

  1. Predictive Security Analysis: Concepts, Implementation, first Results in Industrial Scenario
Roland Rieke (1), Romain Giot (2), Chrystel Gaber (2)
(1) Fraunhofer SIT, Darmstadt, Germany. Email: roland.rieke@sit.fraunhofer.de
(2) France Télécom-Orange Labs, Caen, France. Email: romain.giot@orange.com, chrystel.gaber@orange.com
CYBER SECURITY & PRIVACY EU FORUM 2013, 19th April 2013
Roland Rieke, Romain Giot, Predictive Security Analysis, CSP'13

  2. Overview
1 Advanced Security Information & Event Management
2 Predictive Security Analysis @ Runtime
3 Mobile Money Transfer Scenario
4 Conclusions

  3. Advanced Security Information & Event Management

  4. Advanced SIEM - tomorrow
Requirements:
- High interoperability: heterogeneity of input sources
- High scalability: handling and processing of event load peaks
- High elasticity: resources coupled to the flow of events
Features/Properties:
- Multi-domain: different application areas
- Cross-layer: logical security, physical security and service layer
- Predictive security analysis
- Countermeasure selection and evaluation (RORI)
- Trustworthiness and resilience framework

  5. Example: Mobile Money Transfer

  6. Requirements-driven System Design
[Figure: requirements-driven design flow. Labels: Business Process (Olympic games, Money Transfer, Managed Enterprise, Critical Infrastructure), Application, Infrastructure, Guidelines, Design, Requirements Compiler, Analysis, Integration, Technologies. Requirement terms: Security Requirements, Trustworthiness, Legal Basis, Event Processing, close information gap, fit to problem space, resilient and affordable, physical + logical events, resilient operations, scalability, elasticity, unknown behaviour, countermeasure support, breakdown to challenges, failure prediction, cross-layer, heterogeneity, attack/response analysis, OSSIM/Prelude integration. Work packages: A3 - Event and Information Collection, A4 - Event, Process Models and Attack Models, A5 - Advanced SIEM Framework.]

  7. Predictive Security Analysis @ Runtime
"Knowledge is built on theory. The theory of knowledge teaches us that a statement, if it conveys knowledge, predicts future outcome, with risk of being wrong, and that it fits without failure observations of the past." (William Edwards Deming)

  8. Operational Model of Process
[Figure: the event stream e1, e2, e3 of one process instance on a time axis (past time | future time), and the process model derived from it.]
1. Discover the process model (Petri net or EPC process model) from the observed event stream of the process instance.
2. Use the process model to predict close-future process behaviour: from the past events e1, e2, e3, predict the future actions a1, a2.

  9. Adapt Process Model
[Figure: process model with events e1 to e5, and an event stream e1, e2, e_x on a time axis (past time | future time).]
3. Detect unknown process actions: an event e_x arrives that the process model does not contain.
4. Belief change with respect to the process model: the model is extended so that it contains e_x.

  10. Predict Security Violations
[Figure: process model with events e1 to e5, an event stream showing e4 after e1 on a time axis (past time | future time), and a security requirement auth(a_x, a_1, agent) attached to the predicted action a_1.]
5. Detect missing events: the process model is used to predict the future events; the stream shows e4 after e1 while the expected e2 is missing.
6. Predict feasible security violations: a security requirement related to a_1, written auth(a_x, a_1, agent), is checked against the process history and the predicted actions a_x and a_1 before a_1 occurs.
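The six steps on slides 8 to 10, as an added illustration in Python that is not the PSA tool's own code: the process model is learned as a directed graph of observed action transitions, a deliberate simplification of the EPC and Petri-net models the slides use; the action names, the two-instance event stream and the requirement that confirm_transfer needs a prior enter_pin by the same agent are constructed for this example.

```python
from collections import defaultdict

# Constructed training traces: each list is one completed process instance,
# standing in for the historical event stream from which the model is discovered.
TRAINING_TRACES = [
    ["login", "enter_pin", "select_transfer", "confirm_transfer", "logout"],
    ["login", "enter_pin", "check_balance", "logout"],
    ["login", "enter_pin", "select_transfer", "cancel", "logout"],
]

# Constructed security requirement in the form auth(a_x, a_1, agent): the
# protected action a_1 (key) requires that the same agent has performed the
# authorising action a_x (value) earlier in the same process instance.
REQUIREMENTS = {"confirm_transfer": "enter_pin"}


class ProcessModel:
    """Directed graph of observed action transitions.

    A simplification of the EPC/Petri-net process models on the slides: it
    keeps, for every action, the set of actions seen directly after it.
    """

    def __init__(self):
        self.successors = defaultdict(set)  # action -> actions observed next
        self.actions = set()                # all actions the model knows

    def learn(self, trace):
        """Step 1: discover transitions from one process instance."""
        prev = "start"
        for action in trace:
            self.successors[prev].add(action)
            self.actions.add(action)
            prev = action

    def predict(self, last_action):
        """Step 2: close-future actions feasible after last_action."""
        return set(self.successors.get(last_action, ()))


def discover(traces):
    model = ProcessModel()
    for trace in traces:
        model.learn(trace)
    return model


def monitor(model, stream, requirements=REQUIREMENTS, adapt=True):
    """Consume (instance_id, agent, action) events and return alerts.

    Alert kinds: unknown_action (step 3; the model is adapted in step 4 when
    adapt=True), unexpected_transition (step 5, an expected event is missing),
    predicted_violation (step 6, raised before the protected action occurs)
    and violation (the protected action occurred without its authorising action).
    """
    history = defaultdict(list)  # instance_id -> [(agent, action), ...]
    alerts = []
    for instance, agent, action in stream:
        past = history[instance]
        last = past[-1][1] if past else "start"
        done_by_agent = {a for ag, a in past if ag == agent}

        if action not in model.actions:
            alerts.append(("unknown_action", instance, action))
            if adapt:  # step 4: belief change, the model now contains e_x
                model.successors[last].add(action)
                model.actions.add(action)
        elif action not in model.predict(last):
            alerts.append(("unexpected_transition", instance, f"{last}->{action}"))

        needed = requirements.get(action)
        if needed and needed not in done_by_agent:
            alerts.append(("violation", instance, f"{action} without {needed} by {agent}"))

        past.append((agent, action))
        done_by_agent.add(action)

        # Step 6: check the requirement against the predicted next actions,
        # so the analyst is warned before the protected action happens.
        for nxt in model.predict(action):
            needed = requirements.get(nxt)
            if needed and needed not in done_by_agent:
                alerts.append(("predicted_violation", instance,
                               f"{nxt} without {needed} by {agent}"))
    return alerts


# Constructed runtime stream with two interleaved instances: alice skips the
# PIN step before confirming a transfer, bob performs an action the model
# has never seen.
SAMPLE_STREAM = [
    ("i1", "alice", "login"),
    ("i2", "bob", "login"),
    ("i1", "alice", "select_transfer"),
    ("i2", "bob", "enter_pin"),
    ("i1", "alice", "confirm_transfer"),
    ("i2", "bob", "export_contacts"),
]

if __name__ == "__main__":
    model = discover(TRAINING_TRACES)
    for alert in monitor(model, SAMPLE_STREAM):
        print(alert)
```

Run as a script it reports four alerts for the constructed stream. The predicted_violation for instance i1 is raised when select_transfer arrives, one event before the confirm_transfer that actually violates the requirement, which is the point of step 6; the unknown_action for i2 is absorbed into the model (step 4), so a second export_contacts after enter_pin would no longer be flagged. A real deployment needs a proper process-discovery step in place of the transition graph and a policy for the false alarms this kind of monitoring produces.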

  11. Predictive Security Analysis Tool

  12. Mobile Money Transfer Scenario

  13. Mobile Money Transfer Scenario
[Figure: the end user reaches the Mobile Money Transfer Platform over a channel (GSM, UMTS, ...) through the operator's network; a user and an admin reach the platform over the Internet (http, https, ...).]

  14. Illustration of Money Laundering

  15. PSA Configuration for Detection

  16. PSA Behavior on Real Events - Obtained Transitions
[Figure: transition graph obtained from the real event stream, with the nodes start, tiny, minuscule, small, normal, medium, huge, big and large; edge labels are transition counts ranging from tens to over a million.]

  17. PSA Behavior on Real Events - Scaling
[Plot: number of events (0 to 5,000,000; series "Events" and "Unexpected Events") against processing time in minutes (0 to 400).]

  18. PSA Behavior on Real Events - Facts
Simple EPC with alerts:
- 4.5 million events processed in 6 hours
- 0.5 million alerts generated
Complete EPC without alerts:
- 4.5 million events processed in 33 minutes
- 0 alerts generated
Facts ⇒
- Processing time is minimal when no alerts have to be generated
- PSA is able to process all the logs of an operational system in real time
  - Best case: 2272 events/second without alerts (4.5 million events in 33 minutes)
  - Worst case: 25 events/second with alerts (4.5 million events in 6 hours averages about 208 events/second, so this worst-case rate lies well below the average of that run)

  19. PSA Behavior on Simulated Events - Simulation
As there is no ground truth for the real events, it is necessary to work with simulated events.

  20. PSA Behavior on Simulated Events - Results
[Figure: transition graph on simulated events with the nodes start, tiny, small, large and huge; edge labels are transition counts between 1 and 167.]

  21. PSA Behavior on Simulated Events - Deeper analysis
[Figure: graph of the simulated entities EU0, EU1, EU2, EU3, EU4, EU6, EU18, EU19, EU21, EU26, EU27, EU30, EU38, EU40, EU41, EU42, EU44, EU49, FR1, FR2 and Ret1 to Ret4; edge labels are counts between 12 and 611.]

  22. Conclusions
Money Transfer:
- MMTS analysis uses the alerts generated by the uncertainty reasoning component of PSA to detect money laundering patterns.
- PSA is able to detect irregular events regarding the behaviour of a user of the MMTS system.
- It is necessary to cope with false alarms and to make decisions regarding the alerts.
Critical Infrastructure, Managed Enterprise, Olympic games:
- MASSIF (http://www.massif-project.eu/) will analyse the advantages of PSA with respect to "measuring" security and compliance @ runtime.
- Advanced application-aware SIEM requires novel concepts such as PSA.
- Lesson learned: SoS (systems of systems) need to be designed for security assessment @ runtime.
