comifin cluster meeting

17
Collaborative Security for Protection of Financial Critical Infrastructures Roberto Baldoni CoMiFin [email protected]

Upload: fcleary

Post on 24-Jan-2015

356 views

Category:

Technology


0 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Comifin cluster meeting

Collaborative Security for Protection

of Financial Critical Infrastructures

Roberto Baldoni

CoMiFin

[email protected]

Page 2: Comifin cluster meeting

Financial Critical Infrastructures

• Financial critical infrastructures are more exposed to a variety of coordinated and massive cyber attacks

– Attacks against financial services that supported WikiLeaks (2010)

– Payment card fraud (2008): coordinated attackers retrieved 9 million of US dollars

• Risks for financial institutions (FIs)

– Cost of downtime of an e-service is around 6 millions dollars per day

– Damage to reputation

– Loss of personal information about customers

Amsterdam July 5th 2011 2Roberto Baldoni

Page 3: Comifin cluster meeting

Collaborative

Processing

System

. . . .

Organization 1

Agreed information

warnings

Internet

Agreed Inform

ation

Organization M

contractcontractcontract

warnings

CoMiFin Essential

Amsterdam July 5th 2011 3Roberto Baldoni

Page 4: Comifin cluster meeting

CoMiFin Essential: sense-and-

response applications

■Monitoring

■Continuous Control

■Command and Control

■Mashup Services

■Business intelligence

Amsterdam July 5th 2011 4Roberto Baldoni

Page 5: Comifin cluster meeting

CoMiFin Essentials: The notion of

semantic room

■ Contract

■ set of processing and data sharing services provided by the SR along with the data protection, privacy, isolation, trust, security, dependability, performance requirements.

■ The contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR.

■ Objective

■ each SR has one strategic objective to meet (e.g, large-scale stealthy scans detection, detecting Man-In-The-Middle attacks)

■ Deployment

■ highly flexible to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).

Amsterdam July 5th 2011 5Roberto Baldoni

Page 6: Comifin cluster meeting

CoMiFin Essentials: Deploying a Semantic

Room

Internet Level

Collaboration

LevelApplication

Level

■ Private cloud

■ Deployment of the semantic room through the federation of computing and storage capabilities at each member

■ Each member brings a private cloud to federate

■ Public Cloud

■ Deployment of the semantic room on a third party cloud provider

■ The third party owns all computing and storage capabilities

■ Hybrid approach

Amsterdam July 5th 2011 6Roberto Baldoni

Page 7: Comifin cluster meeting

Comifin Essentials: Business

Vision• CoMiFin platform can be potentially useful for addressing the following

business use cases

– Monitoring and reaction to cyber threats. We have semantic rooms deployment

for:

� Man-in-the-Browser (privacy preserving)

� Man-in-the-Middle,

� Botnet detection,

� stealthy inter-domain port scan

– Monitoring and reaction to frauds. We have semantic room deployment for:

� Counterfeit Euros

� Tampered ATM

� Unauthorized POS

– Anti money laundering monitoring (Sapienza – Italian Intelligence)

– Interconnection of semantic rooms. We have deployment for:

� stealthy inter-domain port scan semantic room output feeds man-in-the-middle semantic room to

increase accuracy detection

• Four FAB meeting evaluation sessions (UBS, INTESA SAN PAOLO, SWIFT, ABI)

that have highlighted its possible business value in real financial use cases.

Amsterdam July 5th 2011 7Roberto Baldoni

Page 8: Comifin cluster meeting

CoMiFin: Major Achievements

• COMIFIN Architecture&Portal (semantic room lifecycle)

• Distributed platform hadoop-based for complex event processing : AGILIS

• Esper-Based semantic room platform for massive event processing incoming from trustworthy partners

• Developments of – 4 Semantic rooms detecting cyber attacks

– 1 Semantic room for fraud detection

– 1 interconnection of semantic rooms

Amsterdam July 5th 2011 8Roberto Baldoni

• EPTS (Event Processing

Technical Society) innovation

award 2011

• IBM Faculty Award 2011 for

research in Distributed Massive

event processing

• TR35 Innovation award 2011

(Giorgia Lodi)

• EPTS (Event Processing

Technical Society) innovation

award 2011

• IBM Faculty Award 2011 for

research in Distributed Massive

event processing

• TR35 Innovation award 2011

(Giorgia Lodi)

Page 9: Comifin cluster meeting

CoMiFin: Major Achievements (i) -

AGILIS

• Distributed platform hadoop-based for complex event processing :

– AGILIS

Amsterdam July 5th 2011 9Roberto Baldoni

Page 10: Comifin cluster meeting

CoMiFin, Semantic Room I: preventing

inter-domain stealthy scan

Attacker performs port scanning simultaneously at

multiple sites trying to identify TCP/UDP ports that

have been left open. Those ports can then be used

as the attack vectors

• Added value of collaboration:

– Ability to identify an attacker trying to conceal his/her

activity by accessing only a small number of ports within

each individual domain

• Action taken:

– black list IP addresses

– update historical records

Amsterdam July 5th 2011 10Roberto Baldoni

Page 11: Comifin cluster meeting

CoMiFin, Semantic Room I: preventing

inter-domain stealthy scan

Amsterdam July 5th 2011 11Roberto Baldoni

Page 12: Comifin cluster meeting

CoMiFin, Semantic Room I: preventing

inter-domain stealthy scan

Amsterdam July 5th 2011 12Roberto Baldoni

Page 13: Comifin cluster meeting

CoMiFin: Major Achievements – MEF Semantic

Room for Frauds detection and correlation

• Find out possible (spatial/temporal) correlation patterns among

single isolated applications

� They do not exchange information with each other

� Data are apparently uncorrelated

� Sipaf: Credit card frauds

� Sirfe: Counterfeit banknotes

• From the two applications we extracted three main data flows

concerning

� Counterfeit Euros (from Sirfe)

� Tampered ATM (from Sipaf)

� Unauthorized POS (from Sipaf)

• We did not consider unauthorized credit card transactions

� due to unavailability of important data such as Italian location

Amsterdam July 5th 2011 13Roberto Baldoni

Page 14: Comifin cluster meeting

MEF Semantic Room data processing

• We have identified the following possible correlations– Mainly based on geo-localization on the entire Italy

�GeoAggregation

� Identifies “hot areas”, i.e., areas (1 Km x 1 Km approximately) characterized by a high number of crime episodes of the three previously mentioned types

�Data from Sirfe and Sipaf are correlated based on the location

� Scores are assigned to the three data flow types and a thresholdmechanism is used to identify red (high concentration), yellow (medium concentration) and green areas (low concentration)

�Crime Entropy

� Identifies areas characterized by a high number of different crime episodes

�Data from Sirfe and Sipaf are correlated based on the location

» White areas correspond to high entropy and then high number of different episodes

Amsterdam July 5th 2011 14Roberto Baldoni

Page 15: Comifin cluster meeting

MEF Semantic Room: data processing

architecture

Counterfeit

euros

Tampered

ATM

Unauthorized

POS

SR gateway

adapterI/O

socket

SR gateway

adapterI/O

socket

SR gateway

adapterI/O

socket

<<ESPER CEP Engine>>

subscribers

alert

<<Main Engine>>

EPL Query

<<invoke>><<invoke>>

I/O socket

alerts

<<use>>

Semantic Room

Cloud

Services

Amsterdam July 5th 2011 15Roberto Baldoni

Page 16: Comifin cluster meeting

MEF Semantic Room: Counterfeit

Banknotes

Page 17: Comifin cluster meeting

Semantic Room: Counterfeit

Banknotes - speculations

Day vs. multiplicity V55605030341