Transcript NORDUnet_smarter_security_analytics_IoPx

Towards Smarter Security Analytics for the Internet of People
Gerard Frankowski, Maciej Miłostan
PSNC Cybersecurity Department
NORDUNET 2016 Conference – Helsinki, 21.09.2016
Agenda
•
•
•
•
•
•
•
•
Welcome!
Internet of people and current threats
Threats and protection
Network perspective
Graph model and graph databases
Adding the user dimension
Exemplary opportunities
Privacy issues
2
Welcome!
Where are we from?
•
•
•
•
Operator of PIONIER (Polish NREN) and
POZMAN networks
European and Polish R&D Projects
R&D together with science, industry,
finance, administration, government, …
Main areas of interest
–
–
–
–
New generation networks (NGN)
New data processing architectures
Internet of Things services
Security of systems and networks
3
Welcome!
What we do about cybersecurity in PSNC?
• PSNC Cybersecurity Department:
– Since 1996 (formerly PSNC Security Team)
– Currently 10 security specialists
– Main areas of activity:
• Securing PSNC, PIONIER, POZMAN
infrastructure
• Security tasks in R&D projects
• Knowledge transfer
• Vulnerability and security research
• External services
4
Internet of People, Internet of Things
Source: http://comtechies.com/what-does-iot-internet-of-things-really-mean.html
5
Real threats out of cyber world
REALITY ENVIRONMENT
PC-Security, Viruses, Trojans
Risk of abuse and exploitation by taking/publishing pictures
Threats resulting from own conduct
– Content,
– Contact,
– Conduct
Content related
Violent content
Copyright infringement
INTERNET
Racism
Internet addiction
Infringement of pers. rights
Commercial fraud
Loosing money / phishing
Identity theft
Bullying
Disclosing private information
Profiling
Grooming
Contact related
Threats resulting from conduct of others
• Online threats
Risk of exploitation and sexual abuse
Based on: High-tech Tots: Childhood in a Digital World, Ilene R. Berson,Michael J. Berso
6
Network perspective
7
Network perspective – the graph model
Initial Graph Model
8
Implementation of the model = graph DB
• The natural place to put graph model into action is Graph Database
• Graph DBs are NoSQL kind of databases
• Graph oriented models are around for years (dates back to mainframe
world)
• But first commercial graph database (DB) management systems hit the
market around 2003
• Addresses the need of storing highly connected data: e.g. Social
networks, financial transactions, relationships between digital assets
(web-pages, documents etc.), NetFlows in IP networks
9
10
Graph DBs – characteristics
•
•
•
•
•
•
•
Based on property graph model
‘’Schema less” – new entities can be
created on the fly
Data object is represented as labeled
vertex /node in the graph
Data attributes are represented as
properties of the node
Relationships represented by arcs / edges
Label of node corresponds to entity table
Property of the arc / relationship
corresponds to attribute of the join table
11
Relational DB
vs.
Graph DB
12
Graph vs Relational Databases
• More intuitive representation of real observations
– information is by nature interrelated and not “contained in tables”
• No need to introduce artificial primary keys
• Flexibility
• Better support for graph operations (e.g. shortest path computation)
„A traditional relational database may tell you
the average age of everyone at this conference, but
a graph database will tell you
who is most likely to buy you a beer.”
Source: http://info.neo4j.com/rs/neotechnology/images/WhatisNeo4j.pdf
13
No SQL, so what?
• SQL
• Cypher (Neo4j)
SELECT name
FROM Person
LEFT JOIN Person_Department ON
Person.Id =
Person_Department.PersonId
LEFT JOIN Department ON
Department.Id =
Person_Department.DepartmentId
WHERE Department.name = "IT
Department"
MATCH (p:Person)<-[:EMPLOYEE](d:Department)
WHERE d.name = "IT Department"
RETURN p.name
• Gremlin (Titan, Apache
TinkerPop3/TinkerGraph) in
Groovy (superset of Java)
14
Network perspective: network flows (NetFlows) in graph
15
Examples of simplified NetFlow graphs
DARPA sets
HTTP+SSH vs. SMTP
16
Graph edges dynamics
Example for attack scenario show earlier
• E.g. number of new edges corresponding to UDP connections created
after the considered NetFlow dump
17
Topological changes
18
Increased traffic volume
Number of octets in flows
Aggregated volume information
are also stored as properties of
edge
19
How to add user context to initial model?
20
User dimension
How to add the user context?
LDAP log
U:John Smith
IP:172.16.115.87
Time: 12:00:00,5.06.2016
Action: Authentication
Mail log
WebApp log
U:John Smith
E-mail from:
[email protected]
E-mail to: [email protected]
Client IP:172.16.115.87
Server IP:172.16.110.80
Time: 12:10:10,5.06.2016
Action: Sent mail
U:John Smith
IP:172.16.115.87
Time: 12:05:00,5.06.2016
Action: File upload
21
User dimension
• Additional graph objects and
properties are added
associated with users and links
22
Discovery of links
User activity/
timestamp
IP/Service
NetFlow/timestamp
IP/Service
User activity/
timestamp
John Smith
Inferred human link
osmith
23
Additional possibilities
• Discovery of profiles of user activities
– May be useful in some criminal cases
• Detection of security breaches in communities
for early warnings
– Frauds
– Malware propagation
– Directed attacks
• Global alarming beyond the victim community
24
Privacy threats
As usually, you can use a tool but also abuse it
• Profiling user behaviors and preferences
• Building community structures (members,
roles…)
• Collecting excess information about users
– Potential data leak
25
Main countermeasures against privacy threats
• Appropriate user agreements
• Anonymization techniques
– Not all anonymization methods are suitable,
e.g. generalization
• Defence-in-depth for the analytic system
• Accounting mechanisms for reaching the
collected data
26
Example of data anonymization
User 248
John Smith
User 81
osmith
Warn osmith
and John
Smith!
ID
User
81
osmith
248
John Smith
Warn
user 81
and 248!
27
Future plans
PROTECTIVE H2020 project
• Proactive Risk Management through Improved Situational Awareness
• Two main goals:
– Increasing CSIRT threat awareness through improved monitoring and sharing
– Prioritizing security alerts according to the bussines relevance of endangered
assets
• Applying and extending the research results for:
– Increasing detection rate in structured communities (organizations, branches,
teams etc.)
– Improving prioritization due to better threat assessment (e.g. how big /
important is the affected community?)
28
Questions?
Thank you for your attention!
Our emails:
maciej.milostan,
gerard.fankowski,
marek.pawlowski,
mikolaj.dobski
[@man.poznan.pl]
29
Poznań Supercomputing and Networking Center
affiliated to the Institute of Bioorganic Chemistry of the Polish Academy of Sciences,
ul. Noskowskiego 12/14, 61-704 Poznań, POLAND,
Office: phone center: (+48 61) 858-20-00, fax: (+48 61) 852-59-54,
e-mail: [email protected], http://www.psnc.pl