MUSES WP5 Final Conclusions
Download as PPTX, PDF0 likes2,830 views
This document summarizes work from Project No. 318508 FP7-ICT-2011-8 on self-adaptive event correlation (WP5). The objectives were to collect monitoring activity, identify policy violations in real-time, coordinate policy transmission, and perform automated rule extraction. The work included defining requirements, developing a domain-specific event correlation engine, extracting and adapting rules, and evolving the engine to be self-adaptive using rule learning. The Knowledge Rule System was refined using two trials datasets to infer new rules through machine learning algorithms. This advanced the state of the art by improving automation of rule refinement using real data compared to previous limited and static approaches. Three deliverables were provided on prototypes of the self-adaptive system.
MUSES WP5 Final Conclusions
- 1. Project No. 318508 FP7-ICT-2011-8 Final Review, November 11th 2015 WP5: Self-adaptive Event Correlation
- 2. 2 MUSES research areas Corporate security Monitoring & context observation Human-computer interaction Self adaptive event correlation Usability for mobile devices Legal aspects Risk , trust & privacy
- 3. 3 Index • Objective of WP5 • Work done • Main results /advance over SotA • Deliverables
- 4. 4 Objectives of WP5 • Collect monitoring activity • Identify policy violation patterns in RT • Coordinate device policy transmission • Automated rule extraction
- 5. 5 Work Done T5.1 T5.2 T5.3 T5.4 Definition of requirements, integration and validation mechanisms Design and development of a domain-specific event correlation engine Extraction and adaptation of rules Evolution of the correlation engine to a self-adaptive rule learning engine
- 6. 6 Work Done - Use trials data to infer new rules - Pre-selection phase to select algorithms - Rule-based and decision tree algorithms - Qualitative results analysis - Knowledge Compiler compares with existing rules and proposes candidate rules T5.3 Extraction and adaptation of rules
- 7. 7 Work Done - Identification of new types of policies - Integration with the selection of algorithms providing better results (Data Miner) - Integration of Knowledge Compiler: new rules as draft - MUSES Server Risk Management (Security-oriented GUI) T5.4 Evolution of the correlation engine to a self-adaptive rule learning engine
- 9. 1. Security corporate policies 2. DRL event correlation rules 3. Identify policy violations with context 4. Analyse risk 5. Compose device policy 9 EP: Device policies in real time Policies DRL rules Adapt with context Risk analysis Device policy
- 10. EP: Policies Asset on unsecure WiFi Asset on secure WiFi Not sensitive asset Blacklists Required applications Email policy Virus 10 Password protection Screen lock Accesibility Access Control List Anti-virus Assets in corporate folders Bluetooth
- 11. EP: Policies Trusted antivirus installed Rooted devices Use of required applications Application categories by pattern in package name (p2p, torrent) Email and virus 11
- 12. More policies… 12 • Encryption enforcement Encryption • External storage Use of pendrives • Sessions in different devices Cross- contamination • Check connection properties Usert typing a password • Emas: Notes are not allowed when unsecure wifi Muses Aware App • Device wipe Security incident
- 13. 13 EP:Identification of security violations
- 14. 14 Identification of security violations
- 15. • Traditional PDP systems 15 EP:Advance beyond SotA • MUSES Continuous Real-Time Event Processor PDPAccess Request Permit Deny Policy compliance XACML Policy Expressive PDP + Risk Analysis Access Request • Policy compliance • Risk analysis • Adapted to current context Device Policy XACML Policy Additional context
- 16. 16 KRS Timeline January 15 April 15 May 15 June 15 October 15 Trials 1 start Development of KRS during trials, first version by the end of the trials. Offline processing and KRS refinement. Stockholm, May 2015 - Database improvement. KRS working during Trials 2, online processing. Offline processing and enhancements. SRM development.
- 17. •Automated Machine Learning: Rule generation 17 KRS – Data Miner CLASSIFICATION (JRIP, REPTREE, PART, J48) ASSOCIATION (Apriori) DATASET (defined patterns with decisions) EXISTING SET OF SECURITY RULES OBTAINED SET OF CLASSIFICATION/ ASSOCIATION RULES PROPOSED NEW RULES (draft) IMPROVED SET OF SECURITY RULES
- 18. 18 What is considered as Interesting (attributes)? MUSES DB Device information (10) OS, owner, model, trust value, among others. App information (3) name, vendor, and MUSES awareness. Asset information (4) name, location, confidentiality, and value. Other information (6) decision, detection time, silent mode, event type, among others. Connection sensor information (4) Mail sensor information (4) User information (4) role, trust, account enabled, and username. Password lexical properties (4).
- 19. • In terms of data 19 Trials 1 Vs. Trials 2 Trials 1 Trials 2 Number of gathered events 215552 136340 Number of covered attributes 30/40 37/40
- 20. 20 Applying Clustering Techniques • Identified groups by the K-means algorithm 63 % of patterns. Algorithm applied label GRANTED 22% of patterns. Algorithm applied label STRONGDENY
- 21. 21 Analysing Clusters: BYOD or COPE? UserRoles
- 22. 22 Analysing Clusters: BYOD or COPE? DeviceOS
- 23. 23 KRS – New rules • Rule candidates – 14 correct rules • Validated rules:3 OPEN ASSET public UNSECURE WIFI ALLOW OPEN ASSET public UNSECURE WIFI DENY BYOD
- 24. 24 KRS – New rules OPEN ASSET public UNSECURE WIFI ALLOW OPEN ASSET public UNSECURE WIFI DENY BYOD
- 25. 25 KRS – New rules OPEN ASSET public UNSECURE WIFI ALLOW OPEN ASSET public UNSECURE WIFI ALLOW COPE
- 26. 26 KRS – New rules OPEN ASSET confidential UNSECURE WIFI OPEN ASSET confidential UNSECURE WIFI DENY Security role ALLOW
- 27. 27 State of the Art • State of the art: – Rule adjustment • Pros: Applied over real environments (IDS) • Cons: Limited (rule structure is static) – Rule refinement • Pros: Take variability of input data into account. Rule structure might be changed • Cons: Lack of automation over real environments
- 28. KRS:Advance beyond SotA 28 • Improved automation (rule refinement) • Rule structure is not static • Rule refinement applied to security policies • Global security rule optimization not addressed before • Classification and feature extraction methods applied to real data from employees
- 29. 29 Deliverables Requirements and conceptual model of self-adaptive event correlation system (M12) First prototype of the self-adaptive event correlation system (M18) Second prototype of self-adaptive event correlation system (M28) D5.1 D5.2 D5.3 D5.3e Second prototype of self-adaptive event correlation system (EXTENDED VERSION)
Editor's Notes
- #5: Collect monitoring activity (user, device, applications) Identify policy violation patterns in real time, according to corporate policies Coordinate device policy transmission Automated rule extraction
- #8: New types of policies: Detection of rooted devices Use of resources depending on the device located in specific zones Use of restricted external data storage like USB pendrives Enforcement of data encryption Use of bluetooth Detection of password insertion
- #10: Partimos de las políticas básicas en XACML, que usualmente no son demasiado completas. Las transformamos en reglas básicas de Drools. Mejoramos las reglas gracias a la observación de contexto que tiene lugar en los momentos en los que se produce la situación descrita en la política básica. Gracias a ese contexto, podemos detallar la situación y proporcionar mejores respuestas al usuario, más adaptadas a la situación actual del dispositivo en consonancia con su petición actual. Adicionalmente, damos paso al cálculo del riesgo, proporcionando las pistas más útiles para el cálculo de la probabilidad de las amenazas. Este cálculo del riesgo es el que finalmente valora la decisión final. 4. Finalmente, se envía la política de dispositivo.
- #11: New types of policies: Detection of rooted devices Use of resources depending on the device located in specific zones Use of restricted external data storage like USB pendrives Enforcement of data encryption Use of bluetooth Detection of password insertion
- #12: New types of policies: Detection of rooted devices Use of resources depending on the device located in specific zones Use of restricted external data storage like USB pendrives Enforcement of data encryption Use of bluetooth Detection of password insertion
- #13: New types of policies: Detection of rooted devices Use of resources depending on the device located in specific zones Use of restricted external data storage like USB pendrives Enforcement of data encryption Use of bluetooth Detection of password insertion
- #21: K-means uses Euclidean distance
- #22: Resulting clusters from simple K-means application to 5 selected features, including the label, used as class. The horizontal axis represents the device owner, and the vertical axis, the user role.
- #23: Resulting clusters from simple K-means application to 5 selected features, including the label, used as class. The horizontal axis represents the device owner, and the vertical axis, the device operating system.
- #28: Rule based systems have an advantage from the self-adaptation perspective, since knowledge (rules) is separated from the inference engine, which alllows to refine and improve the rules independently of the mechanisms to correlate events. Again, real time is important in MUSES. Other systems like case-based correlation are not suitable for real-time orientations. One important question in the process is whether or not the refining system uses the same process used to develop the initial knowledge base, in other words, the rules that an expert has defined according to his existing background of the domain system. (e.g. Look for context events showing a relationship with threats associated to policies (e.g. Confidential data leaks or integrity data loss might be associated to unencrypted wifis or use of USB sticks)
- #29: The application of classification and feature extraction methods to real data in real companies is not usual (researchers consider synthetic data/testbeds). The creation/adaptation of rules in the KRS is based on the user’s behaviour (data from events produced by the employees of the company), rather than the common consideration of external threats. The optimisation of global security rules has not been addressed before from this point of view. Data Mining has been usually applied aiming for a specific general objective (detection of threats, recognition of anomalies), but it has not been linked with a following process (refinement) to improve the system.
- #30: Due to the fact that the delivery date of the initial document of D5.3 was on M28, we have extended the deliverable in order to describe the final version of both KRS and EP components, while also including the final results analysis. In fact, it is at the end of the project, where a bigger amount of data has been analyzed through the execution of 2 rounds of trials, where we have more significant and relevant results. These results have been gathered and analyzed on the final D5.3 extended version, which was not planned at first, but we considered that it would provide a more precise snapshot of the achieved results, especially for the KRS and the way we present results to the CSO in the MUSES SRM.
- #32: Emphasise: real data environments