8/12/2019 Conviction Model for Incident Reaction Architecture Monitoring Based on Automatic Sensors Alert Detection
Conviction Model for Incident Reaction Architecture Monitoring based on Automatic Sensors Alert Detection
Christophe Feltus - Djamel Khadraoui
Public Research Centre Henri Tudor, Luxembourg-Kirchberg, Luxembourg
October 13-16, 2013
Table of contents
Introduction
Leading Case Study
Modelling the agents responsibility
Conviction analysis
Case Study validation
Conclusions
October 2013 SMC IEEE conference
Introduction
- CI (critical infrastructures) are infrastructures essential for the functioning of a society and its economy
- CI are monitored and protected by SCADA systems (Supervisory Control and Data Acquisition)
- SCADA operates at different abstraction levels of the CI and is generally composed of agent systems which need to collaborate accurately
We observe:
- No integrated approach to support the agents' behavior in crisis situations, i.e. no guarantee about the agent's ability to perform its responsibilities after delegation/assignment
Leading Case
- PEP (Policy Enforcement Point) enforces the security policies provided by the PDP.
- PIE (Policy Instantiation Engine) is the agent that receives information about attacks from the ACE and instantiates new security policies to react to the attack.
- PDP (Policy Decision Point) receives the new security policies defined by the PIE and deploys (validates) them at the enforcement points (PEP).
- ACE (Agent Correlation Engine) is the agent in charge of receiving alerts coming from network nodes, correlating the information and forwarding confirmed alerts to the PIE.
SCADA inside
[Figure: the SCADA architecture of the case study, annotated with the question "Conviction of responsibility performance?"]
The Agent Responsibility model
[Figure: the agent responsibility model; the Commitment concept is highlighted]
Responsibility concepts definitions
The task is an action to use or transform an object, performed by an agent.
The responsibility is a state assigned to an agent to signify to it its obligations and accountabilities regarding a task.
The accountability is a duty to justify the performance of a task to someone else under threat of sanction. Accountability is a type of obligation to report the achievement, maintenance or avoidance of some given state to an authority and, as a consequence, is associated with an obligation.
The assignment is the action of linking an agent to a responsibility.
The delegation process is the transfer of an agent's responsibility assignment to another agent.
Responsibility concepts definitions
The capability describes the requisite qualities, skills or resources necessary to perform a task. Capability may be declined through knowledge or know-how possessed by the agent, such as its ability to make decisions, its processing time, its faculty to analyze a problem, and its position on the network.
The right encompasses the facilities required by an agent to fulfill its obligations, e.g. the access right that the agent gets once it is assigned responsible.
The commitment pledged by the agent related to this assignment represents its required engagement to fulfill a task and the conviction that it does so in respect of good practices.
The trust is the reliance that an agent acts as it is requested.
For didactic reasons, we consider in this paper that a trust level of 10 is high and a trust level of 0 is low.
Agent responsibility in the case study
Because of the size of the paper, only the four most important concepts are instantiated as requirements:
- The obligations concerning the task (in red),
- The capabilities (in blue),
- The rights (in green),
- The commitment, represented as a trust value (in black).
Cf. the requirements tables.
Case study: PEPs' requirements
Case study: PDPs' and ACEs' requirements
Guarantee about the agent's ability to perform its responsibilities
It is necessary, for an agent, that:
- Rights: should be appropriate to satisfy the agent's obligations.
- Capability: the capability required by the task should be within the agent's capability; moreover, such capability should enable it to fulfill its obligations.
- Level of trust: should be higher than or equal to the minimum level specified as required.
Based on the values of the Right, the Capability and the Trust:
The Conviction A for fulfillment of Obligation O by an Agent with right R, Capability C and Trust T is:
$A_O(R, C, T) = 0$ if $(R_O \not\subseteq R) \lor (C_O \not\subseteq C) \lor (T_O > T)$
Otherwise: $A_O(R, C, T) = 1$
where $R_O$, $C_O$ and $T_O$ are the rights, the capability and the minimum trust level required by the obligation O.
Case study analysis:
If a failing PEP needs to delegate O1 ("Must retrieve the logs from the component it monitors") to another PEP, the latter must have at least the following capabilities:
- be on the same network as the component to control (C1),
- have enough computing resources to monitor the component to control (C4),
- be able to encrypt data (C6),
- be able to communicate securely with the ACE (C7).
The PEP must also have the following rights to perform O1:
- R1: is allowed to read the log file on the concerned network component,
- R2: is allowed to write logs in the central logs database,
- R4: is allowed to read and write in the alert database.
The minimum level for the trust parameter expected from the PEP is set to 3.
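The conviction rule of slide 12 and the O1 delegation check of slides 13-14, carried out in code. This is an added example, not code from the paper or the CockpitCI project: the obligation O1 uses the rights (R1, R2, R4), capabilities (C1, C4, C6, C7) and minimum trust (3) stated above, while the four candidate PEP agents, their attribute sets and their trust values are constructed for illustration. Rights and capabilities are modelled as sets, so "appropriate rights" and "required capability within the agent's capability" both become subset tests, and trust is the 0..10 scale of slide 8.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    """An obligation O with the rights R_O, capabilities C_O and minimum trust T_O it requires."""
    name: str
    required_rights: frozenset[str]
    required_capabilities: frozenset[str]
    min_trust: int


@dataclass(frozen=True)
class Agent:
    """An agent with its assigned rights R, capabilities C and trust level T (0 = low, 10 = high)."""
    name: str
    rights: frozenset[str]
    capabilities: frozenset[str]
    trust: int


def conviction(obligation: Obligation, agent: Agent) -> int:
    """A_O(R, C, T): 0 if any requirement of O is not covered by the agent, otherwise 1."""
    if not obligation.required_rights <= agent.rights:          # R_O not a subset of R
        return 0
    if not obligation.required_capabilities <= agent.capabilities:  # C_O not a subset of C
        return 0
    if agent.trust < obligation.min_trust:                      # T_O > T
        return 0
    return 1


def missing_requirements(obligation: Obligation, agent: Agent) -> dict:
    """Explain a conviction of 0: which rights/capabilities are absent and how short the trust is."""
    return {
        "rights": sorted(obligation.required_rights - agent.rights),
        "capabilities": sorted(obligation.required_capabilities - agent.capabilities),
        "trust_shortfall": max(0, obligation.min_trust - agent.trust),
    }


def delegation_candidates(obligation: Obligation, agents: list[Agent]) -> list[str]:
    """Agents to which the obligation can be delegated: those with conviction 1."""
    return [a.name for a in agents if conviction(obligation, a) == 1]


# O1 as instantiated in the case study (slides 13-14).
O1 = Obligation(
    name="O1: retrieve the logs from the monitored component",
    required_rights=frozenset({"R1", "R2", "R4"}),
    required_capabilities=frozenset({"C1", "C4", "C6", "C7"}),
    min_trust=3,
)

# Constructed candidate PEPs (hypothetical, not from the paper).
PEP_A = Agent("PEP-A", frozenset({"R1", "R2", "R4"}), frozenset({"C1", "C4", "C6", "C7"}), 5)
PEP_B = Agent("PEP-B", frozenset({"R1", "R2"}), frozenset({"C1", "C4", "C6", "C7"}), 7)        # lacks R4
PEP_C = Agent("PEP-C", frozenset({"R1", "R2", "R4"}), frozenset({"C1", "C4", "C7"}), 5)        # lacks C6
PEP_D = Agent("PEP-D", frozenset({"R1", "R2", "R4"}), frozenset({"C1", "C4", "C6", "C7"}), 2)  # trust below 3
CANDIDATES = [PEP_A, PEP_B, PEP_C, PEP_D]

if __name__ == "__main__":
    for agent in CANDIDATES:
        print(agent.name, conviction(O1, agent), missing_requirements(O1, agent))
    print("O1 can be delegated to:", delegation_candidates(O1, CANDIDATES))
```

Only PEP-A reaches a conviction of 1 for O1; the other three each fail exactly one of the three tests, and `missing_requirements` reports which one, which is the information an operator needs before shifting the responsibility to a different agent.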
Validation for the case study
However, in practice, we observed :
As a result, in the case of the PEP, the obligation to provide an immediate reaction is hampered by the fact that the PEP lacks the capability to communicate with the PDP (C2). This means that no appropriate responsibility can be assigned to the PEP and be implemented in case of an abnormality within the system.
Validation for the case study
Equally, the values for the other agents are:
Conclusions
CI are more and more present and need to be seriously managed and monitored regarding the increasing amount of threats.
This paper presents a solution to automatically react after an incident on a wireless network, based on a MAS (multi-agent system) architecture.
The system, initially based on static assignments of functions to agents, needed more dynamicity in order to stay aligned with the newly arising risks:
- We provide a conceptual representation of the agent responsibilities.
- Based on that definition of the agent's responsibilities, a conviction level can be estimated in order to determine the confidence that the agent can meet its responsibilities. In the event of such a conviction level being low, decisions can be made to shift the fulfillment of such a responsibility to a different agent.
Acknowledgments
The research described in this paper is funded by the CockpitCI research project within the 7th Framework Programme (FP7) of the European Union (EU) (topic SEC-2011.2.5-1 Cyber-attacks against critical infrastructures, Capability Project).
Thank you for your attention !
Any questions ?