Seminar LaSArIS

Week 12 (7.12) - Thesis Defence Rehearsal (Lukáš Daubner - Risk-Oriented Design for Forensic-Ready Software Systems) & Closing of the Seminar


Speaker: Lukáš Daubner, PhD student FI MU

Title: Risk-Oriented Design for Forensic-Ready Software Systems

Abstract: Security-related incidents, like cyberattacks, threaten software systems, their data, and the services they support. They cannot be fully mitigated, as serious incidents can always occur, for example, due to a vulnerability in the system or an insider attack. The system can also be involved in a dispute. Such incidents must be investigated to uncover what happened, when, where, how, and who is responsible, for which purpose digital forensics is employed. However, the investigation is very laborious, with uncertain results. Thus, forensic readiness is employed as a set of proactive measures to improve the effectiveness and the odds of an investigation. Forensic-ready software systems are a specific take on forensic readiness, approaching it from a software engineering perspective and including forensic readiness in the software design. Hence, the systems should produce highly trustworthy, on-point data traces usable as digital evidence and should support the digital forensic processes. Thus, the exact requirements for the system to implement forensic readiness need to be formulated, modelled, reasoned about, and verified. Importantly, they must address the specific needs for which forensic readiness is implemented in the first place by considering the security risks present in the system. This thesis fills the gap in the engineering of forensic-ready software systems by proposing a risk-oriented approach to facilitate the inclusion of forensic readiness into the system's design. This entails a method for capturing the needs for forensic readiness within the system, assessing them with respect to the risks, and finally formulating implementable and verifiable requirements. The method is supported by a modelling notation capturing the forensic readiness requirements and controls to enable systematic reasoning. Together, they form a basis for further analysis aiming at the assurance of forensic-ready software systems, realised by metrics and a software tool.
The methods composing the proposed approach were published in high-rank, peer-reviewed conferences and journals. They were applied to running scenarios, demonstrating their contribution. Furthermore, the approach is complemented by a case study presenting its application and evaluation on a real-world system, showing the feasibility of the results.

(the following planned talk had to be cancelled)

Speaker: Martin Macák, PhD student FI MU

Title: A Process Mining Framework for Insider Attack Detection

Abstract: Insider attacks originate from someone with legitimate access to an organization and its assets. They are one of the most significant cybersecurity challenges. The currently employed security solutions do not address insider attacks sufficiently. First, detecting previously unseen attacks is challenging for supervised approaches; second, insider attack detection is particularly susceptible to the issue of false positives. Low precision is especially problematic in insider attack detection. Therefore, it is imperative for organizations to minimize it. Attack understanding is fundamental both for detecting previously unseen attacks and for minimizing the false positive rate. However, in currently employed solutions, insider behavior is often encoded into a mathematical model that might not be accessible or is not designed to describe the attack vector of an insider attack. Process mining is a discipline that was proposed to give a better understanding of actions by extracting knowledge from event logs of business processes. The ability to inspect the actions involved in the attack makes process mining a fitting candidate for an insider attack detection solution. This thesis is a collection of papers that aim to address the current challenges of utilizing process mining for insider attack detection. It introduces a novel process mining framework for insider attack detection. This framework enables the flexible utilization of process mining and provides a way of understanding insider attacks, thereby enabling the detection of insider attacks that have not occurred in the past. The thesis describes process mining utilization for insider attack detection in three stages. First, the thesis addresses the assessment of data usability for process-oriented insider attack detection. The results include a systematic literature review on the usage of process mining in cybersecurity and software reliability.
Furthermore, five studies were conducted to investigate the criteria for effective process mining utilization for insider attack detection. Second, the research findings focus on the preparation of insider attack data for process-oriented insider attack detection. We proposed methods for insider attack detection across various domains and conducted three case studies to evaluate them. This resulted in an approach for the preparation of insider attack data for process mining analysis. Last, the thesis addresses the selection of an effective process model representation and visualization for process-oriented insider attack detection. It presents the approach for detecting insider attacks, introduces suitable process models, and assesses their effectiveness through a case study.