Autonomous security for complex systems

复杂系统的自主安全

• 批准号: RGPIN-2021-03278
• 负责人: Cuppens, Frederic
• 金额: $ 2.11万
• 依托单位: École Polytechnique de Montréal
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=741867
• 关键词: Autonomous; security; complex; systems

Information technology-based systems are facing increasingly complex cyber-attacks. To deal with these cyber-attacks, large enterprises are deploying monitoring infrastructures based on Security Operations Centers (SOCs). SOCs integrate various security functions such as intrusion detection systems, firewalls and supervision systems. They are based on a complex organizational structure, generally at three levels, with a first level dedicated to the task of analyzing low-level alerts, the second level in charge of managing incidents and activating countermeasures, and the last level responsible for forensic analysis, monitoring and anticipation. At the first level, analysts manage alerts by applying checklists and best practice rules. Apart from these reflex reaction tasks, other tasks are generally performed manually and rely on human expertise. The consequence of this complex structure is that the deployment of a SOC is expensive in terms of purchase, operation and maintenance. SOCs are therefore security solutions that are difficult for SMEs (Small and Medium-sized Enterprises) to access. In the absence of adapted solutions, SMEs are increasingly vulnerable to cyber-attacks. To address this problem, we propose to develop the concept of Autonomous Cybersecurity Systems (ACS). The aim is to design concrete solutions to further automate security functions, particularly those that are currently performed manually in SOCs. The concept of ACS will improve the global security of companies and especially SMEs by addressing the following points: (1) Reducing the risk of human error by further automating the decision-making process, (2) Ensuring better management of cyber-attacks by reducing response time, (3) Making security solutions more accessible to businesses, particularly SMEs, by reducing operation and maintenance costs. The following topics will be studied in the research program : T1: Automatic generation of attack graphs. This topic aims to define an Artificial Intelligence-based solution that takes as input the textual descriptions of vulnerabilities and generates an ontological description of the graphs of attacks instantiated on the system considered. T2: Classification of attacker profiles and attack attribution. The objectives will be first to construct a classification of attacker profiles and then analyze the attacker typologies and go further into the so-called attribution problem which aims to trace the source of the attack. T3. Security posture evaluation and impact measurement. The suggested approach is based on the definition of metrics and the identification of dependencies between business services, the objective being to develop an expert system to assist the decision making process in the choice of response to cyber-attacks. By developing solutions to deal with cyber attacks and attackers, this program will enhance trust in digital systems and will have transformative impacts for the Canadian society and economy.

基于信息技术的系统正面临日益复杂的网络攻击。为了应对这些网络攻击，大型企业正在部署基于安全运营中心（SOC）的监控基础设施。SOC集成了各种安全功能，如入侵检测系统，防火墙和监控系统。它们基于复杂的组织结构，通常分为三级，第一级专门负责分析低级别警报，第二级负责管理事件和启动对策，最后一级负责法医分析，监测和预测。在第一级，分析师通过应用检查表和最佳实践规则来管理警报。除了这些反射反应任务之外，其他任务通常手动执行并依赖于人类专业知识。这种复杂结构的结果是，SOC的部署在购买、操作和维护方面是昂贵的。因此，SOC是中小型企业难以访问的安全解决方案。在缺乏适应性解决方案的情况下，中小企业越来越容易受到网络攻击。为了解决这个问题，我们提出了自主网络安全系统（ACS）的概念。其目的是设计具体的解决方案，以进一步自动化安全功能，特别是那些目前在SOC中手动执行的功能。ACS的概念将通过解决以下几点来改善公司，特别是中小企业的全球安全：（1）通过进一步自动化决策过程来降低人为错误的风险，（2）通过减少响应时间来确保更好地管理网络攻击，（3）通过降低运营和维护成本，使安全解决方案更容易为企业，特别是中小企业所用。研究计划将研究以下主题：T1：攻击图的自动生成。本主题旨在定义一种基于人工智能的解决方案，该解决方案将漏洞的文本描述作为输入，并生成所考虑系统上实例化的攻击图的本体描述。 T2：攻击者配置文件和攻击归因的分类。我们的目标是首先构建一个攻击者配置文件的分类，然后分析攻击者的类型学，并进一步进入所谓的归属问题，其目的是跟踪攻击的来源。T3安全态势评估和影响衡量。建议的方法是基于定义的指标和识别业务服务之间的依赖关系，其目标是开发一个专家系统，以协助决策过程中的选择，以应对网络攻击。通过开发应对网络攻击和攻击者的解决方案，该计划将增强对数字系统的信任，并将对加拿大社会和经济产生变革性影响。