Evolving business models, computing paradigms, and management practices are rapidly re-shaping the usage models of ICT infrastructures, and demanding for more flexibility and dynamicity in enterprise security, beyond the traditional “security perimeter” approach. Since valuable ICT assets cannot be easily enclosed within a trusted physical sandbox any more, there is an increasing need for a new generation of pervasive and capillary cybersecurity paradigms over distributed and geographically-scattered systems. Following the generalized trend towards virtualization, automation, software-definition, and hardware/software disaggregation, in this paper we elaborate on a multi-tier architecture made of a common, programmable, and pervasive data-plane and a powerful set of multi-vendor detection and analysis algorithms. Our approach leverages the growing level of programmability of ICT infrastructures to create a common and unified framework that could be used to monitor and protect distributed heterogeneous environments, including legacy enterprise networks, IoT installations, and virtual resources deployed in the cloud.
• externalization and offloading: the cloud and similar facilities host sensitive processes and
data in third parties infrastructures, even shared with other customers;
• multiplicity and heterogeneity of domains : sensors, actuators, and other things in harsh
environments with limited processing capabilities are more exposed to compromise than
other IT assets in enterprise networks; for instance, recent botnets like Mirai, Brickerbot,
and Hajime have demonstrated the vulnerability of IoT as well as the possibility to exploit
compromised devices to carry out large DDoS attacks (1 Tb/s and above) [
Since valuable assets cannot anymore be kept inside a trusted physical sandbox, there is an increasing need for new forms of pervasive and capillary control techniques to tackle network threats, which are able to correlate events in both time and space dimensions, provide timely operational information to feed novel disruptive approaches capable of estimating the risk in real-time, and carry out focused and effective defensive and mitigation actions. Current cybersecurity technologies suffer from important limitations, which make them less effective in the evolving scenario, especially against recent complex multi-vector attacks: • intrinsic rigidity, due to the difficult to change architecture and system configuration: network partitioning, deployment of hardware or software security appliances (including the necessary agents), routing and switching policies; • substantial inefficiency, because a) network traffic is often bounced across different appliances for analysis, inspection, mitigation, and processing, hence wasting bandwidth and increasing latency; b) similar or the same operations are carried out by different appliances (e.g., packet and software inspection, log analysis), which often are not interoperable; • narrow scope, since most appliances usually deal with specific aspects only (e.g., firewalling, antivirus, event and log management, intrusion, deny of service) and consider a restricted set of events and devices; • processing overhead to analyze packets, software, behavior, events, and logs, which eventually slows down systems and may be unsustainable by simplest devices (smartphones, IoT); • outdated models: the presence of personal and mobile devices, the broad availability of removable media, the pervasive coverage of public wireless networks, interconnection to IoT devices, and externalization and offloading of processing/storage are the main factors that, especially when combined together, are increasingly opening new breaches in the security perimeter, making it an ineffective and obsolete concept.
In this paper, we envision a new paradigm for managing cyber-security threats in heterogeneous environments. Our approach aims at fostering the transition from multiple independent security appliances to a common framework, leveraging the increasing level of programmability of ICT infrastructures. We describe a multi-tier architecture (Fig. 1) that decouples a pervasive and shared context fabric from centralized business logic; the former is responsible to monitor the environment and to enforce security actions in a capillary way, whereas the latter collects detection and mitigation algorithms that are usually provided by different security appliances. A comprehensive presentation layer will facilitate the interaction with users and other security systems. Our architecture also includes specific elements for collection and secure conservation of forensic information for future investigation and possible use as evidence in court, since compliance to relevant normative will be ever more part of the design of cyber-security systems in the next future.
The paper is organized as follows. Section 2 briefly reviews current approaches and trends in distributed security monitoring. In Section 3 we outline the main concept behind our approach and describe the overall framework. In Section 4 we discuss the architecture design and the main components we are going to use for realizing our framework. Finally, we give our conclusions and describe future work in Section 5. 2
With the increasing uptake of cloud and IoT technologies, micro-firewalls and distributed
firewalls are emerging to protect isolated or virtual resources outside of the enterprise perimeter
[
Threat identification by exploiting network programmability has already been investigated
by several research papers (e.g., [
We observe a generalized trend from centralized standalone security boxes to more distributed frameworks, though programmability of networks is still partially exploited and unified control and management is missing.
The underpinning concept of our approach is a transition from multiple independent security appliances to a common framework, where cyber-security is managed in a coordinated way, as shown in Fig. 1. Our purpose is to exploit and improve available interfaces and protocols for programmable communication infrastructures, hence our work will focus on network threats. In this context, the main challenge is to build the necessary knowledge and awareness both in physical and virtual environments, by real-time collection of massive events from a multiplicity of capillary sources, their inter- and intra-domain correlation in space and time, and the applianodfSfi-nelicvnueesretaignreaaplyossiistory tion for
V manisaugaelmiseantiton, reamnemadolSiyanyttsiiitctooesnrm,ian-nwgd,ide
LAN
LAN !
IoT Server VM VM VM
Presentation cation of remediation actions, while maintaining essential properties such as forwarding speed, scalability, autonomy, usability, fault tolerance, resistance to compromises, and responsiveness.
Fig. 2 pictorially depicts the reference scenario and the structure for a novel multi-layer lawful-compliant cyber-security framework over large, distributed, and even virtualized environments. It drives beyond the legacy “security perimeter” concept by building on pervasive and capillarity programmability of the communication infrastructure. The framework is organized in three logical layers: context fabric, business logic, and presentation. The picture also shows the logical components, together with their main implications and tasks at each layer.
The context fabric entails a rich set of traffic filtering, packet inspection, processing (and, likely, storage) functions that are delegated to specific (physical or virtual) networking devices for performance and privacy matters. In our vision, such functions will no more rely on dedicated hardware appliances or virtual software functions; rather, the ambition is to shape the network behavior by building on the growing availability of flexible and programmable data planes and acceleration features. The business logic combines and correlates local information from multiple monitoring points, in the same or different domains, and builds system-wide situational awareness that allows to promptly detect and predict multi-vector and interdisciplinary cyber-attacks. Knowledge created at this level is presented to users for awareness and for identification of remediation and mitigation actions; it can then be shared with other administrative domains to coordinate response to new threats and attacks. In this layer, storage of data with legal validity is essential for off-line analysis and cyber-crime investigation. Finally, presentation of the processed information, events, and knowledge to humans provides knowledge of vulnerabilities, threats, anomalies, and attacks, so that countermeasures can be taken manually ...
Local controller
Management
plane Orchestration
plane Computing plane Control plane Data source ...
Data source
Filtering, Filtering, inspection, ... inspection, processing processing pinFrsoiplcteeercsitnsioignn,g, ... pinFrsoiplcteeercsitnsioignn,g, pDlaantea Information workflow
Control, processing, and management architecture or automatically; in addition, log and proof of suspicious events are to be collected and should allow backtrace of activity in relevant domains.
Our design considers the duality and synergy between the information workflow and the control, processing and management architecture, as shown in Fig. 3. On the one hand, the information workflow better explains the logical processing flow. Local tasks (to be delegated to data sources) collect and aggregate data, and filter and process packets; identification algorithms (deep data analysis and correlation) build system-wide knowledge and situational awareness; data representation stores and visualize information for humans, and allows system administrators to identify possible remediation and mitigation actions. On the other hand, the control, processing, and management architecture shows the architectural elements and the orchestration functions. Due to its complexity, the architecture is further split into several logical planes: data, control, computing, orchestration, and management. 3.1
Context Fabric The context fabric is responsible for collecting and aggregating information that is relevant for threat identification, as well as for classification, filtering, and processing of network packets. Data, events, and security logs must be collected capillary within the system, from heterogeneous sources in networking and computing devices.
The context fabric runs lightweight tasks in local networking devices. It leverages the
growing level of programmability of networking infrastructures, which enable to push much
more intelligence to network devices, well beyond the flow-level reporting already available
today for anomaly detection (e.g., NetFlow, sFlow, IPFIX). In addition, emerging architectures
and paradigms known as fog computing [
The architecture of the context fabric is organized in two planes (see Fig. 3). At the data
plane, lightweight filtering and inspection tasks handle packets without putting significant stress
to the computing resources needed. Our interest is not only limited to flow programmability
(e.g., OpenFlow [
At the control plane, the need is the ability to discover, configure, and manage local
heterogeneous resources. The purpose is to build a common and uniform abstraction of the underlying
data planes, by extending existing protocols and interfaces (e.g., OpenFlow [
One of the main limitation of existing technologies is that only simple data plane programs are allowed, i.e., without support for complex programs created according to the split data/control plane paradigm as originally proposed with SDN/OpenFlow. The challenges are therefore i) to support more powerful programs, which can operate according to the split data/control plane paradigm; ii) to support more powerful actions on the data in transit, which enable to implement some proactive security actions (e.g., drop network traffic, modify packet information, craft ad-hoc packets for specific purposes) that go beyond simple monitoring. 3.2
Business Logic The main task of the business logic layer is to extract knowledge from the multiplicity and heterogeneity of data collected by the context fabric. The challenge is the definition of innovative algorithms that define which metrics are needed for each monitored point and correlate them in both time and space dimensions. Such analysis could be based on Attack Graphs, Attack Surface analysis, Kill Chain definitions and Attack trees models with the support of the deep learning techniques, Petri nets, and strategic models such as Stackelberg leadership model, Artificial Neural Networks.
The definition of algorithms for threat and anomaly detection should consider big data and machine learning capabilities to add predictive and proactive capabilities to existing security tools and systems. Multi-domain analysis and correlation of capillary data allows to promptly detect and predict multi-vector and interdisciplinary cyber-attacks, and to build wide awareness and coordinated response to new threats and attacks. The framework should also account for relevant events and data to be stored as evidence in case of suspicious activity, in order to be used as evidence in case of forensics investigation.
Processing and analysis of network traffic flows can reveal personal data, secrets, intellectual properties, habits, behaviors, etc., hence harming fundamental rights of organizations and humans. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data is going to revolutionize the privacy landscape in all European Countries. It is of paramount importance that all data gathered in any cyber-security monitoring framework will be compliant with said Privacy Regulation. In addition, there are specific requirements for legal validity of logs and events in court.
Data protection should consider anonymization and pseudonymization techniques that can hide the identify and the behavior of systems and users outside criminal investigations. Legal validity of the extracted data to be used in case of forensics investigation should be tackled, by considering technologies and mechanisms to protect the integrity, origin, and trustworthiness of data (e.g., digital signing, timestamping, message integrity codes, one-way encryption, ) according to the requirements and guidelines settled by normative frameworks. 3.3
Presentation Risks, vulnerabilities, on-going attacks, and threats must be depicted to organizations and their security staff in the appropriate manner to support timely and effective reaction to cybersecurity threats, by settling proper remediation and mitigation actions.
At the management plane (see Fig. 3), visualization solutions may rely on multi-layer software architectures and REST-based APIs for accessing threats and attacks database by multiple devices, flexible graphical layouts defined by templates and style-sheets to adapt the representation to heterogeneous devices and platforms, event-driven publish/subscription mechanisms for real-time notification of threats, anomalies, and attacks. The interface should also provide the ability to trigger pre-defined remediation actions, as well as to define new ones as new threats are identified. The capability to automate response allows faster mitigation for well-known attacks.
Managing the underlying infrastructure and adapting it to the evolving scenario is perhaps the most challenging issue for the whole framework. The orchestration plane is responsible for deploying and coordinating the hardware/software components over a mix of pervasive resources. The purpose is to understand which tasks should be offloaded and which tasks must be performed centrally. To this end, the target is to run detection algorithms and the business logic on high-performance, reliable, and protected infrastructures (e.g., private cloud installations), while offloading monitoring, inspection, and filtering tasks to local resources. In case of offloading, the orchestrator is responsible to select the proper resource (e.g., hardware switch or virtual switch in hypervisor) according to specific requirement and constraints by the algorithms (e.g., inspect incoming traffic, monitor traffic sent by host X, etc.). 4
Starting from the main concept and the conceptual architecture devised in Section 3, we have already derived the preliminary platform design shown in Fig. 4. It entails a number of functional elements that are necessary to implement the whole framework.
The programmable switch is responsible for traffic inspection and simple analysis, hence
implementing the data plane of the context fabric. It will carry out filtering and processing
operations by hardware or software acceleration mechanisms. Data, events, and measurements
extracted will undergo a certification process to produce trusted information for forensics and
lawful investigation. The switch will offer both a programming interface to configure filtering
rules and offload simple tasks, as well as a data publication interface to export collected
information to the controller (control plane of the context fabric). The switch will be an enhanced
version of existing SDN devices; Open vSwitch [
The controller translates (or “compiles”) technology agnostic programs and configurations (Northbound interface) into specific SDN protocols (Southbound interface). A similar operation is performed in the opposite direction for data, events, and measurements. The controller is responsible for all switches in a domain or subdomain: it manages network topology, recovers Human interface
Data visualisation Method modelling Decision support
Intent framework
Data harmonisation Detection algorithm Distributed computing framework
Orchestration Northbound interface
Orchestrator
Legal repository
Secure storage
Controller Compiler
Data aggregation and anonimisation
Southbound interface Programming interface
Local filtering and processing Hw acceleration
Sw acceleration Data publication Data certification
Programmable
switch
from errors, collect data and measurements; in our architecture, it will also be responsible for
data aggregation and anonymization. Anonymization is required to use data and measurements
outside of legal investigation for threat identification without breaking confidentiality and
privacy. The RestConf [
The orchestrator is the smarter engine of the whole platform. It includes abstractions and
models to split detection algorithms and mitigation policies in centralized and distributed
computing tasks; centralized tasks perform data correlations and analysis, whereas distributed tasks
are responsible for filtering, deep packet inspection, simple local processing. The distribution
of tasks between the cloud and local devices is very similar to fog computing, hence we will
consider recent concepts in this field, such as [
The legal repository will be responsible for secure and trusted storage of data, information,
and events for successive lawful investigation. Key features in this case is trustworthiness,
availability, integrity, resilience, resistance to attacks, and scalability, in order to prevent alteration
or losses of data in case of attack. The repository will be an innovative storage infrastructure
specifically designed and implemented to comply with requirements for lawful applications. We
target design and implementation of a storage system suitable for preserving data with
innovative reliability, security, availability, and scalability features inherited by existing virtual file
systems for distributed storage of information (e.g., Ceph [
The human interface is the visualization tools to draw the current cyber-security picture and to enable quick and intuitive response to attacks. It will correlate attacks and threats with the actual network topology, suggest remediation and countermeasures, and enable definition of custom reaction strategies in case of new and unknown threats. Our human interface will be developed to explicitly address interaction with management of distributed resources. 5
In this paper, we have described our concept about a new cyber-security paradigm beyond the security perimeter model. Our work leverages programmable communication infrastructures and focus on network threats, but we think it could be easily extended to a broader scope (including monitoring of application events and system calls) once the first protocols for fog computing will be available.
We have already carried out preliminary design and identification of functional components for the whole framework. We have already gathered complementary skills and expertise in a research consortium and we are going to start the envisaged research and implementation work in the next months. 6
The authors would like to thanks other people who contributed to the discussion and the preparation of the SAMOA proposal: Joanna Kolodziej (Cracow University of Technology), Flora Strohmeier (Synyo Gmbh), Olaf Gebauer (Ostfalia University), Stefano Mele (Carnelutti Law Firm).
This work was supported in part by the European Commission, under project Matilda (grant no. 761898).