A security event description of intelligent applications in edge-cloud environment

In traditional network environment, the attack topology of the network is usually obtained based on a graph traversal algorithm. It uses connection relationships to describe the process of the attack, thus completing the description of network security event. However, in the edge-cloud environment, the control logic and data forwarding of network devices are separated from each other. The control layer is responsible for the centralized management of network edge nodes. After acquiring the entire network topology, it can automatically generate a visualized network structure. This architecture extends traditional cloud computing architecture to the edge of the network, helping to handle some latency-sensitive service requirements, especially for most IoT applications. Therefore, security analysts can grasp the connection status of the devices on the entire network in the control domain. This network topology generation method based on the control layer information is directly and efficiently, which can greatly simplify the description of security events in the edge-cloud environment. At the same time, the separate structure also hides specific details of the underlying network device. Petri-net, as a formal description tool, can be used to describe such structure. Among existing security event description methods, the CORAS modeling tool has the advantages of graphical description, reusability and refinement description. And it also provides analysis guides to guide the operation steps. Based on the edge-cloud environment, this paper combines the advantages of CORAS modeling and analysis with Object-oriented Petri-net theory, and proposes a COP (CORAS-based Object-oriented Petri-net)-based Intelligent Applications security event description method. Experiments verify that this method is suitable for describing the complexity and dynamics of security events in edge cloud environment.


Introduction
Edge-Cloud computing is the product of ICT convergence, which can meet the development needs of future HD video, VR/AR, Industrial Internet and V2X business. In order to better understand the security events of the edge cloud network and evaluate network security from system perspective, a security event description method is needed.
The technology for describing network security events has become one of focus research fields in Edge Cloud. A command-level anomaly detection method with matrix and color is proposed to represent anomaly situation [1]. Such matrix-based description method is also used in fields such as IP address-based traffic description [2]. The description tool developed by Junlong Zhou implements dynamic resource descriptions with fault tolerance for data-intensive meteorological workflows in cloud [3]. There are many similar methods [4,5] that can help describe large-scale network security faults, such as worm attacks, DDoS attacks, and network scanning attacks. These methods can also describe network traffic on parallel coordinate planes, and realize attack visualization. Ref. [6] designed a method for describing the correlation among network security events. This method provides a security internal correlation through a ring-shaped relationship diagram to help analysts detect malicious behavior. With the increase of network complexity, rule-based vulnerability analysis technology is difficult to find potential penetration points in the network. In edge cloud networks, Ref. [7] explores a twostage locality-sensitive hashing-based approach for privacy-preserving mobile service recommendation in cross-platform edge environment. A strategy model is proposed to establish the connection between two devices. Ref [8] used CORAS framework to link prediction in paper citation network to construct paper correlated graph. The CORAS framework has the advantages of graphical description, good reusability, and fine description [9][10][11][12][13][14][15]. However, the formal description ability is insufficient. And the lack of dynamic analysis capabilities restricts its application in large-scale edge cloud network security analysis and evaluation.
In addition, most of the network topology are usually obtained based on the graph traversal algorithms, and the connection relationship is used to describe the occurrence of the attack. What's more, the description of the network security event is completed. In the edge cloud network, the control logic and data forwarding of network equipment are separated, and the control layer is responsible for the centralized management of network nodes. The control layer can obtain the entire network topology and use the entire network topology to automatically generate a visualized entire network structure. Security analysts can grasp the connection status of the entire network devices in the control domain. The method of network topology generation based on control layer information is directly and efficiently, which greatly simplifies the description of security events in edge cloud networks. At the same time, such a separated structure also allows the specific details of the underlying network equipment to be hidden, thereby forming an abstract, virtual, flat structure. As a formal description tool, Petri-net can be used to describe such structures [16][17][18][19][20]. Among existing security event description methods, CORAS modeling tools have the advantages of graphical description [21][22][23][24], good reusability, and finegrained description. They also provide analysis guides to guide operation steps.
So, based on the structure of the edge cloud network, this paper combines the advantages of CORAS modeling and analysis ideas with Object-oriented Petri-net theory, and then proposes a COP (CORAS-based Objectoriented Petri-net) security event description method to model the complexity and dynamics of intelligent applications security events.

Security risk assessment methods
(1) Attack Trees Analysis (ATA). ATA is an analytical method for exploiting system weaknesses from the perspective of an attacker [25]. It uses the tree structure to describe the possible attacks on the system. Because most risk assessment methods need to make assumptions based on existing information, the accuracy of the assessment will be limited by the accuracy of the hypothesis. To ensure the best results, the conclusions drawn from the attack tree analysis need to be compared to other analysis results or assessed by experts. However, building a 100% accurate attack tree model is almost impossible. And this step will greatly increase the complexity of the method. The evaluator needs to know the extent of the assessment and make the attack tree model good enough. In order to prevent this step from consuming too many resources, the following three conditions need to be considered: a. Defender's system has vulnerabilities. b. Attackers need to have enough ability to exploit these vulnerabilities. c. The expected benefit is the motivation for the attack, and the attacker can gain benefits by attacking.
The main advantage of ATA is that it can be easily rewritten according to the needs and characteristics of the organization. This method can also conclude which attacks are most likely to occur in terms of the entire system. From a certain perspective, security is not a result but a process, and ATA can form a basic understanding of this process.
(2) Failure Tree Analysis (FTA). FTA is a top-down assessment method. It uses a tree diagram to organically link system security failures to internal failures. In the fault tree, the root node indicates a fault, and the leaf node indicates an event that may cause a fault. Different layers are linked by logic gate symbols and the upper layer probability is calculated according to the underlying probability. However, the fault tree cannot analyze the hazards and risks caused by the fault time, so it can only be used as a method of some parts in the risk analysis. (1) Failure Mode Effect and Criticality Analysis (FMECA). FMECA is a single component failure mode analysis and hazard analysis tool. Its purpose is to reduce the possibility of failure and improve the reliability of system operation [26]. FMECA is a bottom-up approach that identifies faults in the form of a discussion and records the results in a table. The disadvantage of this approach is that there are too many limitations in a single unit, ignoring the connections and commonalities between the units.
(2) Hazard and Operability Study (HAZOP). HAZOP is a structured inspection method for potential hazards of the system. It uses structured checks to determine the abnormal operation of the system from normal design. And the purpose of this method is to identify threats. The HAZOP analysis is conducted in the form of a discussion, and the analyst uses a variety of analysis techniques to collect system information into the document as an input to the analysis. In the analysis process, some system-related questions are used to form special guidance words to help improve the comprehensiveness of the analysis. This not only ensures the analysis results are consistent with the characteristics of the system, but also adds extra information.
The analysis results are saved in a table format. (3) Petri-net. Petri-net is a graphical modeling tool based on mathematical theory. Petri-net can automatically control the state of the system by changing the state of the token in the system to describe a dynamic complex system. It is commonly used in the field of security analysis to analyze security threats transmitted through the system. (4) Analytic Hierarchy Process (AHP). AHP uses a hierarchical approach to quantify empirical judgments and form quantitative decision values. However, this method is subject to human factors, and there are fluctuations between various indicators and lack of consistency.
The traditional method lacks comprehensive considerations for security risk technology and management. A single assessment method cannot objectively and accurately reflect the security status of complex information security system engineering. This comes to analysis comprehensive security risk assessment methods. Comprehensive risk assessment methods have a set of implementation steps and theoretical systems, and their solutions for risk assessment are more comprehensive than traditional risk assessment methods. They may contain some traditional analytical methods. However, in addition to these, they generally follow certain security standards and also provide solutions to systemic risks.
(1) CCTA Risk Analysis and Management Method (CRAMM). CRAMM is a security service framework system proposed by the British government. It is an automated qualitative assessment method, but in order to achieve good results, experts need to participate in the assessment. The purpose of this method is to assess the security of related information systems and networks. To achieve the goal, the method focuses on three aspects: (1) Identify assessment assets.
(2) Identify threats and vulnerabilities and calculate risks. (3) Identify and give countermeasures according to priority. (2) Operationally Critical Treat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE is a method developed by Carnegie Mellon University to define the security risks of assessing information within a system organization. This approach provides a new approach to information security for large organizations. OCTAVE enables organizations to view security issues from a risk-based perspective and describe the technology in a commercial perspective. OCTAVE Allegro is a new version that was published in 2007. This version is based on the two previous versions, OCTAVE Original (1999) and OCTAVE-S.
OCTAVE Allegro focuses on information assets. One of the advantages of using OCTAVE Allegro is that it can be conducted in the form of a seminar. It provides the required collaborative environment, the necessary guides, work forms and questionnaires. All of the abovementioned content is free. OCTAVE Allegro consists of four stages and eight steps. The results of each step are recorded by the worksheet and used as input for the next step.
(3) Consultative Objective and Bi-functional Risk Analysis (COBRA). COBRA is a risk analysis method created by C&A. COBRA aims to provide organizations with a way to self-assess their own information technology without additional consultants. COBRA follows the guidance of ISO 17799 and its risk assessment process includes two aspects. One is COBRA Risk Consultant, and the other one is ISO Compliance.
COBRA Risk Consultant is a questionnaire-based computer program that contains a number of standardized questions to gather information about asset types, vulnerabilities, threats, etc. This approach generates appropriate recommendations and solutions by evaluating relevant threats. COBRA Risk Consultant is designed based on self-assessment, which can be used without relevant knowledge and without expert involvement. The reports generated by COBRA Risk Consultant are professional business reports that can be read by security professionals or non-professionals. ISO Compliance contains standard questions related to the broad categories specified in the ISO 17799 standard.

(4) Control Objectives for Information and related
Technology (COBIT). COBIT is proposed by ISAKA. It is the most internationally recognized and most authoritative standard for security and information technology management and control. And It has been developed to COBIT 5. There is no unified evaluation system for security risk assessment methods. This paper presents a simple assessment framework for comparing the various methods described above. The framework evaluates the above methods from the eight aspects: data requirement (DR), tool support (TS), operability(O), application cost (AC), application range (AR), method type (MT), policy assurance (PA) and support organization (SO). This helps relevant organizations to select appropriate security risk assessment methods based on their needs. Table 1 shows the comparison results.

Component-based CORAS and petri-net
CORAS is a modeling analysis description method formed by combining some security analysis technologies (such as HazOp, FTA, FMEA, etc.) and system development technologies (such as UML) [27]. CORAS is a graphical and model-based method that has the following advantages: (1) CORAS can provide a precise description of the target system. Its syntax and all related security features are easy to use; (2) The graphical representation of CORAS information enhances the communication and interaction of each participant in the analysis; (3) CORAS facilitates the documentation of risk assessment assumptions and assessment results.
CORAS can be divided into three different components: (1) The CORAS Risk Modeling Language: This part includes the graphical grammar, textual grammar of the CORAS icon and related semantics; (2) The CORAS Method: This part includes a step-bystep description of the safety analysis process and a guide to constructing a CORAS chart; (3) The CORAS Tool: This part includes tools for documenting, maintaining, and reporting the results of risk analysis.
In addition to including descriptions and analytical methods, the CORAS approach also takes into account international standards for risk management, such as the Australian/New Zealand Standard for Risk Management, AS/NZS 4360:2004, ISO/IEC 17799, ISO/IEC 13335, the ISO Reference Model for Open Distributed Processing, and so on.
CORAS has gradually started to develop toward component-based risk analysis [18]. Component-based refers to a way of thinking or development rather than a specific technology. At its core, for complex system analysis tasks, reusable components should be utilized to reduce the workload, rather than analyzing from scratch. It contains development techniques including syntax, rules, and implementation guidelines for specifying the behavior and system architecture of components. This standardizes the incremental analysis of the system. A simple example is given below to illustrate how component-based CORAS describes and analyzes

Security
Events. An example of modeling and analysis of a threat scenario is shown in Fig. 1.
Hackers have grasped the fragile point that the player can directly play files. By sending tampered music files, the media player buffer overflow vulnerability is used to threaten user-related media assets. When the receive file operation is invoked, the channel interface calls the tampered music file from the interface of the media player. Once the file is played, it will use a buffer overflow vulnerability to overwrite the pointer address to point to malicious code, threatening the user's assets. In the above threat scenarios, scenarios, risks, and threat assets are defined as individual component objects. The description of the entire Security Event is done by connecting the calling relationships of the interfaces between the objects. The entire description process is very clear and concise, which helps participants involved in the risk analysis and evaluation to understand and communicate the entire event. At the same time, related scenes are also very convenient for documenting preservation. If a new threat scenario is created, the entire modeled part is not necessary to make major changes, so the reusability of the model is also guaranteed. However, from the above examples, CORAS can also be found to have shortcomings such as insufficient formal description ability, excessive subjectivity, and insufficient dynamic analysis capability.
Petri-net is a graphical description method based on mathematical theory. It is a special directed graph consisting of the "place", "transition" and "connection" relationship. And it uses Token to describe the state changes in the graph. The basic Petri-net is defined as following: Definition 1 Basic Petri-net is a triple: Where: (1) P is a finite set of spaces that represent the state of the system; T is a finite set of transitions that represent changes in behavior; (2) P ∪ T ≠ , P ∩ T = ;  (3) F ⊆ (P × T) ∪ (T × P) is a Solitary Sets. It is the "connection" relationship of Petri-net, connecting places and transitions; Place sets and transition sets are the basic building blocks of a petri. Connection relationships are constructed from these two sets. Each place represents a storage location for a resource. Transition is based on voluntary connection and is governed by connection relationships. Therefore, transition can only be directly related to the place: This means that there are no resources that do not participate in any "transitions" and no "transition" that cause resource "connection".
The Petri-net model unifies graphics and semantics. Its expression is intuitive and its content structure is rigorous. It is easy to describe the relationship of system connection. Petr-net is ideally suited to describe the characteristics of various real-time, dynamic cyberattacks for risk description and analysis.
Combining the advantages of CORAS modeling and analysis ideas with the Object-oriented Petri-net theory, this paper proposes a COP (CORAS-based Objectoriented Petri-net) security event description method in an edge cloud environment. This method is suitable for modeling and describing the complexity and dynamics of network security events.

COP modeling method
Definition 2 COP is a security event description process that defines it as a triple: where, (1) SP = {sp 1 , sp 2 , …, sp n } is a sub-process of the COP evaluation process, which can be regarded as a special place; (2) OG = {og 1 , og 2 , …, og n } is a collection of Outer Gate Transitions between sub-processes. In order to comply with the description of COP, this paper extends the transition T to G. G can be regarded as a special gate transition, and this transition has the characteristic of gate. This paper introduces two different gate transitions, as shown in Fig. 2:  (3) OF = {of 1 , of 2 , …, of n }is a collection of all Outer Flows outside the sub-process, corresponding to the dependencies between the subprocesses.

Definition 3
The COP sub-process sp i is internally defined as a triple: where, (1) P = {p 1 , p 2 , …, p n } is a collection of all the places in the sub-process sp i ; Message passing between objects is triggered by the transition which is in the connection message.
In the description of modeling using the COP method, the COP model of each object is given first. Secondly, the message input and output interface are defined according to the connection relationship between the objects. Then connect the interfaces according to the connection relationship and initialize the COP model. Finally, a COP analysis is performed. The COP modeling steps are shown in Fig. 3.
The COP model initialization algorithm is as follows: Conversion rules: (1) Each method in each class is represented by a pair of places. Given a method M, a token in its input place indicates that M has been called; a token in its output place indicates that M has completed execution.  corresponding to the services provided by the class (ie, methods of the class) have been added in the conversion of the class in step (1), and the places corresponding to the requested service must also be added. The transformation of the CORAS model to the COP model has changed the deficiencies of traditional methods. The above rules enable the CORAS model to fully describe the concurrency, synchronization, and conflict situations of security events in the edge cloud system.

Experimental cases and analysis
Different from the distributed management of traditional network devices, the unified management of the control layer in the edge cloud network will cause new threats. DDoS attacks against network controllers is an example [5]. In order to verify the feasibility and effectiveness based on COP, this paper uses SDN technology to build a simulation environment as shown in Fig. 4. The paper carried out the DoS attack simulation and described the security events triggered. The device layer includes multiple Edge-hosts, OpenFlow switches, controllers, and application servers. The control layer uses Floodlight as the SDN controller. The application layer runs a security application. The simulation software is MININET.
Common DOS attacks include ICMP packet attacks and TCP request attacks. These two attacks achieve the effect of denial of service attacks by consuming bandwidth resources and link resources in the network. The data packet transmission information in the experiment is shown in Table 2. After the request, the stream data that is not matched by the OFS flow table will be packaged and delivered to Floodlight. After the Floodlight identifies the packet, it passes the packet to the application layer security application for processing. The security app sends the specified protection policy to Floodlight. Floodlight will send the corresponding new flow table and settings to OFS. Finally, the OFS processes the packet according to the new command. The experiment collects the link bandwidth occupancy rate (lbor: link bandwidth occupancy rate), the client packet transmission rate (psps: package send per second), and the server-side packet reception rate (prps: package received per second) as statistical indicators.
The statistical indicator includes the Cloud packet reception frequency prps. This frequency response corresponds to the attack strength and credibility of the attack. The greater the number of attacks, the more  likely the attack is to be a real intrusion. A gate threshold value ε, which is dynamically adjusted by the application layer security application, can be set as a reference value for the number of alarms, whereby the probability λ of occurrence of a certain attack can be calculated.
For an attack, when the data is less than the set gate threshold ε i , the probability value λ i of the attack is represented by prps i ε i . When the threshold ε i is exceeded, the probability value λ i of the attack is considered to be 1.
It is also possible to divide the transmission frequency prps i into different intervals according to the provisions of GB20984-2007 as the basis for the attack threat assignment. The division between intervals can be divided into non-equal divisions, as shown in Table 3. In this way, the probability λ of an attack occurring is calculated.
The experiment uses the first attack probability calculation method as the evaluation basis. First, Edge-host 1 sends ICMP packets at a lower frequency. Edge-host 3 and Edge-host 4 send TCP packets at a lower frequency. Edge-host 2 sends ICMP packets at increasing frequency until it occupies all of the link bandwidth and then drops to normal. Edge-host 4 then sends TCP packets with increasing frequency until it occupies all of the link bandwidth and then drops to normal. The Cloud link bandwidth occupancy, Edge-host packet transmission frequency, and Cloud packet reception frequency in the experiment are shown in Fig.5, Fig.6 and Fig.7.
It can be seen that as the two DoS attacks progress, the bandwidth is heavily occupied, normal traffic cannot be sent, and the connection cannot be established. We choose the 27th second, as shown in Fig. 8, as the time point to analyze the experiment result. In the figure, the red horizontal line is the gate threshold value ε, and the red vertical line is the 27th second of the experiment. Assume that both the ICMP gate threshold ε 1 and the ε 2 of TCP are 40% of the bandwidth occupied by the Cloud packet. Table 4 lists the data on the likelihood of an attack occurring at the red vertical dashed line.

Attack scene COP modeling definition
The moment is modeled and analyzed according to the COP modeling step. The process is as follows: The moment contains five sub-processes, in which Edge-host 1~E dge-host 4 are recorded as potential attack initiators as sub-process sp 1~s p 4 . Two different potential attack behaviors ICMP and TCP belong to two different  sub-processes sp 5 and sp 6 . The attacked server is the target Recorded as sub-process sp 7 .
(1) Initialize the COP network, assign Ф; (2) New a sub-process sp 1 . sp 1 does not have a library and transitions that need to be described in detail. The modeling results are shown in Fig.9:

COP method analysis
In the qualitative description, we want to know the type of attack, rather than the specific attack details, so we can compress the sub-process. This kind of sub-flow is independently scaled. The describing way of the details like packing up and opening is completed. The description of different refinement levels is realized. The subprocesses that have completed the analysis at the same time can be saved independently as the analysis results. Portions of the same analysis content encountered in    other analyses can be directly replaced to achieve reuse of the model. The qualitative results are shown in Fig.10. It can be clearly seen that sp 1~s p 4 initiates two different attacks sp 5 and sp 6 against sp 7 . The results of each attack analysis can be saved separately to implement model reuse. The attack process can be scaled independently to achieve a different level of description.
In the quantitative description, the analysis can be performed based on the connection relationship in the COP network. Suppose that the risk of an object being attacked is F. From the definition of COP, it can be seen that in the case of AND gate transition, the value of F is determined by the sum of the possibility of initiating attack precondition. In the case of an OR gate transition, the value of F is determined by the maximum probability of initiating an attack precondition. Bring the possibility of potential attack at this moment in Table 3 to Fig.9. The possibility of each attack content and attack type is shown in Fig.11.
According to the definition, the risk value of the possible attack node sp 7 is calculated as follows: The overall risk value of node sp 7 is 0.997. In this way, the risk value of the attacked party can be calculated, and the dynamic quantitative analysis can be further implemented by modifying the set gate threshold.  Assuming that the probability of attack to be analyzed exceeds 0.6, the new COP model is shown in Fig.12: Among them, ig 51 , og 3 degenerates into a normal gate transition. At this time, the risk value of sp 7 is: Once it is detected that the actual risk value of the relevant asset exceeds the acceptable risk value (assumed to be 0.5), the application-level security application performs the flow table update according to the set rules. Then, depending on the magnitude of the risk value, a new forwarding path can be set to offload, limit or block certain stream data. In the experiment, if the gate threshold is exceeded, the forwarding request of the relevant network segment is discarded, and the stream data is discarded. After setting the rules, the Cloud link bandwidth occupancy, Edge-host packet transmission frequency, and Cloud packet reception frequency are shown in Fig.13, Fig.14, and Fig.15. It can be seen that in the case where the transmission packet law is unchanged in the simulation network, the transmission source with the attack intention is blocked, the link occupancy rate of the Cloud end is significantly reduced, and the normal service is guaranteed.
Braendeland G et al. used the EBNF paradigm to describe CORAS and use the paradigm to calculate the probability of security risk based on the description results [28]. However, this method fails to take advantage of the graphical description of CORAS. And the safety risk probability calculation method is mainly through static evaluation by experts, so the evaluation results are not objective enough. COP inherits CORAS's graphical description, reusability and refined description of the advantages, and uses Object-oriented Petri-net to increase the advantages of formal description, scalability and dynamic verification. At the same time, the data source of CORAS quantitative analysis is transformed from subjective expert evaluation into objective scanning analysis, which reduces the human factors in the analysis process and makes the results more reliable.

Conclusion
This paper combines a model-based static Security Event modeling description method CORAS and Objectoriented Petri-net, and proposes a COP-based security risk modeling method. Compared with the existing model-based methods, the proposed COP model not only inherits the existing model's extensibility, reusability, and refinement description, but also enhances the formal description and dynamic analysis capabilities. In the edge-cloud environment, the COP description of the entire network in the control domain can be directly generated based on the control layer information, and its efficiency is far superior to the topology discovery technology in the traditional network. The attack simulation experiment proves that COP can effectively describe the cloud environment security incidents, and can further carry out risk strategy response based on the description results.