Predictive Security Analysis Concepts, Implementation, first Results - - PowerPoint PPT Presentation

SLIDE 1

Predictive Security Analysis

Concepts, Implementation, first Results in Industrial Scenario Roland Rieke1 Romain Giot2 Chrystel Gaber2

1Fraunhofer SIT, Darmstadt, Germany

Email: roland.rieke@sit.fraunhofer.de

2France Télécom-Orange Labs, Caen, France

Email: romain.giot@orange.com, chrystel.gaber@orange.com

CYBER SECURITY & PRIVACY EU FORUM 2013, 19th April 2013

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 1

SLIDE 2

Overview

1. Advanced Security Information & Event Management
2. Predictive Security Analysis @ Runtime
3. Mobile Money Transfer Scenario
4. Conclusions

SLIDE 3

Advanced Security Information & Event Management

SLIDE 4

Advanced SIEM - tomorrow

Requirements
• High interoperability - heterogeneity of input sources
• High scalability - handling and processing of load peaks of events
• High elasticity - resources coupled to the flow of events

Features/Properties
• Multi-domain - different application areas
• Cross-layer - logical security, physical security and service layer
• Predictive security analysis
• Countermeasures selection and evaluation - RORI
• Trustworthiness and resilience framework

SLIDE 5

Example: Mobile Money Transfer

SLIDE 6

Requirements-driven System Design

[Diagram: requirements analysis feeding design guidelines and technical integration]

Application scenarios (layers: Business Process, Application, Infrastructure): Olympic games, Money Transfer, Managed Enterprise, Critical Infrastructure

A4 – Event, Process Models and Attack Models: Attack/response analysis, Physical + logical events, Unknown behavior, Failure prediction

A5 – Advanced SIEM Framework: OSSIM/Prelude Integration, Countermeasure Support, Resilient Operations

A3 – Event and Information Collection: Heterogeneity, Cross-layer, Elasticity, Scalability

Design Guidelines

Technical integration: Security, Compiler Technologies, Legal Basis, Trustworthiness, Event Processing

Requirements Analysis: Close information gap, Fit to problem space, Resilient and affordable, Breakdown to challenges

SLIDE 7

Knowledge is built on theory. The theory of knowledge teaches us that a statement, if it conveys knowledge, predicts future outcome, with risk of being wrong, and that it fits without failure observations of the past.

— William Edwards Deming

Predictive Security Analysis @ Runtime

SLIDE 8

Operational Model of Process

1. Discover process model (Petri net, EPC): the event stream e1, e2, e3 observed so far (past time) is mined into a process model; each event is assigned to a process instance.

2. Predict close-future process behaviour: the process model is used to predict the future actions a1, a2 (future time) that follow the observed events e1, e2, e3.

SLIDE 9

Adapt Process Model

3. Detect unknown process actions: the event stream contains an event ex that the process model (e1, e2, e3, e4, e5) does not contain.

4. Belief change w.r.t. process model: the process model is adapted so that it contains ex.

SLIDE 10

Predict Security Violations

5. Detect missing events: the event stream shows e1, e2, e4, whereas the process model predicts the events e1, e2, e3, e4, e5, so e3 is missing.

6. Predict feasible security violations: from the process history and the predicted actions ax, a1, the security requirement related to a1, auth(ax, a1, agent), is evaluated for the predicted action.
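The six steps on slides 8 to 10 form one analysis loop. The following Python sketch implements that loop as an added example; it is not the PSA tool of the authors. A successor relation learned from traces stands in for the EPC or Petri net, and the action names, the session traces and the requirement that a transfer is preceded by a login by the same agent are constructed for illustration.

```python
from collections import defaultdict

START = "start"


class ProcessModel:
    """Successor relation discovered from past traces; stands in for the
    EPC / Petri net process model of the slides (step 1)."""

    def __init__(self):
        self.successors = defaultdict(set)
        self.actions = {START}

    def discover(self, traces):
        for trace in traces:
            for cur, nxt in zip((START,) + tuple(trace), trace):
                self.add_transition(cur, nxt)
        return self

    def add_transition(self, cur, nxt):
        self.actions.update((cur, nxt))
        self.successors[cur].add(nxt)

    def predict(self, action):
        """Step 2: close-future actions the model allows after `action`."""
        return sorted(self.successors.get(action, ()))

    def missing_between(self, prev, action):
        """Step 5 helper: actions the model expects between prev and action."""
        return sorted(x for x in self.successors.get(prev, ())
                      if action in self.successors.get(x, ()))


class PredictiveSecurityAnalyzer:
    """One analyzer per process instance (here: one user session)."""

    def __init__(self, model, requirements):
        self.model = model
        # requirements: list of (action, check); check(history, agent) is True
        # when the agent is allowed to perform the action (assumed auth predicate).
        self.requirements = requirements
        self.history = []

    def observe(self, action, agent):
        """Consume one event and return the alerts it raises."""
        alerts = []
        prev = self.history[-1][0] if self.history else START
        if action not in self.model.actions:
            alerts.append(("unknown_action", action))                 # step 3
            self.model.add_transition(prev, action)                   # step 4: belief change
        elif action not in self.model.successors.get(prev, ()):
            expected = tuple(self.model.missing_between(prev, action))
            alerts.append(("missing_event", prev, action, expected))  # step 5
        self.history.append((action, agent))
        for req_action, check in self.requirements:                  # observed violation
            if action == req_action and not check(self.history, agent):
                alerts.append(("violation", action, agent))
        for nxt in self.model.predict(action):                        # step 6: predicted violation
            for req_action, check in self.requirements:
                if nxt == req_action and not check(self.history, agent):
                    alerts.append(("predicted_violation", nxt, agent))
        return alerts


def logged_in(history, agent):
    """Assumed security requirement auth(ax, a1, agent): the agent logged in earlier."""
    return any(a == "login" and g == agent for a, g in history)


def run_demo():
    # Constructed traces of mobile money transfer sessions (not project data).
    traces = [["login", "check_balance", "transfer", "logout"],
              ["login", "transfer", "logout"],
              ["login", "check_balance", "logout"]]
    model = ProcessModel().discover(traces)
    requirements = [("transfer", logged_in)]
    alerts = []
    alice = PredictiveSecurityAnalyzer(model, requirements)
    for action in ("login", "transfer", "logout"):
        alerts += alice.observe(action, "alice")
    bob = PredictiveSecurityAnalyzer(model, requirements)
    for action in ("check_balance", "transfer", "export_contacts"):
        alerts += bob.observe(action, "bob")
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The second session shows all the alert kinds: the first event skips the expected login (missing event), the model then predicts a transfer for which the auth requirement would fail (predicted violation), the transfer happens anyway (violation), and an action the model has never seen is reported and absorbed into the model (unknown action, belief change).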

SLIDE 11

Predictive Security Analysis Tool

SLIDE 12

Mobile Money Transfer Scenario

SLIDE 13

Mobile Money Transfer Scenario

[Diagram: users (End user, Admin) reach the Mobile Money Transfer Platform over two channels, the Operator's network (GSM, UMTS, ...) and the Internet, both carrying application traffic (http, https, ...)]

SLIDE 14

Illustration of Money Laundering

SLIDE 15

PSA Configuration for Detection

SLIDE 16

PSA Behavior on Real Events - Obtained Transitions

[Figure: transition graph obtained from real events between the transaction-size states start, minuscule, tiny, small, normal, medium, big, large and huge; edges are labelled with the number of observed transitions. Counts shown next to the states: big 439637, medium 98532, large 70719, huge 691, normal 37194, minuscule 48703, tiny 42204]
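The figure above shows the transition counts PSA obtained between transaction-size states. The following Python is an added illustration of how such a model is built and used, not the project's tool or data: it learns per-user transition counts from constructed mobile money transfer events (the amount bounds and the ordering of the size classes are assumptions) and flags transitions whose learned probability is below a threshold, which is the kind of uncertainty-based alert the conclusions refer to.

```python
from collections import Counter, defaultdict

# The slides use these size states; the amount bounds and the ordering of the
# classes are assumptions made for this example, not the project's thresholds.
SIZE_CLASSES = [
    ("minuscule", 1), ("tiny", 5), ("small", 20), ("normal", 100),
    ("medium", 500), ("big", 2000), ("large", 10000), ("huge", float("inf")),
]
START = "start"


def size_class(amount):
    """Map a transaction amount to the first size class whose upper bound exceeds it."""
    for name, upper in SIZE_CLASSES:
        if amount < upper:
            return name
    return "huge"


class TransitionModel:
    """Per-user state transition counts, as in the 'obtained transitions' graph."""

    def __init__(self):
        self.counts = defaultdict(Counter)  # counts[prev_state][next_state]

    def train(self, events):
        """events: iterable of (user, amount); each user's chain starts at START."""
        last = {}
        for user, amount in events:
            state = size_class(amount)
            prev = last.get(user, START)
            self.counts[prev][state] += 1
            last[user] = state
        return self

    def probability(self, prev, state):
        """Empirical probability of moving from prev to state (0 if prev is unseen)."""
        row = self.counts.get(prev)
        if not row:
            return 0.0
        return row.get(state, 0) / sum(row.values())

    def table(self):
        """Flat (prev, next, count) rows, sorted, for printing the transition graph."""
        return sorted((p, n, c) for p, row in self.counts.items() for n, c in row.items())

    def score(self, events, threshold=0.05):
        """Replay new events and alert on transitions rarer than threshold."""
        alerts, last = [], {}
        for user, amount in events:
            state = size_class(amount)
            prev = last.get(user, START)
            p = self.probability(prev, state)
            if p < threshold:
                alerts.append((user, prev, state, round(p, 3)))
            last[user] = state
        return alerts


def training_events():
    """Constructed sample: ten users with the same everyday pattern of small payments."""
    return [(f"user{u}", amt) for u in range(10) for amt in (3, 15, 50, 8, 60, 2, 40, 12)]


def run_demo():
    model = TransitionModel().train(training_events())
    # Constructed test stream: user3 suddenly moves large sums, user8 starts unusually.
    stream = [("user3", 4), ("user3", 12), ("user3", 45), ("user3", 7000), ("user3", 9000),
              ("user8", 50), ("user8", 8)]
    return model.score(stream)


if __name__ == "__main__":
    for row in TransitionModel().train(training_events()).table():
        print(*row)
    print(run_demo())
```

Note that user8 is flagged only because every training chain began with a tiny amount; a transition that was never observed gets probability 0, so a small training set produces exactly the false alarms the conclusions say must be coped with, and the threshold and training volume are what trade detection against alert load.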

SLIDE 17

PSA Behavior on Real Events - Scaling

[Figure: processing time (minutes, 50 to 400) plotted against the number of events (1,000,000 to 5,000,000) for the series Events and Unexpected Events]

SLIDE 18

PSA Behavior on Real Events - Facts

Simple EPC with alerts
• 4.5 million events processed in 6 hours
• 0.5 million alerts generated

Complete EPC without alerts
• 4.5 million events processed in 33 minutes
• 0 alerts generated

Facts ⇒ Processing time is minimal when no alerts have to be generated

PSA is able to manage in real time all the logs of an operational system
• Best case: 2272 events/second without alerts
• Worst case: 25 events/second with alerts

SLIDE 19

PSA Behavior on Simulated Events - Simulation

As there is no ground truth for the real events

⇒ it is necessary to work with simulated events

SLIDE 20

PSA Behavior on Simulated Events - Results

[Figure: transition graph obtained from simulated events between the states start, tiny, small, large and huge, with transition counts on the edges]

SLIDE 21

PSA Behavior on Simulated Events - Deeper analysis

[Figure: graph of simulated accounts (FR1, FR2, EU0 to EU49, Ret1 to Ret4) connected by edges labelled with counts]

SLIDE 22

Conclusions

Money Transfer: MMTS analysis utilizes alerts generated by the uncertainty reasoning component of PSA to detect money laundering patterns. PSA is able to detect irregular events regarding the behavior of the user of the MMTS system. It is necessary to cope with false alarms and make decisions regarding the alerts.

Critical Infrastructure, Managed Enterprise, Olympic games: MASSIF (http://www.massif-project.eu/) will analyse advantages of PSA with respect to “measuring” security and compliance @ runtime.

Advanced application-aware SIEM requires novel concepts such as PSA. Lesson learned: SoS need to be designed for security assessment @ runtime.
