SecSy: A Security-oriented Tool for Synthesizing Process Event Logs

Similar documents
Lluis Belanche + Alfredo Vellido. Intelligent Data Analysis and Data Mining. Data Analysis and Knowledge Discovery

Generation of a Set of Event Logs with Noise

WoPeD - An Educational Tool for Workflow Nets

EDIminer: A Toolset for Process Mining from EDI Messages

SAP BusinessObjects Business Intelligence Suite Document Version: 4.1 Support Package Patch 3.x Update Guide

Installation Logon Recording Basis. By AD Logon Name AD Logon Name(recommended) By Windows Logon Name IP Address

Handling Big(ger) Logs: Connecting ProM 6 to Apache Hadoop

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Database Application Developer Tools Using Static Analysis and Dynamic Profiling

Process Modelling from Insurance Event Log

Potential Targets - Field Devices

Relational XES: Data Management for Process Mining

A Mind Map Based Framework for Automated Software Log File Analysis

WebSphere Business Monitor V7.0 Installation and stand-alone server profile creation

Windows Operating Systems. Basic Security

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

WebSphere Business Monitor V7.0: Clustering Single cluster deployment environment pattern

User Identification and Authentication

Compliance Response Edition 07/2009. SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures. simatic wincc DOKUMENTATION

Feedback Ferret. Security Incident Response Plan

Using weblock s Servlet Filters for Application-Level Security

Selecting Help Desk Software

Desktop Web Access Single Sign-On Configuration Guide

How To Develop A Static Analysis System For Large Programs

Internet Script Editor (ISE)

BUsiness process mining, or process mining in a short

Monitoring Infrastructure (MIS) Software Architecture Document. Version 1.1

Auditing UML Models. This booklet explains the Auditing feature of Enterprise Architect. Copyright Sparx Systems Pty Ltd

Improved Event Logging for Security and Forensics: developing audit management infrastructure requirements

Intrusion Detection for Grid and Cloud Computing

Open S-BPM: Goals and Architecture

Activity Mining for Discovering Software Process Models

SAP Business Intelligence Suite Patch 10.x Update Guide

Towards Cross-Organizational Process Mining in Collections of Process Models and their Executions

DriveLock Quick Start Guide

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

BPM and Simulation. A White Paper. Signavio, Inc. Nov Katharina Clauberg, William Thomas

Network Connect Installation and Usage Guide

ios App for Mobile Website! Documentation!

Comodo MyDLP Software Version 2.0. Endpoint Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

SEER Enterprise Shared Database Administrator s Guide

Software Test Plan (STP) Template

PaperCut Payment Gateway Module - PayPal Payflow Link - Quick Start Guide

Process Mining: Using CPN Tools to Create Test Logs for Mining Algorithms

Application of Data Mining Techniques in Intrusion Detection

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

1. Introduction Auditing Handlers and Audit Trails Configure the Built-In Handler Create a Custom Audit Handler...

orrelog Ping Monitor Adapter Software Users Manual

LICENSE4J LICENSE MANAGER USER GUIDE

Verification and Validation of Software Components and Component Based Software Systems

U.S. Navy Automated Software Testing

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Example Software Development Process.

Chapter 4 Getting the Data

Oracle Role Manager. An Oracle White Paper Updated June 2009

!!!!!!!!!!!!! Disco User s Guide

PaperCut Payment Gateway Module - PayPal Payflow Link - Quick Start Guide

JDarkRoom. User Guide. Version 14. Copyright 2009 Duncan Jauncey.

Focus on Security Xerox and the P2600 Hardcopy Device and System Security Working Group

Dotted Chart and Control-Flow Analysis for a Loan Application Process

Discovering passwords in the memory

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

XMPP Instant Messaging and Active Directory

Best Practices: Extending Enterprise Applications to Mobile Devices

Security Development Tool for Microsoft Dynamics AX 2012 WHITEPAPER

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Case Closed Installation and Setup

Test Data Management Best Practice

Processing and data collection of program structures in open source repositories

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations

Oracle Database: SQL and PL/SQL Fundamentals NEW

Intrusion Detection Systems

K7 Business Lite User Manual

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

JobScheduler - Quickstart

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Installation Guide of the Change Management API Reference Implementation

orrelog SNMP Trap Monitor Software Users Manual

TIBCO Hawk SNMP Adapter Installation

AndroLIFT: A Tool for Android Application Life Cycles

Prediction of Heart Disease Using Naïve Bayes Algorithm

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

A Framework of User-Driven Data Analytics in the Cloud for Course Management

Adobe Flash Player and Adobe AIR security

Analytics for Performance Optimization of BPMN2.0 Business Processes

Patch Management Reference

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Transcription:

SecSy: A Security-oriented Tool for Synthesizing Process Event Logs Thomas Stocker and Rafael Accorsi University of Freiburg, Germany {stocker,accorsi}@iig.uni-freiburg.de Abstract. SecSy is a highly flexible log synthesis tool, which allows users to configure their simulation procedures in a detailed way, including control flow, data flow and organizational context of business processes. User friendly dialogs provide rich parameter adjustment and intuitive coupling of simulation components. With the possibility of integrating custom transformers, out-of-the-box functionality of SecSy can be extended to fit custom needs. 1 Introduction Research into business process security and compliance is concerned with the requirements formalization of security (e.g. secrecy, binding of duties) and compliance requirements (e.g. obligations, interdependencies between activities) [4] and the development of well-founded techniques and tools for analyzing, monitoring and auditing these requirements in business process specifications [1]. Here, a particular challenge arises when it comes to testing the effectiveness of monitoring and auditing techniques and corresponding tools [2, 3]. Specifically, to test these tools one needs controllably generated event logs that contain process executions comprising process flexibility and variability on the one hand, and process non-compliance on the other, thereby mimicking structural vulnerabilities, process dynamics, intentional attacks and user errors [5]. Such event logs can serve as input for monitoring, auditing and mining tools, thereby allowing developers to assess their kill-rate, i.e. the precision to identify the violation of the designated security and compliance properties or deviations from an original process model. The concepts for simulating business process flexibility and noncompliance employed by SecSy are novel, both in the security, compliance and business process management communities. SecSy allows for highly-controllable simulation output incorporating conform process behavior with respect to targeted security properties, as well as random failures that may lead to the violation of selected properties and incomplete/distorted process logs. Overall, the generation of defect data has been applied to software process improvement in general [6], but has never been seen in the BPM area. We firmly believe that the controlled, Copyright 2014 for this paper by its authors. Copying permitted for private and academic purposes.

2 T. Stocker, R. Accorsi push-button generation of (large) test data is a promising research direction and application domain in business process testing and improvement. 2 Simulation Approach The overall approach for synthesizing event logs is depicted in Fig. 1. SecSy takes a series of business process specifications as input and generates a process log that contains traces of these specifications. Based upon the security and compliance requirements, deviations from the defined control flow are generated with the help of transformers which encode specific trace properties that are either enforced or violated on a random basis. Generated logs are outputted in MXML (a format for process mining), as well as plain text. Ongoing work adds support to Extended Event Streams format (XES). Processes subject to simulation are considered to be executed within a context. While the control flow of a process defines possible execution traces, subjects authorized to execute process activities and objects used by activities are defined by contexts. SecSy allows to define simulation runs, each relating to one process model which are processed one after another according to the number of desired traces for each run. This way, the engine is capable of simulating situations in which there is an initial model for planned process behavior, but a variant of this model was executed for some time, possibly due to the activity of an attacker or process variation/flexibility. During the processing of a simulation run, the engine generates valid log traces according to the control flow of the corresponding process and context and then passes them through the trace transformers which apply transformations in a post-processing manner. Trace transformers can remove or add process activities (simulating skipped activities or incomplete logging), as well as change information within traces in a way business related properties like separation/binding of duties or authorization constraints are enforced or violated. Information about which transformers have been applied on which traces and if the enforcement or violation was successful is stored in a separate simulation log which can be used to determine the aforementioned kill-rate of detection-mechanisms. Fig. 2 depicts the configuration panel of the application. SecSy allows for flexible configuration of all required parameters and the creation and editing of corresponding components. Depending on the simulation type (SIMPLE or DETAILED), generated traces contain only timestamps and activity names or additionally information about executing subjects and data items. The time generator component contains all timing related simulation properties, including the start time for the simulation (date for first trace), the number of cases per day, office-days and -hours, as well as individual activity durations and delays between succeeding activities. In the case of simulation type EX- TENDED, the user has to specify a context and a data container. Data containers generate values for data items used during process execution (e.g. credit amount) and store the values until a trace is completed. This way, the consistent usage of attribute values along a complete trace is ensured. A context holds subjects

Security-oriented log synthesis 3 Run 1: 1000 [ 1,..., r1 ] Simulation Engine #traces... Conform Trace Run i: 500 [ 1,..., ri ] run [ 1,..., r] Transformed Trace... Run n: 1200 [ 1,..., rn ] Log Format Process # Traces Transformers Simulation Runs Context Process Log Simulation Log Fig. 1. Overview of the approach. and their permissions to execute activities and access data elements together with activity data usage (attributes used by activities) information. To specify subject permissions, the user can choose between an access control list or a role based concept, which is particularly helpful for large contexts. Additionally, a context allows to specify constraints on attribute values that can be added to process activities. 3 Trace-Transformations Trace transformers are used to transform traces in a way specific trace properties are enforced or violated. Transformers operate on valid traces generated during the simulation process and generate modified versions of these traces in a postprocessing manner, before they are added to the output log file. Modified fields are locked to prevent further transformers from corrupting the already enforced properties coming from previous applications of transformers. Currently, SecSy comprises the following trace transformers: 1. delay inserts a delay in the process execution and can be used to simulate situations in which work is piling up and process execution is slowed down by unusual long delays between single activities. 2. skip removes specific activities from generated valid log traces so simulate skipped (mandatory) activities. This transformer adjusts timestamps in a way as if the removed activity never happened. 3. silent captures a situation in which a particular activity has not been logged onto the file. In contrast to skip, timestamps are not adjusted. 4. authentication mimics an access control policy and its violation.

4 T. Stocker, R. Accorsi Fig. 2. Screenshot of the configuration panel. 5. binding of duty (BOD) mimics the compliance with or the violation of a binding of duty requirement. 6. separation of duties can be seen as the opposite of BOD: it states that a particular set of activities must be performed by different subjects. The list of predefined transformers shipped with SecSy can be extended with or refined to other domain-specific transformers. For this, users can define their own transformers (implementing specific interfaces) and, subsequently, add them to SecSy. The procedure of including custom transformers requires writing code for the transformer functionality and providing a graphical frontend for parameter setting. On startup, SecSy looks for custom transformer code and adjusts dialogs for simulation run configuration appropriately. This method allows highly flexible transformer definition and sharing and does not require users to compile their own tweaked version of SecSy. Users can make their custom transformers available in form of class-files other users can readily employ. 4 Availability SecSy is a standalone, extensible Java application and has been made available on the Open-Source platform Sourceforge (http://sourceforge.net/projects/ secsy/). Downloads include a runnable jar-version, an OSX application bundle and a sample simulation directory which can be used to get started with SecSy

Security-oriented log synthesis 5 on basis of preconfigured simulation procedures. This directory also contains an example of a custom trace transformer (DesignatorTransformer). A detailed user guide explaining how to set up and use SecSy can be found on http://doku. telematik.uni-freiburg.de/secsy/. This website also allows users to issue feature requests and bug reports in an interactive way. References 1. R. Accorsi. Sicherheit im prozessmanagement. digma Zeitschrift für Datenrecht und Informationssicherheit, (2):72 76, 2013. 2. R. Accorsi and T. Stocker. On the exploitation of process mining for security audits: The conformance checking case. In ACM Symposium on Applied Computing, pages 1709 1716. ACM Press, 2012. 3. R. Accorsi and T. Stocker. On the exploitation of process mining for security audits: The process discovery case. In ACM Symposium on Applied Computing. ACM Press, 2013. 4. T. Breaux, A. Antón, and E. Spafford. A distributed requirements management framework for legal compliance and accountability. Computers & Security, 28(1-2):8 17, 2009. 5. L. Lowis and R. Accorsi. Finding vulnerabilities in SOA-based business processes. IEEE Transactions on Service Computing, 4(3):230 242, August 2011. 6. A. Raninen, T. Toroi, H. Vainio, and J. J. Ahonen. Defect data analysis as input for software process improvement. In O. Dieste, A. Jedlitschka, and N. J. Juzgado, editors, Conference on Product-Focused Software Process Improvement, volume 7343 of Lecture Notes in Computer Science, pages 3 16. Springer, 2012.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information