
MUSES: A Corporate User-Centric System which Applies Computational Intelligence Methods


DESCRIPTION

This work presents the description of the architecture of a novel enterprise security system, still in development, which can prevent and deal with the security flaws derived from the users in a company. Thus, the Multiplatform Usable Endpoint Security system (MUSES) considers diverse factors such as the information distribution, the type of accesses, the context where the users are, the category of users, or the mix between personal and private data, among others. This system includes an event correlator and a risk and trust analysis engine to perform the decision process. MUSES follows a set of defined security rules, according to the enterprise security policies, but it is able to self-adapt the decisions and even create new security rules depending on the user behaviour, the specific device, and the situation or context. To this aim MUSES applies machine learning and computational intelligence techniques which can also be used to predict potential unsafe or dangerous user’s behaviour.


Page 1: MUSES: A Corporate User-Centric System which Applies Computational Intelligence Methods

Project No. 318508 FP7-ICT-2011-8

A corporate user-centric system which applies

computational intelligence methods

Antonio Mora, Paloma de las Cuevas, J.J. Merelo Sergio Zamarripa, Anna I. Esparcia, Miguel Juan Markus Burvall, Henrik Arfwedson Zardost Hodaie

The 29th Annual ACM Symposium on Applied Computing, SAC 2014

Track on Trust, Reputation, Evidence and other Collaboration Know-how (TRECK 2014)

Gyeongju (Korea) - 25 March 2014

Page 2

Index

• MUSES Project Aims.

• Architecture Overview.

• Client Architecture.

• Server Architecture.

• Example.

• Self-adaptive Event Correlation.

2 SAC 2014 – TRECK – Gyeongju (Korea) - 25 March 2014

Page 3

Why? - Motivation

• Perception of the user as “the enemy” in corporate security.

• Users’ perception of security as a hindrance.

• Need to engage users in security issues:

– in a friendly way

– respecting their privacy

– increasing their trust

• New challenges: multiple devices, mobility, BYOD policies, vanishing borders between personal & work environments…

Page 4

What? - Solution

• A corporate security system that is:

– device independent

– user-centric

– self-adaptive

– able to analyse risk and trust in real time

– multiplatform

– open source

• Takes into account the corporate, technical, legal, social and economic contexts.

Page 5

Architecture Overview

Page 6

Client/Server Rationale

• High computational power will be needed:

– Real-Time Event Correlation + Risk and Trust analysis.

– Data mining and Computational Intelligence methods.

• There are two different sides in the system:

– Mobile and portable devices (client).

– Enterprise (server).

Page 7

Architecture Overview

[Diagram: MUSES Client and MUSES Server, each with a Connection Manager, communicating across the Web over a Secure Channel (HTTPS / REST / Web Service).]

Page 8

Working Modes

• Online (device can connect with the MUSES server):

– It is possible to request the server to make a decision.

• Offline (device cannot connect with the MUSES server):

– All the decisions should be made in the device.

– The information gathered should be stored for later submission (when a connection is available).

Page 9

General Architecture Overview

Page 10

Client Architecture

[Diagram: MUSES Client with its Connection Manager.]

Page 11

Client Architecture. Modules

[Diagram of the client modules: MUSES Aware App, Non MUSES aware App, OS, MUSES User Interface, Access Control System (MusACS), Device Monitor (MusDM), Local Database and Connection Manager, with internal and external communications and information flows labelled Info DB, Info SS, Info SS*, Info M, Info CT, Info U, Info AP, Info D and Info OS. Legend: developed by MUSES vs. not entirely developed by MUSES.]

Page 12

Client Architecture. Submodules

[Diagram of the client submodules, grouped under MusACS, MusDM and the Local Database: Security Policy Receiver; User, Context, Event Handler; Decision Maker; User Context Monitoring; System Actuator; Event Cache; Decision Table; Local Security Info DB. Also shown: MUSES Aware App, Non MUSES aware App, OS, MUSES User Interface and Connection Manager, with information flows labelled Info D, Info SS, Info SS*, Info M, Info CT, Info DC, Info U, Info AP and Info OS. Legend: developed by MUSES vs. not entirely developed by MUSES.]

Page 13

Server Architecture

[Diagram: MUSES Server with its Connection Manager.]

Page 14

Server Architecture. Modules

[Diagram of the server modules: Security Policies/Risk Management; Privacy Enhancing System; User, Context, Event Data Receiver; Knowledge Refinement System (MusKRS); Continuous Real-Time Event Processor (MusCRTEP); RT2AE (Real Time - Risk and Trust Analysis Engine); Connection Manager; and the DATABASE holding Enterprise Security Log, Security Rules, Event Correlation, User Behaviour, and Trust Data and Profiles. Information flows labelled Info PV, Info PD, Info SS, Info SS*, Info DB, Info DB-RT, Info M and Info KN. Legend: developed by MUSES vs. not entirely developed by MUSES.]

Page 15

Server Architecture. Submodules

[Diagram of the server submodules: MusKRS contains the Knowledge Compiler and the Data Miner; MusCRTEP contains the Event Processor, RT2AE, Policy Selector and Policy Transmitter. Also shown: Security Policies/Risk Management; Privacy Enhancing System; User, Context, Event Data Receiver; Connection Manager; and the DATABASE (Enterprise Security Log, Security Rules, Event Correlation, User Behaviour, Trust Data and Profiles). Information flows labelled Info PV, Info PD, Info SS, Info SS*, Info DB, Info DB-RT, Info M, Info DM, Info E, Info D, Info RT and Info KN. Legend: developed by MUSES vs. not entirely developed by MUSES.]

Page 16

Workflow Example: Attempt to upload file via a non-secure connection

[Diagram: User’s Device and Company Server, each with a Connection Manager; the device reaches the Web over a Non-Secure Connection.]

Page 17

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Client-side module diagram for this step (modules as on page 12): MUSES Aware App, MusACS with its User, Context, Event Handler and Decision Maker, MusDM with User Context Monitoring and System Actuator, Local Database with Event Cache, Decision Table and Local Security DB, Security Policy Receiver, Connection Manager.]

Page 18

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Client-side module diagram for this step (modules as on page 12).]

Page 19

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Server-side module diagram for this step (modules as on page 15): User, Context, Event Data Receiver, MusCRTEP with Event Processor, RT2AE, Policy Selector and Policy Transmitter, MusKRS with Knowledge Compiler and Data Miner, Security Policies/Risk Management, Privacy Enhancing System, DATABASE, Connection Manager.]

Page 20

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Server-side module diagram for this step (modules as on page 15).]

Page 21

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Client-side module diagram for this step (modules as on page 12).]

Page 22

Workflow Example: Attempt to upload file using a MUSES-aware application via a non-secure connection

[Client-side module diagram for this step (modules as on page 12).]
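The two working modes of page 8 (online: ask the server; offline: decide from the local Decision Table and cache the event for later submission) and the upload-over-a-non-secure-connection workflow of pages 16 to 22, reconstructed as an added example. This is not code from the slides or from the MUSES project: the event fields, the rows of the local Decision Table, the stand-in server and the `MusesClient` class are assumptions made for the example.

```python
"""Simplified MUSES-style client decision flow with online and offline modes.
Added example, not MUSES project code; event fields, the rules in the local
Decision Table and the stand-in server are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Event:
    action: str            # e.g. "upload_file"
    muses_aware_app: bool  # request comes from a MUSES-aware corporate app
    secure_channel: bool   # connection is protected (e.g. HTTPS)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    source: str            # "server" or "local"


# Local Decision Table: ordered (predicate, decision) pairs, first match wins.
# Constructed for the slides' workflow example (upload over a non-secure link).
LOCAL_DECISION_TABLE = [
    (lambda e: e.action == "upload_file" and not e.secure_channel,
     Decision(False, "upload over a non-secure connection is blocked", "local")),
    (lambda e: e.action == "upload_file" and not e.muses_aware_app,
     Decision(False, "uploads only from MUSES-aware corporate apps", "local")),
    (lambda e: e.action == "upload_file",
     Decision(True, "corporate app over a secure channel", "local")),
]
DEFAULT_DECISION = Decision(False, "no matching rule, deny by default", "local")


def demo_server(event: Event) -> Decision:
    """Stand-in for the server side (Event Processor / RT2AE / Policy Selector).
    It reuses the same table; a real server correlates many devices' events."""
    for predicate, decision in LOCAL_DECISION_TABLE:
        if predicate(event):
            return Decision(decision.allow, decision.reason, "server")
    return Decision(DEFAULT_DECISION.allow, DEFAULT_DECISION.reason, "server")


def unreachable_server(event: Event) -> Decision:
    """Models a failed connection attempt, which switches the client offline."""
    raise ConnectionError("MUSES server not reachable")


@dataclass
class MusesClient:
    server: Optional[Callable[[Event], Decision]] = None  # None = offline mode
    event_cache: List[Event] = field(default_factory=list)
    decision_log: List[Decision] = field(default_factory=list)

    def handle_event(self, event: Event) -> Decision:
        """User, Context, Event Handler: ask the server when online, otherwise
        decide locally and keep the event in the Event Cache for later."""
        decision = None
        if self.server is not None:
            try:
                decision = self.server(event)
            except ConnectionError:
                decision = None
        if decision is None:
            decision = self.decide_locally(event)
            self.event_cache.append(event)
        self.decision_log.append(decision)
        return decision

    @staticmethod
    def decide_locally(event: Event) -> Decision:
        """Decision Maker: first matching row of the local Decision Table."""
        for predicate, decision in LOCAL_DECISION_TABLE:
            if predicate(event):
                return decision
        return DEFAULT_DECISION

    def sync(self, submit: Callable[[List[Event]], None]) -> int:
        """Connection Manager: submit cached events once a link is available.
        Returns how many were sent; on failure the cache is left intact."""
        if not self.event_cache:
            return 0
        try:
            submit(list(self.event_cache))
        except ConnectionError:
            return 0
        sent = len(self.event_cache)
        self.event_cache.clear()
        return sent


def run_workflow() -> dict:
    """Drive the upload attempt through the online, flaky and offline cases."""
    insecure = Event("upload_file", True, False)
    secure = Event("upload_file", True, True)
    online, flaky, offline = (MusesClient(demo_server),
                              MusesClient(unreachable_server), MusesClient())
    result = {
        "online": online.handle_event(insecure),
        "flaky": flaky.handle_event(insecure),
        "offline_insecure": offline.handle_event(insecure),
        "offline_secure": offline.handle_event(secure),
        "online_cached": len(online.event_cache),
        "flaky_cached": len(flaky.event_cache),
    }
    result["offline_cached"] = len(offline.event_cache)
    result["offline_sent"] = offline.sync(lambda batch: None)  # link restored
    result["offline_left"] = len(offline.event_cache)
    return result


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(key, "->", value)
```

Two design points worth noting: the table fails closed (an event no rule covers is denied), and a failed server call is treated exactly like the offline mode, so the event is cached and later submitted rather than silently lost, which is what keeps the server's long-term observation complete.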

Page 23

Self-adaptive Event Correlation

Page 24

Rule refinement example

– Application: Corporate application that takes pictures and uploads them to a server.

– Policy: Any employee of the company is allowed to take and upload pictures to corporate servers, only using corporate applications.

– Long term observation: If the application is used outside of the building, some security risks are observed.

– Proposed refined rules would require stronger authentication depending on location, to allow uploading pictures.

Page 25

Conceptual model (1)

[Diagram: Initial rules → Data mining → Rule refinement → Rule adjustment → Evaluation.]
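The rule refinement example of page 24 carried through the loop of page 25 (initial rules, data mining over the observed events, rule refinement and adjustment, evaluation), as an added example that is not code from the slides or the MUSES project. The event fields, the `incident` label, the 25 % incident-rate threshold and the "require stronger authentication" outcome are assumptions made for the example; the observed events are constructed.

```python
"""Rule refinement from long-term observation: added example, not MUSES code.
Event fields, the incident label, the threshold and the strong-authentication
requirement are assumptions; the observed events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class UploadEvent:
    user: str
    corporate_app: bool   # picture taken and uploaded with the corporate app
    location: str         # "building" or "outside" (constructed context)
    strong_auth: bool     # second factor presented for this upload
    incident: bool        # later labelled a security incident (constructed)


@dataclass(frozen=True)
class UploadRule:
    name: str
    corporate_app_only: bool
    strong_auth_locations: FrozenSet[str]  # where stronger authentication is required

    def decide(self, ev: UploadEvent) -> str:
        if self.corporate_app_only and not ev.corporate_app:
            return "deny"
        if ev.location in self.strong_auth_locations and not ev.strong_auth:
            return "require_strong_auth"
        return "allow"


# Initial rule from the policy: any employee may upload, corporate app only.
INITIAL_RULE = UploadRule("upload_pictures", True, frozenset())

# Constructed long-term observation: clean inside the building, incidents outside.
OBSERVED: List[UploadEvent] = [
    UploadEvent("alice", True, "building", False, False),
    UploadEvent("bob", True, "building", False, False),
    UploadEvent("carol", True, "building", False, False),
    UploadEvent("dave", True, "building", False, False),
    UploadEvent("eve", True, "outside", False, True),
    UploadEvent("frank", True, "outside", False, True),
    UploadEvent("grace", True, "outside", True, False),
    UploadEvent("heidi", True, "outside", False, False),
    UploadEvent("mallory", False, "outside", False, False),
]


def mine_incident_rate(rule: UploadRule, events: List[UploadEvent]) -> Dict[str, float]:
    """Data mining step: incident rate per location among uploads the rule allowed."""
    counts = defaultdict(lambda: [0, 0])  # location -> [incidents, allowed uploads]
    for ev in events:
        if rule.decide(ev) == "allow":
            counts[ev.location][0] += int(ev.incident)
            counts[ev.location][1] += 1
    return {loc: inc / total for loc, (inc, total) in counts.items()}


def refine_rule(rule: UploadRule, events: List[UploadEvent],
                threshold: float = 0.25) -> UploadRule:
    """Rule refinement and adjustment: require stronger authentication wherever
    the observed incident rate exceeds the threshold; the rest is kept."""
    risky = frozenset(loc for loc, rate in mine_incident_rate(rule, events).items()
                      if rate > threshold)
    return UploadRule(rule.name + "_refined", rule.corporate_app_only,
                      rule.strong_auth_locations | risky)


def evaluate(rule: UploadRule, events: List[UploadEvent]) -> Dict[str, int]:
    """Evaluation step: incidents the rule would now stop or challenge, and
    clean uploads it still lets through without extra friction."""
    return {
        "incidents_stopped": sum(1 for ev in events
                                 if ev.incident and rule.decide(ev) != "allow"),
        "incidents_total": sum(1 for ev in events if ev.incident),
        "clean_allowed": sum(1 for ev in events
                             if not ev.incident and rule.decide(ev) == "allow"),
        "clean_total": sum(1 for ev in events if not ev.incident),
    }


if __name__ == "__main__":
    refined = refine_rule(INITIAL_RULE, OBSERVED)
    print("incident rates:", mine_incident_rate(INITIAL_RULE, OBSERVED))
    print("before:", evaluate(INITIAL_RULE, OBSERVED))
    print("after: ", evaluate(refined, OBSERVED))
```

The evaluation shows the trade-off a refined rule always carries: both observed incidents are now challenged, at the cost of one clean upload (a user outside the building without a second factor) being challenged as well. Running `refine_rule` a second time on the refined rule adds nothing, because the remaining allowed uploads outside the building show no incidents.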

Page 26

Conceptual model (2)

[Diagram: the KRS (Data Miner and Knowledge Compiler) works over Big Data and produces Refined rules; the Event Processor, Policy Selector and RT2AE handle the incoming stream of Events.]

Page 27

Knowledge Refinement System

• Data Miner:

– Classification: assign classes to new patterns.

– Clustering: group similar patterns (search for anomalous ones).

– Feature Selection: remove less significant variables.

– Data Visualization: show data information for a controller.

• Knowledge Compiler:

– Adapt existing rules: adjust them to improve the pattern covering (Evolutionary Algorithms).

– Infer/create new rules to deal with new detected situations (Genetic Programming).
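The Knowledge Compiler bullet "adapt existing rules to improve the pattern covering (Evolutionary Algorithms)", shown as an added example with the simplest such algorithm, a (1+1) evolution strategy. This is not code from the slides or the MUSES project: the rule shape (flag an upload that is too large or happens outside a working-hours window), its three parameters and their ranges, the labelled events and the fitness definition are assumptions made for the example. The labels stand in for what the Data Miner's classification or clustering stage would provide.

```python
"""Knowledge Compiler step: adapting an existing rule's parameters with a
(1+1) evolutionary algorithm. Added example, not MUSES code; the rule shape,
parameter ranges, labelled events and fitness are assumptions."""
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class UploadPattern:
    hour: int          # hour of day, 0-23
    size_mb: float     # size of the uploaded file
    anomalous: bool    # label from the Data Miner / security team (constructed)


@dataclass(frozen=True)
class UploadRule:
    size_threshold_mb: float  # flag uploads larger than this
    start_hour: int           # flag uploads before this hour...
    end_hour: int             # ...or after this hour

    def flags(self, p: UploadPattern) -> bool:
        return (p.size_mb > self.size_threshold_mb
                or p.hour < self.start_hour or p.hour > self.end_hour)


# Constructed observations: daytime, small uploads are normal; night-time or
# very large uploads were labelled anomalous.
EVENTS: List[UploadPattern] = [
    UploadPattern(9, 2.0, False), UploadPattern(10, 5.0, False),
    UploadPattern(14, 8.0, False), UploadPattern(17, 3.0, False),
    UploadPattern(11, 12.0, False), UploadPattern(15, 6.0, False),
    UploadPattern(2, 4.0, True), UploadPattern(23, 1.0, True),
    UploadPattern(13, 60.0, True), UploadPattern(3, 80.0, True),
]

# The existing rule flags nothing: it was written before these incidents.
INITIAL_RULE = UploadRule(size_threshold_mb=100.0, start_hour=0, end_hour=23)


def fitness(rule: UploadRule, events: List[UploadPattern]) -> int:
    """Pattern covering: how many labelled events the rule classifies correctly."""
    return sum(1 for p in events if rule.flags(p) == p.anomalous)


def mutate(rule: UploadRule, rng: random.Random) -> UploadRule:
    """Perturb one parameter at random, keeping every value inside its range
    and keeping start_hour <= end_hour."""
    which = rng.choice(["size", "start", "end"])
    size, start, end = rule.size_threshold_mb, rule.start_hour, rule.end_hour
    if which == "size":
        size = min(200.0, max(0.0, size + rng.uniform(-25.0, 25.0)))
    elif which == "start":
        start = min(end, max(0, start + rng.choice([-3, -2, -1, 1, 2, 3])))
    else:
        end = max(start, min(23, end + rng.choice([-3, -2, -1, 1, 2, 3])))
    return UploadRule(size, start, end)


def evolve(rule: UploadRule, events: List[UploadPattern],
           generations: int = 400, seed: int = 7) -> Tuple[UploadRule, List[int]]:
    """(1+1) evolutionary algorithm: the child replaces its parent whenever it
    covers at least as many patterns. Returns the final rule and the fitness
    after every generation, which by construction never decreases."""
    rng = random.Random(seed)
    parent, parent_fit = rule, fitness(rule, events)
    history: List[int] = []
    for _ in range(generations):
        child = mutate(parent, rng)
        child_fit = fitness(child, events)
        if child_fit >= parent_fit:
            parent, parent_fit = child, child_fit
        history.append(parent_fit)
    return parent, history


if __name__ == "__main__":
    best, history = evolve(INITIAL_RULE, EVENTS)
    print("initial covering:", fitness(INITIAL_RULE, EVENTS), "of", len(EVENTS))
    print("evolved rule:", best, "covering:", history[-1], "of", len(EVENTS))
```

Accepting equal-fitness children lets the search drift across plateaus where a single parameter change does not yet alter any classification, which is the usual reason a pure hill-climber stalls on rule thresholds. A production Knowledge Compiler would replace the plain count with a fitness that weights a missed anomaly more heavily than a false alarm, and would hold out part of the observed events to check that the adjusted rule generalises rather than merely fitting the patterns it was tuned on.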

Page 28

THANK YOU!

QUESTIONS?