The GUARD framework is essentially an evolution of typical SIEM tools, conceived to give more flexibility in creating and updating detection processes. It allows security agents to be discovered, configured, and pipelined to a centralized set of detection and analytics engines, which usually play the role of detectors. This largely removes the need for manual configuration and the difficulty of following the evolution of large, distributed and ephemeral cyber-physical systems.
The whole framework extends the well-known Elastic Stack architecture with: i) an abstraction layer that provides a uniform view of heterogeneous security agents (CB-Manager); ii) a smart controller that carries out configuration, response, and mitigation actions (Security Controller); iii) a token-based authentication and authorization framework for accessing security functions exposed by third-party providers (AA module); iv) a control interface that discovers security capabilities and configures them (GUARD API).
In addition to the GUARD platform itself, a number of ancillary components were also developed. Specifically, the current implementation includes a set of agents that covers the need for collection of log files, system metrics and network measures: Filebeat, Metricbeat, Packetbeat, and vDPI; additionally, local detection is possible with the AMiner. A number of complementary detectors have been developed that use ML and other AI-based techniques for the detection of known attacks and anomalies in network traffic and system/application logs. The demonstration setup has considered DDoS attacks against HTTP servers, replication and other anomalies in LoRa messages, attacks against LoRa gateways, MQTT attacks, and web attacks. An alert aggregation approach was developed that automatically generates actionable and shareable CTI in the form of attack patterns derived from heterogeneous alerts from various IDSs analysing several data sources. Finally, periodic signature updates from the Network Telescope were considered to reduce the vulnerability window due to zero-day attacks.
Detection of attacks on the LoRa network and cloud services (applications, message queues) was performed in a smart mobility application deployed in the city of Wolfsburg, which includes a mix of IoT, network, and cloud resources. Secure sharing of sensitive data and detection of DoS attacks were demonstrated for an eHealth application developed for UNITOV, which allows physicians to digitalize the medical records of their patients and keep track of sharing policies.