DETECT: a novel framework for the detection of attacks to critical infrastructures
F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola
Presented by Andrea Gaglione
Dipartimento di Informatica e Sistemistica, Università di Napoli “Federico II”, Via Claudio 21, 80125 Napoli
Email: [email_address]  Web: http://wpage.unina.it/andrea.gaglione
European Safety & Reliability Conference, ESREL’08, 22-25 September 2008, Valencia, Spain
Outline
- Contextualization and scope of the work
- EDL (Event Description Language)
- DETECT architecture and an example scenario
- Conclusions and future works
Critical Infrastructure Protection
Sectors: Transportation, Banking, Energy and utilities, Government, Health
CIP event cycle … our work
The CIP event cycle (the phases build on one another; together they form a comprehensive solution for infrastructure assurance):
- Pre-Event: Analysis and assessment, Remediation, Indications and warning
- Event
- Post-Event: Mitigation, Response, Reconstitution
Our work: realization of the DETECT framework, which receives inputs coming from sensor systems and correlates the inputs for the detection of threats.
The DETECT approach
- Model-based logical and temporal correlation of basic events detected by intelligent video-surveillance and/or sensor networks
- Early warning of complex attack scenarios since their first evolution steps
- Output of DETECT:
  - identifier(s) of the suspected scenario
  - alarm level, associated to scenario evolution
- Possible integration with SMS/SCADA systems
[Figure: the DETECT Engine reads the Event History and the Scenario Repository and outputs the detected attack scenario and an alarm level (1, 2, 3, ...)]
The Event Description Language (EDL)
- Event: a happening that occurs (in a system) at some location and at some point in time
- Primitive Event: a condition on a specific sensor
- Composite Event: a combination of primitive events defined by means of proper operators
Reference: Chakravarthy, S. & Mishra, D. 1994. Snoop: An expressive event specification language for active databases. Data Knowl. Eng., Vol. 14, No. 1, pp. 1–26.
Operators:
- OR: E1 OR E2 occurs when at least one of its components (E1, E2) occurs
- AND: E1 AND E2 occurs when both of its components occur
- ANY: ANY(m, E1, E2, …, En), m <= n, occurs when m out of the n distinct events specified in the expression occur
- SEQ: E1 SEQ E2 occurs when E2 occurs, provided that E1 has already occurred
Event Trees
- Composite events are represented by event trees: each leaf is a primitive event, each internal node is an EDL operator
- Example: E7 = (E1 OR E2) AND (E2 SEQ (E4 AND E6))
Temporal Constraints
- define a validity interval for a composite event
- can be added to any operator
- Example, formal expression of AND: (E1 AND E2) = True at time t iff there exists t1 < t | (E1(t) ∧ E2(t1)) ∨ (E1(t1) ∧ E2(t)); with the temporal constraint [T] the occurrences must also satisfy |t – t1| ≤ T
The software architecture of DETECT
- Event History: database with the list of primitive events detected by sensors
- EDL Repository: database of known attack scenarios
- Detection Engine: can support both deterministic and heuristic models; our current implementation uses Event Trees
- Model Generator: builds the detection model(s) starting from the EDL files
- Model Manager (4 submodules):
  - Model Feeder: one for each model, instantiates the input of the detection engine by performing queries on the Event History
  - Model Executor: triggers the execution of the model solver
  - Model Updater: allows for online modification of the model
  - Output Manager: stores the output of the model(s)
Parameter contexts
A parameter context states which occurrences of the component events play an active part in the detection process:
- Recent: only the most recent occurrence of the initiator is considered
- Chronicle: the initiator-terminator pair is unique
- Continuous: each initiator starts the detection of the event
- Cumulative: all occurrences of the primitive events are accumulated until the composite event is detected
An example scenario
Terrorist threat in a subway station: intrusion and drop of explosive in a tunnel
- the attacker stays on the platform for a long time
- the attacker goes down the track and moves inside the tunnel portal
- the attacker drops the explosive bag inside the tunnel and leaves the station
Security system:
- Intelligent cameras (S1): human tracking
- Active infrared barriers (S2): tunnel portal protection
- Explosive sniffer (S3)
An example scenario
Scenario evolution: (E1 AND E2) OR E3 SEQ (E4 AND E5)
- extended presence on the platform (E1 by S1)
- train passing (E2 by S1)
- platform line crossing (E3 by S1)
- tunnel intrusion (E4 by S2)
- explosive detection (E5 by S3)
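The following is an added example, not code from the DETECT framework itself: a small evaluator for EDL event trees with the OR, AND, ANY and SEQ operators of slide 6, the optional temporal constraint [T] of slide 7, and the subway scenario above. The node encoding, the use of the "Recent" parameter context (only the latest occurrence of each primitive event is considered), the 120 s window on the tunnel phase and the alarm-level mapping are assumptions made for this example.

```python
# Added example, not the DETECT framework's own code. Node encoding (an assumption):
#   "E1"                                 leaf: primitive event reported by a sensor
#   ("AND", ["E1", "E2"], 60)            internal node: operator, operands, window T (or None)
#   ("ANY", [2, "E1", "E2", "E3"], None) for ANY, m is the first operand

def evaluate(node, history):
    """Return the (start, end) times of the most recent occurrence of node, or None.

    history maps a primitive event id to its sorted occurrence times; only the latest
    occurrence of each leaf is used ("Recent" context).
    """
    if isinstance(node, str):
        times = history.get(node, [])
        return (times[-1], times[-1]) if times else None
    op, operands, window = node
    if op == "SEQ":
        first, second = (evaluate(o, history) for o in operands)
        # E2 counts only if it started after E1 had completely occurred
        found = [first, second] if first and second and second[0] > first[1] else []
        needed = 2
    else:
        if op == "ANY":
            needed, operands = operands[0], operands[1:]
        else:
            needed = 1 if op == "OR" else len(operands)   # OR: one; AND: all
        found = [r for r in (evaluate(o, history) for o in operands) if r is not None]
        found.sort(key=lambda r: r[1])                     # earliest-terminating first
        found = found[:needed] if op in ("OR", "ANY") else found
    if len(found) < needed:
        return None
    start, end = min(s for s, _ in found), max(e for _, e in found)
    if window is not None and end - start > window:
        return None                                        # outside the validity interval [T]
    return (start, end)

# Scenario evolution from the slides: (E1 AND E2) OR E3 SEQ (E4 AND E5).
# The 120 s window on the tunnel phase is a constructed value.
PLATFORM_PHASE = ("OR", [("AND", ["E1", "E2"], None), "E3"], None)
TUNNEL_PHASE = ("AND", ["E4", "E5"], 120)
SCENARIO = ("SEQ", [PLATFORM_PHASE, TUNNEL_PHASE], None)

def alarm_level(history):
    """Assumed mapping: 0 = nothing, 1 = platform phase seen, 2 = whole scenario detected."""
    if evaluate(SCENARIO, history):
        return 2
    return 1 if evaluate(PLATFORM_PHASE, history) else 0

# Constructed event histories (times in seconds), not real sensor data.
FULL = {"E1": [100], "E2": [130], "E4": [400], "E5": [430]}
LATE_SNIFFER = {"E1": [100], "E2": [130], "E4": [400], "E5": [600]}  # E5 outside [T]

if __name__ == "__main__":
    print(evaluate(SCENARIO, FULL), alarm_level(FULL))                  # (100, 430) 2
    print(evaluate(SCENARIO, LATE_SNIFFER), alarm_level(LATE_SNIFFER))  # None 1
```

The LATE_SNIFFER history shows the early-warning behaviour: the tunnel phase fails its temporal constraint, so the full scenario is not reported, but the platform phase alone still raises the alarm level to 1.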
Conclusions and future works
Advantages of the methodology w.r.t. traditional approaches:
- Logic correlation of events
- Early warning of complex attack scenarios and automatic response to emergencies
Future developments:
- Implement a heuristic detection model to complement deterministic detection
- Integration of DETECT with the SeNsIM framework
THE END Thank you for your kind attention … any questions?