H2020 symbiote project

Size: px

Start display at page:

Download "H2020 symbiote project"

Alisha Osborne
5 years ago
Views:

1 Grant Agreement No H2020 symbiote project Security in federated IoT Environment Mikołaj Dobski, PSNC Euro-CASE 2017, Poznań

2 Agenda symbiote project overview Interoperability goals & software architecture Security layer(s) CDD & symbiote s AD Data streams mining Constraints Concept drift & its detectors 2

3 symbiote Overview Architecture: general overview Interoperability aspects Level 1-4 components Auth(n/z) approaches 3

4 A simple interoperable IoT app Universal light switch on your mobile phone switch on/off the lights wherever you go (at home, in the office, in public spaces ) but of course, only if you are allowed to do so 4

5 Platforms monetizing their resources Temperature sensor X at coordinates (, ) IoT Platform A IoT Platform B Room A Temperature service of room at building Z 5

6 High-level architecture 6

7 Interoperability Aspects Application Domain Cloud Domain Smart Space Domain Level 1: syntactic and semantic interoperability Level 2: organizational interoperability Level 3: dynamic smart spaces Smart Device Domain Level 4: roaming devices 7

8 SECURITY IN SYMBIOTE Challenges and solutions

to access resources exposed elsewhere Is registered in Platforms A & B

9 Main goal and approach Target goal: multi-domain access right composition Users registered in one or more platforms are authorized to access resources exposed elsewhere Is registered in Platforms A & B Can access to resources in Platform C User/App Platform A Platform B Platform C 9

10 Layers (0) AD Authorization Authentication Baseline 10

11 Layers (1) AD Authorization Authentication Baseline 11

12 Baseline security Secure coding Audits TLS 12

13 Layers (2) AD Authorization Authentication Baseline 13

14 Authentication layer X.509 JWT PKI 14

15 JSON Web Tokens Well-known structure used for storing user s attributes New claims added by symbiote Three kinds of tokens Authorization JWS: home, foreign, guest Home Token Acquisition JWS Client Authentication JWS 15

16 Auth(N) with challenge-response 16

17 Layers (3) AD Authorization Authentication Baseline 17

18 Authorization layer Resources protected through the Attribute- Based Access Control (ABAC) paradigm User s attributes stored in trusted data structures, i.e., JSON Web Tokens (JWT) Access Policies assigned to each resource User s attributes processable through a Mapping Function 18

19 Auth(Z) with ABAC policies 19

20 Attributes Mapping Type: HOME born : 1990 Platform B Type: FOREIGN isover18 : True Platform A 20

21 MDARC Platform A User : Alice Subscription : valid Access granted Platform B User: Bob Subscription : valid 21

22 Layers (4) AD Authorization Authentication Baseline 22

23 Anomaly Detection layer Netflix OSS Events Logging Statistics 23

24 Behavioral patterns Decision Tree Root Traffic Components Resources Identity Events User_1 Log_1 Search Core AAM Registry User_n API Session_1... AAMs Resource_1 External... RAP... Resource_n Session_n Log_n 24

25 Temporal patterns Search AAMs Data flow Platform 25

26 Identified AD threats Core Platform_1 Platform_2 26

27 Open questions Platform usage statistics (GDPR) What is an anomaly? Quality of AD service Decision tree building algorithm Anomaly confirmation algorithm 27

28 Provided software AD Authorization Authentication Baseline 28

29 Security components Authentication & Authorization Managers (PKI CAs) Issuing credentials (X.509 certs and JWTs) Authenticating platforms and users (by credentials validation) Managing credentials translation (Attributes mapping function) Security Handlers Reference Cryptography operations implementation Managing a key store with clients certificates Generating client s Auth(N) payloads Matching ABAC policies against received Auth(Z) payloads Anomaly Detection Module Continuously building APIs temporal and behavioral usage models to detect anomaly spikes 29

30 Thank you! Questions? H2020 symbiote github.com/symbiote-h2020

31 CONCEPT DRIFT & ANOMALY DETECTION Where humans and rules are not enough

32 AD pros and cons Gains Costs 32

33 HANDLING DATA AND DATA STREAMS A bit of theory

34 Data Data Mining Data Stream Mining Sir Ronald Aylmer Fisher s Iris data set 34

35 DSM constraints Mohamed Gaber and João Gama, University of Porto, State-of-the-art in data stream mining

36 Windowing / batches Dariusz Brzezinski. Mining data streams with concept drift. Master s thesis, Poznan University of Technology, Poznan, Poland,

37 Inspiration decision trees J.R. Quinlan, Centre for Advanced Computing Sciences, New South Wales Institute of Technology, Australia, Induction of Decision Trees,

38 CONCEPT DRIFT When things start to change

39 Events attributes space 39

40 Concept drift types 40 Dariusz Brzezinski. Mining data streams with concept drift. Master s thesis, Poznan University of Technology, Poznan, Poland, 2010.

41 CD Detector inspiration DDM EDDM DDF 41

42 Demand driven framework P s l P D l PS = 100% l dt , Active mining of data streams, Wei Fan et al. 2008, An active learning method for mining time-changing data streams, Huang 2011, Semi-supervised approach to handle sudden concept drift in enron data, Kmieciak & Stefanowski 2014, Active learning from partly labeled data streams, Master s thesis, Dobski

symbiote Towards an IoT Framework for Semantic and Organizational Interoperability

Grant Agreement No 688156 symbiote Towards an IoT Framework for Semantic and Organizational Interoperability Ivana Podnar Žarko, Sergios Soursos, Ivan Gojmerac, Elena Garrido Ostermann, Gianluca Insolvibile,