Esrel08 Final

1. F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola
   DETECT: a novel framework for the detection of attacks to critical infrastructures
   Presented by Andrea Gaglione
   Dipartimento di Informatica e Sistemistica, Università di Napoli "Federico II", Via Claudio 21, 80125 Napoli
   Email: [email_address]  Web:
   European Safety & Reliability Conference, ESREL'08, 22-25 September 2008, Valencia, Spain
2. Outline
   - Contextualization and scope of the work
   - EDL (Event Description Language)
   - DETECT architecture and an example scenario
   - Conclusions and future works
3. Critical Infrastructure Protection
   Sectors: Transportation, Banking, Energy and utilities, Government, Health
4. CIP event cycle
   [Figure: CIP event cycle. Pre-Event: Analysis and assessment, Remediation, Indications and warning; Event; Post-Event: Mitigation, Response, Reconstitution]
   - The phases build on one another
   - Comprehensive solution for infrastructure assurance
   - ... our work: realization of the DETECT framework, which
     - receives inputs coming from sensor systems
     - correlates the inputs for detection of threats
5. The DETECT approach
   - Model-based logical and temporal correlation of basic events detected by intelligent video-surveillance and/or sensor networks
   - Early warning of complex attack scenarios since their first evolution steps
   - Output of DETECT:
     - identifier(s) of the suspected scenario
     - alarm level, associated to scenario evolution
   - Possible integration with SMS/SCADA systems
   [Figure: the DETECT Engine reads the Event History and the Scenario Repository and outputs the alarm level (1, 2, 3, ...) and the detected attack scenario]
6. The Event Description Language (EDL)
   - Event: happening that occurs (in a system) at some location and at some point in time
     - Primitive Event: condition on a specific sensor
     - Composite Event: combination of primitive events defined by means of proper operators
   - Operators (from Snoop, see reference below)
     - OR: E1 OR E2 occurs when at least one of its components (E1, E2) occurs
     - AND: E1 AND E2 occurs when both of its components occur
     - ANY: ANY(m, E1, E2, ..., En), m <= n, occurs when m out of the n distinct events specified in the expression occur
     - SEQ: E1 SEQ E2 occurs when E2 occurs, provided that E1 has already occurred
   Reference: Chakravarthy, S. & Mishra, D. 1994. Snoop: An expressive event specification language for active databases. Data Knowl. Eng., Vol. 14, No. 1, pp. 1-26.
7. Event Trees
   - Composite events are represented by event trees (leaf: primitive event; internal node: EDL operator)
     - Example: E7 = (E1 OR E2) AND (E2 SEQ (E4 AND E6))
   - Temporal Constraints
     - define a validity interval for a composite event
     - can be added to any operator
     - Example: (E1 AND E2)[T] = True
       Formal expression: ∃ t1 < t | (E1(t) ∧ E2(t1) ∨ E1(t1) ∧ E2(t)) ∧ |t − t1| ≤ T
8. The software architecture of DETECT
   - Event History
     - database with the list of primitive events detected by sensors
   - EDL Repository
     - database of known attack scenarios
   - Detection Engine
     - can support both deterministic and heuristic models
     - our implementation (current): Event Trees
   - Model Generator
     - builds the detection model(s) starting from the EDL files
   - Model Manager (4 submodules):
     - Model Feeder: one for each model, instantiates the input of the detection engine by performing queries on the Event History
     - Model Executor: triggers the execution of the model solver
     - Model Updater: allows for online modification of the model
     - Output Manager: stores the output of the model(s)
9. Parameter contexts
   - State which occurrences of component events play an active part in the detection process
     - Recent: only the most recent occurrence of the initiator is considered
     - Chronicle: the initiator-terminator pair is unique
     - Continuous: each initiator starts the detection of the event
     - Cumulative: all occurrences of primitive events are accumulated until the composite event is detected
10. An example scenario
   - Terrorist threat in a subway station
     - Intrusion and drop of explosive in a tunnel
       - the attacker stays on the platform for a long time
       - the attacker goes down the track and moves inside the tunnel portal
       - the attacker drops the explosive bag inside the tunnel and leaves the station
   - Security system (tunnel portal protection)
     - Intelligent cameras (S1), human tracking
     - Active infrared barriers (S2)
     - Explosive sniffer (S3)
11. An example scenario
   - Scenario evolution: (E1 AND E2) OR E3 SEQ (E4 AND E5)
     - extended presence on the platform (E1 by S1)
     - train passing (E2 by S1)
     - platform line crossing (E3 by S1)
     - tunnel intrusion (E4 by S2)
     - explosive detection (E5 by S3)
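The following Python evaluator is an added example, not DETECT's own code: it implements the EDL operators of slide 6 (OR, AND, ANY, SEQ), the temporal constraint [T] of slide 7 and the "Recent" parameter context of slide 9, and runs the slide 11 scenario over a constructed Event History. The event ids, sensor ids, timestamps and the mapping of scenario evolution to an alarm level are assumptions for illustration.

```python
"""Toy EDL event-tree evaluator (added example, not DETECT's own code). Primitive events are
constructed (event id, sensor, timestamp) rows; the 'Recent' context is assumed: only the
latest occurrence of each primitive counts. A node evaluates to its occurrence time or None."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
History = List[Tuple[str, str, int]]

@dataclass
class Node:
    op: str                       # "PRIM", "OR", "AND", "ANY" or "SEQ"
    children: List["Node"] = field(default_factory=list)
    event_id: str = ""            # PRIM only
    m: int = 0                    # ANY(m, ...) only
    window: Optional[int] = None  # temporal constraint [T]: used components within T of each other
def P(eid: str) -> Node:
    return Node("PRIM", event_id=eid)

def occurred_at(node: Node, history: History) -> Optional[int]:
    if node.op == "PRIM":
        ts = [t for eid, _, t in history if eid == node.event_id]
        return max(ts) if ts else None                     # recent context
    times = [occurred_at(c, history) for c in node.children]
    hits = sorted(t for t in times if t is not None)
    if node.op == "OR":                                    # at least one component occurs
        used = hits[:1]
    elif node.op == "AND":                                 # all components occur
        used = hits if len(hits) == len(times) else []
    elif node.op == "ANY":                                 # m out of n distinct components
        used = hits[:node.m] if len(hits) >= node.m else []
    elif node.op == "SEQ":                                 # E2 occurs after E1 already occurred
        t1, t2 = times
        used = [t1, t2] if None not in times and t1 < t2 else []
    else:
        raise ValueError(f"unknown operator {node.op}")
    if not used or (node.window is not None and used[-1] - used[0] > node.window):
        return None
    return used[-1]

# Slide 11 scenario: (E1 AND E2) OR E3 SEQ (E4 AND E5); constructed Event History (seconds)
SCENARIO = Node("SEQ", [Node("OR", [Node("AND", [P("E1"), P("E2")]), P("E3")]),
                        Node("AND", [P("E4"), P("E5")])])
HISTORY: History = [("E1", "S1", 100), ("E2", "S1", 130), ("E3", "S1", 140),
                    ("E4", "S2", 150), ("E5", "S3", 170)]

def alarm_level(scenario: Node, history: History) -> int:
    """Assumed mapping of scenario evolution to alarm level: leading SEQ stages detected so far."""
    stages = scenario.children if scenario.op == "SEQ" else [scenario]
    if occurred_at(scenario, history) is not None:
        return len(stages)
    done = [occurred_at(s, history) is not None for s in stages[:-1]]
    return done.index(False) if False in done else len(done)
```

With only the first three history rows the scenario is not detected but the alarm level is already 1, which is the early-warning behaviour the slides describe; the full history yields level 2 and detection time 170.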
12. Conclusions and future works
   - Advantages of the methodology w.r.t. traditional approaches
     - Logic correlation of events
     - Early warning of complex attack scenarios and automatic response to emergencies
   - Future developments
     - Implement a heuristic detection model to complement deterministic detection
     - Integration of DETECT with the SeNsIM framework
13. THE END
   Thank you for your kind attention ... any questions?