Media Sharing Protection
Example Report for CES
EDCS-11522793 Rev. 2.00, 01 January 2017
Cisco Confidential Cisco Only


Trademark Acknowledgments

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.

Third party trademarks mentioned are the property of their respective owners.

The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Publication Disclaimer

Cisco Systems, Inc. assumes no responsibility for errors or omissions that may appear in this publication. We reserve the right to change this publication at any time without notice. This document is not to be construed as conferring by implication, estoppel, or otherwise any license or right under any copyright or patent, whether or not the use of any information in this document employs an invention claimed in any existing or later issued patent. A printed copy of this document is considered uncontrolled. Refer to the online version for the latest revision.

Copyright

© 2017 Cisco and/or its affiliates. All rights reserved.

Information in this publication is subject to change without notice. No part of this publication may be reproduced or transmitted in any form, by photocopy, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, for any purpose, without the express permission of Cisco Systems, Inc.

Americas Headquarters Cisco Systems, Inc. San Jose, CA

Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore

Europe Headquarters Cisco Systems International BV Amsterdam The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.


Owner: Steve Epstein Reviewer: Marcelo Blatt

Author: Yechiel Lewis


Contents

1 Introduction

2 General Analysis

3 Conclusions

4 Examples of Sharing Accounts
4.1 Example 1—Likely Sharing
4.2 Example 2—Likely Sharing
4.3 Example 3—Suspicious Sharing
4.4 Example 4—Suspicious Sharing

5 Summary


1 Introduction

Credential sharing results in a significant loss of business to service providers. Sharing may be performed by a multiplicity of users with a variety of motivations. Cisco’s new product Media Sharing Protection identifies these types of sharing so that service providers can mediate this business loss.

Media Sharing Protection uses data-science techniques to predict where sharing occurs. A likelihood score is given for each type of sharing. Later in this document, we provide charts and maps using real data from a sharing analysis report of an anonymous service provider. We explain the chart and map data to provide an understanding of, and valuable insights into, our innovative new product.

The report is generated automatically, based on our patent-pending big-data and machine-learning software deployed in the cloud.

In addition to this report, Cisco can provide real-time dashboards, which show sharing on a daily basis. These dashboards include alerts and trend analysis, as well as a policy-enforcement engine. This engine can be integrated into the service-provider system to suspend or apply other policies to any account whose sharing score is greater than a predefined threshold for each sharing type.


2 General Analysis

This section shows several plots in order to explain some of the basic analysis that Cisco performs and to give perspective to the overall data.

The following scatterplot shows some of the analysis that we perform and our conclusions.

The scatterplot below compares the number of devices per account with the number of cities per account. We note the following:

Accounts with many devices and very few cities could potentially be large families or test accounts with many devices and not necessarily sharers.

Accounts with many cities and very few devices may be the accounts of travelers moving from one location to the next, and not necessarily sharers.

On the other hand, accounts with both a large number of cities and a large number of devices are extremely suspicious, and are most likely accounts that are violating the terms and conditions of the service provider and sharing illegally.

[Scatterplot: devices per account versus cities per account, with regions annotated "Large Families?", "Traveler?" and "Extremely Suspicious"]


3 Conclusions

The following cumulative distribution function (CDF) depicts the amount of sharing in the system.

We believe that:

Accounts with a sharing score between 500 and 750 (10% of population) are suspicious, and sharing activity needs to be further verified.

Accounts above 750 (1% of population) are almost definitely sharers and should have a policy enforced based on the business reasoning of the service provider.

Furthermore, using principal component analysis to compress the multi-dimensional features down to two dimensions, one can see clearly from the chart below who the high and medium sharers are, as described in the CDF above.


For further analysis, we perform a multi-class classification on all high and medium sharers. Using very advanced techniques and a whole new set of features, we divide the sharers into separate categories:

Casual sharers: People who share based on the motivation to help a friend or family member

Business sharers: People who share based on the motivation to save or make money (swappers, poolers, sellers)

Stolen accounts: People who buy others' passwords on the DarkNet and use those credentials illegally without the knowledge of the account owner


In the above chart, the largest class of sharers (8.92% out of 10%) are casual sharers, who tend to share their passwords to assist a friend and for profit motives (business sharing). Likewise, only a small portion of the population (0.02%) are stealing accounts by purchasing credentials over the DarkNet or other such fraudulent networks.

The chart below provides some level of interpretability to the anomalous activity of the illegal projected sharers delineated in the pie chart above.


4 Examples of Sharing Accounts

In this section, we show in detail four accounts with different ratings and classifications that we derived from our analysis of all accounts in this service provider’s system. The summary of our analysis of these accounts is depicted in the following table.

| Account | Classification | Sharing Score | Interpretation |
|---|---|---|---|
| Anonymous 1 | Stolen Account | 999 | Likely |
| Anonymous 2 | Casual | 997 | Likely |
| Anonymous 3 | Casual | 780 | Suspicious |
| Anonymous 4 | Casual | 610 | Suspicious |

The maps and charts in the examples below depict data collected over a three-month period.

4.1 Example 1—Likely Sharing

One of the largest sharing accounts that we found, which has been classified as a stolen account, shows the massive proliferation of one account’s credentials to a multitude of users. The sharing score for this account is 999, and the following charts and maps explain the reasoning.

The map below depicts a multitude of locations where video has been watched over a three-month period within the same account.

Sharing Score: 999


The chart below depicts a multitude of distinct device/IP combinations—what we term households—that have viewed video from this worst account within the three-month period.

This account is clearly a stolen account, given the proliferation of viewing across so many households.

In the set of box plots below, one can see that out of all the properties that define this account, the number of households is the most anomalous.


4.2 Example 2—Likely Sharing

This example describes another extreme case of casual sharing where the sharing score is 997.

The map below depicts a casual sharing account that is based in five areas, at least two of which have significant usage.

From the following bipartite chart, one can further see that two to three of the five areas or households have a tremendous amount of activity, yet there is no intersection between any devices or IP addresses.

It is likely that in the left-most household, a parent is sharing an account with a child in a university dorm who uses separate devices but returns home occasionally.

Finally, one can see from the following set of box plots that the primary anomalous activity that made this account stand out and gave it such a high score was the total number of sessions across the entire account.

Sharing Score: 997


4.3 Example 3—Suspicious Sharing

In this example, we switch to an account with a sharing score of 780—a suspicious account as opposed to a definite sharer. Unlike the previous examples, in the map below, we see fewer locations—only four, yet spread across a very wide area.

Sharing Score: 780

When looking at the bipartite graph below, we see six very distinct households. One of the households has a single device communicating over many IP addresses—a traveler or a mobile user; another household has many devices communicating over various IP addresses, representative of a co-located family; the other households have a single device communicating consistently over the same one or two IP addresses—a connected TV or possibly a desktop. However, given the lack of intersection between the IP addresses of the various devices, there is plenty of reason to suspect that this is a casual sharing account.
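The household grouping behind the bipartite charts in Examples 1 to 3 can be sketched as follows. This is an added example, not Cisco's code or part of the original report: it assumes a household is a connected component of an account's device-IP graph, uses an assumed cutoff `many` for the devices-versus-cities reading from section 2, and runs on constructed session records.

```python
from collections import defaultdict

# Constructed sessions (account, device, ip, city); documentation IP ranges only.
SESSIONS = [
    ("acct-A", "tv-1", "198.51.100.7", "Leeds"),
    ("acct-A", "phone-1", "198.51.100.7", "Leeds"),
    ("acct-A", "phone-1", "203.0.113.20", "Leeds"),   # same phone on mobile data
    ("acct-A", "laptop-9", "192.0.2.44", "Glasgow"),  # shares no IP with the rest
    ("acct-B", "tablet-3", "192.0.2.10", "Oslo"),
    ("acct-B", "tablet-3", "192.0.2.99", "Bergen"),
    ("acct-B", "tablet-3", "203.0.113.5", "Tromso"),
]

def households(sessions, account):
    """Assumed definition: connected components of the device-IP graph."""
    parent = {}
    def find(x):  # union-find root lookup with path halving
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for acct, dev, ip, _city in sessions:
        if acct == account:
            parent[find(("dev", dev))] = find(("ip", ip))  # link device to IP
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    # Caveat: a shared or carrier-NAT IP would merge unrelated households.
    return sorted(sorted(g) for g in groups.values())

def profile(sessions, account, many=3):
    """Section 2 reading of devices vs cities; `many` is an assumed cutoff."""
    rows = [s for s in sessions if s[0] == account]
    devices = {s[1] for s in rows}
    cities = {s[3] for s in rows}
    if len(devices) >= many and len(cities) >= many:
        label = "extremely suspicious"
    elif len(devices) >= many:
        label = "large family or test account?"
    elif len(cities) >= many:
        label = "traveler?"
    else:
        label = "unremarkable"
    return {"devices": len(devices), "cities": len(cities),
            "households": len(households(sessions, account)), "label": label}

if __name__ == "__main__":
    for acct in ("acct-A", "acct-B"):
        print(acct, profile(SESSIONS, acct))
```

In the constructed data, acct-B is one device on three IPs and collapses to a single household, while acct-A splits into two households because the laptop never shares an IP with the other devices.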

Finally, the properties that most depict this account as being a suspicious sharer (as shown in the box plot below) are:

Number of households

Number of devices per day

Number of time zones

Yet, these properties are not nearly as anomalous as those in the two previous examples, which we depicted as being almost definite sharing accounts.

4.4 Example 4—Suspicious Sharing

In this example, we switch to an account with a sharing score of 610—a mildly suspicious account, as opposed to a definite sharer. Unlike the previous examples, in the map below, we see only three locations in fairly close proximity.

Unlike the other displayed accounts, this account has only two households, each representing fairly typical family behavior.

The fact that there are two households and some activity outside the service provider’s country of origin, as depicted by the box plot below, makes this account anomalous and suspicious even though the sharing score is quite low.

Sharing Score: 610


5 Summary

As described in the conclusions in section 3, there is a significant amount of sharing in this anonymous service provider’s system. The sharing with high scores is almost definitely from sharers, based on the multitude of varied suspicious activity. Sharing with medium scores may also point to sharing behavior, which makes these accounts suspicious.

By investigating these accounts, the service provider can counteract sharing and recoup much lost revenue.