In particular, the users can do several operations related to the quotation service, and the probe has the goal to track all of these actions and store them in the FINSEC data layer as FINSTIX objects. Two different malicious actions have been identified, which can be detected:

• Scenario 1: Continuous recalculation of the bills fee with modification of the guarantees: the online platform for insurance price calculation could be used by HDI agents or other users in normal or malicious way. The normal behaviour envisages that a user can recalculate the insurance price many times, by changing some choices in insurance coverings and options. However, some fields (sensitive data) should not be changed to obtain more advantageous conditions.
• Scenario 2: Excessive requests to the ANIA license plate database: this scenario will be based on online price requests for car insurance. The ANIA insurance authority database is used by HDI agents to get information about cars from their license plate, and this can be done in authorized or unauthorized ways (e.g., to get personal information about cars and their owners, for commercial purposes).

In both of these attack scenarios, the probe will perform a first step of analysis of the operations logs, by aggregating the data.

The high-level architecture of this probe is based on some software modules, namely HDI’s remote application where the insurance agent launches requests for price quotation and an internal application generating the log report for what the HDI part is concerned. The FINSEC side of the probe is composed by the log reader exposing the API mentioned in the following paragraph, which generates both raw and aggregate x-events, and pushes them into the FINSEC Data Layer. These x-events will be processed by FINSEC Service Tier, in particular by Predictive Analytics and Anomaly Detection services. The Figure below shows a schematic representation of the high-level architecture.