Predictive Security AnalysisConcepts, Implementation, first Results in Industrial Scenario

Roland Rieke1 Romain Giot2 Chrystel Gaber2

1Fraunhofer SIT, Darmstadt, GermanyEmail: roland.rieke@sit.fraunhofer.de

2France Télécom-Orange Labs, Caen, FranceEmail: romain.giot@orange.com, chrystel.gaber@orange.com

CYBER SECURITY & PRIVACY EU FORUM 2013, 19th April 2013

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 1

Overview

1 Advanced Security Information & Event Management

2 Predictive Security Analysis @ Runtime

3 Mobile Money Transfer Scenario

4 Conclusions

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 2

Advanced Security Information &Event Management

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 3

Advanced SIEM - tomorrow

Requirements

High interoperability - heterogeneity of input sources

High scalability - handle and processing of load peaks of events

High elasticity - resources coupling the flow of events

Features/Properties

Multi-domain - different application areas

Cross-layer - logical security, physical security and service layer

Predictive security analysis

Countermeasures selection and evaluation - RORI

Trustworthiness and resilience framework

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 4

Example: Mobile Money Transfer

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 5

Requirements-driven System Design

Olympic games

Business Process

Application

Infrastructure

Money Transfer

ManagedEnterprise

Critical Infra-structure

A4 – Event, Process Models and Attack

Models

Attack/response analysis

Physical + logical events

Unknown behavior

Failure prediction

A5 – Advanced SIEM Framework

OSSIM/PreludeIntegration

Countermea-sure Support

Resilient operations

A3 - Event and Information Collection

Heterogenity

Cross-layer

Elasticity

Scalability

D e s i n G u i d e l i n e sSecurity

Compiler Technologies

LegalBasis

Trust-worthiness

Event Processing

T e c h n i c a l i n t e g r a t i o n

Close information

gap

Fit to problem

space

Resilientand

affordable

Breakdown to challenges

RequirementsAnalysis

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 6

Knowledge is built on theory.The theory of knowledge teaches usthat a statement, if it conveys knowledge,predicts future outcome,with risk of being wrong, andthat it fits without failureobservations of the past.— William Edwards Deming

Predictive Security Analysis @Runtime

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 7

Operational Model of Process

event stream

e1

e2

e3

process model

e1

e2

e3

past time future time

1.Discover processmodel Petri net, EPC

Event

Process Instance

event streame1

e2

e3

use processmodel to predictfuture actions a1,a2

a1

a2

past time future time

Predict close-futureprocess behaviour

2.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 8

Adapt Process Model

event stream

e1

e2

ex

process modeldoes not containexe1

e2

e3 e4

e5

past time future time

3.

Detect unknown pro-cess actions

event stream

e1

e2

ex

process modelwith ex

e1

e2

e3 e4

e5

ex

past time future time

Belief change w.r.t.process model

4.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 9

Predict Security Violations

event stream

e1

e2

e4

use processmodel to predictfuture eventse1

e2

e3 e4

e5

past time future time

5.

Detect missingevents

process historyand predictedactions

ax

a1

security require-ment related to a1

auth(ax , a1, agent)

past time future time

Predict feasible se-curity violations

6.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 10

Predictive Security Analysis Tool

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 11

Mobile Money Transfer Scenario

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 12

Mobile Money Transfer Scenario

I n t e r n e t

End user

Admin

Mobi le MoneyTransfer Plat form

(http, https, ...)

Operator ’sn e t w o r k

(GSM, UMTS, ...)

(http, https, ...)

ChannelUser

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 13

Illustration of Money Laundering

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 14

PSA Configuration for Detection

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 15

PSA Behavior on Real Events - Obtained Transitions

big 439637

medium

98532

large70719

huge

691

normal

37194

minuscule

48703

tiny

42204

small

36566

99543

360754

15131

224

152345

26332

38490

23208

73843

14387

60684

1090

11319

1098811120

9022

702

560

1048

1785

672

219238

200

43919

156699

11756

827

1096991

80693 416837

9762

4038

1168

1126

19

921

39903

16582

1572

5168

2166

1837

66

1888

18527229296

2643

7303

2667

2136

51

2559

4127

5059

17137

start

135934

66447

39224

707

311465

13315

67514

4999

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 16

PSA Behavior on Real Events - Scaling

0 50 100 150 200 250 300 350 400Processing time (minutes)

0

1000000

2000000

3000000

4000000

5000000Events

EventsUnexpected Events

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 17

PSA Behavior on Real Events - Facts

Simple EPC with alerts4.5 millions of events treated in 6 hours

0.5 millions of alerts generated

Complete EPC without alerts4.5 millions of events treated in 33 minutes

0 alerts generated

Facts⇒ Processing time is minimal when no alerts have to be generated

PSA is able to manage in real time all the logs of an operational systemI Best case: 2272 events/second without alertsI Worst case: 25 events/second with alerts

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 18

PSA Behavior on Simulated Events - SimulationAs we do not have a groundtruth on the real events

⇒ it is necessary to work with simulated events

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 19

PSA Behavior on Simulated Events - Results

huge

large4

3167

small

45

105

tiny105111

103

start

1

48

23

33

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 20

PSA Behavior on Simulated Events - Deeper analysis

FR1

EU197

EU0

12

EU4

285

EU2

132

EU3

213

Ret1

Ret4

FR2

143

Ret2

EU37

EU38

EU23

274426

64

Ret3

EU6

204

EU27

611

EU49

370

EU44

EU19

233

EU42

299

EU11EU10

EU40

EU30

EU28

EU31

EU18

EU43

EU21

EU26

EU41

Figure: Illustration of the transactions

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 21

Conclusions

Money Transfer

MMTS analysis utilizes alerts generated by the uncertainty reasoningcomponent of PSA to detect money laundering patterns.

PSA is able to detect irregular events regarding the behavior of the user of theMMTS system.

It is necessary to cope with False Alarms and make decisions regarding thealerts.

Critical Infra-structure

ManagedEnterprise

Olympic games

MASSIF (http://www.massif-project.eu/) will analyse advantagesof PSA with respect to “measuring” security and compliance @ runtime.

Advanced application-aware SIEM requires novel concepts such as PSA.

Lesson learned: SoS need to be designed for security assessment @ runtime.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 22

Conclusions

Money Transfer

MMTS analysis utilizes alerts generated by the uncertainty reasoningcomponent of PSA to detect money laundering patterns.

PSA is able to detect irregular events regarding the behavior of the user of theMMTS system.

It is necessary to cope with False Alarms and make decisions regarding thealerts.

Critical Infra-structure

ManagedEnterprise

Olympic games

MASSIF (http://www.massif-project.eu/) will analyse advantagesof PSA with respect to “measuring” security and compliance @ runtime.

Advanced application-aware SIEM requires novel concepts such as PSA.

Lesson learned: SoS need to be designed for security assessment @ runtime.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 22

Conclusions

Money Transfer

MMTS analysis utilizes alerts generated by the uncertainty reasoningcomponent of PSA to detect money laundering patterns.

PSA is able to detect irregular events regarding the behavior of the user of theMMTS system.

It is necessary to cope with False Alarms and make decisions regarding thealerts.

Critical Infra-structure

ManagedEnterprise

Olympic games

MASSIF (http://www.massif-project.eu/) will analyse advantagesof PSA with respect to “measuring” security and compliance @ runtime.

Advanced application-aware SIEM requires novel concepts such as PSA.

Lesson learned: SoS need to be designed for security assessment @ runtime.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 22

Conclusions

Money Transfer

MMTS analysis utilizes alerts generated by the uncertainty reasoningcomponent of PSA to detect money laundering patterns.

PSA is able to detect irregular events regarding the behavior of the user of theMMTS system.

It is necessary to cope with False Alarms and make decisions regarding thealerts.

Critical Infra-structure

ManagedEnterprise

Olympic games

MASSIF (http://www.massif-project.eu/) will analyse advantagesof PSA with respect to “measuring” security and compliance @ runtime.

Advanced application-aware SIEM requires novel concepts such as PSA.

Lesson learned: SoS need to be designed for security assessment @ runtime.

Roland Rieke, Romain Giot Predictive Security Analysis CSP’13 22