[Federal Register Volume 76, Number 79 (Monday, April 25, 2011)]
[Pages 22925-22926]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-9877]
Assumption Buster Workshop: Abnormal Behavior Detection Finds 
Malicious Actors

AGENCY: The National Coordination Office (NCO) for the Networking and 
Information Technology Research and Development (NITRD) Program, 
National Science Foundation.

ACTION: Call for participation.
DATES: Workshop: June 20, 2011; Deadline: May 13, 2011. Apply via 
e-mail to [email protected]. Travel expenses will be paid at 
the government rate for selected participants who live more than 50 
miles from Washington DC.

SUMMARY: The NCO, on behalf of the Special Cyber Operations Research 
and Engineering (SCORE) Committee, an interagency working group that 
coordinates cyber security research activities in support of national 
security systems, is seeking expert participants in a day-long workshop 
on abnormal and malicious behavior detection. The workshop will be held 
June 20, 2011 in the Washington DC area. Applications will be accepted 
until 5 p.m. EDT, May 13, 2011. Accepted participants will be notified 
by May 25, 2011.

    Overview: This notice is issued by the National Coordination Office 
for the Networking and Information Technology Research and Development 
(NITRD) Program on behalf of the SCORE Committee.
    There is a strong and often repeated call for research to provide 
novel cyber security solutions. The rhetoric of this call is to elicit 
new solutions that are radically different from existing solutions. 
Continuing research that achieves only incremental improvements is a 
losing proposition. We are lagging behind and need technological leaps 
to get, and keep, ahead of adversaries who are themselves rapidly 
improving attack technology. To answer this call, we must examine the 
key assumptions that underlie current security architectures. 
Challenging those assumptions both opens up the possibilities for novel 
solutions that are rooted in a fundamentally different understanding of 
the problem and provides an even stronger basis for moving forward on 
those assumptions that are well-founded. The SCORE Committee is 
conducting a series of four workshops to begin the assumption
buster process. The assumptions that underlie this series are that 
cyber space is an adversarial domain, that the adversary is tenacious, 
clever, and capable, and that re-examining cyber security solutions in 
the context of these assumptions will result in key insights that will 
lead to the novel solutions we desperately need. To ensure that our 
discussion has the requisite adversarial flavor, we are inviting 
researchers who develop solutions of the type under discussion, and 
researchers who exploit these solutions. The goal is to engage in 
robust debate of topics generally believed to be true to determine to 
what extent that claim is warranted. The adversarial nature of these 
debates is meant to ensure the threat environment is reflected in the 
discussion in order to elicit innovative research concepts that will 
have a greater chance of having a sustained positive impact on our 
cyber security posture.
    The fourth topic to be explored in this series is ``Abnormal 
Behavior Detection Finds Malicious Actors.'' The workshop on this topic 
will be held in the Washington, DC area on June 20, 2011.
    Assertion: ``Abnormal Behavior Detection Finds Malicious Actors.''
    In an effort to reduce losses due to fraud, financial services 
companies have been fairly successful in establishing fraud detection 
analytics, based on abnormal behavior identification, which identify 
financial transactions that seem out of norm for a particular financial 
services customer. For example, credit card companies acting on this 
information will contact cardholders to validate anomalous behavior, or 
if costs are high, and users unavailable, can freeze accounts until the 
anomaly is investigated. In this way, they can curtail the loss due to 
prolonged invalid use of a credit card. Fraud detection algorithms 
(based on user behavior models) and procedures immediately set off 
account alarms and/or deny additional transactions after they have 
detected a fraudulent or suspicious transaction. Depending upon the 
fraud method (e.g., automated gasoline purchase), they may not always 
block the first fraudulent transaction on a given card.
    Online banking institutions employ similar behavioral models to 
monitor the size and destinations of financial transfers and online 
transactions (such as a change of address or payee), and will delay 
transfers until the customer can be reached to confirm the 
transactions and/or provide additional authentication. Despite the use 
of best available behavior modeling and monitoring, financial 
institutions continue to sustain significant financial loss from fraud. 
Can the field of fraud detection (and cybersecurity in general) be 
improved by new technology and approaches?
    Fraud detection works on the assumption that malicious fiscal 
behavior is a subset of abnormal behavior--if the fraudulent user 
mimics the financial behavior of the authorized user, these methods do 
not work. Detection methods do not assume that malicious behavior is 
automatically distinguishable from unusual behavior on the part of 
authorized users. The fraud detection algorithms use the financial 
services customer's history to build a profile of ``normal'' 
transactions and develop thresholds for unusual behavior. The volume of 
transactions allows for reasonable thresholds to be established. Fraud 
detection methods rely on strong models of normal behavior, or known 
criminal behavior characteristics. The development of many of these 
models is aided by the fact that the value of a transaction is numeric 
and allows sets of values to be analyzed with well understood 
algorithms. For example, credit card purchases have relatively small 
and fixed semantics: Store names are typed, businesses are categorized, 
relationships among businesses and purchases by card users are fairly 
easy to establish (e.g., people who buy plane tickets may also purchase 
luggage, or may eat out more when they are away, or may spend more in 
general while traveling). These models enable gradual change in 
behavior to be learned and help drive down false alerts.
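As an added illustration of the profile-and-threshold approach described above (example code written for this page, not part of the notice or of any institution's system; the cardholder history, merchant categories, the 3-standard-deviation threshold and the spread floor are constructed assumptions), a small per-category model that holds out-of-profile transactions for customer confirmation, learns gradual change from approved ones, and exhibits the stated limitation that fraud mimicking the customer's own pattern passes unflagged:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history for one cardholder (invented sample data, not from the notice): (category, amount USD).
HISTORY = [
    ("grocery", 62.10), ("grocery", 58.40), ("grocery", 71.25), ("grocery", 65.00),
    ("gasoline", 40.00), ("gasoline", 42.50), ("gasoline", 38.75), ("gasoline", 41.00),
    ("restaurant", 28.00), ("restaurant", 35.50), ("restaurant", 31.20), ("restaurant", 30.10),
]

def build_profile(history):
    """Profile of 'normal': the amounts previously seen per merchant category."""
    profile = defaultdict(list)
    for category, amount in history:
        profile[category].append(amount)
    return profile

def is_unusual(profile, category, amount, k=3.0, min_spread=5.0):
    """Threshold test: a category with no history, or an amount more than k
    standard deviations above that category's mean, is out of profile. The
    spread is floored so a very tight history does not alert on small variation."""
    seen = profile.get(category)
    if not seen:
        return True
    spread = max(pstdev(seen), min_spread)
    return (amount - mean(seen)) / spread > k

def monitor(profile, transactions, k=3.0):
    """Run a stream of new transactions against the profile. Out-of-profile
    ones are held for customer confirmation and are not learned; in-profile
    ones are folded into the profile so gradual change in behaviour is absorbed."""
    decisions = []
    for category, amount in transactions:
        if is_unusual(profile, category, amount, k):
            decisions.append(("hold", category, amount))
        else:
            profile[category].append(amount)
            decisions.append(("approve", category, amount))
    return decisions

if __name__ == "__main__":
    stream = [
        ("grocery", 74.00),       # a bit above the usual grocery spend: approved, learned
        ("electronics", 899.00),  # no history in this category: held for confirmation
        ("gasoline", 40.00),      # fraud mimicking the cardholder's own pattern: passes
        ("restaurant", 310.00),   # far above the restaurant baseline: held
    ]
    for decision in monitor(build_profile(HISTORY), stream):
        print(decision)
```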
    Many cyber intrusion detection techniques, or insider threat 
detection techniques, aim to achieve similar results by using abnormal 
behavior detection as a starting point. Yet, it is an open question 
whether these techniques can expect to attain the same broad-based 
success when applied in the broader cyber security domain. The domains 
share an adversarial dynamic that might indicate that similar analyses 
could be effective. But do the assumptions of the relationship between 
malicious and normal behavior hold true? Can we establish a solid 
footing in terms of models of normal transaction semantics and 
transaction value? Does the real time nature of cyber decision making, 
and the ease of dynamic changes in the criminal's attack signature, 
present insurmountable challenges for behavioral techniques?
    In this workshop, representatives from government and industry 
financial organizations will present different financial services fraud 
detection mechanisms, strengths, and areas needing further development. 
This will allow workshop participants to have a common understanding of 
the state of fraud detection practice.

How To Apply

    If you would like to participate in this workshop, please submit 
(1) a resume or curriculum vita of no more than two pages which 
highlights your expertise in this area and (2) a one-page paper stating 
your opinion of the assertion and exploring new ideas to improve fraud 
detection specifically, and detection of malicious cyber behavior in general. The 
workshop will accommodate no more than 60 participants, so these brief 
documents need to make a compelling case for your participation. 
Applications should be submitted to [email protected] no 
later than 5 p.m. EDT on May 13, 2011.
    Selection and Notification:
    The SCORE committee will select an expert group that reflects a 
broad range of opinions on the assertion. Accepted participants will be 
notified by e-mail no later than May 25, 2011. We cannot guarantee that 
we will contact individuals who are not selected, though we will 
attempt to do so unless the volume of responses is overwhelming.
    Submitted by the National Science Foundation for the National 
Coordination Office (NCO) for Networking and Information Technology 
Research and Development (NITRD) on April 19, 2011.

Suzanne H. Plimpton,
Reports Clearance Officer, National Science Foundation.
[FR Doc. 2011-9877 Filed 4-22-11; 8:45 am]