The project: An architecture for Safeguarding large complex critical infrastructures
An overview of the project
• Safeguard aims to enhance the dependability and survivability of Large Complex Critical Infrastructures (LCCIs).
• It will use electricity networks and telecommunications networks as practical examples of LCCIs.
• The aim is to produce a generic solution that can be adapted for other forms of LCCI.
• Started December 2001, ends May 2004.
Society and infrastructure
• We rely heavily on many different types of infrastructure.
• There is a massive degree of interdependence between them.
• In particular, control systems (information and control) are often strongly interlinked.
• Failure of a single node in a single infrastructure can trigger an uncontrollable cascading failure of many other infrastructures.
How can we counter those threats?
Safeguard believes that:
• Large complex critical infrastructures are too complex to be protected solely by existing systems
• LCCIs need to be self-healing
• Agent technology is a very effective way to increase the survivability of LCCIs faced with:
  • Failure
  • Accidents
  • Attacks
Layered networks
There are three layers in most networks:
• Organisational Infrastructure: including people, e.g. management
• Cyber-Infrastructure: e.g. control systems
• Physical Infrastructure: e.g. hardware such as cables and switches
Each layer has a degree of dependency on the other layers (intra-dependency).
Interconnected LCCIs will have a degree of interdependency between similar layers in other LCCIs (inter-dependency).
The Safeguard approach
Protecting the physical layer is outside the scope of this project. It is important, but there are more appropriate ways of dealing with it than agent technology. However, the higher layers are increasingly the target of attacks, and we believe that infrastructure safeguards could be provided by a fourth layer containing a population of Safeguard agents interacting with layers 2 and 3.
The role of Safeguard agents
• Maintain critical services under all conditions
• The Safeguard agents have a hierarchy of roles:
  • Level 1 – identify component failure or an attack in progress
  • Level 2 – self-healing to replace functions of the failed component
  • Level 3 – if self-healing fails, isolate problem components and suggest a reconfiguration strategy
• Safeguard needs to be able to recognise dynamically changing:
  • Normal behaviour
  • Abnormal but acceptable behaviour
  • Abnormal and unacceptable behaviour
The Safeguard architecture
(Diagram of the home LCCI showing: IDS wrapper, Diagnosis wrapper, Hybrid detector agent, Correlation agents, Action agents, Actuator, Topology agent, Negotiation agent, MMI, and links to other LCCIs.)
The Safeguard architecture: Wrapper agents
Interface with other applications on the LCCI, e.g. IDS, diagnostic software. Can be classified into categories such as:
• WA for Alert Databases, which either get information on request from other agents or provide a constant (filtered) flow of information.
• WA for Information Gathering, which gather information about the current status of the system.
The Safeguard architecture: Hybrid detector agents
Detect previous signatures and new anomalies. Each hybrid detector agent can have a signature-based component used for alert classification based on earlier knowledge and an anomaly-detecting component that specialises in detecting deviations from normality.
Hybrid detectors
• N-gram and invariant hybrid detector
  • processes data readings using the n-gram technique
  • uses a Bayesian network to combine this with invariant rules automatically detected in the data
• Event course hybrid detector
  • deployed in the electricity network to monitor deviations from normal event sequences within the control system
  • case-based reasoning techniques used to model normal event sequences
• Neural network hybrid detector
  • inside the Remote Terminal Units in electricity networks to detect when their data patterns deviate from normal behaviour
  • could be used to identify anomalous patterns in the IP traffic in a telecom management network
• Clustering detector
  • filters and analyses data captured by TCPdump in IP networks
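As an added illustration (not code from the Safeguard project), the following Python sketch shows how a hybrid detector of the kind listed above can pair a signature component with an n-gram model of normal control-system event sequences. The event names, the normal sequences and the signatures are constructed, and the three-way verdict scheme is an assumption of the example.

```python
# Constructed sample of normal control-system event sequences (not project data).
NORMAL_SEQUENCES = [
    ["login", "read_status", "read_status", "set_point", "ack", "logout"],
    ["login", "read_status", "set_point", "ack", "read_status", "logout"],
    ["login", "read_status", "read_status", "read_status", "logout"],
    ["login", "set_point", "ack", "set_point", "ack", "logout"],
]

# Signature component: constructed event patterns that are out of policy for
# this hypothetical control system (a set_point must be followed by an ack).
SIGNATURES = {
    "firmware_write": ("firmware_write",),
    "set_point_without_ack": ("set_point", "set_point"),
}


def ngrams(seq, n):
    """All consecutive windows of length n over an event sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class HybridDetector:
    def __init__(self, normal_sequences, n=2, threshold=0.3):
        self.n = n
        self.threshold = threshold  # fraction of unseen n-grams tolerated
        # Anomaly component: "normal" is the set of n-grams seen in good data.
        self.known = {g for s in normal_sequences for g in ngrams(s, n)}

    def signature_match(self, seq):
        """Names of known-bad patterns that occur anywhere in seq."""
        present = {g for p in SIGNATURES.values() for g in ngrams(seq, len(p))}
        return [name for name, pat in SIGNATURES.items() if pat in present]

    def anomaly_score(self, seq):
        """Fraction of the sequence's n-grams never seen in normal data."""
        grams = ngrams(seq, self.n)
        return sum(g not in self.known for g in grams) / len(grams) if grams else 0.0

    def classify(self, seq):
        """Return (verdict, signature hits, anomaly score). The three-way scheme
        is an assumption of this example, not the project's own classification."""
        hits = self.signature_match(seq)
        score = self.anomaly_score(seq)
        if hits:  # earlier knowledge wins: classified, unacceptable
            return "abnormal and unacceptable", hits, score
        if score > self.threshold:  # new anomaly: escalate to correlation agent
            return "abnormal (unknown anomaly, escalate)", hits, score
        return "normal", hits, score
```

In the Safeguard design the escalated anomalies would be passed up to a correlation agent, which combines them with other detectors' output before raising an alarm.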
The Safeguard architecture: Correlation agents
Hierarchical. Analyse inputs from lower level agents to detect problems. This evaluation will result in an alarm message being sent either to another Correlation Agent or directly to an Action Agent and the MMI.
The Safeguard architecture: Topology agent
Knows where to find topology and configuration data about the LCCI. Compiles information about the controlled network, including network components, the connections between them, the importance of each component and the services running on each machine. Its information is provided to other agents, such as the correlation agent and the negotiation agent.
The Safeguard architecture: Action agent
Receives problem diagnosis from the Correlation Agent and decides on action to be taken by the Actuator Agent. The electricity Action Agent is based on defence trees. The telecom Action Agent uses a combination of perimeter defence, internal router and switch reconfiguration and host-based countermeasures.
The Safeguard architecture: Actuator agents
Interface with other components of the LCCI to actuate changes. Execute commands from the Action Agents and feed back confirmation of the action. This may include a certain level of abstraction: for example, an actuator attached to a firewall could receive generic commands such as ‘block incoming connections from network A’ and apply the appropriate commands on the firewall, no matter what software it is running.
The Safeguard architecture: Negotiation agent
Interfaces with other LCCIs. Agrees service levels, discusses problems. Establishes the relationship between the home LCCI and other LCCIs. When other LCCIs fail, interacts with the Correlation Agent to make sure that any analysis of problems in the home LCCI takes this into account. Ensures that failure (and restoration) of the home LCCI is communicated to other LCCIs.
The Safeguard architecture: MMI agent
Filters information and communicates with the human administrator. Ensures that all information is transferred and correctly filtered to avoid information overload. In the case of alarms, it proposes possible solutions if the Action Agents are incapable of resolving the situation. Also supports the administrator when complicated configuration or attack counter-actions have to be undertaken.
A reminder of the Safeguard architecture
(The architecture diagram, repeated.)
Safeguard and the European Union’s IST programme
The Information Society Technologies programme
• Aims to ‘realise the benefits of the information society for Europe both by accelerating its emergence and by ensuring that the needs of individuals and enterprises are met’
• The phase of the workplan that Safeguard is in runs from 1998 – 2004 and has a budget of €3600M
The partners in the project
• Queen Mary, University of London
  • Is managing the project.
  • Is one of the four large Colleges of the University of London.
  • Has expertise in
    • complex telecoms systems
    • agent technology
• Aplicaciones en Informática Avanzada
  • Is one of the few Spanish companies dedicated to consulting on and engineering of software and Information Systems
  • Are experts in electricity network management systems
• Ente per le Nuove tecnologie, l’Energia e l’Ambiente
  • The Italian National Agency for New Technology, Energy and the Environment.
  • Has been involved in work on agent organisation for LCCIs and emergency management domains for many years.
• Linköping University
  • The Laboratory of Real-time Systems is a leading department for computer science research and education in Sweden
  • Are experts in modelling and simulation
• Swisscom
  • Switzerland's leading telecommunications provider
  • Are experts on security of telecom systems
The partners in the project, plus a panel of senior government and industry advisors from Europe and the USA.
Contact
• Project manager: wes.carter@elec.qmul.ac.uk
• Visit the Safeguard web site: www.ist-safeguard.org