WP5: Dynamic Risk Management

Objectives

This work package will research, design and validate a response system for the dynamic risk management of a monitored ICT system. Its purpose is to compute and propose the best-adapted response to be deployed at any time, based on the dynamic assessment of risks that weigh on the monitored ICT system for an entity (e.g., the whole or parts of the company using the monitored ICT system's services). The response system should manage potential attack scenarios and ongoing attacks (i.e., the attack situation) to compute a global response associating proactive and reactive response measures that minimize the risks.

The objectives are therefore to establish innovative and efficient models, security metrics and algorithms to:

a. Be aware of the attack situation (i.e., attack awareness) based on the knowledge of the up-to-date network mapping and inventory, the system's current vulnerabilities and ongoing elementary attacks, and the priorities derived from the ongoing missions and business processes using the ICT system.

b. Assess the risk incurred by an entity on the monitored ICT system (i.e., risk awareness) on both the proactive and reactive chains of treatment. This objective establishes how the risk quantification models and metrics will take into account the attack situation, the characteristics of the response measures (proactive and reactive), the compliance of the deployed controls with the ICT system's policies, and the mission and business priorities, in order to assess the various dimensions of the risk (i.e., success likelihood, impact of the attack situation, and cost of the response measures).

c. Compute and provide assistance on appropriate response possibilities (i.e., response assistance) that minimize the risk. This objective establishes how proactive and reactive response measures will be computed on both treatment chains and how they will be associated to instantiate appropriate global response possibilities that minimize the risk. An adaptive approach will be proposed, including technical and operational means that dynamically adjust the security policy to any changes in the ICT system, compute the transformations to apply to the configurations of the ICT system accordingly, and redeploy them.

d. Anticipate the attackers' moves by leveraging the knowledge obtained from on-line analysis fed by big data gathered on the monitored IT system. The output of this part of the system will be used as an input to minimize risks and to deploy appropriate mitigation techniques on the monitored IT system.

An important objective is to determine how the input of the established models could come from a knowledge base of a priori and a posteriori data, dynamically collected by probes or provided by security experts.

A risk-driven measurement development methodology will also be developed, involving the mapping between security metrics and activation of contextual adaptive policies. These metrics will be used to evaluate the impact of vulnerabilities on the existing configurations of the ICT system, in order to guide the activation of appropriate responses and the redeployment of configurations according to the updated policy.

Based on the established models and algorithms, a modular response system will be designed to manage the three steps of the risk treatment proactively and reactively. This design will adopt an adaptive approach that dynamically adapts the proposed appropriate response possibilities to any modification of the ICT system at any time. The design will also specify the internal and external interfaces.

In the end, the system will be implemented following the established design, integrated in the Demonstration System Prototype, and evaluated experimentally to validate the efficiency and exploitability of the approach.

ALBLF is responsible for this work package.

Description of Work and Role of Partners

Task 5.1 - Response System for Dynamic Risk Management Analysis (Month 4 - 13)

The goal is to establish the requirements and formalize models, metrics, algorithms, methodologies and data structures to propose a high-level design of a response system for the dynamic risk management of a monitored ICT System.

The PANOPTESEC project's general requirements will be refined and the specialised requirements of a response system will be developed. A report deliverable (D5.1.1) will describe the requirements covered by the response system. Innovative models and algorithms for proactive and reactive risk assessment, attack awareness and response assistance will be conceived to meet the requirements. Based on these models and algorithms a high-level design, composed of proactive and reactive treatment chains, will specify the functional modules involved and their interactions. A report deliverable (D5.1.2) will capture the high-level design.

Responsible: ALBLF; Participants: ALBLF, CIS-UROME, UzL, IMT, ACEA, SUPELEC

Task 5.2 - Reactive Response System Components Implementation (Month 12 - 22)

A detailed design of the software components of the reactive chain of treatment will be established based on the high-level design of the response system. The internal interfaces of these software components (within the same or between the two treatment chains) will be detailed. The external interfaces between these software components and other software components of the PANOPTESEC system will also be defined. A report deliverable (D5.2.1) of the detailed design of the reactive chain of treatment will be established. The basic models and algorithms of each specified software component will be evaluated individually. Eventually, the first prototypes for each specified software component (D5.2.2) will be produced.

Responsible: ALBLF; Participants: ALBLF, CIS-UROME, UzL, IMT, SUPELEC

Task 5.3 - Proactive Response System Components Implementation (Month 12 - 22)

Similarly to task 5.2, a report deliverable (D5.3.1) detailing the design of each software component for the proactive chain of treatment will be produced. This includes the necessary algorithms to map metrics and policies that trigger the adaptive process updating the ICT system's security policy, as well as the necessary mechanisms to reinforce the configuration of the security components accordingly. The basic models and algorithms of each specified software component will be evaluated individually. Finally, the first versions of the prototypes of each software component (D5.3.2) will be produced.

Responsible: IMT; Participants: ALBLF, CIS-UROME, IMT, UzL, SUPELEC

Task 5.4 - Response System Refinement (Month 21 - 31)

Software components implemented in tasks 5.2 and 5.3 will be integrated and tested to validate the correct working of the response system. The integrated response system will be evaluated experimentally to validate the efficiency of the system in preparation for the operational workshop. Any issue raised during each phase of integration, test, or project evolution will drive prototype refinement.

The outcome of the task will be a tested and validated prototype of a response system for the dynamic risk management of an ICT system (D5.4.1) and its associated report (D5.4.2).

Responsible: ALBLF; Participants: ALBLF, CIS-UROME, UzL, IMT, SUPELEC