Comifin cluster meeting

Published in: Technology, Education


  1. Collaborative Security for Protection of Financial Critical Infrastructures. Roberto Baldoni, CoMiFin, baldoni@dis.uniroma1.it
  2. Financial Critical Infrastructures
     • Financial critical infrastructures are more exposed to a variety of coordinated and massive cyber attacks
       – Attacks against financial services that supported WikiLeaks (2010)
       – Payment card fraud (2008): coordinated attackers retrieved 9 million US dollars
     • Risks for financial institutions (FIs)
       – Cost of downtime of an e-service is around 6 million dollars per day
       – Damage to reputation
       – Loss of personal information about customers
     Amsterdam, July 5th 2011, Roberto Baldoni
  3. CoMiFin Essentials
     Diagram: Organization 1 ... Organization M each sign a contract with the Collaborative Processing System; agreed information flows from each organization over the Internet to the system, which returns warnings to the organizations.
  4. CoMiFin Essentials: sense-and-response applications
     ■ Monitoring
     ■ Continuous Control
     ■ Command and Control
     ■ Mashup Services
     ■ Business intelligence
  5. CoMiFin Essentials: the notion of Semantic Room
     ■ Contract
       ■ set of processing and data sharing services provided by the SR along with the data protection, privacy, isolation, trust, security, dependability and performance requirements
       ■ the contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR
     ■ Objective
       ■ each SR has one strategic objective to meet (e.g., large-scale stealthy scan detection, detecting Man-in-the-Middle attacks)
     ■ Deployment
       ■ highly flexible to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality)
  6. CoMiFin Essentials: deploying a Semantic Room
     ■ Private cloud
       ■ Deployment of the semantic room through the federation of computing and storage capabilities at each member
       ■ Each member brings a private cloud to federate
     ■ Public cloud
       ■ Deployment of the semantic room on a third-party cloud provider
       ■ The third party owns all computing and storage capabilities
     ■ Hybrid approach
     Diagram: three layers, Application Level, Collaboration Level and Internet Level.
  7. CoMiFin Essentials: Business Vision
     • The CoMiFin platform can potentially be useful for addressing the following business use cases
       – Monitoring and reaction to cyber threats. We have semantic room deployments for: Man-in-the-Browser (privacy preserving), Man-in-the-Middle, botnet detection, stealthy inter-domain port scan
       – Monitoring and reaction to frauds. We have semantic room deployments for: Counterfeit Euros, Tampered ATM, Unauthorized POS
       – Anti money laundering monitoring (Sapienza – Italian Intelligence)
       – Interconnection of semantic rooms. We have a deployment in which the output of the stealthy inter-domain port scan semantic room feeds the Man-in-the-Middle semantic room to increase detection accuracy
     • Four FAB meeting evaluation sessions (UBS, INTESA SAN PAOLO, SWIFT, ABI) have highlighted its possible business value in real financial use cases
  8. CoMiFin: Major Achievements
     • CoMiFin Architecture & Portal (semantic room lifecycle)
     • Distributed Hadoop-based platform for complex event processing: AGILIS
     • Esper-based semantic room platform for massive processing of events incoming from trustworthy partners
     • Development of
       – 4 semantic rooms detecting cyber attacks
       – 1 semantic room for fraud detection
       – 1 interconnection of semantic rooms
     • Awards
       – EPTS (Event Processing Technical Society) Innovation Award 2011
       – IBM Faculty Award 2011 for research in distributed massive event processing
       – TR35 Innovation Award 2011 (Giorgia Lodi)
  9. CoMiFin: Major Achievements (i) - AGILIS
     • Distributed Hadoop-based platform for complex event processing: AGILIS
  10. CoMiFin, Semantic Room I: preventing inter-domain stealthy scans
      An attacker performs port scanning simultaneously at multiple sites, trying to identify TCP/UDP ports that have been left open. Those ports can then be used as attack vectors.
      • Added value of collaboration:
        – Ability to identify an attacker trying to conceal his/her activity by accessing only a small number of ports within each individual domain
      • Action taken:
        – blacklist IP addresses
        – update historical records
  11. CoMiFin, Semantic Room I: preventing inter-domain stealthy scans (figure)
  12. CoMiFin, Semantic Room I: preventing inter-domain stealthy scans (figure)
  13. CoMiFin: Major Achievements – MEF Semantic Room for fraud detection and correlation
      • Find out possible (spatial/temporal) correlation patterns among single isolated applications
        – They do not exchange information with each other
        – Data are apparently uncorrelated
        – Sipaf: credit card frauds
        – Sirfe: counterfeit banknotes
      • From the two applications we extracted three main data flows concerning
        – Counterfeit Euros (from Sirfe)
        – Tampered ATM (from Sipaf)
        – Unauthorized POS (from Sipaf)
      • We did not consider unauthorized credit card transactions due to the unavailability of important data such as the Italian location
  14. MEF Semantic Room data processing
      • We have identified the following possible correlations
        – Mainly based on geo-localization over the whole of Italy
      • GeoAggregation
        – Identifies "hot areas", i.e., areas (approximately 1 km x 1 km) characterized by a high number of crime episodes of the three previously mentioned types
        – Data from Sirfe and Sipaf are correlated based on the location
        – Scores are assigned to the three data flow types and a threshold mechanism is used to identify red (high concentration), yellow (medium concentration) and green (low concentration) areas
      • Crime Entropy
        – Identifies areas characterized by a high number of different crime episodes
        – Data from Sirfe and Sipaf are correlated based on the location
        – White areas correspond to high entropy and hence a high number of different episode types
  15. MEF Semantic Room: data processing architecture
      Diagram: three adapters (Counterfeit euros, Tampered ATM, Unauthorized POS) feed their data over I/O sockets to SR gateways inside the Semantic Room; an Esper CEP Engine, acting as Main Engine, runs the EPL queries and emits alerts to alert subscribers; a Services Cloud is shown with <<invoke>> and <<use>> relations to the engine and the subscribers.
  16. MEF Semantic Room: Counterfeit Banknotes (figure)
  17. Semantic Room: Counterfeit Banknotes - speculations (chart: day vs. multiplicity, serial V55605030341)
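Slide 10 explains why a scan that touches only a few ports in each member's domain becomes visible once the members' observations are pooled in the semantic room. The following Python is an added illustration of that aggregation, not code from the CoMiFin project; the event format, domain names, thresholds and sample values are all assumptions.

```python
from collections import defaultdict

# Constructed sample events reported by member organizations (domains) to the
# semantic room: (domain, source IP, destination port) for probes that hit
# ports the member does not expose. All values are made up.
EVENTS = [
    ("domain-A", "203.0.113.7", 22),
    ("domain-A", "203.0.113.7", 445),
    ("domain-B", "203.0.113.7", 3389),
    ("domain-B", "203.0.113.7", 1433),
    ("domain-C", "203.0.113.7", 8080),
    ("domain-C", "203.0.113.7", 23),
    ("domain-A", "198.51.100.9", 80),
    ("domain-A", "198.51.100.9", 443),
]

# Assumed thresholds: the slide gives none.
PER_DOMAIN_THRESHOLD = 5     # distinct ports before one member alerts alone
COLLABORATIVE_THRESHOLD = 5  # distinct ports counted across all members

def local_detections(events, threshold=PER_DOMAIN_THRESHOLD):
    """What each member sees on its own: distinct ports per (domain, IP)."""
    ports = defaultdict(set)
    for domain, ip, port in events:
        ports[(domain, ip)].add(port)
    return {key for key, seen in ports.items() if len(seen) >= threshold}

def collaborative_detections(events, threshold=COLLABORATIVE_THRESHOLD):
    """Semantic-room view: pool ports per IP and require more than one domain."""
    ports, domains = defaultdict(set), defaultdict(set)
    for domain, ip, port in events:
        ports[ip].add(port)
        domains[ip].add(domain)
    return {
        ip: {"ports": sorted(ports[ip]), "domains": sorted(domains[ip])}
        for ip in ports
        if len(ports[ip]) >= threshold and len(domains[ip]) > 1
    }

def actions(detections):
    """The two actions the slide lists: blacklist and historical record."""
    blacklist = sorted(detections)
    history = {ip: d["domains"] for ip, d in detections.items()}
    return blacklist, history
```

With the constructed events no single domain reaches its threshold, while the pooled view flags 203.0.113.7 across three domains.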
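Slides 13 and 14 describe the GeoAggregation and Crime Entropy correlations over the three fraud flows. The Python below is an added example, not MEF or CoMiFin code: it bins constructed episodes into roughly 1 km cells, scores them with assumed per-flow weights and red/yellow/green thresholds, and computes the per-cell Shannon entropy; the coordinates, weights, thresholds and cell size are all made up.

```python
import math
from collections import Counter, defaultdict

# Constructed sample episodes (latitude, longitude, flow type). These are made
# up, not Sirfe/Sipaf data; the three flow types are the ones the slide names.
EPISODES = [
    (41.9020, 12.4960, "counterfeit_euro"),
    (41.9025, 12.4970, "counterfeit_euro"),
    (41.9030, 12.4950, "tampered_atm"),
    (41.9028, 12.4965, "unauthorized_pos"),
    (41.9027, 12.4955, "tampered_atm"),
    (45.4640, 9.1900, "counterfeit_euro"),
    (45.4645, 9.1910, "counterfeit_euro"),
    (45.4642, 9.1905, "counterfeit_euro"),
    (40.8520, 14.2685, "unauthorized_pos"),
]

# Assumed per-flow scores and thresholds; the slide states neither.
SCORES = {"counterfeit_euro": 1.0, "tampered_atm": 2.0, "unauthorized_pos": 1.5}
RED, YELLOW = 6.0, 3.0

def cell_of(lat, lon):
    """Bin a point into a grid cell of roughly 1 km x 1 km at Italian latitudes
    (0.009 deg of latitude and 0.012 deg of longitude are about 1 km)."""
    return (math.floor(lat / 0.009), math.floor(lon / 0.012))

def geo_aggregate(episodes):
    """GeoAggregation: total score per cell, classified red/yellow/green."""
    totals = defaultdict(float)
    for lat, lon, kind in episodes:
        totals[cell_of(lat, lon)] += SCORES[kind]
    def level(score):
        return "red" if score >= RED else "yellow" if score >= YELLOW else "green"
    return {cell: (score, level(score)) for cell, score in totals.items()}

def crime_entropy(episodes):
    """Crime Entropy: Shannon entropy (bits) of the episode-type mix per cell."""
    mix = defaultdict(Counter)
    for lat, lon, kind in episodes:
        mix[cell_of(lat, lon)][kind] += 1
    result = {}
    for cell, counts in mix.items():
        n = sum(counts.values())
        result[cell] = -sum(k / n * math.log2(k / n) for k in counts.values())
    return result

def white_areas(episodes, min_bits=1.0):
    """Cells with high entropy, i.e. several different crime types co-occur."""
    return sorted(c for c, h in crime_entropy(episodes).items() if h >= min_bits)
```

The first cluster mixes all three flow types and so is both a red hot area and a white (high entropy) area; the second has a high count of a single type and is yellow with zero entropy.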