps
1/20
A Million Mousetraps
Using Big Data and Little Loops to Build Better Defenses
Allison Miller, Tagged
Overview
Protecting customers on an open platform
Big data + Little loops enable automation via analytics
Decisions as defenses
Putting your data to work
the
interde en
the
orous
so, about that
Spam
Credential Theft
Malware
Bots
Account takeover
Fraud
DOS
Phish
Griefers
Scammers
The Better Mousetrap
Automates defensive action x-platform
- Fast
  In Real Time
  In Time to Minimize Loss
- Accurate
  Reasonable False Positives
  As good as a human specialist
- Cheap
  Reduces More Loss than Cost Created
  Cheaper than Manual intervention
Big Data & Little Loops
APPLIED RISK ANALYTICS
Use of technology, data, research & statistics to solve problems associated with losses or costs due to security vulnerabilities / gaps in a system -- resulting in the deployment of optimized detection, prevention, or response capabilities.
Decisions, Decisions
RESPONSE: Authorize / Block
POPULATION: Good / Bad
Good + Block = false positive: Good Action Gets Blocked
Bad + Authorize = false negative: Bad Action Gets Through
Incorrect decisions have a cost
Correct decisions are free (usually)
Downstream Impacts
Applying Decisions
Risk management is decision management
ACTOR ATTEMPTS ACTION
SUBMIT
WHAT IS THE REQUEST
HOW TO HONOR THE REQUEST
SHOULD WE HONOR?
RESULT: ACTION OCCURS
For example:
ACTOR ATTEMPTS Payment
p(actor attempting payment is accountholder)
Decision
- Authorize
- Review
- Refer
- Request Authentication
- Decline
f(variable A + Variable B + ...)
SUBMIT
Study history...
User IP Country
Billing Country
Buying prepaid mobile phones
Add new shipping address in cart
However
Buyer = Phone reseller, static machine ID
How much $$ is at risk?
What is normal for this customer?
What bad profiles does this match?
SHALL WE PLAY A GAME?
(SINCE WE CAN'T PLAY CLUE FOR EVERY
LOGIN
TRANSACTION
NEW USER
MESSAGE
FRIEND REQUEST
ATTACHMENT
PACKET
WINK
POKE
CLICK
WE BUILD RISK MODELS)
Model Development Process
Target -> Yes/No questions best
Find Data, Variable Creation -> Best part
Data Prep -> Worst part
Model Training -> Pick an algorithm
Assessment -> Catch vs FP rate
Deployment -> Decisioning vs Detection
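The assessment step above (catch vs FP rate), combined with the earlier point that incorrect decisions have a cost, as an added Python example that is not part of the original slides. The scored history, the 20% false-positive cost rate and the candidate thresholds are constructed assumptions.

```python
# Constructed labelled history: (model score, was_bad, dollar amount).
HISTORY = [
    (0.97, True, 400.0), (0.91, True, 120.0), (0.88, False, 60.0),
    (0.74, True, 250.0), (0.66, False, 35.0), (0.52, True, 80.0),
    (0.41, False, 500.0), (0.33, False, 20.0), (0.18, True, 45.0),
    (0.12, False, 75.0), (0.07, False, 300.0), (0.03, False, 15.0),
]
# Assumption: blocking a good action costs 20% of its value
# (lost margin, support contact, churn).
FP_COST_RATE = 0.20
CANDIDATES = [0.1, 0.3, 0.5, 0.7, 0.9]

def assess(history, threshold):
    """Block every score >= threshold; report catch rate, FP rate and cost."""
    bad = [r for r in history if r[1]]
    good = [r for r in history if not r[1]]
    caught = [r for r in bad if r[0] >= threshold]
    blocked_good = [r for r in good if r[0] >= threshold]
    # False negatives: bad actions that get through cost their full amount.
    missed_loss = sum(r[2] for r in bad if r[0] < threshold)
    # False positives: good actions that get blocked cost a share of theirs.
    friction = FP_COST_RATE * sum(r[2] for r in blocked_good)
    return {
        "threshold": threshold,
        "catch_rate": len(caught) / len(bad),
        "fp_rate": len(blocked_good) / len(good),
        "cost": missed_loss + friction,
    }

def best_threshold(history, candidates):
    """Pick the cut-off with the lowest total cost of incorrect decisions."""
    return min((assess(history, t) for t in candidates),
               key=lambda row: row["cost"])

if __name__ == "__main__":
    for t in CANDIDATES:
        row = assess(HISTORY, t)
        print(f"t={t:.1f} catch={row['catch_rate']:.2f} "
              f"fp={row['fp_rate']:.2f} cost=${row['cost']:.0f}")
    print("best:", best_threshold(HISTORY, CANDIDATES))
```

On this sample the highest catch rate (threshold 0.1) is not the cheapest choice, because the false positives it creates cost more than the one loss it additionally stops.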
User IP Country
Billing Country
Buying prepaid mobile phones
Add new shipping address in cart
Buyer = Phone reseller, static machine ID
How much $$ is at risk?
What is normal for this customer?
What bad profiles does this match?
Geolocate IP
Convert geo to country code
Flag on Mismatch
Cart Category
Merch Risk Level
Date Added
Address Type
String Matching
Customer Profile
Device ID
Device History
TXN-$-AMT
Churn Risk, C... TXNs, login
Stolen CC
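The variable-creation step on this slide, carried through to the decision tiers of the earlier payment example, as an added Python example that is not from the original deck. The field names, merchandise risk table, weights, bias and cut-offs are constructed assumptions; a trained model would supply the weights.

```python
import math

# Constructed merchandise risk table and model weights (assumptions) for
# f(variable A + variable B + ...).
MERCH_RISK = {"prepaid_mobile": 0.9, "electronics": 0.6, "books": 0.1}
WEIGHTS = {"geo_mismatch": 1.2, "merch_risk": 2.0, "new_ship_addr": 1.0,
           "known_device": -2.5, "amount_vs_normal": 0.8}
BIAS = -3.0

def make_variables(txn, profile):
    """Variable creation: raw transaction fields -> model inputs."""
    ratio = txn["amount"] / max(profile["median_amount"], 1.0)
    return {
        "geo_mismatch": float(txn["ip_country"] != txn["billing_country"]),
        "merch_risk": MERCH_RISK.get(txn["cart_category"], 0.5),
        "new_ship_addr": float(txn["ship_addr_age_days"] < 1),
        "known_device": float(txn["device_id"] in profile["devices"]),
        # How unusual is the amount for this customer (log scale, capped)?
        "amount_vs_normal": min(math.log2(max(ratio, 1.0)), 4.0),
    }

def p_bad(variables):
    """Logistic score: probability the actor is not the account holder."""
    z = BIAS + sum(WEIGHTS[name] * value for name, value in variables.items())
    return 1.0 / (1.0 + math.exp(-z))

def decide(p, amount):
    """Map risk and dollars at risk onto the decision tiers."""
    if p < 0.05:
        return "Authorize"
    if p < 0.30:  # moderate risk: step up only when real money is exposed
        return "Review" if p * amount < 50 else "Request Authentication"
    return "Refer" if p < 0.70 else "Decline"

def score(txn, profile):
    p = p_bad(make_variables(txn, profile))
    return round(p, 3), decide(p, txn["amount"])

# Constructed sample: the same risky-looking cart from two customers.
CART = {"ip_country": "DE", "billing_country": "US", "amount": 400.0,
        "cart_category": "prepaid_mobile", "ship_addr_age_days": 0}
STRANGER = ({**CART, "device_id": "dev-new"},
            {"median_amount": 50.0, "devices": {"dev-1"}})
RESELLER = ({**CART, "device_id": "dev-static"},
            {"median_amount": 400.0, "devices": {"dev-static"}})

if __name__ == "__main__":
    print("stranger:", score(*STRANGER))   # (0.968, 'Decline')
    print("reseller:", score(*RESELLER))   # (0.182, 'Request Authentication')
```

The cart is identical in both cases; only the customer history (usual spend and a known, static device) moves the reseller from a decline to a step-up.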
p-value of significance, throw out if > .05
Variance in dependent variable explained by independent variables
Dependent Variable
Independent Variables
Factor odds of dependent go up when independent var incremented
p-value should be