Esrel08 Final

Uploaded on


More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola DETECT: a novel framework for the detection of attacks to critical infrastructures presented by Andrea Gaglione Dipartimento di Informatica e Sistemistica Università di Napoli “Federico II” Via Claudio 21, 80125 Napoli Email: [email_address] Web: European Safety & Reliability Conference, ESREL’08 22-25 September 2008 , Valencia, Spain
  • 2. Outline
    • Contextualization and scope of the work
    • EDL (Event Description Language)
    • DETECT architecture and an example scenario
    • Conclusions and future works
  • 3. Critical Infrastructure Protection Transportation Banking Energy and utilities Government Health
  • 4. CIP event cycle
    • … our work
    • Realization of the DETECT framework which
      • receives inputs coming from sensor systems
      • co rrelates the inputs for detection of threats
    Analysis and assessment Remediation Indications and warning Mitigation Response Reconstitution Pre-Event Post-Event
    • The phases build on one another
    • Comprehensive solution for infrastructure assurance
  • 5. The DETECT approach
    • Model-based logical and temporal correlation
    • of basic events detected by intelligent
    • video-surveillance and/or sensor networks
    • Early warning of complex attack scenarios
    • since their first evolution steps
    • Output of DETECT:
      • identifier(s) of the suspected scenario
      • alarm level, associated to scenario evolution
    • Possible integration with SMS/SCADA systems
    DETECT Engine Alarm level (1, 2, 3, ...) Detected attack scenario Event History Scenario Repository
  • 6. The Event Description Language (EDL)
    • Event: happening that occurs (in a system) at some location and at some point in time
    Primitive Event: condition on a specific sensor Composite Event: combination of primitive events defined by means of proper operators Chakravarthy, S. & Mishra, D. 1994. Snoop: An expressive event specification language for active databases. Data Knowl. Eng. , Vol. 14, No. 1, pp. 1–26.
    • Operators
      • OR: E1 OR E2  occurs when at least one of its components (E1, E2) occurs
      • AND : E1 AND E2  occur when both of its component occurr
      • ANY: ANY(m, E1, E2, …, En), m<=n  occur when m out of n distinct events specified in the expression occur
      • SEQ: E1 SEQ E2  occurs when E2 occurs provided that E1 is already occurred
  • 7. Event Trees
    • Composite events are represented by event trees
      • Example:
        • E7 = (E1 OR E2) AND (E2 SEQ (E4 AND E6))
    • Temporal Constraints
      • define a validity interval for a composite event
      • can be added to any operator
      • Example: ( E1 AND E2 ) = True
    Leaf: primitive event internal node: EDL operator  formal expression  t1< t | ( E1(t)  E2(t1)  E1(t1)  E2(t) ) [T]  |t – t1| ≤ T
  • 8. The software architecture of DETECT
    • Event History
      • database with the list
      • of primitive events detected
      • by sensors
    • EDL Repository
      • database of known attack scenarios
    • Detection Engine
      • can support both deterministic and heuristic models
      • our implementation: Event Trees
    • Model Generator
      • builds the detection model(s) starting from the EDL files
    • Model Manager (4 submodules):
      • Model Feeder: one for each model, instantiates the input of the detection engine by performing queries on the Event History
      • Model Executor : triggers the execution of the model solver
      • Model Updater : allows for online modification of the model
      • Output Manager : stores the output of the model(s)
    Current implementation
  • 9. Parameter contexts
    • States which occurrences of component events play an active part in the detection process
      • Recent: only the most recent occurrence of the initiator is considered
      • Chronicle: the initiator-terminator pair is unique
      • Continuous: each initiator starts the detection of the event
      • Cumulative: all occurrence of primitive events are accumulated until the composite events is detected
  • 10. An example scenario
    • Terrorist threat in a subway station
      • Intrusion and drop of explosive in a tunnel
        • the attacker stays on the platform for a long time
        • the attacker goes down the track and moves inside the tunnel portal
        • the attacker drops the explosive bag inside the tunnel and leaves the station
    • Security system
      • Intelligent cameras (S1) human tracking
      • Active infrared barriers (S2)
      • Explosive sniffer (S3)
    Tunnel portal protection
  • 11. An example scenario
    • Scenario evolution:
    (E1 AND E2) OR E3 SEQ (E4 AND E5)
      • extended presence
      • on the platform (E1 by S1 )
      • train passing (E2 by S1 )
      • platform line crossing
      • (E3 by S1 )
      • tunnel intrusion (E4 by S2 )
      • explosive detection
      • (E5 by S3 )
  • 12. Conclusions and future works
    • Advantages of the methodology w.r.t. traditional approaches
      • Logic correlation of events
      • Early warning of complex attack scenario and automatic response to emergencies
    • Future developments
      • Implement a heuristic detection model to complement deterministic detection
      • Integration of DETECT with the SeNsIM
      • framework
  • 13. THE END Thank you for your kind attention … any questions?