The Safeguard project: An architecture for Safeguarding large complex critical infrastructures

An overview of the project

Safeguard aims to enhance the dependability and survivability of Large Complex Critical Infrastructures (LCCIs). It will use electricity networks and telecommunications networks as practical examples of LCCIs. The aim is to produce a generic solution that can be adapted for other forms of LCCI. Started December 2001, ends May 2004.

Society and infrastructure

We rely heavily on many different types of infrastructure, and there is a massive degree of interdependence between them. In particular, information and control systems are often strongly interlinked. Failure of a single node in a single infrastructure can trigger an uncontrollable cascading failure of many other infrastructures.

How can we counter those threats?

Safeguard believes that:
- Large complex critical infrastructures are too complex to be protected solely by existing systems
- LCCIs need to be self-healing
- Agent technology is a very effective way to increase the survivability of LCCIs faced with failure, accidents and attacks

Layered networks

LCCIs can generally be described by three layers, made up of:
- Physical infrastructure (hardware components, e.g. cables and switches)
- Cyber-infrastructure (software components, e.g. management and control systems)
- Organisational infrastructure (human operators)

Each layer has a degree of dependency on the other layers (intra-dependency), although there is also a degree of independence. For instance, the telecommunications network could continue in operation for a while without any organisational layer. In a similar way, interconnected LCCIs will have a degree of interdependency between similar layers in other LCCIs (inter-dependency). Particularly at the cyber layer, this dependency is increasing as the need to exchange information between different LCCIs grows.

The Safeguard approach: agents

This slide represents a set of interconnected nodes in an LCCI or, indeed, a set of interconnected LCCIs. Note that there is a complex mesh between the different layers in different nodes. The three layers we have looked at have to be protected if we are going to keep our LCCIs alive.

We have taken the decision that protecting the physical layer is outside the scope of this project. It is important, but there are more appropriate ways of dealing with it than agent technology. However, the higher layers are an increasing area of attacks, and we believe that infrastructure safeguards could be provided by a fourth layer containing a population of Safeguard agents interacting with layers 2 and 3. The circles in the diagram represent the Safeguard agents, which manage the survivability of the whole infrastructure.

One of the aims of the project is to investigate autonomous agent architectures that can manage the survivability of the infrastructure through localised communication, without appealing to a global co-ordinator or to excessive inter-node communication.

The role of Safeguard agents

Maintain critical services under all conditions. The Safeguard agents have a hierarchy of roles:
- Level 1: identify component failure or an attack in progress
- Level 2: self-healing to replace functions of the failed component
- Level 3: if self-healing fails, isolate problem components and suggest a reconfiguration strategy

Safeguard needs to be able to recognise dynamically changing:
- Normal behaviour
- Abnormal but acceptable behaviour
- Abnormal and unacceptable behaviour

The Safeguard architecture

[Diagram: the Home LCCI containing an IDS wrapper, a Diagnosis wrapper, a Hybrid detector agent, an Actuator, a Topology agent, a Correlation agent, an Action agent, a Negotiation agent and the MMI, connected to Other LCCIs]

The Safeguard architecture: wrapper agents

Wrapper agents interface with other applications on the LCCI, e.g. IDS, diagnostic software. They can be classified into categories such as:
- WA for Alert Databases, which either get information on request from other agents or provide a constant (filtered) flow of information.
- WA for Information Gathering, which gather information about the current status of the system.

The wrapper agents will interface with other applications running on the LCCI such as intrusion detection system (IDS), firewall, virus checker and diagnostic software. Their task will be to pass information from these applications to the correlation agents and receive feedback from the action agents, in the form of data and policy updates. They may include limited intelligence to avoid sending too much data to correlation agents.

The Safeguard architecture: hybrid detector agents

Hybrid detector agents detect previous signatures and new anomalies. There are two main components in a Safeguard hybrid agent: an anomaly-detecting component that specialises in defining normality and in detecting deviations from normality, and a signature-based component used for alert classification based on earlier knowledge. The latter is diagnostic in nature as it often attempts to pinpoint a cause. The former is for completeness, enabling us to detect new patterns of anomaly, while the latter is to improve speed and accuracy. Information from the hybrid detector agents is passed on to correlation agents for analysis and action.

Hybrid detectors

- N-Gram and invariant hybrid detector: processes data readings using the n-gram technique and uses a Bayesian network to combine this with invariant rules automatically detected in the data.
- Event course hybrid detector: deployed in the electricity network to monitor deviations from normal event sequences within the control system; case-based reasoning techniques are used to model normal event sequences.
- Neural network hybrid detector: runs inside the Remote Terminal Units in electricity networks to detect when their data patterns deviate from normal behaviour; could also be used to identify anomalous patterns in the IP traffic of a telecom management network.
- Clustering detector: filters and analyses data captured by TCPdump in IP networks.
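The two-component hybrid detector described on the previous slides, reduced to its skeleton, as an added illustration that is not the project's code: an anomaly component that learns the set of n-grams seen in normal event sequences and scores a new trace by the fraction of n-grams it has never seen, and a signature component that classifies a trace by matching known patterns. The Bayesian-network combination with invariant rules is not reproduced. The training traces, the signature base, the n-gram length N=3 and the threshold 0.3 are all constructed for the example; the learn_signature method stands in for the feedback loop in which a correlation agent tells the detectors to learn a newly diagnosed pattern.

```python
"""Hybrid detector: an n-gram anomaly component plus a signature component."""
from typing import Dict, List, Optional, Sequence, Tuple

N = 3            # n-gram length (assumed; the slides do not state one)
THRESHOLD = 0.3  # fraction of unseen n-grams above which a trace is anomalous (assumed)

# Constructed training data: event sequences seen during normal operation of a
# control system (command names exchanged between a master station and an RTU).
NORMAL_TRACES: List[List[str]] = [
    ["poll", "read_status", "ack", "poll", "read_status", "ack", "poll", "read_measure", "ack"],
    ["poll", "read_measure", "ack", "poll", "read_status", "ack", "set_point", "ack", "poll"],
    ["login", "poll", "read_status", "ack", "poll", "read_measure", "ack", "logout"],
]

# Constructed signature base: ordered sub-sequences already known to correspond
# to a particular problem, keyed by a diagnostic label (placeholder names).
KNOWN_SIGNATURES: Dict[str, List[str]] = {
    "repeated-failed-login": ["login_fail", "login_fail", "login_fail"],
}


def ngrams(seq: Sequence[str], n: int = N) -> List[Tuple[str, ...]]:
    """All overlapping n-grams of an event sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class HybridDetector:
    def __init__(self, normal_traces, signatures, threshold: float = THRESHOLD):
        # Anomaly component: the set of n-grams that defines "normality".
        self.normal: set = set()
        for trace in normal_traces:
            self.normal.update(ngrams(trace))
        # Signature component: label -> pattern.
        self.signatures: Dict[str, List[str]] = dict(signatures)
        self.threshold = threshold

    def anomaly_score(self, seq: Sequence[str]) -> float:
        """Fraction of the trace's n-grams never seen in normal operation."""
        grams = ngrams(seq)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.normal)
        return unseen / len(grams)

    def match_signature(self, seq: Sequence[str]) -> Optional[str]:
        """Label of the first known pattern found inside the trace, if any."""
        for label, pattern in self.signatures.items():
            k = len(pattern)
            for i in range(len(seq) - k + 1):
                if list(seq[i:i + k]) == pattern:
                    return label
        return None

    def learn_signature(self, label: str, pattern: Sequence[str]) -> None:
        """Feedback from a correlation agent: a diagnosed anomaly becomes a signature."""
        self.signatures[label] = list(pattern)

    def analyse(self, seq: Sequence[str]) -> dict:
        score = self.anomaly_score(seq)
        label = self.match_signature(seq)
        if label is not None:
            verdict = "known"      # classified by the signature component
        elif score > self.threshold:
            verdict = "anomaly"    # new deviation, to be passed to a correlation agent
        else:
            verdict = "normal"
        return {"verdict": verdict, "score": round(score, 3), "signature": label}


if __name__ == "__main__":
    det = HybridDetector(NORMAL_TRACES, KNOWN_SIGNATURES)
    print(det.analyse(["poll", "read_status", "ack", "poll", "read_measure", "ack"]))
    print(det.analyse(["poll", "trip", "trip", "trip", "ack"]))
```

The score is deliberately crude (a set membership test, no frequencies), which is what makes the division of labour visible: the signature component answers "what is it?" quickly for patterns already diagnosed, while the anomaly component catches sequences nothing has a name for yet. A trace that is anomalous today and gets diagnosed by correlation becomes a signature tomorrow, which is the learning loop the correlation-agent slide describes.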

The Safeguard architecture: correlation agents

Correlation agents are hierarchical and analyse inputs from lower-level agents to detect problems. These agents will operate across wide areas of the system, eventually in a hierarchical framework. Their main tasks will be to:
- Process information coming from the lower-level agents, such as wrappers or hybrid detectors, but also other correlation agents
- Request more information to evaluate the state of the system
- Detect possible problems
- Pass this evaluation on to action agents, who will carry out an appropriate response

This evaluation can be carried out using case-based reasoning, neural networks or a similar technique, and the system will learn from past experience and the operators. In addition to their coordination functions, the correlation agents will look for connections in the information that they receive and use this to update applications on the system. For example, by correlating information about an anomalous process with a positive result from the virus checker, the correlation agent could explicitly identify the anomalous process as a virus and then instruct the hybrid detector agents to learn its anomaly pattern, so that they can recognise it (and its variants) more quickly in the future. This will be especially useful for new attacks or problems. The evaluation results in an alarm message being sent either to another correlation agent or directly to an action agent and the MMI.
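The correlation step the slide uses as its example (an anomalous-process alert from a hybrid detector matched against a positive result from the virus-checker wrapper on the same host) written out as an added example; it is not the project's implementation, which the slides say may use case-based reasoning or neural networks. The alert kinds, the host and process names and the 300-second correlation window are constructed for the example. The agent returns an alarm for the action agent and the MMI, flags an unexplained anomaly as needing more information, and records the feedback it would send to the hybrid detectors.

```python
"""Correlation agent: combine alerts from several lower-level agents per host."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WINDOW_SECONDS = 300.0  # assumed correlation window; not stated on the slides


@dataclass
class Alert:
    source: str   # agent that raised it, e.g. "hybrid-detector", "virus-checker-wrapper"
    host: str
    kind: str     # "anomalous_process" | "virus_positive" | ...
    detail: str   # e.g. the process name both sources refer to
    ts: float     # seconds


@dataclass
class Alarm:
    host: str
    diagnosis: str
    evidence: List[Alert] = field(default_factory=list)
    needs_more_info: bool = False   # request more data from lower-level agents


class CorrelationAgent:
    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.recent: List[Alert] = []
        # (label, pattern) pairs the agent would push to hybrid detectors to learn.
        self.feedback: List[Tuple[str, str]] = []

    def receive(self, alert: Alert) -> Optional[Alarm]:
        """Ingest one alert, expire old ones, then evaluate the host it concerns."""
        self.recent = [a for a in self.recent if alert.ts - a.ts <= self.window]
        self.recent.append(alert)
        return self._evaluate(alert.host)

    def _evaluate(self, host: str) -> Optional[Alarm]:
        evidence = [a for a in self.recent if a.host == host]
        anomalies = [a for a in evidence if a.kind == "anomalous_process"]
        positives = [a for a in evidence if a.kind == "virus_positive"]
        # The case from the slide: anomalous process + virus checker positive for the
        # same process -> diagnose it as a virus and teach the detectors its pattern.
        for anom in anomalies:
            for pos in positives:
                if anom.detail == pos.detail:
                    self.feedback.append(("virus:" + pos.detail, anom.detail))
                    return Alarm(host, "virus:" + pos.detail, evidence)
        if anomalies:
            # Unexplained anomaly: raise it, but ask for more information first.
            return Alarm(host, "unclassified-anomaly", evidence, needs_more_info=True)
        if positives:
            # A virus checker result alone is already diagnostic; pass it on as is.
            return Alarm(host, "virus:" + positives[-1].detail, evidence)
        return None


if __name__ == "__main__":
    agent = CorrelationAgent()
    print(agent.receive(Alert("hybrid-detector", "scada-hmi-1", "anomalous_process", "updater.exe", 100.0)))
    print(agent.receive(Alert("virus-checker-wrapper", "scada-hmi-1", "virus_positive", "updater.exe", 160.0)))
```

The window matters in practice: without it, a stale virus-checker hit would keep "confirming" every later anomaly on the same host, and the detectors would be taught patterns that have nothing to do with each other.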

The Safeguard architecture: topology agent

The topology agent knows where to find topology and configuration data about the LCCI. It compiles information about the controlled network, including network components, the connections between them, the importance of each component and the services running on each machine. Its information is provided to other agents, such as the correlation agent and the negotiation agent.

The topology agent will have knowledge of the system and will be able to quickly answer any questions asked by the correlation, action or MMI agent. Information about the network will be provided by low-level agents, such as a wrapper agent interfacing with diagnosis software. The topology agent may also have to gather information from humans, such as the people responsible for certain systems. This knowledge should include the components, covering their (inter)connections, importance, the services they are running and the people responsible for them or who can answer questions about them.

The Safeguard architecture: action agents

The action agent receives a problem diagnosis from the correlation agent and decides on the action to be taken by the actuator agent. To respond effectively to anomalies these agents will have to access detailed knowledge about the most critical areas of the system, through the topology agent, and then will decide upon the best way to restore it to its normal state. Some of their responses could be learnt by example from the human operators. Effective actions on the system will be taken through actuators, which will interface between the Safeguard agents and the real system. Typical actions could include killing a process that started up without instrumentation or reconfiguring a firewall to block incoming connections from a given network range. The electricity action agent is based on defence trees. The telecom action agent uses a combination of perimeter defence, internal router and switch reconfiguration and host-based countermeasures.

The Safeguard architecture: actuator agents

Actuator agents interface with other components of the LCCI to actuate changes. They execute commands from the action agents and feed back confirmation of the action. This may include a certain level of abstraction: for example, an actuator attached to a firewall could receive generic commands such as 'block incoming connections from network A' and apply appropriate commands on the firewall, no matter what software it is running.

Actuator agents will, like wrapper agents, interface with the components of the cyber part of the LCCI. Instead of passing information from the system to the Safeguard agents, they will have to actuate changes on the system. These changes will be commanded by the action agents for the purpose of the safety of the LCCI. A typical action would be to close a given port on a firewall.
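The firewall abstraction described above ('block incoming connections from network A', rendered into whatever the firewall actually speaks, with a confirmation sent back) as an added example, not the project's actuator. It assumes three backends (iptables, nftables and pf rule syntax), a generic command vocabulary of one verb, and a safety limit of /8 that is an assumption of the example rather than something the slides state. The apply hook is where a deployment would push the rules to the device; the default only records them so that the example runs offline.

```python
"""Actuator agent for a firewall: generic command -> backend-specific rules."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MIN_PREFIX_LEN = 8  # assumed safety limit: refuse to block anything broader than a /8


@dataclass
class Command:
    action: str    # generic verb from the action agent, e.g. "block_incoming"
    network: str   # CIDR, e.g. "203.0.113.0/24"


@dataclass
class Confirmation:
    ok: bool
    backend: str
    rules: List[str] = field(default_factory=list)
    reason: str = ""


# Translations of the generic "block incoming connections from network" command.
def _iptables(net) -> List[str]:
    tool = "ip6tables" if net.version == 6 else "iptables"
    return [f"{tool} -I INPUT -s {net} -j DROP"]


def _nftables(net) -> List[str]:
    family = "ip6" if net.version == 6 else "ip"
    return [f"nft add rule inet filter input {family} saddr {net} drop"]


def _pf(net) -> List[str]:
    return [f"block in quick from {net} to any"]


BACKENDS: Dict[str, Callable] = {"iptables": _iptables, "nftables": _nftables, "pf": _pf}


class FirewallActuator:
    def __init__(self, backend: str, apply: Optional[Callable[[List[str]], bool]] = None):
        self.backend = backend
        self.render = BACKENDS[backend]
        # In a deployment `apply` would run the rules on the firewall host and
        # report success; the default just accepts them so the example runs offline.
        self.apply = apply or (lambda rules: True)
        self.applied: List[str] = []

    def execute(self, cmd: Command) -> Confirmation:
        """Validate the generic command, render it for this backend, apply, confirm."""
        if cmd.action != "block_incoming":
            return Confirmation(False, self.backend, reason=f"unsupported action {cmd.action!r}")
        try:
            net = ipaddress.ip_network(cmd.network, strict=True)
        except ValueError as exc:
            return Confirmation(False, self.backend, reason=f"invalid network: {exc}")
        if net.prefixlen < MIN_PREFIX_LEN:
            # Guard against a badly formed decision isolating the whole LCCI.
            return Confirmation(False, self.backend, reason="range too broad, refusing")
        rules = self.render(net)
        if not self.apply(rules):
            return Confirmation(False, self.backend, rules, reason="firewall rejected rules")
        self.applied.extend(rules)
        return Confirmation(True, self.backend, rules)


if __name__ == "__main__":
    actuator = FirewallActuator("iptables")
    print(actuator.execute(Command("block_incoming", "203.0.113.0/24")))
    print(actuator.execute(Command("block_incoming", "0.0.0.0/0")))
```

The validation in execute is the part worth copying: an actuator that blindly renders whatever range it is handed turns a single bad diagnosis upstream into a self-inflicted outage, so the actuator itself refuses malformed and over-broad ranges and reports why, which is exactly the feedback the action agent and the MMI need.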

The Safeguard architecture: negotiation agent

The negotiation agent interfaces with other LCCIs: it agrees service levels and discusses problems. It establishes the relationship between the home LCCI and other LCCIs. When other LCCIs fail, it interacts with the correlation agent to make sure that any analysis of problems in the home LCCI takes this into account, and it ensures that failure (and restoration) of the home LCCI is communicated to other LCCIs.

Negotiation agents will come into play when the Safeguard system needs to interact with agents in other autonomous systems or even other large complex critical infrastructures. Their tasks will include rerouting and requesting services and sharing information about failures and attacks. If the telecommunications network experiences a major failure, the negotiation agent could arrange for calls to be switched through to the most suitable network at an appropriate price.

The Safeguard architecture: MMI agent

The MMI agent filters information and communicates with the human administrator. It is a high-level agent whose major role is to ensure that all information is transferred and correctly filtered in order to avoid information overload, thus supplying humans with a global picture at arbitrary granularity. In the case of true alarms the human will be able to take over if the action agents are incapable of resolving the situation, and the MMI agent proposes possible solutions. The MMI agent also supports the administrator when complicated configuration or attack counter-actions have to be undertaken, and it has the duty to feed back human knowledge into the Safeguard system by notifying the various agents of decisions made by human operators.

A reminder of the Safeguard architecture

[Diagram: the full architecture again, showing the Home LCCI with IDS wrapper, Diagnosis wrapper, Hybrid detector agent, Actuator, Correlation agents, Action agents, Negotiation agent, Topology agent and MMI, connected to Other LCCIs]

Safeguard and the European Union's IST programme

The Information Society Technologies programme aims to 'realise the benefits of the information society for Europe both by accelerating its emergence and by ensuring that the needs of individuals and enterprises are met'. The phase of the workplan that Safeguard is in runs from 1998 to 2004 and has a budget of €3600M.

The partners in the project

Queen Mary, University of London: is managing the project; is one of the four large Colleges of the University of London; has expertise in complex telecoms systems and agent technology.

Aplicaciones en Informática Avanzada: one of the few Spanish companies dedicated to consulting on and engineering of software and information systems; experts in electricity network management systems.

Ente per le Nuove tecnologie, l'Energia e l'Ambiente (the Italian National Agency for New Technology, Energy and the Environment): has been involved in work on agent organisation for LCCIs and emergency management domains for many years.

Linköping University: the Laboratory of Real-time Systems is a leading department for computer science research and education in Sweden; experts in modelling and simulation.

Swisscom: Switzerland's leading telecommunications provider; experts on security of telecom systems.

Plus a panel of senior government and industry advisors from Europe and the USA.

Contact

Project manager: wes.carter@elec.qmul.ac.uk
Visit the Safeguard web site: www.ist-safeguard.org