Fraud Detection in ERP Systems Using Scenario Matching

ERP systems generally implement controls to prevent certain common kinds of fraud. In addition, however, there is a pressing need to detect more sophisticated patterns of fraudulent activity, as evidenced by the legal requirement for company audits and the common incidence of fraud. This paper describes the design and implementation of a framework for detecting patterns of fraudulent activity in ERP systems. We describe six fraud scenarios and the process of specifying those scenarios and detecting their occurrence in ERP user log data using the prototype software we have developed. The test results for detecting these scenarios in log data have been verified and confirm the success of our approach, which can be generalized to ERP systems in general.
