Axelsson, Stefan
Publications (10 of 16)
Ghorbanian, S., Fryklund, G. & Axelsson, S. (2015). DO DATA LOSS PREVENTION SYSTEMS REALLY WORK? In: ADVANCES IN DIGITAL FORENSICS XI. Paper presented at 11th IFIP WG 11.9 International Conference on Digital Forensics, JAN 26-28, 2015, Orlando, FL (pp. 341-357).
2015 (English). In: ADVANCES IN DIGITAL FORENSICS XI, 2015, p. 341-357. Conference paper, Published paper (Refereed)
Abstract [en]

The threat of insiders stealing valuable corporate data continues to escalate. The inadvertent exposure of internal data has also become a major problem. Data loss prevention systems are designed to monitor and block attempts at exposing sensitive data to the outside world. They have become very popular, to the point where forensic investigators have to take these systems into account. This chapter describes the first experimental analysis of data loss prevention systems that attempts to ascertain their effectiveness at stopping the unauthorized exposure of sensitive data and the ease with which the systems could be circumvented. Four systems are evaluated (three of them in detail). The results point to considerable weaknesses in terms of general effectiveness and the ease with which the systems could be disabled.

Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238 ; 462
Keywords
Data leakage prevention systems; evaluation; forensic implications
National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-11174 (URN); 10.1007/978-3-319-24123-4_20 (DOI); 000364655200020 (); 978-3-319-24123-4 (ISBN)
Conference
11th IFIP WG 11.9 International Conference on Digital Forensics, JAN 26-28, 2015, Orlando, FL
Available from: 2015-12-11. Created: 2015-12-11. Last updated: 2018-01-10. Bibliographically approved
Osekowska, E., Axelsson, S. & Carlsson, B. (2015). Potential fields in modeling transport over water. Operations Research/Computer Science Interfaces Series, 58, 259-280
2015 (English). In: Operations Research/Computer Science Interfaces Series, ISSN 1387-666X, Vol. 58, p. 259-280. Article in journal (Refereed) Published
Abstract [en]

Without an explicit road-like regulation, following the proper sailing routes and practices is still a challenge mostly addressed using seamen’s know-how and experience. This chapter focuses on the problem of modeling ship movements over water with the aim to extract and represent this kind of knowledge. The purpose of the developed modeling method, inspired by the theory of potential fields, is to capture the process of navigation and piloting through the observation of ship behaviors in transport over water on narrow waterways. When successfully modeled, that knowledge can be subsequently used for various purposes. Here, the models of typical ship movements and behaviors are used to provide a visual insight into the actual normal traffic properties (maritime situational awareness) and to warn about potentially dangerous traffic behaviors (anomaly detection). A traffic modeling and anomaly detection prototype system STRAND implements the potential field based method for a collected set of AIS data. A quantitative case study is taken out to evaluate the applicability and performance of the implemented modeling method. The case study focuses on quantifying the detections for varying geographical resolution of the detection process. The potential fields extract and visualize the actual behavior patterns, such as right-hand sailing rule and speed limits, without any prior assumptions or information introduced in advance. The display of patterns of correct (normal) behavior aids the choice of an optimal path, in contrast to the anomaly detection which notifies about possible traffic incidents. A tool visualizing the potential fields may aid traffic surveillance and incident response, help recognize traffic regulation and legislative issues, and facilitate the process of waterways development and maintenance. © Springer International Publishing Switzerland 2015.

National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-10656 (URN); 10.1007/978-3-319-16133-4_14 (DOI); 2-s2.0-84930617045 (Scopus ID)
Available from: 2015-09-17. Created: 2015-09-15. Last updated: 2018-01-11. Bibliographically approved
Lopez-Rojas, E. A. & Axelsson, S. (2015). Using the RetSim Fraud Simulation Tool to set Thresholds for Triage of Retail Fraud. In: Sonja Buchegger, Mads Dam (Ed.), SECURE IT SYSTEMS, NORDSEC 2015. Paper presented at 20th Nordic Conference, NordSec 2015 Stockholm, Sweden (pp. 156-171). Springer, 9417
2015 (English). In: SECURE IT SYSTEMS, NORDSEC 2015 / [ed] Sonja Buchegger, Mads Dam, Springer, 2015, Vol. 9417, p. 156-171. Conference paper, Published paper (Refereed)
Abstract [en]

The investigation of fraud in business has been a staple for the digital forensics practitioner since the introduction of computers in business. Much of this fraud takes place in the retail industry. When trying to stop losses from insider retail fraud, triage, i.e. the quick identification of sufficiently suspicious behaviour to warrant further investigation, is crucial, given the amount of normal, or insignificant behaviour. It has previously been demonstrated that simple statistical threshold classification is a very successful way to detect fraud [Lopez-Rojas2015]. However, in order to do triage successfully the thresholds have to be set correctly. Therefore, we present a method based on simulation to aid the user in accomplishing this, by simulating relevant fraud scenarios that are foreseen as possible and expected, to calculate optimal threshold limits. This method gives the advantage over arbitrary thresholds that it reduces the amount of labour needed on false positives and gives additional information, such as the total cost of a specific modelled fraud behaviour, to set up a proper triage process. With our method we argue that we contribute to the allocation of resources for further investigations by optimizing the thresholds for triage and estimating the possible total cost of fraud. Using this method we manage to keep the losses below a desired percentage of sales, which the manager considers acceptable for keeping the business properly running.

Place, publisher, year, edition, pages
Springer, 2015
Series
Lecture Notes in Computer Science, ISSN 0302-9743
National Category
Computer Systems
Identifiers
urn:nbn:se:bth-10868 (URN); 10.1007/978-3-319-26502-5 (DOI); 000374098500011 (); 978-3-319-26502-5 (ISBN); 978-3-319-26501-8 (ISBN)
Conference
20th Nordic Conference, NordSec 2015 Stockholm, Sweden
Funder
Knowledge Foundation, 20140032
Available from: 2015-10-23. Created: 2015-10-23. Last updated: 2017-06-19. Bibliographically approved
Nilsson, A., Andersson, M. & Axelsson, S. (2014). Key-hiding on the ARM platform. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 11(Supplement 1), S63-S67
2014 (English). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 11, no Supplement 1, p. S63-S67. Article in journal (Refereed) Published
Abstract [en]

To combat the problem of encryption key recovery from main memory using cold boot-attacks, various solutions have been suggested, but most of these have been implemented on the x86 architecture, which is not prevalent in the smartphone market, where instead ARM dominates. One existing solution does exist for the ARM architecture but it is limited to key sizes of 128 bits due to not being able to utilise the full width of the CPU registers used for key storage. We developed a test-implementation of CPU-bound key storage with 256-bit capacity, without using more hardware resources than the previous solution. We also show that access to the key can be restricted for programs executing outside the kernel space.

Place, publisher, year, edition, pages
Elsevier, 2014
Keywords
cold-boot, cryptography, computer architecture, ARM
National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-6664 (URN); 10.1016/j.diin.2014.03.008 (DOI); 000335438900008 (); oai:bth.se:forskinfoEAA76B6DFD8A9D1EC1257CDA003124AC (Local ID); oai:bth.se:forskinfoEAA76B6DFD8A9D1EC1257CDA003124AC (Archive number); oai:bth.se:forskinfoEAA76B6DFD8A9D1EC1257CDA003124AC (OAI)
Note

Special issue of the journal Digital Investigation (The proceedings of the first annual DFRWS Europe conference)

Available from: 2014-07-17. Created: 2014-05-16. Last updated: 2018-01-11. Bibliographically approved
Lopez-Rojas, E. A. & Axelsson, S. (2014). Social Simulation of Commercial and Financial Behaviour for Fraud Detection Research. In: Miguel, Amblard, Barceló & Madella (Ed.), Advances in Computational Social Science and Social Simulation. Paper presented at Social Simulation Conference. Bellaterra, Cerdanyola del Valles, 1a : 2014. Barcelona
2014 (English). In: Advances in Computational Social Science and Social Simulation / [ed] Miguel, Amblard, Barceló & Madella, Barcelona, 2014. Conference paper, Published paper (Refereed)
Abstract [en]

We present a social simulation model that covers three main financial services: Banks, Retail Stores, and Payments systems. Our aim is to address the problem of a lack of public data sets for fraud detection research in each of these domains, and provide a variety of fraud scenarios such as money laundering, sales fraud (based on refunds and discounts), and credit card fraud. Currently, there is a general lack of public research concerning fraud detection in the financial domains in general and these three in particular. One reason for this is the secrecy and sensitivity of the customers' data that is needed to perform research. We present PaySim, RetSim, and BankSim as three case studies of social simulations for financial transactions using agent-based modelling. These simulators enable us to generate synthetic transaction data of normal behaviour of customers, and also known fraudulent behaviour. This synthetic data can be used to further advance fraud detection research, without leaking sensitive information about the underlying data. Using statistics and social network analysis (SNA) on real data we can calibrate the relations between staff and customers, and generate realistic synthetic data sets. The generated data represents real world scenarios that are found in the original data with the added benefit that this data can be shared with other researchers for testing similar detection methods without concerns for privacy and other restrictions present when using the original data.

Place, publisher, year, edition, pages
Barcelona, 2014
Keywords
Privacy; Anonymization; Multi-Agent-Based Simulation; MABS; ABS; Retail Store; Fraud Detection; Synthetic Data
National Category
Computer Systems
Identifiers
urn:nbn:se:bth-12931 (URN)
Conference
Social Simulation Conference. Bellaterra, Cerdanyola del Valles, 1a : 2014
Available from: 2016-08-20. Created: 2016-08-20. Last updated: 2017-01-31. Bibliographically approved
Westphal, F., Axelsson, S., Neuhaus, C. & Polze, A. (2014). VMI-PL: A monitoring language for virtual platforms using virtual machine introspection. Digital Investigation. The International Journal of Digital Forensics and Incident Response, 11, S85-S94 Supplement: 2
2014 (English). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 11, p. S85-S94 Supplement: 2. Article in journal (Refereed) Published
Abstract [en]

With the growth of virtualization and cloud computing, more and more forensic investigations rely on being able to perform live forensics on a virtual machine using virtual machine introspection (VMI). Inspecting a virtual machine through its hypervisor enables investigation without risking contamination of the evidence, crashing the computer, etc. To further access to these techniques for the investigator/researcher we have developed a new VMI monitoring language. This language is based on a review of the most commonly used VMI-techniques to date, and it enables the user to monitor the virtual machine's memory, events and data streams. A prototype implementation of our monitoring system was implemented in KVM, though implementation on any hypervisor that uses the common x86 virtualization hardware assistance support should be straightforward. Our prototype outperforms the proprietary VMWare VProbes in many cases, with a maximum performance loss of 18% for a realistic test case, which we consider acceptable. Our implementation is freely available under a liberal software distribution license.

Place, publisher, year, edition, pages
Elsevier, 2014
Keywords
Virtualization, Security, Monitoring language, Live forensics, Introspection, Classification
National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-6582 (URN); 10.1016/j.diin.2014.05.016 (DOI); 000340301000011 (); oai:bth.se:forskinfo0A0A78B4664692A1C1257D6D003DE867 (Local ID); oai:bth.se:forskinfo0A0A78B4664692A1C1257D6D003DE867 (Archive number); oai:bth.se:forskinfo0A0A78B4664692A1C1257D6D003DE867 (OAI)
Available from: 2014-10-10. Created: 2014-10-10. Last updated: 2018-02-02. Bibliographically approved
Axelsson, S., Bajwa, K. A. & Srikanth, M. V. (2013). File Fragment Analysis Using Normalized Compression Distance. Paper presented at International Conference on Digital Forensics. Orlando: Springer
2013 (English). Conference paper, Published paper (Refereed)
Abstract [en]

The first step when recovering deleted files using file carving is to identify the file type of a block, also called file fragment analysis. Several researchers have demonstrated the applicability of Kolmogorov complexity methods such as the normalized compression distance (NCD) to this problem. NCD methods compare the results of compressing a pair of data blocks with the compressed concatenation of the pair. One parameter that is required is the compression algorithm to be used. Prior research has identified the NCD compressor properties that yield good performance. However, no studies have focused on its applicability to file fragment analysis. This paper describes the results of experiments on a large corpus of files and file types with different block lengths. The experimental results demonstrate that, in the case of file fragment analysis, compressors with the desired properties do not perform statistically better than compressors with less computational complexity.

Place, publisher, year, edition, pages
Orlando: Springer, 2013
Keywords
Compression algorithms, Deleted files, File carving, File fragments, Kolmogorov complexity, Large corpora, Normalized compression distance
National Category
Software Engineering
Identifiers
urn:nbn:se:bth-6667 (URN); 10.1007/978-3-642-41148-9_12 (DOI); 000329976600012 (); oai:bth.se:forskinfo798E57976774FEB9C1257C2E00342805 (Local ID); 9783642411472 (ISBN); oai:bth.se:forskinfo798E57976774FEB9C1257C2E00342805 (Archive number); oai:bth.se:forskinfo798E57976774FEB9C1257C2E00342805 (OAI)
Conference
International Conference on Digital Forensics
Available from: 2014-07-17. Created: 2013-11-25. Last updated: 2018-01-11. Bibliographically approved
Osekowska, E., Axelsson, S. & Carlsson, B. (2013). Potential fields in maritime anomaly detection. Paper presented at Proceedings of the 3rd International Conference on Models and Technologies for Intelligent Transport Systems. Dresden: TUD Press
2013 (English). Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents a novel approach for pattern extraction and anomaly detection in maritime vessel traffic, based on the theory of potential fields. Potential fields are used to represent and model normal, i.e. correct, behaviour in maritime transportation, observed in historical vessel tracks. The recorded paths of each maritime vessel generate potentials based on metrics such as geographical location, course, velocity, and type of vessel, resulting in a potential-based model of maritime traffic patterns. A prototype system STRAND, developed for this study, computes and displays distinctive traffic patterns as potential fields on a geographic representation of the sea. The system builds a model of normal behaviour, by collating and smoothing historical vessel tracks. The resulting visual presentation exposes distinct patterns of normal behaviour inherent in the recorded maritime traffic data. Based on the created model of normality, the system can then perform anomaly detection on current real-world maritime traffic data. Anomalies are detected as conflicts between vessel’s potential in live data, and the local history-based potential field. The resulting detection performance is tested on AIS maritime tracking data from the Baltic region, and varies depending on the type of potential. The potential field based approach contributes to maritime situational awareness and enables automatic detection. The results show that anomalous behaviours in maritime traffic can be detected using this method, with varying performance, necessitating further study.

Place, publisher, year, edition, pages
Dresden: TUD Press, 2013
Keywords
Anomaly Detection, Maritime Traffic, Potential Fields
National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-6417 (URN); oai:bth.se:forskinfo1A9F575FF8EB6F16C1257D96003EF055 (Local ID); 978-3-944331-34-8 (ISBN); oai:bth.se:forskinfo1A9F575FF8EB6F16C1257D96003EF055 (Archive number); oai:bth.se:forskinfo1A9F575FF8EB6F16C1257D96003EF055 (OAI)
Conference
Proceedings of the 3rd International Conference on Models and Technologies for Intelligent Transport Systems
Available from: 2015-02-17. Created: 2014-11-20. Last updated: 2018-01-11. Bibliographically approved
Lopez-Rojas, E. A., Gorton, D. & Axelsson, S. (2013). RetSim: A ShoeStore Agent-Based Simulation for Fraud Detection. In: 25th European Modeling and Simulation Symposium, EMSS 2013. Paper presented at 25th European Modeling and Simulation Symposium, EMSS 2013; Athens; Greece (pp. 25-34).
2013 (English). In: 25th European Modeling and Simulation Symposium, EMSS 2013, 2013, p. 25-34. Conference paper, Published paper (Refereed)
Abstract [en]

RetSim is an agent-based simulator of a shoe store based on the transactional data of one of the largest retail shoe sellers in Sweden. The aim of RetSim is the generation of synthetic data that can be used for fraud detection research. Statistical and a Social Network Analysis (SNA) of relations between staff and customers was used to develop and calibrate the model. Our ultimate goal is for RetSim to be usable to model relevant scenarios to generate realistic data sets that can be used by academia, and others, to develop and reason about fraud detection methods without leaking any sensitive information about the underlying data. Synthetic data has the added benefit of being easier to acquire, faster and at less cost, for experimentation even for those that have access to their own data. We argue that RetSim generates data that usefully approximates the relevant aspects of the real data.

Keywords
Multi-Agent Based Simulation, Retail Store, Fraud Detection, Synthetic Data.
National Category
Computer Systems
Identifiers
urn:nbn:se:bth-12929 (URN); 9788897999225 (ISBN)
Conference
25th European Modeling and Simulation Symposium, EMSS 2013; Athens; Greece
Available from: 2016-08-20. Created: 2016-08-20. Last updated: 2017-01-31. Bibliographically approved
Lopez-Rojas, E. A. & Axelsson, S. (2012). Money Laundering Detection using Synthetic Data. Paper presented at Annual workshop of the Swedish Artificial Intelligence Society (SAIS). Örebro, Sweden: Linköping University Electronic Press, Linköpings universitet
2012 (English). Conference paper, Published paper (Refereed)
Abstract [en]

Criminals use money laundering to make the proceeds from their illegal activities look legitimate in the eyes of the rest of society. Current countermeasures taken by financial organizations are based on legal requirements and very basic statistical analysis. Machine Learning offers a number of ways to detect anomalous transactions. These methods can be based on supervised and unsupervised learning algorithms that improve the performance of detection of such criminal activity. In this study we present an analysis of the difficulties and considerations of applying machine learning techniques to this problem. We discuss the pros and cons of using synthetic data and problems and advantages inherent in the generation of such a data set. We do this using a case study and suggest an approach based on Multi-Agent Based Simulations (MABS).

Place, publisher, year, edition, pages
Örebro, Sweden: Linköping University Electronic Press, Linköpings universitet, 2012
Keywords
Machine Learning, Anti-Money Laundering, Money Laundering, Anomaly Detection, Synthetic Data, Multi-Agent Based Simulation
National Category
Computer Sciences
Identifiers
urn:nbn:se:bth-7119 (URN); oai:bth.se:forskinfoEB952EA69906EE79C1257AC6003BB536 (Local ID); oai:bth.se:forskinfoEB952EA69906EE79C1257AC6003BB536 (Archive number); oai:bth.se:forskinfoEB952EA69906EE79C1257AC6003BB536 (OAI)
Conference
Annual workshop of the Swedish Artificial Intelligence Society (SAIS)
Note

Linkoping Press http://www.ep.liu.se/ecp_article/index.en.aspx?issue=071;article=005

Available from: 2012-12-06. Created: 2012-11-30. Last updated: 2018-01-11. Bibliographically approved