1 Introduction

The emergence of service-oriented architectures has transformed classical services into e-services by using technological means including the Internet. It has also pushed service providers to redesign their services. This shift opens the door for cyber criminals to commit a wide range of security attacks and misuses, resulting in a number of security and fraud risks, which led to an estimated loss of $600 billion in 2017 alone [1]. e-services are collaborations of different systems that deliver services to users by using one or more technological means. e-service fraud is the use of services without the intention to pay or the misuse of services to gain personal or organized benefits [2,3,4]. Therefore, it is an important requirement to perform risk analysis from the perspective of fraudsters to reduce the damage and prevent risks [5].

Traditionally, risk analysis is performed by a group of people brainstorming on a service under assessment (target of assessment – ToA), finding the possible threat scenarios and calculating the risk for each threat scenario manually. This process has a number of drawbacks: (1) because the knowledge about the ToA is only available in the minds of the risk analysts, the process always requires domain experts; (2) it is a manual process, which mostly leads to unintentionally leaving out some threat scenarios that should have been identified; (3) estimating the risk requires a number of variables, so calculating the risk manually wastes a lot of time and could also produce inaccurate estimates.

In order to enhance the process of risk analysis, a model-based risk analysis approach is required which takes the representation of the ToA model and existing threat models to identify threat scenarios and to estimate them considering the context information of both a fraudster and a defender. Thus, the main contribution of the paper is a framework that enhances the process of fraud risk analysis by representing the ToA with a minimum number of modeling concepts, automatically identifying threat scenarios using existing threat models (which we call fraud risk patterns – FRPs) and estimating the damage to calculate the highest risks of the ToA. FRPs are recurrent problems of e-services compiled into a threat model [6].

The rest of the paper is organized as follows. Section 2 reviews related work; Sect. 3 discusses the methodology followed to propose the approach; Sect. 4 presents the proposed MP-RA framework in detail; Sect. 5 discusses the strengths and weaknesses of the framework; and finally Sect. 6 provides concluding remarks and future work.

2 Related Work

System models are widely used to represent and design a system to a certain abstraction level so as to create a common understanding between different stakeholders [7, 8], e.g., requirement engineers and software developers. In the state of the art, there are efforts to use models to visualize risk analysis outcomes and collect security requirements [9,10,11,12]. In this section, we highlight only those that we consider strongly related to our work.

CORAS [9] is a model-based risk assessment approach based on the ISO/IEC 27002 standard. It consists of eight steps: steps 1 to 4 are about establishing the context of the ToA with the help of customers, and the rest of the steps are about risk identification, estimation, evaluation and treatment. CORAS is a powerful and general-purpose risk modeling approach which relies more on the competence of the analysts to manually produce the risk assessment models: asset, threat, risk and treatment models. Our approach instead uses FRPs as a threat model, to automate and thereby enhance the identification of threat scenarios and to optimize the fraud risk estimation based on the damage to the services.

The socio-technical security modeling language (sts-ml) [10, 12] is a goal-oriented security requirement language used to generate security requirements of a socio-technical system from three model perspectives: information, social and authorization views. sts-ml is mainly used to represent security needs of a socio-technical system in the form of security requirements. Our approach instead uses action-based modeling of e-services to identify and analyze possible fraud threats from the perspective of fraudsters. In doing so, it is possible to identify what actions a fraudster can take to commit a specific fraud.

From this perspective, the framework enhances the state of the art by proposing an action-based modeling of the ToA that requires a minimum amount of information yet helps to identify the threat scenarios from the perspective of fraudsters with the help of an already known fraud threat model – FRPs.

3 Methodology

To propose the MP-RA framework, we take the following steps. Based on the requirements collected for a model-driven approach in the previous studies [5, 13], we first identify the inputs and expected output for each framework component. The framework consists of three main components: conceptual model designer, fraud threat identifier and risk estimator. We then design the meta-data for the conceptual model designer using a class diagram; the designer produces a model which can be expressed in XML (Extensible Markup Language) format. Then, we design the process of identifying threat scenarios from the perspective of fraudsters. We use FRPs to support the identification process of fraud threat scenarios and produce a list of possible threat scenarios related to the ToA. Lastly, we identify the variables needed to estimate the consequence and likelihood of e-service fraud risks produced from the threat scenarios. The expected outcome of this component is, therefore, a list of estimated threat scenarios.

4 MP-RA: The Framework

The MP-RA framework (cf. Fig. 1) is comprised of three basic components: the conceptual model designer (CME), the fraud threat identifier and the risk estimator. The CME represents the service-related concepts of the target of assessment (ToA) graphically and translates them into an XML document. The fraud threat identifier identifies the potential threat scenarios from the CME model using fraud risk patterns, and the risk estimator estimates the damage and likelihood for each threat scenario using the risk metrics of e-services. The following sections describe each component.

Fig. 1. The MP-RA framework

4.1 Conceptual Model Designer

The aim of this component is to represent the ToA at the intended level of abstraction, so that the other framework components can identify and analyze the potential threats. The ToA describes an e-service under assessment. The output of the conceptual model designer is a CME model, which is also expressed in XML format. The CME model represents entities of the ToA, which are actors, their associated actions and assets, infrastructures, and the relationships between these entities in terms of connections. We describe each entity as follows.

Actor. An actor represents human and organizational actors. In an e-service domain, there are at least two actors involved: a customer and a service provider. Each of them has different actions/functionalities and assets. A customer-service, for example, is an actor which is part of a service provider (an organizational actor).

The relationships between an actor and other entities are described in terms of either containment or line connections. The relationship between an actor and one or more actions/assets is represented in the model as containment to indicate that an actor possesses one or more actions or assets. The relationship of an actor with the rest of the model components is represented using line connections.

Asset. An asset constitutes entities valuable to an actor. The specific services provided by a service provider and the customer credentials used to log in to a payment service are examples of assets. Assets can be direct (service or income) and indirect (credentials or identity information).

Action. An action represents a behavioral aspect of an actor indicating the permitted activity on one or more of its assets and the possible actions in an infrastructure. An action is, therefore, an entity associated with an actor or infrastructure in the form of a possession relationship and can be time-dependent or time-independent based on the time value of the action. While time-dependent actions are constrained by a time limit, time-independent actions are performed without any time constraint.

Connection. A connection is created based on the relationships between two entities. A relationship connects two model components to indicate their contract agreements, possession, service usage, part-of relationship, type of communication and payment flow. An agreement relation indicates the service contracts between two actors. While possession indicates the ownership of an asset by an actor, usage represents whether an actor uses it. An actor could be part-of another actor to indicate that the services could be distributed to the actor in this connection. The communication relation indicates the medium of communication. Lastly, payment represents the payment flow between two entities.

Infrastructure. A hardware or a software component in the ToA is an infrastructure. A high-level description of infrastructure helps to understand the technological context of the ToA in combination with other model components. This includes the description of an infrastructure by specifying the possible actions an actor can perform at this infrastructure in terms of its authorization level.

Process. A process is a set of meaningful actions in the ToA. For example, creating a subscription contract with a service provider.

Fig. 2. The conceptual model designer: meta-model

Fig. 3. The conceptual model designer: prototype

4.2 Risk Analysis

The aim of the risk analysis is to identify the potential threats in the CME model and estimate the potential damages to calculate the associated risk. Traditionally, identification of threats is performed manually or by brainstorming within a group of people. Thus, to enhance the efficiency, we introduced the concept of FRPs – threat models which recurrently occur in e-services and help to automatically produce fraud threats [6] (a brief description of FRPs is shown in Table 2). An FRP is expressed in terms of its goal, its target and an algorithm to achieve the goal. For instance, an impersonation (cf. Table 1) has the goal of using the service without payment and getting money out of the misuse. In the CME model, this FRP targets actors (e.g. service providers and customers).

Table 1. Impersonation FRP
Table 2. A brief description of Fraud Risk Patterns (FRPs)

The risk analysis component contains two main sub-components: fraud threat identifier and risk estimator.

Fraud Threat Identifier. The threat identification process in MP-RA is performed from the perspective of a fraudster who has a goal that leads to committing the fraud and a target entity in the CME model. The threat identifier takes the CME model in XML format, the goal and the target as inputs and constructs the possible combinations of threat scenarios by mapping the rules/algorithms of FRPs stored in the database onto the given CME model. Mapping the FRPs onto the CME model means constructing, from the service-related concepts in the CME model, the likely threat scenarios which fulfil the specification of the FRPs.

The output of the fraud threat identification is a list of fraud threat scenarios where each of them will further be analyzed for their impact on the important assets of the e-service and evaluated using their level of damage on the main actor in the model. A fraud threat is described by its fraud agent, type of threat, targeted entity and owner of targeted entity.
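The mapping step described above can be sketched as follows. This is an added example, not the paper's prototype (which is built with EMF and Java): the XML element and attribute names, the impersonation rule body, the placeholder second pattern and the owner-resolution convention are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed CME model. Element and attribute names are hypothetical:
# the page does not publish the prototype's XML schema.
CME_XML = """<cme>
  <actor name="Provider">
    <asset name="PaymentService" kind="direct"/>
  </actor>
  <actor name="CustomerService" partOf="Provider">
    <asset name="StaffCredentials" kind="indirect"/>
  </actor>
  <actor name="Customer">
    <asset name="Credentials" kind="indirect"/>
  </actor>
  <connection type="usage" from="Customer" to="PaymentService"/>
  <connection type="usage" from="CustomerService" to="PaymentService"/>
  <connection type="agreement" from="Customer" to="Provider"/>
</cme>"""

def impersonation_rule(actor, model):
    """Assumed rule: the actor holds an indirect asset (e.g. credentials)
    and has a usage connection to a service."""
    holds_indirect = actor.find("asset[@kind='indirect']") is not None
    uses_service = any(c.get("type") == "usage" and c.get("from") == actor.get("name")
                       for c in model.findall("connection"))
    return holds_indirect and uses_service

# An FRP is a goal, a target entity type and a rule; rule bodies are assumptions.
FRPS = [
    {"threat": "impersonation", "goal": "use service without payment",
     "target": "actor", "rule": impersonation_rule},
    {"threat": "placeholder-asset-pattern", "goal": "use service without payment",
     "target": "asset", "rule": lambda entity, model: False},
]

def identify_threats(cme_xml, goal, target):
    """Map every stored FRP with this goal and target onto the CME model."""
    model = ET.fromstring(cme_xml)
    scenarios = []
    for frp in (f for f in FRPS if f["goal"] == goal and f["target"] == target):
        for entity in model.iter(target):
            if frp["rule"](entity, model):
                scenarios.append({
                    "fraud_agent": "fraudster",
                    "threat": frp["threat"],
                    "targeted_entity": entity.get("name"),
                    # An actor that is part-of another actor is owned by it.
                    "owner": entity.get("partOf", entity.get("name")),
                })
    return scenarios
```

Each returned record carries the four fields the paper uses to describe a fraud threat; the Provider actor is not reported because it holds no indirect asset in this constructed model.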

Risk Estimator. Given a list of threat scenarios identified by the threat identifier, the aim of the risk estimator is to calculate the impact/consequence of each threat and the likelihood of a fraudster succeeding in committing the threat. The product of the impact and the likelihood provides the risk of a threat.

The impact of a threat is calculated by assessing the consequence on the targeted asset in terms of asset value (e.g. money). While direct assets (services, money) are calculated using asset valuation of money, indirect assets (credentials and identity) are calculated using their contribution to the direct assets.

In order to analyze risks using MP-RA, it is important to take the fraudster's profile into consideration. A rational fraudster perpetrates a fraud only when it brings him a positive outcome. Thus, the likelihood of a threat has two dimensions: (1) the possibility of a fraudster to succeed, called the fraudster profile, and (2) the possibility of the targeted CME model components to defend themselves from fraudsters, called the defender profile. The fraudster profile is measured using an inclusive risk metric of skill level. The skill of a fraudster can have three levels: expert, intermediate and basic. The higher the skill level of the fraudster, the more likely it is that the threat could be executed. The higher the skill level of the defender, the higher the chance that the threat fails to succeed. In the CME model, the defender is one of the targeted components – actor, infrastructure, communication medium or action (cf. Table 3). The risk estimator then pre-computes all possible combinations in the CME model using the risk metrics and produces a list of estimated risks.

Table 3. Risk Metrics: where \(SL_f\) and \(SL_{actor}\) are skill levels of a fraudster and an actor respectively; C is a communication medium; IA is infrastructure or action.
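The estimation step can be sketched as follows. This is an added example, not the paper's implementation: the numeric skill scale, the likelihood function (a stand-in for the Table 3 metrics, chosen only so that it rises with fraudster skill and falls with defender skill), the asset values and the scenario records are all assumptions or constructed data.

```python
from itertools import product

# Assumed ordinal encoding of the three skill levels named in the text.
SKILL = {"basic": 1, "intermediate": 2, "expert": 3}

# Constructed asset register. Direct assets carry a money value; indirect
# assets carry their contribution share towards a direct asset.
ASSETS = {
    "PaymentService": {"kind": "direct", "value": 10000.0},
    "Credentials": {"kind": "indirect", "contributes_to": "PaymentService", "share": 0.4},
}

def impact(asset_name):
    """Money value of a direct asset, or an indirect asset's share of it."""
    asset = ASSETS[asset_name]
    if asset["kind"] == "direct":
        return asset["value"]
    return asset["share"] * impact(asset["contributes_to"])

def likelihood(sl_f, sl_d):
    """Assumed stand-in for the Table 3 metric: SL_f / (SL_f + SL_d)."""
    f, d = SKILL[sl_f], SKILL[sl_d]
    return f / (f + d)

def estimate(scenarios):
    """Pre-compute risk = impact x likelihood for every scenario and every
    fraudster skill level, and return the rows with the highest risk first."""
    rows = []
    for scenario, sl_f in product(scenarios, SKILL):
        risk = impact(scenario["asset"]) * likelihood(sl_f, scenario["defender_skill"])
        rows.append((scenario["threat"], scenario["target"], sl_f, round(risk, 2)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed threat scenarios with an assumed defender skill per target.
SCENARIOS = [
    {"threat": "impersonation", "target": "Customer",
     "asset": "Credentials", "defender_skill": "basic"},
    {"threat": "impersonation", "target": "CustomerService",
     "asset": "PaymentService", "defender_skill": "expert"},
]
```

With these constructed values the well-defended direct asset still ranks above the weakly defended indirect one, because the indirect asset is valued only through its share of the direct asset.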

5 Discussion

The economic impact of cyber crimes including fraud is predicted to increase in the coming years [1]. Thus, risk analysis of services at the design level is of utmost importance, in addition to fraud detection systems. In this regard, our framework enhances the traditional risk analysis approaches in several aspects:

  • the CME model increases understanding of the service under analysis and its contextual information with only important service-related concepts;

  • the framework also increases usability and re-usability of the model and FRPs across different ToAs;

  • the risk identification process is based on recurrent fraud model which increases the efficiency of risk identification by reducing the time spent in brainstorming threat scenarios;

  • the impact analysis is based on the consequence of a threat in terms of asset values and the likelihood is comprised of both the fraudster and defender profile which makes the risk metrics inclusive.

In general, the process of the fraud risk analysis guides decision makers to make informed decisions. Additionally, to showcase the framework, we have implemented prototypes for both the conceptual model designer (cf. Fig. 3) and the threat identifier using the Eclipse Modeling Framework and Java.

6 Conclusion and Future Research Directions

Risk analysis is an important requirement in preventing fraud while designing services and associated systems. Enhancing the current state of fraud risk analysis approaches is necessary due to the increased economic impact of cyber crimes. Thus, we have presented our model-driven risk analysis framework based on risk patterns, which represents service-related concepts at the intended level of abstraction, identifies potential fraud threat scenarios from the perspective of fraudsters and estimates the damage to calculate the expected risks. In doing so, it gives decision makers indications for making informed decisions on which parts of the model need risk prevention. In the future, we plan to incorporate a fully automated implementation of the framework and evaluate the approach with different e-service domains.