Security at Runtime  – augmenting traditional security with AI-based anomaly detection

SUNRISE Critical Infrastructure Series

21st April 2023

Throughout its lifetime, SUNRISE will develop a suite of tools and solutions to improve the planning and management of critical infrastructures such as transport, energy, water, and healthcare. One of these tools is being developed by global IT solutions company and SUNRISE project partners XLAB (with contributions from Atos) and will focus on cyber-physical resilience. Modern society depends heavily on complex IT systems, particularly in times of crisis, such as pandemics, as recent times have shown in the case of Covid-19. For this reason, their resilience and security are paramount for the protection of both personal and company data, and ultimately for the continuity of business. With this in mind, cybersecurity can be defined as “information security that relates to the protection of computers, networks, programs and data against unauthorized access.” [1]

This novel approach is a part of the  security solution, deployed on the level of the project itself. The whole security solution is composed of three components: (i) a risk assessment engine and models for to pandemic-specific strategies and indicators, and cyber-physical threats, (ii) an AI-powered log anomaly detector scalable to pandemic-specific configurations of critical infrastructure (CI) systems, and (iii) an incident response and threat intelligence sharing service customised to correlate indicators of compromise and determine the impact on the resilience of CIs. Although the LOMOS component and this blog post relates specifically to the AI-powered log anomaly detector.

The majority of traditional log monitoring solutions are rule-based. With the advent of Natural Language Processing (NLP) approaches, there is a window of opportunity to exploit the complementarity of traditional and novel (NLP-based) approaches. Namely, the latter can model log streams thus capturing normal operations and raising an alert when a deviation from what it deems to be normal, is found.

We plan to put this novel and dynamic approach to good use on project SUNRISE. Our plan is to put it on the lower level and then couple it with the higher-level traditional tool – Wazuh. In this way, we can detect abnormal situations and potential security threats and then categorize them, making such warnings and alerts actionable and useful for the user.

This blog post will address our approach to runtime security in project SUNRISE. As a note, we are not developing this approach solely in SUNRISE, but also in other projects (i.e. PIACERE, ICOS, CYLCOMED, FISHY, etc). We want to expose the approach (and its different configurations) to different domains, different situations andwith different integrations which aim to yield a robust software capable of protecting diverse systems.

LOMOS (developed by XLAB) is a novel LOg MOnitoring System. It aims to identify patterns and anomalies in logs without any manual marking of data, manual intervention, or in other words: manual pre-processing of raw unstructured data. LOMOS achieves this by identifying log templates that match logs and breaking them down into structured log templates according to a tree structure. It observes the sequence of templates to learn what is normal behaviour and provides an anomaly score for normal logs.

Presentation of the LOMOS findings is via a dashboard – it displays the date of identified threats, their ranking, and calls for action. Therefore, LOMOS uses deep learning techniques to analyse system and application logs, providing insights on the status of monitored assets and then computes an anomaly score on sequences of log templates, applying Natural Language Processing (NLP) models allowing for more efficient and accurate log analysis. As with all Deep Learning techniques, there is a training period and a monitoring period.

The complementary component is an open-source security platform Wazuh (deployed by XLAB and configured with state-of-the-art threat intelligence by ATOS). Its agents are compatible with many platforms, Windows, Linux, Mac OS X and more niche ones AIX, Solaris, and HP-UX. It consists of Wazuh server and agents, where the agents are installed on machines, and a server that orchestrates them, collects their data and stores it in the Elasticsearch database. The presentation is made through a modified Kibana UI. Wazuh includes several modules, each with specific rules and thresholds for triggering alerts.

Pairing these approaches together yields a system, capable of analysing infrastructure and application logs. The lower lever, based on LOMOS, is responsible for the infrastructure logs and generates alerts about potential threats, warning, deviations – detected abnormalities. The higher level, based on Wazuh, is tasked with capturing the potential threats on the application level, while also incorporating messaging about threats from the lower (LOMOS) system. In this way, we are covering traditional bases (with Wazuh), while also extending coverage into dynamic, runtime information about the system (with LOMOS), providing more complete (and valuable) insights into the security status of the whole system [2].

Author(s): Joao Pita da Costa, Tomaž Martinčič, Dejan Štepec, Daniel Vladušič

This work was presented at the FastContinuum 2023 Workshop in Coimbra, Portugal (https://sites.google.com/view/fastcontinuum-2023/home , collocated with the International Conference on Performance Engineering 2023), and at the 4th International workshop on Information & Operational Technology security systems (https://drcn2023.upc.edu/IOSEC2023.html, collocated with the International Conference on the Design of Reliable Communication Networks 2023) in Vilanova, Spain.

References:

[1] Accenture (2023). What is Cybersecurity? Available at: https://www.accenture.com/ie-en/insights/cyber-security-index

[2] Matija Cankar, Nenad Petrović, Joao Pita Costa, Aleš Černivec, Jan Antič, Tomaž Martinčič and Dejan Štepec (2023) Security in DevSecOps: Applying Tools and Machine Learning to Verification and Monitoring Steps. Proceedings of the International Conference on Performance Engineering 2023, ACM.

Images: Unsplash