Predictive Security Analysis - CSP (PDF file, 2013-08-29)
Predictive Security Analysis: Concepts, Implementation, First Results in an Industrial Scenario
Roland Rieke (1), Romain Giot (2), Chrystel Gaber (2)
(1) Fraunhofer SIT, Darmstadt, Germany. Email: [email protected]
(2) France Télécom-Orange Labs, Caen, France. Email: [email protected], [email protected]
CYBER SECURITY & PRIVACY EU FORUM 2013, 19th April 2013
Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 1
Overview
1 Advanced Security Information & Event Management
2 Predictive Security Analysis @ Runtime
3 Mobile Money Transfer Scenario
4 Conclusions
Advanced Security Information & Event Management
Advanced SIEM - tomorrow
Requirements
High interoperability - heterogeneity of input sources
High scalability - handling and processing of load peaks of events
High elasticity - resources coupled to the flow of events
Features/Properties
Multi-domain - different application areas
Cross-layer - logical security, physical security and service layer
Predictive security analysis
Countermeasures selection and evaluation - RORI
Trustworthiness and resilience framework
Example: Mobile Money Transfer
Requirements-driven System Design
Figure: requirements-driven system design (text recovered from the slide graphic).
Application scenarios: Olympic games, Money Transfer, Managed Enterprise, Critical Infrastructure
Layers: Business Process, Application, Infrastructure
A3 - Event and Information Collection: heterogeneity, cross-layer, elasticity, scalability
A4 - Event, Process Models and Attack Models: attack/response analysis, physical + logical events, unknown behavior, failure prediction
A5 - Advanced SIEM Framework: OSSIM/Prelude integration, countermeasure support, resilient operations
Cross-cutting: design guidelines, security, compiler technologies, legal basis, trustworthiness, event processing, technical integration
Goals: close information gap, fit to problem space, resilient and affordable
Flow: requirements analysis, breakdown to challenges
Knowledge is built on theory. The theory of knowledge teaches us that a statement, if it conveys knowledge, predicts future outcome, with risk of being wrong, and that it fits without failure observations of the past. — William Edwards Deming
Predictive Security Analysis @ Runtime
Operational Model of Process
1. Discover process model (Petri net, EPC): from the events e1, e2, e3 of a process instance observed in the event stream (past time), derive the process model that explains them.
2. Predict close-future process behaviour: given the events e1, e2, e3 observed so far, use the process model to predict the future actions a1, a2 (future time).
Adapt Process Model
3. Detect unknown process actions: the event stream contains e1, e2, ex, but the process model (e1, e2, e3, e4, e5) does not contain ex.
4. Belief change w.r.t. process model: adapt the process model so that it contains ex (e1, e2, e3, e4, e5, ex).
Predict Security Violations
5. Detect missing events: the event stream contains e1, e2, e4; using the process model (e1, e2, e3, e4, e5) to predict future events reveals that e3 is missing.
6. Predict feasible security violations: from the process history and the predicted actions ax, a1, check the security requirement related to a1, e.g. auth(ax, a1, agent), against the predicted future.
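The six steps above, worked through as an added Python sketch; this is not the PSA tool's code, and the action names, the mined successor-relation model, the constructed traces and the encoding of auth(ax, a1, agent) as "protected action only after a required action by the same agent" are all assumptions:

```python
from collections import defaultdict

# Constructed traces of completed process instances; the process model is
# mined from them (step 1). Action names are assumptions, not from the slides.
TRAINING_TRACES = [
    ["login", "select_recipient", "enter_amount", "confirm", "transfer"],
    ["login", "select_recipient", "enter_amount", "cancel"],
]

def discover_model(traces):  # Step 1: mine a successor relation (minimal EPC-style model)
    model = defaultdict(set)
    for trace in traces:
        for cur, nxt in zip(["start"] + trace, trace):
            model[cur].add(nxt)
    return model

class ProcessMonitor:
    def __init__(self, model, protected, required):
        self.model, self.state, self.history, self.alerts = model, "start", [], []
        # auth(ax, a1, agent): protected action a1 only after required action ax by the same agent
        self.protected, self.required = protected, required

    def predict(self):  # Step 2: close-future actions the model allows from the current state
        return sorted(self.model[self.state])
    def observe(self, agent, action):
        expected = set(self.model[self.state])
        if action not in expected:
            skipped = [m for m in expected if action in self.model[m]]
            if skipped:  # Step 5: a modelled step was skipped
                self.alerts.append(f"missing {skipped[0]} before {action}")
            elif any(action in s for s in self.model.values()):
                self.alerts.append(f"unexpected {action} after {self.state}")
            else:  # Step 3: action unknown to the model
                self.alerts.append(f"unknown action {action}")
                self.model[self.state].add(action)  # Step 4: belief change; assume the
                self.model[action] |= expected      # new action rejoins the modelled flow
        self.history.append((agent, action))
        self.state = action
        # Step 6: protected action predicted next, but this agent never did the required one
        if self.protected in self.predict() and (agent, self.required) not in self.history:
            self.alerts.append(f"feasible violation: {self.protected} by {agent} without {self.required}")
        return self.alerts

def run_demo():
    mon = ProcessMonitor(discover_model(TRAINING_TRACES), "transfer", "login")
    # Constructed stream: bob skips login and performs an action the model has never seen.
    for agent, action in [("bob", "select_recipient"), ("bob", "enter_amount"),
                          ("bob", "force_confirm"), ("bob", "confirm")]:
        mon.observe(agent, action)
    return mon.alerts
```

The violation is raised before "transfer" happens, because the model predicts it as the next action while the agent's history lacks the required "login".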
Predictive Security Analysis Tool
Mobile Money Transfer Scenario
Mobile Money Transfer Scenario
Figure: end user and admin reach the Mobile Money Transfer Platform over the Internet (http, https, ...) and over the operator's network (GSM, UMTS, ...); the channel user is shown between the operator's network and the platform.
Illustration of Money Laundering
PSA Configuration for Detection
PSA Behavior on Real Events - Obtained Transitions
Figure: transition graph obtained from real events; nodes are labelled start, minuscule, tiny, small, normal, medium, big, large and huge, with the observed transition counts on the edges.
PSA Behavior on Real Events - Scaling
Figure: number of events (0 to 5,000,000) over processing time (0 to 400 minutes), with the series "Events" and "Unexpected Events".
PSA Behavior on Real Events - Facts
Simple EPC with alerts: 4.5 million events treated in 6 hours, 0.5 million alerts generated
Complete EPC without alerts: 4.5 million events treated in 33 minutes, 0 alerts generated
Facts ⇒ processing time is minimal when no alerts have to be generated
PSA is able to manage in real time all the logs of an operational system: best case 2272 events/second without alerts, worst case 25 events/second with alerts
PSA Behavior on Simulated Events - Simulation
As we do not have a ground truth on the real events ⇒ it is necessary to work with simulated events
PSA Behavior on Simulated Events - Results
Figure: transition graph obtained on simulated events; nodes are labelled start, tiny, small, large and huge, with transition counts on the edges.
PSA Behavior on Simulated Events - Deeper analysis
Figure: Illustration of the transactions (graph of nodes labelled FR1, FR2, Ret1 to Ret4 and EU0 to EU49, with transaction counts on the edges)
Conclusions
Money Transfer
MMTS analysis utilizes alerts generated by the uncertainty reasoning component of PSA to detect money laundering patterns.
PSA is able to detect irregular events regarding the behavior of the user of the MMTS system.
It is necessary to cope with false alarms and make decisions regarding the alerts.
Other scenarios: Critical Infrastructure, Managed Enterprise, Olympic games
MASSIF (http://www.massif-project.eu/) will analyse advantages of PSA with respect to "measuring" security and compliance @ runtime.
Advanced application-aware SIEM requires novel concepts such as PSA.
Lesson learned: SoS need to be designed for security assessment @ runtime.