AddreSsing ThReats for virtualIseD services

Periodic Reporting for period 2 - ASTRID (AddreSsing ThReats for virtualIseD services)

Reporting period: 2019-05-01 to 2021-06-30

The growing adoption of cloud technologies and the trend to virtualise applications are inexorably re-shaping the traditional security paradigms, due to the increasing usage of infrastructures outside of the enterprise perimeter and shared with other users.
The need for more agility in software development and maintenance has also fostered the transition to micro-service architectures, and the wide adoption of this paradigm has led service developers to protect their virtualised applications by including virtualised instances of security appliances in their design. Unfortunately, this often results in security being managed by people without enough skills or specific expertise; it may not be able to cope with threats coming from the virtualisation layer itself (e.g. hypervisor bugs); and it exposes the security appliances to the same threats as the other application components. It also complicates lawful interception and investigation when some applications or services are suspected of illegal activity.

To overcome the above limitations, the ASTRID project aims at shifting the detection and analysis logic outside of the service graph, by leveraging descriptive context models and their usage in ever smarter orchestration logic, hence shifting the responsibility for security, privacy, and trustworthiness from developers or end users to service providers. Overall, the main benefits from the ASTRID approach will be better visibility over cloud-based services and more automation in the detection and response processes. In this respect, specific technical objectives to achieve the overall goal are:
• Decouple the service business logic from the (necessary) security management, by shifting the detection logic outside the service graph and deploying pervasive, capillary, and programmable security hooks in the execution environment.
• Automate security management and the response to threats, security incidents and attacks, by leveraging orchestration to automatically change the behaviour of the system (monitoring, inspection, detection, reaction) according to specific strategies expressed as security policies.
• Reduce the run-time overhead of security processing, by introducing efficient technologies for local monitoring, inspection, and aggregation of security-related data and events.
The main results of the Project can be briefly summarised as follows:
1) The system architecture, built on the Elastic Stack, consisting of security agents and a remote platform for detection and analysis.
2) The definition of an enrichment process, which augments an existing service template with security agents for automatic deployment.
3) The definition of a programming model that describes a chain of collection, transformation, delivery, processing and storage elements, whose configuration can be changed in order to implement different analytics pipelines.
4) A Dashboard that allows users to define detection and analytics processes and to automate their instantiation. The Dashboard also includes Kibana for visual analytics.
5) The definition and implementation of an abstraction layer that hides the technical details of the security agents and exposes a REST interface for their configuration.
6) The development of new algorithms for network anomaly detection, DoS detection, integrity verification and control flow attestation.
7) Demonstration and validation in two Use Cases: i) a VoIP service, which includes forensics services, vulnerability scanning, integrity verification and control flow attestation; ii) a virtualised instance of a 5G network, to demonstrate detection and mitigation of network attacks at its edge.

The most relevant results have been described in a large number of scientific publications in both international conferences and journals. In a nutshell, ASTRID delivered a total of 46 research papers, of which 17 were jointly authored by multiple partners, 7 involved industries and/or SMEs, and 17 were jointly authored with external organisations. Preliminary demonstrations of ASTRID technologies were shown at 3 international events, while videos that showcase the final demonstrators will be made available soon on the YouTube channel.

Regarding communication activities, it is worth noting the great effort put into clustering with other EU projects. ASTRID co-organised several international workshops (3 editions of SecSoft, 2 editions of CYSARM, 1 edition of DeSecSys), which collectively involved 16 sister projects in the field of cybersecurity.
Compared to existing products and services, there are some interesting innovations both in terms of processes and technologies that are not claimed by any competitor in the cyber-security market segment of detection and analytics:
• Broader scope for monitoring, inspection, and tracing processes, by instrumenting cloud native applications. ASTRID has designed and developed new technologies to replace conventional Endpoint Detection and Response (EDR) tools that cannot be easily or efficiently deployed in cloud native applications.
• Automatic deployment and configuration of security analytics pipelines for detection and analytics. ASTRID enables service providers to define their own detection and analytics services at deployment time, by augmenting existing pods defined in the service template with security agents, without affecting the CI/CD pipeline.
• Unified control and management interface to remote agents. ASTRID leverages a REST-based API to expose agent models, following the modern patterns of service-oriented architectures.
• New mechanisms to ensure run-time integrity beyond load-time integrity, for detecting any unexpected variation in the configuration and behaviour of the software. ASTRID does not rely on the continuous loading and monitoring of (exploit) signature files, that poses a significant overhead to the deployed services/workloads, but it leverages multi-level tracing of behavioural information and binary images to provide verifiable evidence on the health state specific to the deployed workloads.
• Combination of advanced monitoring and introspection functionalities for the dynamic tracing of a system’s control- and information-flow graphs. ASTRID leverages both the extended Berkeley Packet Filter (eBPF) and Intel PT tracing capabilities to inspect kernel-level properties (shared libraries, system calls, shared data and memory address space) as well as the control-flow graph of binaries.
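The enrichment process of result 2) and the "augmenting existing pods defined in the service template with security agents" bullet above both describe sidecar injection into a Kubernetes pod template. The following Python script is an added illustration of that idea, not code from the ASTRID project or the Elastic Stack: it takes a Deployment manifest (as a JSON-compatible dict, since JSON is valid YAML), appends a security-agent sidecar with a hardened securityContext, mounts a shared emptyDir volume so the agent can read the application's telemetry, and marks the pod template with an annotation so that a second run does not inject the agent twice. The agent image, annotation key, volume name and collector URL are hypothetical placeholders, and the sample Deployment is constructed for the example.

```python
"""Enrich a Kubernetes Deployment template with a security-agent sidecar.

Added example; the agent image, annotation key and volume name below are
hypothetical placeholders, not values from the ASTRID project.
"""
import copy
import json

# Constructed sample: a minimal Deployment as a JSON-compatible dict.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "voip-proxy", "labels": {"app": "voip-proxy"}},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "voip-proxy"}},
        "template": {
            "metadata": {"labels": {"app": "voip-proxy"}},
            "spec": {
                "containers": [
                    {
                        "name": "proxy",
                        "image": "example.invalid/voip-proxy:1.0",
                        "ports": [{"containerPort": 5060}],
                    }
                ]
            },
        },
    },
}

AGENT_NAME = "security-agent"                        # hypothetical sidecar name
AGENT_IMAGE = "example.invalid/security-agent:1.0"   # placeholder image reference
INJECTED_ANNOTATION = "security-agent/injected"      # hypothetical marker annotation
SHARED_VOLUME = "security-telemetry"                 # emptyDir shared with the agent
TELEMETRY_PATH = "/var/run/telemetry"


def build_agent_sidecar(collector_url: str) -> dict:
    """Sidecar container spec: least privilege, bounded resources, shared volume."""
    return {
        "name": AGENT_NAME,
        "image": AGENT_IMAGE,
        "env": [{"name": "COLLECTOR_URL", "value": collector_url}],
        "volumeMounts": [{"name": SHARED_VOLUME, "mountPath": TELEMETRY_PATH}],
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}},
    }


def enrich_deployment(manifest: dict, collector_url: str) -> dict:
    """Return a copy of the manifest with the agent injected; idempotent."""
    if manifest.get("kind") != "Deployment":
        raise ValueError("only Deployment manifests are supported by this example")
    enriched = copy.deepcopy(manifest)          # never mutate the caller's template
    pod_template = enriched["spec"]["template"]
    annotations = pod_template.setdefault("metadata", {}).setdefault("annotations", {})
    if annotations.get(INJECTED_ANNOTATION) == "true":
        return enriched                         # already enriched: nothing to do
    pod_spec = pod_template["spec"]
    # Give every application container the shared volume so the agent can read its output.
    for container in pod_spec["containers"]:
        container.setdefault("volumeMounts", []).append(
            {"name": SHARED_VOLUME, "mountPath": TELEMETRY_PATH}
        )
    pod_spec["containers"].append(build_agent_sidecar(collector_url))
    pod_spec.setdefault("volumes", []).append({"name": SHARED_VOLUME, "emptyDir": {}})
    annotations[INJECTED_ANNOTATION] = "true"
    return enriched


def container_names(manifest: dict) -> list:
    """Names of the containers in the pod template, in order."""
    return [c["name"] for c in manifest["spec"]["template"]["spec"]["containers"]]


if __name__ == "__main__":
    result = enrich_deployment(SAMPLE_DEPLOYMENT, "https://collector.example.invalid:9200")
    print(json.dumps(result, indent=2))
```

Because the enrichment works on the rendered template rather than on the application source, it can sit between the CI/CD pipeline and the orchestrator without touching the developers' build; the annotation check keeps the step safe to re-run on a template that has already passed through it.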


ASTRID technologies are expected to have the following technical impacts:
- Boost the uptake of cloud technologies, by providing faster and more effective integration of security analytics with existing Continuous Integration/Continuous Delivery pipelines for cloud native applications.
- Boost new cloud models based on serverless functions, thanks to embedded monitoring and tracing capabilities.
- Increase the resilience to attacks, by leveraging cloud orchestration for automatic mitigation and response.
- Make security processes simpler to define and implement, even for small organizations that cannot afford highly-skilled personnel.

The main long-term benefits for society include the following aspects:
- Make the Internet more secure, by allowing detection and mitigation of network attacks from botnets at the network edge.
- Improve the security of critical infrastructures and services, which are increasingly migrating to cloud native solutions.
- Make forensics and legal investigation simpler for cloud applications.