CORDIS - EU research results

A cybersecurity framework to GUArantee Reliability and trust for Digital service chains

Periodic Reporting for period 2 - GUARD (A cybersecurity framework to GUArantee Reliability and trust for Digital service chains)

Reporting period: 2020-11-01 to 2022-04-30

Today, the ICT industry is introducing new architectures that bring more agility in the creation and management of new services. As a matter of fact, the implementation of applications is progressively moving from the traditional “writing and linking the code” pattern to more modern paradigms based on “chaining of elementary services”.

While a lot of progress has been made in recent years in the field of virtualization and open interfaces for remote management and self-provisioning, cyber-security paradigms are still mostly stuck in legacy models that do not take into account the dynamic and multi-tenant nature of modern business chains. Without this evolution, organizations will remain reluctant to move their processes to the cloud, and customers will continue to have privacy and confidentiality concerns.

The GUARD project has investigated the feasibility of integrating security controls into the management/control APIs of digital resources. While the range of security services for digital business chains is very broad, the GUARD project has focused on attack detection and prevention, covering both service availability and data sovereignty. In this challenging scenario, the GUARD objectives mostly revolved around the three main concepts of visibility, detection and traceability to improve awareness.

Demonstration and validation of the proposed solution was carried out in two relevant Use Cases. The first Use Case addressed public transportation and an application which collects data from buses for smart mobility services, with a clear focus on the integrity of the service and of the exchanged messages. The second Use Case implemented a medical application for sharing data between physicians in different departments of a hospital and with external entities, and focused on tracking the propagation of sensitive information and applying sharing controls based on users' preferences.

The GUARD framework is essentially an evolution of typical SIEM tools, conceived to give more flexibility in creating and updating detection processes. It makes it possible to discover, configure, and pipeline security agents to a centralized set of detection and analytics engines, which usually play the role of detectors. This largely removes the need for manual configuration and the difficulty of following the evolution of large, distributed and ephemeral cyber-physical systems.

The whole framework extends the well-known Elastic Stack architecture with: i) an abstraction layer that provides a uniform view of heterogeneous security agents (CB-Manager); ii) a smart controller that carries out configuration, response, and mitigation actions (Security Controller); iii) a token-based authentication and authorization framework for accessing security functions exposed by third-party providers (AA module); iv) a control interface that discovers security capabilities and configures them (GUARD API).

In addition to the GUARD platform itself, a number of ancillary components were also developed. Specifically, the current implementation includes a set of agents that covers the collection of log files, system metrics and network measures: Filebeat, Metricbeat, Packetbeat, and vDPI; additionally, local detection is possible with the AMiner. A number of complementary detectors have been developed that use ML and other AI-based techniques for the detection of known attacks and anomalies in network traffic and system/application logs. The demonstration setup has considered DDoS attacks against HTTP servers, replication and other anomalies in LoRa messages, attacks against LoRa gateways, MQTT attacks, and web attacks. An alert aggregation approach was developed that automatically generates actionable and shareable CTI in the form of attack patterns derived from heterogeneous alerts raised by various IDSs analysing several data sources. Finally, periodic signature updates from the Network Telescope were considered to reduce the vulnerability to zero-day attacks.
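The alert aggregation step described above (heterogeneous IDS alerts turned into shareable attack patterns) can be illustrated with a small correlation engine. The following Python block is an added example, not code from the GUARD project, whose actual aggregation method is not described on this page. It assumes three constructed alert formats (a JSON network IDS line, a pipe-separated log-analyser line, and a key=value metric-anomaly line), all of which are hypothetical, and a single correlation rule: alerts sharing the same source address within a ten-minute window are merged into one pattern whose stages are ordered by time. The sample alerts use documentation IP ranges and are constructed.

```python
"""Added example (not GUARD code): normalise alerts from several hypothetical
detectors and aggregate them into attack patterns that can be shared as CTI."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """Common alert schema shared by every detector after parsing."""
    ts: datetime
    detector: str      # which detector raised the alert
    src_ip: str        # suspected origin of the activity
    target: str        # affected host or service
    category: str      # detector-specific label of what was seen
    severity: int      # 1 (low) .. 5 (critical)


def parse_network_alert(line: str) -> Alert:
    """Constructed JSON format of a hypothetical network IDS."""
    d = json.loads(line)
    return Alert(datetime.fromisoformat(d["time"]), "net-ids",
                 d["src"], d["dst"], d["sig"], int(d["sev"]))


def parse_log_alert(line: str) -> Alert:
    """Constructed pipe-separated format of a hypothetical log analyser."""
    ts, host, client, label, sev = line.split("|")
    return Alert(datetime.fromisoformat(ts), "log-analyser",
                 client, host, label, int(sev))


def parse_metric_alert(line: str) -> Alert:
    """Constructed key=value format of a hypothetical metric anomaly detector."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Alert(datetime.fromisoformat(kv["t"]), "metrics",
                 kv.get("src", "unknown"), kv["host"], kv["anomaly"], int(kv["sev"]))


PARSERS = {"net": parse_network_alert, "log": parse_log_alert, "metric": parse_metric_alert}

# Constructed sample alerts from three detectors watching the same host.
SAMPLE_ALERTS = [
    ("net", '{"time":"2022-03-01T10:00:05","src":"203.0.113.7","dst":"10.0.0.5","sig":"port-scan","sev":2}'),
    ("log", "2022-03-01T10:02:10|10.0.0.5|203.0.113.7|web-attack|3"),
    ("net", '{"time":"2022-03-01T10:03:00","src":"203.0.113.7","dst":"10.0.0.5","sig":"http-flood","sev":4}'),
    ("metric", "t=2022-03-01T10:03:30 host=10.0.0.5 src=203.0.113.7 anomaly=cpu-spike sev=3"),
    ("log", "2022-03-01T11:00:00|10.0.0.9|198.51.100.4|ssh-bruteforce|3"),
    ("net", '{"time":"2022-03-01T12:30:00","src":"203.0.113.7","dst":"10.0.0.5","sig":"port-scan","sev":2}'),
]


def normalise(raw):
    """Parse (kind, line) pairs into Alert objects, oldest first."""
    return sorted((PARSERS[kind](line) for kind, line in raw), key=lambda a: a.ts)


@dataclass
class AttackPattern:
    """Alerts from one source correlated into an ordered multi-stage pattern."""
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    stages: list = field(default_factory=list)
    detectors: set = field(default_factory=set)
    max_severity: int = 0


def aggregate(alerts, window=timedelta(minutes=10)):
    """Merge alerts with the same source within `window` of the previous one."""
    open_patterns = {}   # src_ip -> most recent pattern for that source
    result = []
    for a in sorted(alerts, key=lambda x: x.ts):
        p = open_patterns.get(a.src_ip)
        if p is None or a.ts - p.last_seen > window:   # gap too large: start new pattern
            p = AttackPattern(a.src_ip, a.ts, a.ts)
            open_patterns[a.src_ip] = p
            result.append(p)
        p.last_seen = a.ts
        if not p.stages or p.stages[-1] != a.category:  # collapse repeated labels
            p.stages.append(a.category)
        p.detectors.add(a.detector)
        p.max_severity = max(p.max_severity, a.severity)
    return result


def to_cti(p: AttackPattern) -> dict:
    """Flatten a pattern into a plain, JSON-serialisable record for sharing."""
    return {
        "source": p.src_ip,
        "first_seen": p.first_seen.isoformat(),
        "last_seen": p.last_seen.isoformat(),
        "stages": list(p.stages),
        "stage_count": len(p.stages),
        "detectors": sorted(p.detectors),
        "max_severity": p.max_severity,
    }


if __name__ == "__main__":
    for pattern in aggregate(normalise(SAMPLE_ALERTS)):
        print(json.dumps(to_cti(pattern)))
```

Running the block prints three records: one four-stage pattern in which all three detectors contributed, a single-stage pattern from a different source, and a second pattern for the first source because its last alert falls outside the correlation window. The window size and the "same source address" rule are the two knobs a deployment would tune; too wide a window merges unrelated activity, too narrow one splits a slow campaign into fragments.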

Detection of attacks on the LoRa network and cloud services (applications, message queues) was performed in a smart mobility application deployed in the city of Wolfsburg, which includes a mix of IoT, network, and cloud resources. Secure sharing of sensitive data and detection of DoS attacks were demonstrated for an eHealth application developed for UNITOV, which allows physicians to digitalize the medical records of their patients and keep track of sharing policies.

The GUARD approach goes beyond the scope of existing Cloud Access Security Brokers (CASB), because it is intended to create multi-domain detection processes in a SIEM-like approach, rather than merely integrating heterogeneous security functions from different domains.

At the architecture level, the Project concept is progressing beyond the current state of the art in the following way:
• GUARD advocates an extension of management interfaces to account for security aspects as well, which makes it possible to “orchestrate” them in a similar manner to the composition of complex chains of digital services;
• more context is included in security API beyond plain configuration, including the nature, composition and relationships between the execution environments of each service;
• the management of trust relationships between the different entities that provide digital resources, create and operate value-added services, and implement security processes;
• new models for sharing private and confidential data, based on the concept of open data spaces.

The concrete implementation resulted in a GUARD platform and an ecosystem of agents and detectors whose scope includes both service integrity and data sovereignty:
• machine learning techniques for the identification of anomalies and denial of service in the network;
• dynamic parsing to extract relevant features from application logs and system metrics;
• risk assessment computed from discovered internal and external vulnerabilities;
• filtering of data propagation within a data space, according to user-defined policies.

GUARD removes many of the existing concerns in the adoption of cloud technologies and the implementation of cyber-physical systems. The Project has already achieved all the technical impacts by fulfilling its original objectives and delivering the expected results. A short-term impact is expected on standardization with the publication of the Smart Data Model implemented by the GUARD interface to security functions. Business opportunities are seen in the mid- to long-term, after interfaces to security functions become widely adopted by service providers.

[Figure] Digital services are composed of complex chains of software, processes, and devices.
[Figure] GUARD framework is made of a centralized platform and security functions offered by Resource Pro
[Figure] The GUARD concept revolves around the idea of improving awareness for improving response.