Architecting the OpenSearch service at CERN

The centralised Elasticsearch service has been running at CERN since 2016, providing the search and analytics engine for numerous CERN users. The service has been based on the open-source version of Elasticsearch, surrounded by a set of external open-source plugins offering security, multitenancy, extra visualization types, and more. In October 2020, CERN embarked on an evaluation of OpenDistro for Elasticsearch, an alternative solution that used a different set of modules while retaining the core of open-source Elasticsearch. Notably, OpenDistro offered the advantage of bundling all components together, simplifying the deployment of new versions. This evaluation gained increased significance following a license change imposed by Elastic, the original creators of Elasticsearch. Consequently, the OpenDistro project was rebranded, now based on a forked version of Elasticsearch, called OpenSearch. Motivated by the license change and the streamlined deployment of the featurerich OpenSearch project as a fully open-source environment, the decision was taken to migrate the service at CERN towards it. The migration required a complete architectural redesign to accommodate the new modules while upholding the established standards of resource efficiency. The new service not only introduced a wide range of additional capabilities but also resolved longstanding maintainability issues while meeting the growing demands of various use-cases. At the time of writing, CERN’s service comprises 42 OpenSearch and 41 OpenDistro clusters in active production, plus 28 OpenSearch development clusters. This article covers the motivation, design, and implementation of this transition, highlighting the challenges encountered throughout the process

Privacy-Preserving Passive DNS

The Domain Name System (DNS) was created to resolve the IP addresses of web servers to easily remembered names. When it was initially created, security was not a major concern; nowadays, this lack of inherent security and trust has exposed the global DNS infrastructure to malicious actors. The passive DNS data collection process creates a database containing various DNS data elements, some of which are personal and need to be protected to preserve the privacy of the end users. To this end, we propose the use of distributed ledger technology. We use Hyperledger Fabric to create a permissioned blockchain, which only authorized entities can access. The proposed solution supports queries for storing and retrieving data from the blockchain ledger, allowing the use of the passive DNS database for further analysis, e.g., for the identification of malicious domain names. Additionally, it effectively protects the DNS personal data from unauthorized entities, including the administrators that can act as potential malicious insiders, and allows only the data owners to perform queries over these data. We evaluated our proposed solution by creating a proof-of-concept experimental setup that passively collects DNS data from a network and then uses the distributed ledger technology to store the data in an immutable ledger, thus providing a full historical overview of all the records

A Privacy-Preserving Healthcare Framework Using Hyperledger Fabric

Electronic health record (EHR) management systems require the adoption of effective technologies when health information is being exchanged. Current management approaches often face risks that may expose medical record storage solutions to common security attack vectors. However, healthcare-oriented blockchain solutions can provide a decentralized, anonymous and secure EHR handling approach. This paper presents PREHEALTH, a privacy-preserving EHR management solution that uses distributed ledger technology and an Identity Mixer (Idemix). The paper describes a proof-of-concept implementation that uses the Hyperledger Fabric's permissioned blockchain framework. The proposed solution is able to store patient records effectively whilst providing anonymity and unlinkability. Experimental performance evaluation results demonstrate the scheme's efficiency and feasibility for real-world scale deployment

Investigating Machine Learning Attacks on Financial Time Series Models

Machine learning and Artificial Intelligence (AI) already support human decision-making and complement professional roles, and are expected in the future to be sufficiently trusted to make autonomous decisions. To trust AI systems with such tasks, a high degree of confidence in their behaviour is needed. However, such systems can make drastically different decisions if the input data is modified, in a way that would be imperceptible to humans. The field of Adversarial Machine Learning studies how this feature could be exploited by an attacker and the countermeasures to defend against them. This work examines the Fast Gradient Signed Method (FGSM) attack, a novel Single Value attack and the Label Flip attack on a trending architecture, namely a 1-Dimensional Convolutional Neural Network model used for time series classification. The results show that the architecture was susceptible to these attacks and that, in their face, the classifier accuracy was significantly impacted

Control Requirements for Optimal Operation of Large Isolated Systems with Increased Wind Power Penetration

International audienceIncreased penetration of wind power in isolated systems may cause steady state and dynamic security problems in case of various disturbances. In this paper, initial results of studies of large systems with high wind penetration are presented, revealing their control requirements in order to increase renewables, while maintaining a high level of security of operation