1. International Workshop on Computational Intelligence in Security for Information Systems
CISIS ’08
October, 23-24, 2008, Genova, Italy
F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola
Wireless Sensor Data Fusion for Critical
Infrastructure Security
Andrea Gaglione
AnsaldoSTS Department of Computer Science and Systems
Business Innovation Unit University of Naples “Federico II”
Via Nuova delle Brecce, 260 Via Claudio 21, 80125 Naples, Italy
80147 Naples, Italy Tel.: 081 768 3869 – Fax: 081 768 3816
Tel.: 081 243 2695 Email: andrea.gaglione@unina.it
Email: gaglione.andrea@asf.ansaldo.it
Web: http://wpage.unina.it/andrea.gaglione

2. Outline
 Contextualization and scope of the work
 Architectural proposal of the framework
 An example application
 Conclusions and future works
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
2/14

3. Critical Infrastructure Protection
Transportation
Government Banking
Energy and
utilities
Health
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
3/14

4. CIP event cycle
Analysis and Indications
Remediation Mitigation Response Reconstitution
assessment and warning
Event
Pre-Event Post-Event
basic idea: attack
THREAT
ROUTE scenarios are made of a
SENSING set of basic steps
POINTS
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
4/14

5. Motivation and proposal
 Integration of data coming from different sensor
systems (also Wireless Sensor Networks)
 On-line reasoning about the events captured by
sensor systems
Decision support and early warning system used
to effectively face security threats by exploiting
the advantages of WSN
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
5/14

6. The SeNsIM framework
 Sensor Networks Integration and Management
 Solves the heterogeneity issue
 Ensures system scalability
 Shows a unified view of different networks
 Wrapper-mediator paradigm
 a wrapper gathers the features of the
underlying network and retrieves sensor
data
 the mediator keeps a repository of
connected networks and manages user
queries and the related results which are
stored in an appropriate DB table
…XML as modeling language
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
6/14

7. The DETECT framework 1/2
 Decision Triggering Event Composer & Tracker
 Model-based (Event Trees formalism) logical and
temporal correlation of basic events detected by
intelligent video-surveillance and/or sensor networks
 Attack scenarios are described with a specific Event
Description Language (EDL)
 Language operators:
 OR: E1 OR E2  occurs when at least one of its components (E1, E2)
occurs
 AND: E1 AND E2  occurs when both of its component occur
 ANY: ANY(m, E1, E2, …, En), m<=n  occurs when m out of n distinct
events specified in the expression occur
 SEQ: E1 SEQ E2  occurs when E2 occurs provided that E1 is already
occurred
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
7/14

8. The DETECT framework 2/2
 Early warning of complex attack scenarios since their first
evolution steps
 Output of DETECT:
 identifier(s) of the suspected scenario
 alarm level, associated to scenario evolution
 Possible integration with SMS/SCADA systems
DETECT Engine
Scenario
Repository Detected
attack
scenario
Event
History Alarm level
(1, 2, 3, ...)
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
8/14

9. Overall system architecture
 Integration of SeNsIM and DETECT in order to
obtain an online reasoning about the events
captured by different WSNs
 Sharing of the Event
History DB
 Overall system GUI
 Editing attack scenarios
 Building user queries
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
9/14

10. Software integration
 Sub-modules involved in
the integration
 Query Builder allows the
user for building queries
 Scenario Window to edit
threats
 Shared Event History
 Written by the Result
Handler
 Read by the Model Feeder
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
10/14

11. Example application scenario 1/2
 Terrorist attack on a railway line
 Multiple train halting and railway bridge bombing
 Artificial occupation of the track circuits before and after a bridge
 Interruption of the railway power line
 Remote bombing of the bridge
 Formal description of the scenario
 Notation: sensor description (sensor ID) :: event description (event ID)
 Fence vibration detector (S1) :: Possible on track intrusion (E1)
 On track circuit_X sensor (S2) :: Occupation(E2)
 Lineside train detector (S3) :: No train detected (E3)
 On track circuit_Y sensor (S4) :: Occupation (E4)
 Lineside train detector (S5) :: No train detected (E5)
 Voltmeter (S6) :: No power (E6)
 On-shaft accelerometer (S7) :: Structural movement (E7)
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
11/14

12. Example application scenario 2/2
 EDL description of the scenario
(((E1 SEQ ((E2 AND E3) OR (E4 AND E5)))
OR
((E2 AND E3) AND (E4 AND E5)))
SEQ E6) SEQ E7
Alert
Event detected Possible countermeasure
level
Possible on track intrusion 1 Alert the security officier
Artificial occupation of one
2 Trigger an emergency stop message
or both track circuits
Railway power line off 3 If possible, switch on back-up power supply
Complete scenario 4 Emergency call to first responder
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
12/14

13. Conclusions and future works
 We provided an architectural proposal of a framework
which:
 Collects data from heterogeneous source
 Correlates such data in order to enhance the protection
of a critical infrastructure
 We described an example application of the framework
to the case study of a railway transportation system
 We are currently developing missing modules of
software system
 Next step: interfacing the framework with a real SMS
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
13/14

14. THE END
Thank you for your kind attention
…any questions?