© 2017 – The symbIoTe Consortium
Security in federated IoT Environment
H2020 symbIoTe project
Mikołaj Dobski, PSNC
Euro-CASE 2017, Poznań
Grant Agreement No 688156
Slide 2: Agenda
• symbIoTe project overview
  – Interoperability goals & software architecture
  – Security layer(s)
• CDD & symbIoTe’s AD
• Data streams mining
  – Constraints
  – Concept drift & its detectors
Slide 3: symbIoTe Overview
• Architecture: general overview
• Interoperability aspects
• Level 1-4 components
• Auth(n/z) approaches
Slide 4: A simple interoperable IoT app
• Universal light switch on your mobile phone
  – … switch on/off the lights wherever you go (at home, in the office, in public spaces…)
  – … but of course, only if you are allowed to do so…
Slide 5: Platforms monetizing their resources
[Figure: IoT Platform A and IoT Platform B; labelled resources: temperature sensor “X” at coordinates (… , …) and the “Room A Temperature” service of a room at building “Z”]
Slide 6: High-level architecture
[Figure: high-level architecture]
Slide 7: Interoperability Aspects
[Figure: Smart Space Domain, Smart Device Domain, Application Domain, Cloud Domain]
Level 1: syntactic and semantic interoperability
Level 2: organizational interoperability
Level 3: dynamic smart spaces
Level 4: roaming devices
Slide 8: SECURITY IN SYMBIOTE
Challenges and solutions
Slide 9: Main goal and approach
• Target goal: multi-domain access right composition
• Users registered in one or more platforms are authorized to access resources exposed elsewhere
[Figure: a User/App that is registered in Platforms A & B can access resources in Platform C]
Slide 10: Layers (0)
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 11: Layers (1)
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 12: Baseline security
TLS
Audits
Secure coding
Slide 13: Layers (2)
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 14: Authentication layer
PKI
JWT
X.509
Slide 15: JSON Web Tokens
• Well-known structure used for storing user’s attributes
• New claims added by symbIoTe
• Three kinds of tokens
  – Authorization JWS: home, foreign, guest
  – Home Token Acquisition JWS
  – Client Authentication JWS
Slide 16: Auth(N) with challenge-response
[Figure: Auth(N) with challenge-response]
Slide 17: Layers (3)
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 18: Authorization layer
• Resources protected through the Attribute-Based Access Control (ABAC) paradigm
• User’s attributes stored in trusted data structures, i.e., JSON Web Tokens (JWT)
• Access Policies assigned to each resource
• User’s attributes processable through a Mapping Function
Slide 19: Auth(Z) with ABAC policies
[Figure: Auth(Z) with ABAC policies]
Slide 20: Attributes Mapping
Platform A
• Type: HOME
• born : 1990
Platform B
• Type: FOREIGN
• isOver18 : True
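Added example (not symbIoTe code): a minimal Python model of slides 15, 18 and 20. Each platform issues JWS tokens carrying the user's attributes, platform B's mapping function turns the `born` attribute of A's HOME token into its own FOREIGN-token attribute `isOver18`, and a per-resource ABAC policy is matched against the attributes composed from all tokens the client presents. Assumptions: HMAC-SHA256 with constructed keys stands in for the AAMs' PKI signing, the claim name `ttyp`, the fixed year 2017, and the policy format and resource names.

```python
import base64, hashlib, hmac, json, time

# Constructed signing keys; symbIoTe AAMs use PKI/asymmetric keys, HMAC keeps this self-contained.
PLATFORM_KEYS = {"platformA": b"constructed-key-A", "platformB": b"constructed-key-B"}
YEAR_NOW = 2017  # fixed reference year for the 'born' -> 'isOver18' mapping

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, subject, ttyp, attributes, ttl=300):
    """Compact JWS carrying the user's attributes; 'ttyp' (HOME/FOREIGN/GUEST) is an assumed claim name."""
    now = int(time.time())
    claims = {"iss": issuer, "sub": subject, "ttyp": ttyp, "iat": now, "exp": now + ttl, **attributes}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(PLATFORM_KEYS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token):
    """Return the claims only if algorithm, issuer key, signature and expiry check out."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims, sig = json.loads(_unb64(head_b64)), json.loads(_unb64(body_b64)), _unb64(sig_b64)
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    key = PLATFORM_KEYS.get(claims.get("iss"))
    if header.get("alg") != "HS256" or key is None:  # refuse alg=none and unknown issuers
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or claims.get("exp", 0) < time.time():
        return None
    return claims

def map_attributes(home_claims):
    """Platform B's mapping function: derive 'isOver18' from platform A's 'born'."""
    return {"isOver18": YEAR_NOW - int(home_claims["born"]) >= 18} if "born" in home_claims else {}

def issue_foreign_token(home_token, issuer="platformB"):
    """Exchange a valid HOME token from another platform for this platform's FOREIGN token."""
    home = verify_token(home_token)
    if home is None or home.get("ttyp") != "HOME" or home["iss"] == issuer:
        return None
    return issue_token(issuer, home["sub"], "FOREIGN", map_attributes(home))

# Constructed ABAC policies: each listed attribute must be present with exactly this value.
POLICIES = {"lights/adult-lounge": {"isOver18": True}, "lights/lobby": {}}

def authorize(tokens, resource):
    """Compose attributes from every valid presented token, then match the resource's policy."""
    attrs = {}
    for tok in tokens:
        attrs.update(verify_token(tok) or {})
    policy = POLICIES.get(resource)
    return policy is not None and all(attrs.get(k) == v for k, v in policy.items())
```

Note that platform B never sees A's raw `born` value in its own token; only the derived `isOver18` claim is re-issued, which is what lets the FOREIGN token satisfy B's policy without B trusting A's data model.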
Slide 21: MDARC
Platform A
• User : Alice
• Subscription : valid
Platform B
• User : Bob
• Subscription : valid
Access granted
Slide 22: Layers (4)
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 23: Anomaly Detection layer
NetflixOSS
Statistics
Events Logging
Slide 24: Behavioral patterns Decision Tree
[Figure: decision tree; level labels: Root, Events, Identity, Resources, Components, Traffic; node labels: API, Core, Search, AAM, Registry, External AAMs, RAP, User_1 … User_n, Resource_1 … Resource_n, Session_1 … Session_n, Log_1 … Log_n]
Slide 25: Temporal patterns
[Figure: data flow; labelled nodes: AAMs, Search, Platform]
Slide 26: Identified AD threats
[Figure: Core, Platform_1, Platform_2]
Slide 27: Open questions
• Platform usage statistics (GDPR)
• What is an anomaly?
• Quality of AD service
• Decision tree building algorithm
• Anomaly confirmation algorithm
Slide 28: Provided software
[Figure: security layer stack: AD, Authorization, Authentication, Baseline]
Slide 29: Security components
• Authentication & Authorization Managers (PKI CAs)
  – Issuing credentials (X.509 certs and JWTs)
  – Authenticating platforms and users (by credentials validation)
  – Managing credentials translation (Attributes mapping function)
• Security Handlers
  – Reference Cryptography operations implementation
  – Managing a key store with clients’ certificates
  – Generating client’s Auth(N) payloads
  – Matching ABAC policies against received Auth(Z) payloads
• Anomaly Detection Module
  – Continuously building APIs’ temporal and behavioral usage models to detect anomaly spikes
Slide 30: Thank you! Questions?
www.symbiote-h2020.eu
@symbiote_h2020
H2020 symbIoTe
github.com/symbiote-h2020
Slide 31: CONCEPT DRIFT & ANOMALY DETECTION
Where humans and rules are not enough…
Slide 32: AD pros and cons
[Figure: Gains vs Costs]
Slide 33: HANDLING DATA AND DATA STREAMS
A bit of theory
Slide 34: Data
• Data Mining
• Data Stream Mining
[Figure: Sir Ronald Aylmer Fisher’s Iris data set]
Slide 35: DSM constraints
Source: Mohamed Gaber and João Gama, University of Porto, State-of-the-art in data stream mining, 2007.
Slide 36: Windowing / batches
Source: Dariusz Brzezinski. Mining data streams with concept drift. Master’s thesis, Poznan University of Technology, Poznan, Poland, 2010.
Slide 37: Inspiration – decision trees
Source: J.R. Quinlan, Centre for Advanced Computing Sciences, New South Wales Institute of Technology, Australia, Induction of Decision Trees, 1986.
Slide 38: CONCEPT DRIFT
When things start to change…
Slide 39: Events’ attributes space
[Figure: events’ attributes space]
Slide 40: Concept drift types
Source: Dariusz Brzezinski. Mining data streams with concept drift. Master’s thesis, Poznan University of Technology, Poznan, Poland, 2010.
Slide 41: CD Detector inspiration
DDF
EDDM
DDM
Slide 42: Demand driven framework
• 2004, Active mining of data streams, Wei Fan et al.
• 2008, An active learning method for mining time-changing data streams, Huang
• 2011, Semi-supervised approach to handle sudden concept drift in Enron data, Kmieciak & Stefanowski
• 2014, Active learning from partly labeled data streams, Master’s thesis, Dobski

$PS = \frac{\sum_{l \in d_t} \lvert P_s(l) - P_D(l) \rvert}{2} \times 100\%$
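Added example (not from the presentation or the cited theses): the PS measure above computed in Python over a constructed stream of component-usage events cut into fixed-size batches, as on the windowing slide, with a batch flagged when its shift from the reference reaches a threshold. Assumptions: $P_D$ is the label distribution of the reference batch and $P_s$ that of the current batch, events are `(timestamp, label)` pairs labelled with component names from the decision-tree slide, and the 30% threshold is illustrative.

```python
from collections import Counter

# Constructed stream of (timestamp, label) events; the label is the symbIoTe
# component an event was observed at. Batches of 10: the third one shifts
# from mostly "Search" to mostly "AAM" (a sudden drift).
SAMPLE_STREAM = (
    [(t, "Search") for t in range(8)] + [(t, "AAM") for t in range(8, 10)]          # batch 0
    + [(t, "Search") for t in range(10, 17)] + [(t, "AAM") for t in range(17, 20)]  # batch 1
    + [(t, "Search") for t in range(20, 22)] + [(t, "AAM") for t in range(22, 30)]  # batch 2
)

def label_distribution(batch):
    """Empirical distribution P(l) of the labels l seen in one batch."""
    counts = Counter(label for _, label in batch)
    total = sum(counts.values())
    return {label: n / total for label, n in counts.items()}

def percentage_shift(p_s, p_d):
    """PS = sum over l in d_t of |P_s(l) - P_D(l)|, divided by 2, times 100%.
    Dividing by 2 makes PS range from 0% (identical) to 100% (disjoint label sets)."""
    labels = set(p_s) | set(p_d)  # d_t: every label seen in either distribution
    return 100.0 * sum(abs(p_s.get(l, 0.0) - p_d.get(l, 0.0)) for l in labels) / 2

def detect_drift(events, batch_size, threshold):
    """Windowing: cut the stream into fixed-size batches and flag each batch whose PS
    against the reference distribution reaches the threshold. Assumption: P_D is the
    reference (initially batch 0) and P_s the current batch; after a detected drift the
    current batch becomes the new reference so the detector adapts to the new concept."""
    batches = [events[i:i + batch_size] for i in range(0, len(events) - batch_size + 1, batch_size)]
    reference = label_distribution(batches[0])
    flagged = []
    for idx, batch in enumerate(batches[1:], start=1):
        if percentage_shift(label_distribution(batch), reference) >= threshold:
            flagged.append(idx)
            reference = label_distribution(batch)
    return flagged
```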