INOV's BP-IDS



Functional Components Description

BP-IDS is a monitoring solution that aims at detecting incidents on technology-enabled infrastructures. It operates by collecting, from multiple sensors scattered across the monitored infrastructure, traces that indicate the execution of activities in business processes, and reconstructs in real time the business process being executed from those traces. The reconstructed processes are then validated by comparing them with their specification and business rules. Whenever an executed process deviates from its specification, the activity is marked as a possible incident and BP-IDS notifies the infrastructure administrator in real time with the causes of the anomaly (traces, affected processes, etc.). This offers broad protection against both cybersecurity incidents (such as intrusions or forgery of equipment behaviour) and operational security incidents (such as equipment and network failures, human error, or natural disasters).

The deployment example in Figure 4 shows an infrastructure comprising two systems (A and B) connected through a network switch. In this example BP-IDS consists of its essential components (the sensor and the monitoring core) and its additional management applications (the Administration and Monitoring Interfaces).

As illustrated in Figure 4, BP-IDS is essentially architected as a distributed system composed of two parts: the monitoring components, which gather business process traces and analyse them against the specification; and the management applications, which allow system administrators to interact with the monitoring components in order to set them up and obtain the monitoring results.

Monitoring Components:

The monitoring components consist of a monitoring core, which analyses the business process traces according to the specification and business rules, and sensors, which discover all activity traces found in the infrastructure's data sources and send them to the monitoring core, based on identification patterns that dictate how business process activities are extracted from the data. BP-IDS provides two types of sensors: network-based sensors, which extract traces by inspecting network traffic, and host-based sensors, which extract them from the logs stored on the infrastructure's systems.

As depicted in Figure 5, the monitoring components are implemented by several software modules.

The monitoring core consists of two software modules: the Verification Engine and the Configuration Manager. The Verification Engine is the module responsible for analysing the traces captured by the sensors against the organization's business specifications. It is also the Verification Engine's responsibility to report the incidents found during the analysis and to export the incident details (performed by its inner component, the Event Output Engine). The Configuration Manager module, on the other hand, is responsible for automatically configuring the sensors when the BP-IDS system is launched, based on the network topology of the monitored environment and on the identification patterns that dictate how business process traces are identified.

Each sensor consists of a network- or host-based COTS sensor and its corresponding Sensor Plugin software module. The Sensor Plugin serves as the interface between the monitoring core and the actual sensor: it receives its configuration from the Configuration Manager and sets up the sensor for capturing data. Whenever the sensor captures data, the Sensor Plugin receives it, converts it into business process traces, and sends those traces to the monitoring core's Verification Engine.
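The trace-validation idea behind the Verification Engine described above (traces arrive from sensors, each process instance is reconstructed step by step, and any activity that the specification does not allow next is reported as an incident with its cause) is illustrated by the following added example. It is not INOV's code and does not use BP-IDS's specification format: the process specification, the trace fields and the sensor names are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed specification of one business process (hypothetical format, not INOV's):
# for each activity, the set of activities allowed to directly follow it.
SPEC = {
    "start": {"read_setpoint"},
    "read_setpoint": {"validate_setpoint"},
    "validate_setpoint": {"write_actuator"},
    "write_actuator": {"log_change"},
    "log_change": set(),  # process ends here
}

@dataclass
class Trace:  # one activity trace, as a sensor plugin would hand it to the engine
    process_id: str   # instance of the business process the activity belongs to
    activity: str
    sensor: str       # constructed id of the reporting sensor (network- or host-based)

@dataclass
class Incident:  # what the administrator is notified with
    process_id: str
    trace: Trace
    cause: str

class VerificationEngine:
    """Reconstructs each process instance from its traces and validates it against spec."""
    def __init__(self, spec):
        self.spec = spec
        self.last = {}        # process_id -> last accepted activity
        self.incidents = []

    def feed(self, trace):
        prev = self.last.get(trace.process_id, "start")
        allowed = self.spec.get(prev, set())
        if trace.activity in allowed:
            self.last[trace.process_id] = trace.activity   # compliant: advance the process
            return None
        # unknown activities and out-of-order activities are both deviations
        cause = f"'{trace.activity}' after '{prev}', expected {sorted(allowed) or 'end of process'}"
        incident = Incident(trace.process_id, trace, cause)
        self.incidents.append(incident)
        return incident

def run_demo():
    # Constructed traces: p1 is compliant; p2 writes the actuator without validating first.
    engine = VerificationEngine(SPEC)
    for t in [Trace("p1", "read_setpoint", "host-A"), Trace("p2", "read_setpoint", "host-A"),
              Trace("p1", "validate_setpoint", "host-A"), Trace("p2", "write_actuator", "net-sw"),
              Trace("p1", "write_actuator", "net-sw"), Trace("p1", "log_change", "host-B")]:
        engine.feed(t)
    return engine.incidents
```

Running `run_demo()` yields a single incident for process p2, whose cause names the offending activity, the last accepted one and what the specification expected instead, which is the kind of detail the Monitoring Interface would present to the administrator.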

Management Applications:

The management applications are the interfaces through which system administrators interact with BP-IDS; they consist of the Administration Interface and the Monitoring Interface.

The Administration Interface allows administrators to provide all the information needed to set up the monitoring core: the business specification used by the Verification Engine during the analysis (Figure 6), and the infrastructure network topology used by the Configuration Manager to configure the sensors (Figure 7).

The Monitoring Interface, on the other hand, allows administrators to conduct forensic investigations based on the results of the monitoring core's analysis. As depicted in Figure 8, this interface lets administrators view the incidents reported by BP-IDS and pinpoint the business traces that do not comply with the specification.


Keywords

Intrusion detection, incident detection, business processes


Services

  • Detection of incidents on technology-enabled infrastructures.

  • Collects, from multiple sensors scattered across the monitored infrastructure, traces that indicate the execution of activities in business processes, and reconstructs in real time the business process being executed from those traces.

  • Partners can test the process monitoring approach with their own datasets from Industrial Control Systems (or other types of systems) and their own process specifications.

  • Remote access to the Administration and Monitoring Interfaces is available.


Technical equipment

INOV's datacenter


Use request

Free access for Consortium Partners for non-commercial usage. For commercial usage, license fees apply.