Rule Learning is carried out in the Knowledge Refinement System, which is a part of the Self-Adaptive Event Correlation module. It is in charge of testing the events happened in the system (mainly due to user’s interactions) and, according to the current set of Security Rules (derived from the Corporate Security Policies), making a decision on whether to ALLOW or DENY the user’s desired action.

This system will be able to improve the initial set of rules following the Rule Refinement process:

  • Initial Rules: They will be defined by the Chief Security Officer in the company, according to the Corporate Security Policies.
  • Data Mining: Will be performed on all the data gathered in the system, stored as events (user behaviour).
    • Classification → assign classes to new patterns.
    • Clustering → group similar patterns.
    • Feature Selection → remove less significant variables, non-effective for classification.
    • Data Visualization → show data information for a controller (CSO) in a visual way
  • Refinement: The set of security rules will be improved in order to better deal with the detected anomalous patterns or situations (in the Data Mining step).

Below is the architecture of the MUSES Knowledge Refinement System (MusKRS) component:

KRS

MUSES client gathers all user data related to a specific action and its context, and this information is stored in the server database. By using Data Mining techniques, the Knowledge Refinement System is able to process the data and extract as many features as the sensors in the client can provide. The stored information is, then, processed into what is called “patterns”, and the set of patterns is called a “dataset”. This dataset is therefore used to train a classification algorithm, which “learns” from the data and builds a model which is a set of rules to classify further incoming events. Thus, this is a useful way to obtain new rules from the events.

Furthermore, the first set of rules that the Data Miner obtains along with the existing set of security rules in the system are used as input of the Knowledge Compiler. It applies a type of Evolutionary Algorithm based methodology, which is Genetic Programming, taking then advantage of the “tree based” structure of a rule. This means that, the conditions of a rule are taken as the edges of a tree, and the consequences of the rule (final ALLOW or DENY) are the leaves. Thus, by applying Genetic Programming, the security rules are refined and presented to the Chief Security Officer of the company, who finally accepts them in case they result useful.

With respect to the Privacy Enhancing System, it is in charge of make sure that the storage of the data respects the hard limits, which themselves are the maximum amount of time that the data can remain in the system. This way, user privacy is always preserved.