There is a big growth in using Digital Twins to monitor and optimize systems in the (Industrial) IoT environment (IIoT) or in the digital society in general. On the other hand, because security is of paramount importance, such systems may employ many security tools/frameworks, which increasingly adopt machine learning (ML) to automate threat detection and mitigate the consequences. This poses new challenges in tool unification (multiple vendors, multiple data formats) and in explainability for security orchestration and response. In this study, we want to build an explainable orchestration model by abstracting security reports, including ML-specific attributes, working with different security tools, and providing sufficient information for performance evaluation (by humans in the loop) with less effort. Moreover, standardizing security reports and security plans will encourage security playbook development and integration with ML-based orchestration (continuous learning) and the digital twin's knowledge graph for automating security configuration.
- To support explainability in security orchestration, we present the report at physical and logical layers to describe the security anomaly detection and security incident. For more details, please refer to the paper.
Figure 1. Anomaly and Incident reports.
- Mininet
- Ryu
- QoA4ML
- Numpy
- Pandas
Figure 2. RXOMS Workflow
- The steps to run the SDN simulation are described in SDN Simulation.
Figure 3. The simulation overview
- The data for the experiment is stored in data/anomaly_data/all_flow.csv, generated by running the SDN simulation.
- The data is generated by multiple ML tools that detect anomalies in 22 network flows of an SDN network. The network traffic is simulated based on the traffic of the SINDIT Factory. Anomaly detection is based on two algorithms, Isolation Forest and Local Outlier Factor, and each algorithm is trained separately on two features, bytes and packets. Per flow this gives 2 algorithms x 2 features = 4 models, so there are 44 models in total.
- The raw message from the controller that contains the network flow data is stored in file sdn_simulation/ml_detection/raw_message.csv.
- The network flow data is grouped and normalized in sdn_simulation/ml_detection/flow_data.
- The python notebook sdn_simulation/ml_detection/ml_tools.ipynb is a simple test that loads the pre-trained models and predicts the anomaly/score for a given flow data. The anomaly detection result is stored in sdn_simulation/ml_detection/anomal_data.
- Python version: 3.12
- The RXOMS library is implemented in the src/rxoms folder. To install the library, navigate to the root RXOMS folder:
<...>/RXOMS
- Run the following command to install the library:
$ pip install .
- RabbitMQ and MongoDB are required to run the Incident Validation and Knowledge Graph services, respectively. The services can be run in local Docker containers. The configuration of the services is editable at configuration/service/incident_validation.yaml and configuration/service/simulated_kg.yaml.
- The script to run RabbitMQ and MongoDB in Docker containers is provided in the services/start_external_service.sh.
Note: the sample login credentials for the local MongoDB are saved in configuration/service/db_credential.yaml. Do not commit your own credentials to this file.
- Navigate to the services folder
- The configuration of the service is editable at configuration/service/simulated_kg.yaml
- The user must specify host and port for the service to run; by default, host is 0.0.0.0 and port is 5000.
$ python3.12 simulated_KG.py
- Navigate to the services folder with another terminal.
- The configuration of the service is editable at configuration/service/data_enrichment.yaml
- The user must specify host and port for the service to run; by default, host is 0.0.0.0 and port is 5001. The service needs to know where the knowledge graph and incident analysis services are, so the user must specify kg_url and ia_url in the configuration file. By default, kg_url is http://localhost:5000 and ia_url is http://localhost:5002.
$ python3.12 data_enrichment.py
- Navigate to the services folder with another terminal.
- The configuration of the service is editable at configuration/service/incident_analysis.yaml
- The user must specify host and port for the service to run; by default, host is 0.0.0.0 and port is 5002. The service needs to know where the knowledge graph and incident validation services are, so the user must specify kg_url and iv_url in the configuration file. By default, kg_url is http://localhost:5000 and iv_url is http://localhost:5003.
- Additionally, physical and logical reports are saved in the data/rxoms_reports folder. To disable saving physical reports, set log_physical_report to False in the configuration file.
$ python3.12 incident_analysis.py
- The incident analysis service will also send the incident reports to the message queue (RabbitMQ). To consume the message, you can run the services/collector.py script.
- Navigate to the services folder with another terminal.
- The configuration of the service is editable at configuration/service/incident_validation.yaml
- The user must specify host and port for the service to run; by default, host is 0.0.0.0 and port is 5003. The service needs to know where the knowledge graph and plan enforcement services are, so the user must specify kg_url and pe_url in the configuration file. By default, kg_url is http://localhost:5000 and pe_url is http://localhost:5004.
$ python3.12 incident_validation.py
- Navigate to the services folder with another terminal.
- The configuration of the service is editable at configuration/service/plan_enforcement.yaml
- The user must specify host and port for the service to run; by default, host is 0.0.0.0 and port is 5003. The service needs to know where the knowledge graph service is, so the user must specify kg_url in the configuration file. By default, kg_url is http://localhost:5000.
$ python3.12 plan_enforcement.py
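The five services above are wired together purely through their configuration files: each service binds a host and port, and the downstream services are located via kg_url, ia_url, iv_url and pe_url. A mismatch between a port a service listens on and the URL another service uses for it, or two services trying to bind the same port, only shows up once the pipeline is running. The following is an added example, not code from the RXOMS repository, that checks a set of service configurations for those two problems and flags services bound to 0.0.0.0, which makes the API reachable from every interface of the host rather than only locally. The configuration dicts are constructed to mirror the keys named in this README; in practice you would load configuration/service/*.yaml with a YAML parser and pass the resulting dicts. Note that the example gives plan enforcement port 5004 so that it matches the pe_url default of incident validation; a plan enforcement service on port 5003 would collide with incident validation, and the check reports exactly that.

```python
"""Added example (not part of the RXOMS repository): sanity-check the five
service configurations before starting the pipeline.

Assumptions: each configuration is a dict with the keys the README names
(host, port, kg_url, ia_url, iv_url, pe_url, log_physical_report). The dicts
below are constructed for this example; load the real YAML files and pass the
resulting dicts to check_configs() instead.
"""
from urllib.parse import urlsplit

# Which *_url key is expected to point at which service.
URL_TARGETS = {
    "kg_url": "simulated_kg",
    "ia_url": "incident_analysis",
    "iv_url": "incident_validation",
    "pe_url": "plan_enforcement",
}

# Constructed to mirror the README defaults (plan_enforcement uses 5004 so it
# matches the pe_url default rather than colliding with incident_validation).
CONSTRUCTED_CONFIGS = {
    "simulated_kg": {"host": "0.0.0.0", "port": 5000},
    "data_enrichment": {"host": "0.0.0.0", "port": 5001,
                        "kg_url": "http://localhost:5000",
                        "ia_url": "http://localhost:5002"},
    "incident_analysis": {"host": "0.0.0.0", "port": 5002,
                          "kg_url": "http://localhost:5000",
                          "iv_url": "http://localhost:5003",
                          "log_physical_report": True},
    "incident_validation": {"host": "0.0.0.0", "port": 5003,
                            "kg_url": "http://localhost:5000",
                            "pe_url": "http://localhost:5004"},
    "plan_enforcement": {"host": "0.0.0.0", "port": 5004,
                         "kg_url": "http://localhost:5000"},
}


def check_configs(configs):
    """Return {'errors': [...], 'warnings': [...]}.

    errors   - the pipeline cannot work as configured (port collision, a
               *_url pointing at a port nobody listens on)
    warnings - it will run, but a practitioner should look (0.0.0.0 bind)
    """
    errors, warnings = [], []

    # 1. Two services cannot listen on the same host:port.
    seen = {}
    for name, cfg in configs.items():
        key = (cfg["host"], cfg["port"])
        if key in seen:
            errors.append(f"{name} and {seen[key]} both bind {key[0]}:{key[1]}")
        seen[key] = name

    # 2. Every *_url must use the port its target service actually listens on.
    for name, cfg in configs.items():
        for url_key, target in URL_TARGETS.items():
            if url_key not in cfg:
                continue
            url_port = urlsplit(cfg[url_key]).port
            expected = configs[target]["port"]
            if url_port != expected:
                errors.append(f"{name}.{url_key} -> port {url_port}, "
                              f"but {target} listens on {expected}")

    # 3. Binding all interfaces exposes the HTTP API beyond the local host.
    for name, cfg in configs.items():
        if cfg["host"] == "0.0.0.0":
            warnings.append(f"{name} binds 0.0.0.0 (reachable from any "
                            f"interface); use 127.0.0.1 for local testing")

    return {"errors": errors, "warnings": warnings}


def with_port(configs, service, port):
    """Copy of configs with one service's port changed (for what-if checks)."""
    copy = {name: dict(cfg) for name, cfg in configs.items()}
    copy[service]["port"] = port
    return copy


if __name__ == "__main__":
    for line in check_configs(CONSTRUCTED_CONFIGS)["warnings"]:
        print("WARN", line)
    # What happens if plan_enforcement also takes port 5003:
    for line in check_configs(with_port(CONSTRUCTED_CONFIGS, "plan_enforcement", 5003))["errors"]:
        print("ERROR", line)
```

Run the check before launching the services; an empty error list means every *_url resolves to a listening port and no two services compete for one. The 0.0.0.0 warning is deliberate: on a shared lab machine or a digital twin host with several network interfaces, binding the orchestration APIs to 127.0.0.1 (or placing them behind an authenticated gateway) keeps the incident and plan endpoints off the wider network.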
- The tests are provided in the notebook experiment/test.ipynb. The notebook contains a test for all APIs of the Knowledge Graph service and 2 tests that send network anomaly detections through the whole pipeline. Instructions for running the tests are provided in the notebook.
If you use the RXOMS library, you can cite:
@inproceedings{nguyen2024security,
title={Security Orchestration with Explainability for Digital Twins-based Smart Systems},
author={Nguyen, Minh-Tri and Lam, An Ngoc and Nguyen, Phu and Truong, Hong-Linh},
booktitle={2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)},
pages={1194--1203},
year={2024},
organization={IEEE}
}
- Minh-Tri Nguyen
- Hong-Linh Truong
- Anh-Dung Nguyen
- Hong-Tri Nguyen
- An Ngoc Lam
- Phu Nguyen
Contact: Minh-Tri Nguyen (tri.m.nguyen@aalto.fi)