Source file: nflaw/EIE4114Sem22018-19/part3s.pdf (EIE4114, Semester 2, 2018-19, part 3 slides)
Machine Learning Forensics
Forensic Framework
- Collection: identify and collect digital evidence (selective acquisition? cloud storage? generate a data subset for examination?)
- Examination of evidence: string search? pattern matching? data visualization (time-line analysis)?
- Analysis: data mining? (cluster analysis, discriminant analysis, rule mining); determine data significance and draw a conclusion
  - Attribution: “Who did it?” (source)
  - Authentication: synthetic data? forgery?
- Presentation
Forensics Problems
- Data is evidence
- Collect data from every source (credit card transactions, cell calls, email, chat, browser history, documents, data stored in databases, …)
- Web and wireless crimes (digital)
- Big volume, high velocity, heterogeneous in nature
- Recognizing patterns and analyzing the data by hand requires huge manpower
Computational Forensics
- Computational methods applied to forensics
- Large-scale investigations: large volumes of data from a wide range of sources (e.g., malware traces: identify patterns)
- Automation: a simple triangulation method can estimate the location of an IP address within one to two minutes
- Analysis: machine learning
Machine Learning
- “gives computers the ability to learn without being explicitly programmed”
- “provides systems the ability to automatically learn and improve from experience”
- The process of learning begins with observations or data (examples, direct experience), in order to look for patterns in the data and make better decisions in the future based on the examples that are provided
Machine Learning Forensics
- Analyze vast amounts of data to discover risk and to detect criminal behaviour (recognize patterns of criminal activities)
- Seeks to learn from experience/data to predict future criminal behaviour (prevent digital crimes, or apply real-time countermeasures in response)
Incorporate ML in Forensics
- Analysis: use of machine learning to derive knowledge that addresses the purpose of the investigation
- Reporting/Presentation: describe the actions used, explain how tools and procedures were selected, determine what other actions need to be performed (e.g., examine additional data sources, attributes and variables; secure identified vulnerabilities; provide recommendations for improvement to policies, procedures, tools, etc.)
Example: Fraud Detection
Step 1: understand the investigation objective
- Know the requirements from a business or law-enforcement perspective
- Convert them into a forensic problem definition
- Draft a preliminary plan; outline the benefits of the machine learning approach
Step 2: understand the data
- Understand the fraud or crime that needs to be detected; ensure the appropriate data sets are collected
- Identify data quality problems and see how they will impact the results obtained
- Form hypotheses
Example: Fraud Detection
Step 3: data preparation strategy
- Data attribute selection
- Data cleaning/transformation: how to deal with missing values
Step 4: forensic modeling
- Several approaches are possible for the same fraud detection task
- Construct multiple models/approaches to compare error rates; used in co-operation?
Step 5: investigation evaluation
- Evaluate the results and review the steps used to construct them
- High number of false positives? Customers will get upset; business processes may be delayed
- Any model requires a commitment to continuous learning and improvement, with automated monitoring
- Refresh the model to capture the ever-changing characteristics of criminal avoidance
- E.g., fraudsters’ patterns changed too rapidly for a purely rules-based approach to be effective
Example: https://www.ncr.com/financial-services/enterprise-fraud-prevention/fractals
Terminology: Machine Learning
- Learn from past experiences: past experiences are represented by the data
- Methods:
  - Supervised: data are labeled with pre-defined categories, which provide the supervision
  - Unsupervised: data are unlabeled; the goal is to identify patterns
Terminology
- Extractive Forensics: goal is to extract relationships, discover networks of associations and find key concepts in unstructured content (link analysis, text mining)
- Inductive Forensics: clustering incidents and crimes; unsupervised learning: determine how the data are organized
- Deductive Forensics: decision trees, rule generators
Application example
- A credit card company receives thousands of applications for new cards. Each application contains information about an applicant: age, marital status, annual salary, outstanding debts, credit rating, …
- Problem: decide whether an application should be approved, i.e., classify applications into two categories, approved and not approved.
Application example: Machine Learning Forensics
- Earliest applications: employed by credit card issuers to monitor and detect potential credit card theft
- Dataset: contains both legal and illegal transactions
- Learn from these transactions and make predictions for “future transactions”
An example statement
- Data: credit card application data
- Task: predict whether an application should be approved or not
- Performance measure: accuracy
- No learning: classify all future applications (test data) to the majority class (i.e., Yes): accuracy = 9/15 = 60%. We can do better than 60% with learning.
Extractive Forensics: Link Analysis and Text Mining

Link Analysis
- Aim: uncover hidden associations: “who knew whom, where and when”
- Initial type of analysis: analyze cell phone calls (numbers that have been dialed), emails, text messages between suspects and associates, and transactions during a given time frame
- Circles/nodes: individuals/companies; links (edges): convey the strength of relationships; the stronger the link, the thicker the line connecting them
- Provides a graphical network displaying crucial relationships; the hope is that it simplifies and narrows the scope of the investigation
- Search for outliers, understand known patterns, discover new patterns
Link Analysis
Example (Handout)
- A list of suspects: {Able, Baker, Charley, David, Edwards and Frank}
- They participated in various activities: Baker was involved in “weapons theft” and “bombing”; Charley was involved in “weapons theft”; Edwards was in “bombing”
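The handout network above, as an added example that is not part of the original slides: the suspect/activity table is projected onto suspect-to-suspect links whose strength is the number of shared activities, and hubs and isolated suspects are then read off, which is how a link chart narrows an investigation. The table is constructed from the slide; Able, David and Frank are assumed to have no listed activity.

```python
from itertools import combinations

# Constructed input, based on the handout slide: suspect -> set of activities.
# Able, David and Frank have no activity listed on the slide, so they stay isolated.
SUSPECT_ACTIVITIES = {
    "Able": set(),
    "Baker": {"weapons theft", "bombing"},
    "Charley": {"weapons theft"},
    "David": set(),
    "Edwards": {"bombing"},
    "Frank": set(),
}

def link_network(activities):
    """Project the suspect/activity table onto suspect-suspect links.
    A link exists only when two suspects share an activity; its strength
    (the 'thickness of the line' on a link chart) is the list of shared activities."""
    links = {}
    for a, b in combinations(sorted(activities), 2):
        shared = activities[a] & activities[b]
        if shared:
            links[frozenset((a, b))] = sorted(shared)
    return links

def strength(links, a, b):
    """Number of activities linking a and b; 0 means no link."""
    return len(links.get(frozenset((a, b)), []))

def weighted_degree(links):
    """Total link strength per suspect. The highest-scoring node is the hub
    that connects otherwise separate people, so it narrows where to look first."""
    degree = {}
    for pair, shared in links.items():
        for suspect in pair:
            degree[suspect] = degree.get(suspect, 0) + len(shared)
    return degree

def isolated(activities, links):
    """Suspects with no link at all: outliers relative to the known network."""
    linked = set().union(*links)
    return sorted(s for s in activities if s not in linked)
```

On the handout data Baker is the hub (linked to both Charley and Edwards), Charley and Edwards are not linked to each other, and the three suspects with no recorded activity fall out as isolated nodes.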
Example
- Case study: major drug case https://www.youtube.com/watch?v=FzmrLDHXJ50
- Visualizing call data records https://www.youtube.com/watch?v=J38tKqq9kpY
- Analyzing a criminal network using link analysis https://www.youtube.com/watch?v=UYdXOXpT9wM
Link Analysis
- Two roles for investigators: enables visualization of relationships; leads to the discovery of different types of node associations
- Weakness: requires human interpretation
- Example usage:
  - Dept of Homeland Security: uses link analysis to create networks of associations in travelers’ screenings
  - MarketVisual: provides online visual relationship mapping. This website can discover relationships of companies or persons under investigation (http://www.marketvisual.com/)
Case Study (ex 1 and ex 2)
Text Mining
- Aim: sorting and organizing massive amounts of unstructured information: documents, notes, emails, chat, web forms, voice
Tree Design: Entropy_{age}(D)

Age     Yes  No  entropy(D_i)
young   2    3   0.971
middle  3    2   0.971
old     4    1   0.722

$\mathrm{Entropy}(\text{old}) = -\frac{4}{5}\log_2\frac{4}{5} - \frac{1}{5}\log_2\frac{1}{5} = 0.722$

$\mathrm{Entropy}_{age}(D) = \frac{5}{15}\times 0.971 + \frac{5}{15}\times 0.971 + \frac{5}{15}\times 0.722 = 0.888$
Tree Design: Entropy_{has_job}(D)
Has_job: true, false
Entropy(TRUE) =
Entropy(FALSE) =
Entropy_{has_job}(D) =

has_job  Yes  No  entropy(D_i)
TRUE
FALSE
Tree Design: Entropy_{own_house}(D)
Own_house: true, false
Entropy(TRUE) =
Entropy(FALSE) =
Entropy_{own_house}(D) =

own_house  Yes  No  entropy(D_i)
TRUE
FALSE
Tree Design: Entropy_{credit_rating}(D)
Credit_rating: fair, good, excellent
Entropy(fair) =
Entropy(good) =
Entropy(excellent) =
Entropy_{credit_rating}(D) =

credit_rating  Yes  No  entropy(D_i)
fair
good
excellent
Tree Design: info gain
Entropy(class) = 0.971
Entropy_{age}(D) = 0.888; info gain from “Age” = 0.971 - 0.888 = 0.083
Entropy_{has_job}(D) = 0.647; info gain from “job” = 0.324
Entropy_{own_house}(D) = 0.551; info gain from “house” = 0.42
Entropy_{credit_rating}(D) = 0.608; info gain from “credit” = 0.363
own_house! (largest information gain, so it is chosen as the root split)
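The entropy and information-gain calculation from the slides above, as an added worked example in Python that is not part of the original slides. The 15-row application table is constructed here; its per-attribute counts reproduce the figures quoted on the slides (9 Yes / 6 No; Age: young 2/3, middle 3/2, old 4/1), and the code generalizes the Age calculation to every attribute and picks the root split.

```python
from collections import Counter
from math import log2

# Constructed sample table (not taken from the slides): 15 credit-card
# applications whose counts reproduce the figures quoted on the slides
# (9 Yes / 6 No overall; Age: young 2/3, middle 3/2, old 4/1; etc.).
# Columns: age, has_job, own_house, credit_rating, class
APPLICATIONS = [
    ("young", False, False, "fair", "No"), ("young", False, False, "good", "No"),
    ("young", True, False, "good", "Yes"), ("young", True, True, "fair", "Yes"),
    ("young", False, False, "fair", "No"), ("middle", False, False, "fair", "No"),
    ("middle", False, False, "good", "No"), ("middle", True, True, "good", "Yes"),
    ("middle", False, True, "excellent", "Yes"), ("middle", False, True, "excellent", "Yes"),
    ("old", False, True, "excellent", "Yes"), ("old", False, True, "good", "Yes"),
    ("old", True, False, "good", "Yes"), ("old", True, False, "excellent", "Yes"),
    ("old", False, False, "fair", "No"),
]
ATTRIBUTES = {"age": 0, "has_job": 1, "own_house": 2, "credit_rating": 3}
CLASS = 4

def entropy(rows):
    """Entropy of the class label over rows (bits); 0 for a pure subset."""
    n = len(rows)
    return -sum(c / n * log2(c / n) for c in Counter(r[CLASS] for r in rows).values())

def split_entropy(rows, attr):
    """Entropy_attr(D): entropy of each subset D_i induced by attr, weighted by |D_i|/|D|."""
    col = ATTRIBUTES[attr]
    groups = {}
    for r in rows:
        groups.setdefault(r[col], []).append(r)
    return sum(len(g) / len(rows) * entropy(g) for g in groups.values())

def info_gain(rows, attr):
    """Information gain = Entropy(D) - Entropy_attr(D)."""
    return entropy(rows) - split_entropy(rows, attr)

def best_root_attribute(rows):
    """The tree-design choice for the root: the attribute with the largest gain."""
    return max(ATTRIBUTES, key=lambda a: info_gain(rows, a))

if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"{a:14s} Entropy_attr(D) = {split_entropy(APPLICATIONS, a):.3f}"
              f"  gain = {info_gain(APPLICATIONS, a):.3f}")
    print("root split:", best_root_attribute(APPLICATIONS))
```

Running it reproduces the slide values (0.888, 0.647, 0.551, 0.608 and the corresponding gains) and selects own_house as the root.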
Case Study (Violent Crime – Example 6)
- Crimes: red: an arrest for a violent crime; yellow: an arrest for a crime that is not violent; green: no arrest
- Factors: age, number of prior arrests
- Can be used for prediction: cases with unknown outcomes
Case Study (Predicting Crime – Example 7)
- Crime records from 2005-2015: offence, number of male students, number of female students, number of 100-level students, number of 200-level students, number of 300-level students and number of 400+-level students
- Programme, sex, offence, expulsion period and
- Develop preventive measures to prevent crimes from taking place
Summary
- Link Analysis: discover knowledge from connections/relationships, characterize relationships, identify groups/subgroups; facilitates crime investigation and social network investigation; requires human intervention
- Text mining: discover knowledge from textual data (keyword extraction); handling the velocity of big textual data
- Clustering & Decision tree: discover patterns from historical data; supervised: data are labeled, used for prediction; unsupervised: data are unlabeled