
Impossible Fraud Use Case v1.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 6 min read

Summary:

The ArcSight Center of Excellence (ACE) Use Case Submission Form "Impossible Fraud Login Detection" (category: general security; submitted by Duy Tran in October 2011) describes a rule set that flags a user account whose successful logins come from geographically distant locations within a time frame too short to have traveled between them. Every successful login updates an active list entry holding the user ID, source IP address, latitude, longitude and last login timestamp. When the next successful login for that account arrives, a rule computes the great-circle distance between the stored and the new coordinates, divides it by the time elapsed between the two logins, and notifies the SOC when the implied speed exceeds a configurable threshold carried in Device Custom Floating Point1 (about 500 mph in practice, roughly commercial air travel). The use case assumes that authentication events, including successful VPN logins, reach the Enterprise Security Manager (ESM) with accurate event categorization, and that the network model's locations are correctly defined. Supporting configuration covers an e-mail server and notification groups for the alerts and regular refreshes of the geographical location data; the required data feeds are operating system logins and logins from any application or device that authenticates users. The four resources packaged in APS_ImpossibleFraudDetection.arb (two rules, one active list, one filter) and the variables they use are broken down under Details.

Details:

The ArcSight Center of Excellence (ACE) Use Case Submission Form describes a method for detecting "impossible" logins by looking at both where successful logins come from and how fast a user would have had to travel between those places. The use case, titled "Impossible Fraud Login Detection," is categorized under general security and was submitted by Duy Tran in October 2011. Its objective is to identify a user account that has logged into the same network from geographically distant locations within a time frame too short for the travel to be real. For each account the system tracks the user ID, last login timestamp, source IP address, latitude and longitude. When a new successful login arrives, a rule computes the great-circle distance between the stored and the new coordinates (the shortest distance over the Earth's surface) and the time elapsed between the two successful logins. Dividing distance by elapsed time gives the speed the user would have needed; if it exceeds what a typical mode of transportation allows (commercial air travel, assumed at roughly 500-600 mph), the rule raises an alert flagging possible fraud. The use case assumes that authentication events are logged and forwarded to the Enterprise Security Manager (ESM), that successful VPN logins are included, that event categorization for those authentication events is accurate, and that the network model is configured with correctly defined locations. Detecting logins that imply impossible travel helps catch identity theft and other unauthorized use of an account. The document also lists the supporting configuration: an e-mail server for notifications, notification groups, and regular updates of the geographical location data.
The required data feeds are operating system login events and login events from any application or device that requires authentication. The use case is packaged in the APS_ImpossibleFraudDetection.arb file and consists of:

1. **Rule: User Logins** - Selects all successful login events from users.

2. **Rule: Impossible Fraud Login** - Performs the fraud detection proper, comparing the location and time of a new login against the previous one. Notifications are sent to the SOC (Security Operations Center) operators.

3. **Customization Parameters**: The speed threshold is carried in the field "Device Custom Floating Point1"; in a practical setting it is set around 500 mph. The computed speed has to be expressed in the same unit as this threshold.

4. **Consumables**: There are four consumable resources: two rules, one active list, and one filter.

  • **Filter** (Resource 1): Selects all successful login events.

  • **Active List** (Resource 2): Tracks user logins with details like username, IP address, latitude, longitude, and last login time.

  • **Rule** (Resource 3): Triggered by the 'Successful Login' filter, it updates the 'Account Last Login' active list with the user's IP address, coordinates and login time.

  • **Rule** (Resource 4): The 'Impossible Fraud' rule itself, which compares a new login against the account's active list entry and raises the alert (see Rule Explanation below).

The document also describes each resource and its function within the detection chain, which evaluates location changes between successful authentications. The variables the rules use are as follows:

1. **Geographical Coordinates**:

  • **Long1** and **Long2**: Represent the longitude values at two different locations, converted into radians for precise calculations.

  • **Lat1** and **Lat2**: Similarly, represent latitude coordinates, also converted to radians.

2. **Time Differences**:

  • **getLastLogin1**: The last login timestamp read from the account's entry in the "Account Last Login" active list, i.e. the time of the previous successful login.

  • **loginTimeDiff**: The difference in hours between two successive logins.

3. **Distance Calculation**:

  • **distance_m**: This is calculated using a Great-Circle method, which measures the shortest distance over Earth’s surface between two points on its surface given their longitudes and latitudes.

4. **Speed Calculation**:

  • **speed**: Distance divided by elapsed time. The expression as shown on the page, `(distance_m / 1000) * loginTimeDiff`, multiplies; a speed is obtained by dividing, so the intended value is `(distance_m / 1000) / loginTimeDiff`: distance_m is the great-circle distance in metres, dividing by 1000 gives kilometres, and dividing by loginTimeDiff (hours) gives kilometres per hour. That value must be brought into the unit of the threshold in Device Custom Floating Point1 (500 mph in the worked setting), either by converting kilometres to miles (multiply by 0.6214) or by expressing the threshold in km/h (500 mph is about 805 km/h). A km/h value compared against a threshold meant in mph fires at about 311 mph instead of 500, which is well within the reach of ordinary air travel.

5. **Variable Conversions**:

  • **timeDiffString**: Converts numerical values of time differences into a string format for easier interpretation or display.

### Rule Explanation:

  • The rule named "Impossible Fraud" triggers when a correlated user-login event arrives and the computed speed exceeds 500 MPH, the value carried in Device Custom Floating Point1. A speed above that means the account was used from two places a person could not have traveled between in the time available.

  • The rule alerts security operators to accounts seen logging in from a location far from that of the previous login, too far for the user to have reached it in the elapsed time.

  • Neither login looks suspicious on its own; it is the pair, and the travel it implies, that indicates the account may have been used by someone other than its owner, for example after credential theft. Monitoring logins this way flags such pairs early so an operator can investigate.

In summary, the "Impossible Fraud" rule in this context uses geographical coordinates and time differences to detect improbable login patterns that may suggest unauthorized access or fraudulent activity, helping security teams respond promptly to potential threats.
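The following is an added example, not the contents of APS_ImpossibleFraudDetection.arb or any ArcSight code; it reproduces the two-rule logic above in plain Python so the arithmetic and its edge cases can be checked offline. The names `LastLogin`, `evaluate_login` and `run_detection`, the threshold constant, and the sample users, IP addresses and coordinates are this example's own assumptions, and the event list is constructed, not real log data. A dictionary keyed by username stands in for the 'Account Last Login' active list; `evaluate_login` is the update rule and the comparison rule in one function. The distance is computed directly in miles so that it is in the same unit as the 500 mph threshold.

```python
"""Impossible-travel login check over constructed events (added example, not ArcSight's .arb)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional

EARTH_RADIUS_MILES = 3958.8        # mean Earth radius in miles
SPEED_THRESHOLD_MPH = 500.0        # stand-in for the Device Custom Floating Point1 parameter
MIN_ELAPSED_HOURS = 1.0 / 3600.0   # logins under one second apart count as one second apart (avoids /0)


@dataclass
class LastLogin:
    """One entry of the 'Account Last Login' active list: where and when the user last logged in."""
    ip: str
    lat: float
    lon: float
    when: datetime


def great_circle_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine form of the great-circle distance; degrees in, miles out.
    Coordinates are converted to radians first, as the use case's Lat1/Long1 variables are."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def evaluate_login(active_list: Dict[str, LastLogin], event: dict,
                   threshold_mph: float = SPEED_THRESHOLD_MPH) -> Optional[dict]:
    """Process one successful-login event (already filtered, like the 'Successful Login' filter).

    Returns an alert dict when distance / elapsed time exceeds threshold_mph, else None.
    The active list is updated in place so the next login for the user is compared to this one.
    """
    user, now = event["user"], event["time"]
    prev = active_list.get(user)
    alert = None
    if prev is not None:  # first login for an account has nothing to compare against
        distance = great_circle_miles(prev.lat, prev.lon, event["lat"], event["lon"])
        # abs(): a late-arriving older event still pairs with the stored login; a negative gap is not a speed
        hours = max(abs((now - prev.when).total_seconds()) / 3600.0, MIN_ELAPSED_HOURS)
        speed = distance / hours  # miles per hour, the same unit as the threshold
        if speed > threshold_mph:
            alert = {"user": user, "from_ip": prev.ip, "to_ip": event["ip"],
                     "distance_miles": round(distance, 1), "hours": round(hours, 4),
                     "speed_mph": round(speed, 1)}
    # Only a newer event replaces the stored entry; an out-of-order old one must not roll the list back
    if prev is None or now >= prev.when:
        active_list[user] = LastLogin(event["ip"], event["lat"], event["lon"], now)
    return alert


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample feed (not real log data): successful logins with geolocated source IPs
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "lat": 40.7128, "lon": -74.0060,  "time": _ts("2025-04-08T09:00:00Z")},  # New York
    {"user": "bob",   "ip": "203.0.113.22", "lat": 41.8781, "lon": -87.6298,  "time": _ts("2025-04-08T09:05:00Z")},  # Chicago
    {"user": "carol", "ip": "203.0.113.30", "lat": 48.8566, "lon": 2.3522,    "time": _ts("2025-04-08T09:10:00Z")},  # Paris
    {"user": "carol", "ip": "203.0.113.30", "lat": 48.8566, "lon": 2.3522,    "time": _ts("2025-04-08T09:15:00Z")},  # same place, 5 min later
    {"user": "alice", "ip": "198.51.100.7", "lat": 51.5074, "lon": -0.1278,   "time": _ts("2025-04-08T11:00:00Z")},  # London, 2 h later
    {"user": "bob",   "ip": "203.0.113.10", "lat": 40.7128, "lon": -74.0060,  "time": _ts("2025-04-08T13:05:00Z")},  # New York, 4 h later
    {"user": "dave",  "ip": "203.0.113.40", "lat": 35.6762, "lon": 139.6503,  "time": _ts("2025-04-08T14:00:00Z")},  # Tokyo
    {"user": "dave",  "ip": "198.51.100.9", "lat": 37.7749, "lon": -122.4194, "time": _ts("2025-04-08T14:00:00Z")},  # San Francisco, same second
]


def run_detection(events=SAMPLE_EVENTS, threshold_mph=SPEED_THRESHOLD_MPH):
    """Replay events in time order through a fresh active list and collect the alerts raised."""
    active_list: Dict[str, LastLogin] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        a = evaluate_login(active_list, ev, threshold_mph)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['user']}: {a['distance_miles']} mi in {a['hours']} h = {a['speed_mph']} mph "
              f"({a['from_ip']} -> {a['to_ip']})")
```

Replaying the sample feed raises two alerts: alice (New York to London, about 3,460 miles in 2 hours, roughly 1,730 mph) and dave (Tokyo and San Francisco in the same second); bob's Chicago to New York trip (about 711 miles in 4 hours) and carol's repeat login from the same address stay quiet. Two practical points the use case's assumptions gloss over: the active list keeps only the latest login, so each check is against the immediately preceding one, and the coordinates are only as good as the IP geolocation behind them, so VPN exit nodes and mobile carrier address pools place a legitimate user hundreds of miles from where they sit and are the usual source of false positives for this rule.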

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

