Abstract
Recently, a wide variety of electronic financial services have become available through advances in electronic devices and communication technology. As electronic financial services and channels diversify, the number of users of non-face-to-face electronic financial transaction services continues to grow. At the same time, within the financial security environment, threats of inside-information leakage and security threats against financial transaction users steadily increase. Accordingly, this paper, based on the framework standard for financial transaction detection and response, applies digital forensics techniques, traditionally used to analyze system intrusion incidents, to detect anomalous transactions that may occur in the user terminal environment during electronic financial transactions. In particular, to analyze user terminals, automated malware forensics techniques, which serve as a supporting tool for malicious code detection and analysis, are applied; to detect anomalous prior behaviors and transaction patterns of users, a statistically based moving average is applied. In addition, a risk point calculation model is proposed that scores anomalous transaction cases, item by item, in the detection step. This model logs the calculated risk point results and maintains incident accountability, and the results can be utilized as basic data for establishing security incident response and security policies.
Notes
Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Pharming is a hacker’s attack intended to redirect a website’s traffic to another, bogus site. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software.
Moving average is one of the methods to determine the trend value. For a time series X_1, X_2, …, X_t, the moving average \( \overline{X_m} \) over a period of range m at time t is derived as follows: \( \overline{X_m} = \left( X_t + X_{t+1} + \ldots + X_{t+(m-1)} \right) / m \), (t = 1, 2, …, (t − m)). When a new series \( \overline{X_{m+1}}, \overline{X_{m+2}} \) is made in this way, the change in the current time series represents a smoothed trend.
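As an added illustration (not code from the paper), the following computes the moving average exactly as defined in the note and uses it as the trend baseline for a user's transaction-amount series, flagging a transaction that departs sharply from the trend of the m transactions before it. The ratio threshold k and the sample amounts are assumptions constructed for this example; the paper does not specify them.

```python
from typing import List, Tuple


def moving_average(series: List[float], m: int) -> List[float]:
    """Moving average as defined in the note: for each t, the mean of the
    window X_t, X_{t+1}, ..., X_{t+(m-1)}.  Returns one value per window."""
    if m < 1 or m > len(series):
        raise ValueError("window m must satisfy 1 <= m <= len(series)")
    return [sum(series[t:t + m]) / m for t in range(len(series) - m + 1)]


def flag_anomalies(series: List[float], m: int, k: float) -> List[Tuple[int, float, float]]:
    """Compare each transaction with the moving average of the m transactions
    preceding it and flag it when it exceeds k times that trend value.
    Returns (index, amount, baseline) tuples.  The ratio threshold k is an
    assumption for this example, not a parameter taken from the paper."""
    trend = moving_average(series, m)
    flagged = []
    for i in range(m, len(series)):
        baseline = trend[i - m]  # average of series[i - m : i]
        if baseline > 0 and series[i] > k * baseline:
            flagged.append((i, series[i], baseline))
    return flagged


# Constructed sample: one user's daily transfer amounts (thousands of KRW).
# The seventh value is deliberately far above the user's usual pattern.
SAMPLE_AMOUNTS = [50.0, 60.0, 55.0, 65.0, 58.0, 62.0, 900.0, 57.0, 61.0]

if __name__ == "__main__":
    for idx, amount, baseline in flag_anomalies(SAMPLE_AMOUNTS, m=5, k=3.0):
        print(f"transaction {idx}: {amount} vs trend {baseline:.1f}")
```

Note that a flagged amount also enters the next m windows and inflates their baseline, so a single large transaction can mask a following one; this is why such a trend check is one item among several in a scoring model rather than the only signal.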
Acknowledgments
This work is supported by the Korea Information Security Agency (H2101-12-1001).
Cite this article
Kim, A.C., Kim, S., Park, W.H. et al. Fraud and financial crime detection model using malware forensics. Multimed Tools Appl 68, 479–496 (2014). https://doi.org/10.1007/s11042-013-1410-3