comifin cluster meeting
DESCRIPTION
TRANSCRIPT
Collaborative Security for Protection
of Financial Critical Infrastructures
Roberto Baldoni
CoMiFin
Financial Critical Infrastructures
• Financial critical infrastructures are more exposed to a variety of coordinated and massive cyber attacks
– Attacks against financial services that supported WikiLeaks (2010)
– Payment card fraud (2008): coordinated attackers retrieved 9 million of US dollars
• Risks for financial institutions (FIs)
– Cost of downtime of an e-service is around 6 millions dollars per day
– Damage to reputation
– Loss of personal information about customers
Amsterdam July 5th 2011 2Roberto Baldoni
Collaborative
Processing
System
. . . .
Organization 1
Agreed information
warnings
Internet
Agreed Inform
ation
Organization M
contractcontractcontract
warnings
CoMiFin Essential
Amsterdam July 5th 2011 3Roberto Baldoni
CoMiFin Essential: sense-and-
response applications
■Monitoring
■Continuous Control
■Command and Control
■Mashup Services
■Business intelligence
Amsterdam July 5th 2011 4Roberto Baldoni
CoMiFin Essentials: The notion of
semantic room
■ Contract
■ set of processing and data sharing services provided by the SR along with the data protection, privacy, isolation, trust, security, dependability, performance requirements.
■ The contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR.
■ Objective
■ each SR has one strategic objective to meet (e.g, large-scale stealthy scans detection, detecting Man-In-The-Middle attacks)
■ Deployment
■ highly flexible to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).
Amsterdam July 5th 2011 5Roberto Baldoni
CoMiFin Essentials: Deploying a Semantic
Room
Internet Level
Collaboration
LevelApplication
Level
■ Private cloud
■ Deployment of the semantic room through the federation of computing and storage capabilities at each member
■ Each member brings a private cloud to federate
■ Public Cloud
■ Deployment of the semantic room on a third party cloud provider
■ The third party owns all computing and storage capabilities
■ Hybrid approach
Amsterdam July 5th 2011 6Roberto Baldoni
Comifin Essentials: Business
Vision• CoMiFin platform can be potentially useful for addressing the following
business use cases
– Monitoring and reaction to cyber threats. We have semantic rooms deployment
for:
� Man-in-the-Browser (privacy preserving)
� Man-in-the-Middle,
� Botnet detection,
� stealthy inter-domain port scan
– Monitoring and reaction to frauds. We have semantic room deployment for:
� Counterfeit Euros
� Tampered ATM
� Unauthorized POS
– Anti money laundering monitoring (Sapienza – Italian Intelligence)
– Interconnection of semantic rooms. We have deployment for:
� stealthy inter-domain port scan semantic room output feeds man-in-the-middle semantic room to
increase accuracy detection
• Four FAB meeting evaluation sessions (UBS, INTESA SAN PAOLO, SWIFT, ABI)
that have highlighted its possible business value in real financial use cases.
Amsterdam July 5th 2011 7Roberto Baldoni
CoMiFin: Major Achievements
• COMIFIN Architecture&Portal (semantic room lifecycle)
• Distributed platform hadoop-based for complex event processing : AGILIS
• Esper-Based semantic room platform for massive event processing incoming from trustworthy partners
• Developments of – 4 Semantic rooms detecting cyber attacks
– 1 Semantic room for fraud detection
– 1 interconnection of semantic rooms
Amsterdam July 5th 2011 8Roberto Baldoni
• EPTS (Event Processing
Technical Society) innovation
award 2011
• IBM Faculty Award 2011 for
research in Distributed Massive
event processing
• TR35 Innovation award 2011
(Giorgia Lodi)
• EPTS (Event Processing
Technical Society) innovation
award 2011
• IBM Faculty Award 2011 for
research in Distributed Massive
event processing
• TR35 Innovation award 2011
(Giorgia Lodi)
CoMiFin: Major Achievements (i) -
AGILIS
• Distributed platform hadoop-based for complex event processing :
– AGILIS
Amsterdam July 5th 2011 9Roberto Baldoni
CoMiFin, Semantic Room I: preventing
inter-domain stealthy scan
Attacker performs port scanning simultaneously at
multiple sites trying to identify TCP/UDP ports that
have been left open. Those ports can then be used
as the attack vectors
• Added value of collaboration:
– Ability to identify an attacker trying to conceal his/her
activity by accessing only a small number of ports within
each individual domain
• Action taken:
– black list IP addresses
– update historical records
Amsterdam July 5th 2011 10Roberto Baldoni
CoMiFin, Semantic Room I: preventing
inter-domain stealthy scan
Amsterdam July 5th 2011 11Roberto Baldoni
CoMiFin, Semantic Room I: preventing
inter-domain stealthy scan
Amsterdam July 5th 2011 12Roberto Baldoni
CoMiFin: Major Achievements – MEF Semantic
Room for Frauds detection and correlation
• Find out possible (spatial/temporal) correlation patterns among
single isolated applications
� They do not exchange information with each other
� Data are apparently uncorrelated
� Sipaf: Credit card frauds
� Sirfe: Counterfeit banknotes
• From the two applications we extracted three main data flows
concerning
� Counterfeit Euros (from Sirfe)
� Tampered ATM (from Sipaf)
� Unauthorized POS (from Sipaf)
• We did not consider unauthorized credit card transactions
� due to unavailability of important data such as Italian location
Amsterdam July 5th 2011 13Roberto Baldoni
MEF Semantic Room data processing
• We have identified the following possible correlations– Mainly based on geo-localization on the entire Italy
�GeoAggregation
� Identifies “hot areas”, i.e., areas (1 Km x 1 Km approximately) characterized by a high number of crime episodes of the three previously mentioned types
�Data from Sirfe and Sipaf are correlated based on the location
� Scores are assigned to the three data flow types and a thresholdmechanism is used to identify red (high concentration), yellow (medium concentration) and green areas (low concentration)
�Crime Entropy
� Identifies areas characterized by a high number of different crime episodes
�Data from Sirfe and Sipaf are correlated based on the location
» White areas correspond to high entropy and then high number of different episodes
Amsterdam July 5th 2011 14Roberto Baldoni
MEF Semantic Room: data processing
architecture
Counterfeit
euros
Tampered
ATM
Unauthorized
POS
SR gateway
adapterI/O
socket
SR gateway
adapterI/O
socket
SR gateway
adapterI/O
socket
<<ESPER CEP Engine>>
subscribers
alert
<<Main Engine>>
EPL Query
<<invoke>><<invoke>>
I/O socket
alerts
<<use>>
Semantic Room
Cloud
Services
Amsterdam July 5th 2011 15Roberto Baldoni
MEF Semantic Room: Counterfeit
Banknotes
Semantic Room: Counterfeit
Banknotes - speculations
Day vs. multiplicity V55605030341