Slide 1. Wireless Sensor Data Fusion for Critical Infrastructure Security
F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola
International Workshop on Computational Intelligence in Security for Information Systems, CISIS ’08, October 23-24, 2008, Genova, Italy
Andrea Gaglione
  Department of Computer Science and Systems, University of Naples “Federico II”, Via Claudio 21, 80125 Naples, Italy
    Tel.: 081 768 3869 – Fax: 081 768 3816, Email: andrea.gaglione@unina.it, Web: http://wpage.unina.it/andrea.gaglione
  AnsaldoSTS, Business Innovation Unit, Via Nuova delle Brecce, 260, 80147 Naples, Italy
    Tel.: 081 243 2695, Email: gaglione.andrea@asf.ansaldo.it
Slide 2. Outline
  - Contextualization and scope of the work
  - Architectural proposal of the framework
  - An example application
  - Conclusions and future works
  (CISIS ‘08 - Genoa (Italy), October 23-24, 2008)
Slide 3. Critical Infrastructure Protection
  Sectors: Transportation, Government, Banking, Energy and utilities, Health
Slide 4. CIP event cycle
  - Pre-Event: Analysis and assessment, Remediation, Indications and warning
  - Event: Mitigation, Response
  - Post-Event: Reconstitution
  (figure: a threat route with sensing points placed along it)
  Basic idea: attack scenarios are made of a set of basic steps
Slide 5. Motivation and proposal
  - Integration of data coming from different sensor systems (also Wireless Sensor Networks)
  - On-line reasoning about the events captured by sensor systems
  Decision support and early warning system used to effectively face security threats by exploiting the advantages of WSN
Slide 6. The SeNsIM framework
  - Sensor Networks Integration and Management
  - Solves the heterogeneity issue
  - Ensures system scalability
  - Shows a unified view of different networks
  - Wrapper-mediator paradigm
      - a wrapper gathers the features of the underlying network and retrieves sensor data
      - the mediator keeps a repository of connected networks and manages user queries and the related results, which are stored in an appropriate DB table
  …XML as modeling language
Slide 7. The DETECT framework 1/2
  - Decision Triggering Event Composer & Tracker
  - Model-based (Event Trees formalism) logical and temporal correlation of basic events detected by intelligent video-surveillance and/or sensor networks
  - Attack scenarios are described with a specific Event Description Language (EDL)
  - Language operators:
      - OR: E1 OR E2 occurs when at least one of its components (E1, E2) occurs
      - AND: E1 AND E2 occurs when both of its components occur
      - ANY: ANY(m, E1, E2, …, En), m<=n, occurs when m out of the n distinct events specified in the expression occur
      - SEQ: E1 SEQ E2 occurs when E2 occurs provided that E1 has already occurred
Slide 8. The DETECT framework 2/2
  - Early warning of complex attack scenarios since their first evolution steps
  - Output of DETECT:
      - identifier(s) of the suspected scenario
      - alarm level, associated to scenario evolution
  - Possible integration with SMS/SCADA systems
  (figure: the DETECT Engine reads the Scenario Repository and the Event History and outputs the detected attack scenario with its alarm level (1, 2, 3, ...))
Slide 9. Overall system architecture
  - Integration of SeNsIM and DETECT in order to obtain an online reasoning about the events captured by different WSNs
  - Sharing of the Event History DB
  - Overall system GUI
      - Editing attack scenarios
      - Building user queries
Slide 10. Software integration
  - Sub-modules involved in the integration
      - Query Builder allows the user to build queries
      - Scenario Window to edit threats
  - Shared Event History
      - Written by the Result Handler
      - Read by the Model Feeder
Slide 11. Example application scenario 1/2
  - Terrorist attack on a railway line
      - Multiple train halting and railway bridge bombing
      - Artificial occupation of the track circuits before and after a bridge
      - Interruption of the railway power line
      - Remote bombing of the bridge
  - Formal description of the scenario
      Notation: sensor description (sensor ID) :: event description (event ID)
      - Fence vibration detector (S1) :: Possible on track intrusion (E1)
      - On track circuit_X sensor (S2) :: Occupation (E2)
      - Lineside train detector (S3) :: No train detected (E3)
      - On track circuit_Y sensor (S4) :: Occupation (E4)
      - Lineside train detector (S5) :: No train detected (E5)
      - Voltmeter (S6) :: No power (E6)
      - On-shaft accelerometer (S7) :: Structural movement (E7)
Slide 12. Example application scenario 2/2
  - EDL description of the scenario:
      (((E1 SEQ ((E2 AND E3) OR (E4 AND E5))) OR ((E2 AND E3) AND (E4 AND E5))) SEQ E6) SEQ E7
  - Alert levels and countermeasures:
      Event detected                                        Alert level   Possible countermeasure
      Possible on track intrusion                           1             Alert the security officer
      Artificial occupation of one or both track circuits   2             Trigger an emergency stop message
      Railway power line off                                3             If possible, switch on back-up power supply
      Complete scenario                                     4             Emergency call to first responder
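To make the EDL operator semantics of slide 7 and the railway scenario of slide 12 concrete, here is an added example that is not the DETECT project's own code: a small Python evaluator that treats the shared Event History as an ordered list of event IDs, implements OR/AND/ANY/SEQ as defined on slide 7, and maps the nested stages of the slide-12 expression to the alert levels of its table. The event histories and the stage-to-level mapping are assumptions made for illustration.

```python
# Minimal evaluator for DETECT-style EDL expressions (added example, not DETECT code).
# An expression is either a basic event ID ("E1") or a tuple:
#   ("OR", e1, e2, ...), ("AND", e1, e2, ...), ("ANY", m, e1, ..., en), ("SEQ", e1, e2)
# The event history is an ordered list of event IDs; an index in that list is the "time".

def occurs(expr, history, start=0):
    """Return the history index at which `expr` is completed, considering only
    events at positions >= start, or None if it has not occurred."""
    if isinstance(expr, str):                       # basic event: first occurrence
        for i in range(start, len(history)):
            if history[i] == expr:
                return i
        return None
    op = expr[0]
    if op == "OR":                                  # at least one component occurs
        times = [t for t in (occurs(e, history, start) for e in expr[1:]) if t is not None]
        return min(times) if times else None
    if op == "AND":                                 # all components, in any order
        times = [occurs(e, history, start) for e in expr[1:]]
        return None if any(t is None for t in times) else max(times)
    if op == "ANY":                                 # m out of n distinct components
        m = expr[1]
        times = sorted(t for t in (occurs(e, history, start) for e in expr[2:]) if t is not None)
        return times[m - 1] if len(times) >= m else None
    if op == "SEQ":                                 # second part only counts after the first
        t1 = occurs(expr[1], history, start)
        return None if t1 is None else occurs(expr[2], history, t1 + 1)
    raise ValueError("unknown EDL operator: %r" % (op,))

# Slide 12 scenario, split into the stages the alert table refers to (our assumption).
OCCUPATION = ("OR", ("SEQ", "E1", ("OR", ("AND", "E2", "E3"), ("AND", "E4", "E5"))),
                    ("AND", ("AND", "E2", "E3"), ("AND", "E4", "E5")))
POWER_OFF = ("SEQ", OCCUPATION, "E6")
SCENARIO = ("SEQ", POWER_OFF, "E7")
STAGES = [(1, "E1"), (2, OCCUPATION), (3, POWER_OFF), (4, SCENARIO)]

def alert_level(history):
    """Highest alert level whose stage expression has occurred in the history."""
    return max((lvl for lvl, expr in STAGES if occurs(expr, history) is not None), default=0)

if __name__ == "__main__":
    # Constructed event histories: one complete attack, one where the power loss
    # precedes the occupation (so SEQ does not fire) and one with both circuits occupied.
    for h in (["E1", "E2", "E3", "E6", "E7"], ["E6", "E1", "E2", "E3"], ["E2", "E3", "E4", "E5"]):
        print(h, "-> alert level", alert_level(h))
```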
Slide 13. Conclusions and future works
  - We provided an architectural proposal of a framework which:
      - Collects data from heterogeneous sources
      - Correlates such data in order to enhance the protection of a critical infrastructure
  - We described an example application of the framework to the case study of a railway transportation system
  - We are currently developing the missing modules of the software system
  - Next step: interfacing the framework with a real SMS
Slide 14. THE END
  Thank you for your kind attention …any questions?