Report Open Access

Gotham Remote Logins Monitoring System

Dhar, Mrinal; Brillault, Vincent


Citation Style Language JSON Export

{
  "publisher": "Zenodo", 
  "DOI": "10.5281/zenodo.155316", 
  "title": "Gotham Remote Logins Monitoring System", 
  "issued": {
    "date-parts": [
      [
        2016, 
        9, 
        26
      ]
    ]
  }, 
  "abstract": "<p>Project Specification</p>\n\n<p>In order to detect abused credentials, CERN is running a remote login monitoring system,\u00a0called Gotham.\u00a0This systems compares,\u00a0for each user, the location of remote logins with the user\u2019s past\u00a0behaviour, notifying them of any new location.\u00a0Unfortunately, the design and code used\u00a0by this system is outdated and requires a complete rewrite.</p>\n\n<p>The requirements of this projects are:</p>\n\n<p>\uf0b7 Build a system with the same features as the existing one, but without any\u00a0dependency on old CERN libraries (e.g. perl-LC), which would include:</p>\n\n<p>\u25e6 Pulling data from a login database (running an hourly cron-job)</p>\n\n<p>\u25e6 Enriching the data with geolocation and domains</p>\n\n<p>\u25e6 Support for whitelisting, in particular for CERN IPs</p>\n\n<p>\u25e6 Maintaining a \u2018known location\u2019 database</p>\n\n<p>\uf0b7 Build a Command Line Interface (CLI) for administrator to manually list or\u00a0remove locations for users</p>\n\n<p>\uf0b7 Add support for IPv6 (currently unsupported)</p>\n\n<p>\uf0b7 Design a new system running in real-time streaming mode (instead of using an\u00a0hourly cron-job) by running the code in an Apache\u00a0Spark (http://spark.apache.org/)\u00a0cluster and pulling data from Apache Kafka (http://kafka.apache.org/). Special care\u00a0should\u00a0be taken to ensure that no data is lost in case of crashes.</p>\n\n<p>In addition, extensions of this project can be considered:</p>\n\n<p>\uf0b7 A SSO-enabled web front-end, allowing CERN users (and the CERN Computer\u00a0Security Team) to review their known login locations.</p>\n\n<p>\uf0b7 Reviewing the current location definition and evaluate alternatives.\u00a0For example using \u2018ISPs\u2019 instead of \u2018Organisations\u2019, using\u00a0\u2018City\u2019 geolocalization,\u00a0etc</p>\n\n<p>Abstract</p>\n\n<p>This project aims to completely rewrite the Gotham Remote Logins Monitoring System\u00a0currently in use at CERN. The existing\u00a0system has been written in Perl, and it makes use\u00a0of some really old CERN libraries that make the system difficult to\u00a0maintain.\u00a0Python is a modern, widely used, high-level, interpreted programming language and, as a\u00a0result, was chosen as the\u00a0programming language for this project. There are a number of\u00a0well-maintained open source libraries in Python that have been\u00a0used for the purposes of\u00a0this project,drastically decreasing the chances of security flaws in the libraries and thus\u00a0simplifying the project maintenance.\u00a0Apart from the equivalent functionality that was achieved with respect to the earlier\u00a0version of Gotham, a\u00a0number of new features have been added, like real-time processing\u00a0of input login streams, a web based frontend to be integrated\u00a0with the central account\u00a0management page at CERN, a REST API for accessing previous login information by\u00a0other applications.</p>", 
  "author": [
    {
      "family": "Dhar, Mrinal"
    }, 
    {
      "family": "Brillault, Vincent"
    }
  ], 
  "type": "article", 
  "id": "155316"
}