1

Conviction Model for Incident Reaction Architecture

Monitoring based on Automatic Sensors Alert
Detection

Christophe Feltus - Djamel Khadraoui



Public Research Centre Henri Tudor, Luxembourg-Kirchberg, Luxembourg
christophe.feltus@tudor.lu


October 13-16, 2013
Table of contents
2
Introduction
Leading Case Study
Modelling the agents responsibility
Conviction analysis
Case Study validation
Conclusions



October 2013 SMC IEEE conference
Introduction
- CI are infrastructure essential for the functioning of a society and
economy
- CI are monitored and protected by SCADA system (Supervisory
Control and Data Acquisition)
- SCADA operates at different abstraction levels of the CI and are
generally composed of agents system which needs to accurately
collaborate

We observe :
- No integrated approach to support the agents behavior in crisis
situations i.e. no guarantee about the agent ability to perform its
responsibilities after delegation/assignment



October 2013 SMC IEEE conference 3
Leading Case



October 2013 SMC IEEE conference 4
PEP (Policy Enforcement Point)
enforces security policies
provided by the PDP
PIE (Policy Instantiation
Engine) is the agent that
receives information about
attacks from the ACE and
instantiates new security
policies to react to the
attack
PDP (Policy Decision Point) receives the new
security policies defined by the PIE and deploys
(validates) them at the enforcement points
(PEP);
ACE (Agent Correlation
Engine) is the agent in
charge of receiving alerts
coming from network nodes,
to correlates the information
and to forward confirmed
alert to the PIE
SCADA inside
5
Conviction of
responsibility
performance ?
The Agent Responsibility model
6
Commitment
Responsibility concepts definitions
The task is an action to use or transform an object performed by an agent
The responsibility is a state assigned to an agent to signify him its
obligations and accountabilities regarding a task
The accountability is a duty to justify the performance of a task to someone
else under threat of sanction. Accountability is a type of obligation to report
the achievement, maintenance or avoidance of some given state to an
authority and, as consequence, is associated to an obligation.
The assignment is the action of linking an agent to a responsibility.
Delegation process is the transfer of an agents responsibility assignment to
another agent.

7
Responsibility concepts definitions
The capability describes the requisite qualities, skills or resources
necessary to perform a task. Capability may be declined through knowledge
or know-how, possessed by the agent such as ability to make decision, its
processing time, its faculty to analyze a problem, and its position on the
network.
The right encompasses facilities required by an agent to fulfill his obligations
e.g. the access right that the agent gets once he is assigned responsible.
The commitment pledged by the agent related to this assignment represents
his required engagement to fulfill a task and the conviction that he does it
in respect of good practices.
The trust is the reliance that an agent act as it is requested.
For didactic reason, we consider in this paper that a trust level of 10 is
high and a trust level of 0 is low.
8
Agent responsibility in the case study
Because of the size of the paper, only the four most important
concepts are instantiated requirements
The obligations concerning the task (in red),
The capabilities (in blue),
The rights (in green),
The Commitment represented as a trust value (in black).

Cf tables
9
Case study PEPs requierments
10
11
Case study PDPs and ACEs requierments
Guarantee about the agent ability to
perform its responsibilities
It is necessary, for an agent, that:

Rights: should be appropriate to satisfy the agents obligations.
Capability: should be below its capability. Moreover such capability should enable it to fulfill
its obligations
Level of Trust: should be higher or equal to the minimum level required specified

Based on the value of the Right, the Capability and the Trust:

The Conviction A for fulfillment of Obligation O by an Agent with right R,
Capability C and Trust T is:
A
0
(R, C, T) = 0 if (R
0
R) (C
0
C) (T
p
T)
Otherwise:
A
0
(R, C, T) = 1
12
Case study analysis:

If a failing PEP needs to delegate O
1
: Must retrieve the logs from
the component it monitors to another PEP, the latter must
have at least the following capability:

- be on the same network than the component to control (C
1
),
- have enough computing resource to monitor the component to
control (C
4
),
- be able to encrypt data (C
6
)
- be able to communicate securely with the ACE (C
7
).
13 October 2013 SMC IEEE conference
The PEP must also have the following rights to perform O
1
:

- R
1
: is allowed to read log file on the concerned network
component
- R
2
: is allowed to write log in the central logs database
- R
4
: is allowed to read and write in the alert database.

The minimum level for the trust parameter expected from the PEP
is set to 3.

14 October 2013 SMC IEEE conference
Case study analysis:

Validation for the case study
15
However, in practice, we observed :
As a result, in the case of the PEP, the obligation to provide an
immediate reaction is hampered by the fact that the
PEP lacks the capability to communicate with the PDP (C
2
).

This means that any appropriate responsibility cannot be
assigned to the PEP and be implemented in case of abnormally
within the system.
16 October 2013 SMC IEEE conference
Case study analysis:

Validation for the case study
17
Equally, the value for the other agents are
CI are more and more present and need to be seriously managed and monitor
regarding the increasing amount of threats.
This paper presents a solution to automatically react after an incident on a
wireless network based on MAS architecture.
The system initially based on static assignments of function to agents needed
more dynamicity in order to stay aligned with the new arising risks:

We provide a conceptual representation of the agent responsibilities
Based on that definition of the agents responsibilities, a conviction level
can be estimated in order to determine the confidence that the agent can
meet its responsibilities. In the event of such conviction level being low,
decisions can be made to shift the fulfillment of such a responsibility to a
different agent.
18 October 2013 SMC IEEE conference
Conclusions
Acknowledgments
The research described in this paper is funded by the
CockpitCI research project within the 7th framework
Programme (FP7) of the European Union (EU) (topic SEC-
2011.2.5-1 Cyber-attacks against critical infrastructures
Capability Project).



Thank you for your attention !

Any questions ?