1. International Workshop on Computational Intelligence in Security for Information Systems
CISIS ’08
October, 23-24, 2008, Genova, Italy
F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola
Wireless Sensor Data Fusion for Critical Infrastructure Security
Andrea Gaglione
AnsaldoSTS, Business Innovation Unit
Via Nuova delle Brecce, 260, 80147 Naples, Italy
Tel.: 081 243 2695
Email: gaglione.andrea@asf.ansaldo.it
Department of Computer Science and Systems, University of Naples “Federico II”
Via Claudio 21, 80125 Naples, Italy
Tel.: 081 768 3869 – Fax: 081 768 3816
Email: andrea.gaglione@unina.it
Web: http://wpage.unina.it/andrea.gaglione
2. Outline
Contextualization and scope of the work
Architectural proposal of the framework
An example application
Conclusions and future works
CISIS ‘08 - Genoa (Italy), October 23-24, 2008
3. Critical Infrastructure Protection
Transportation
Government
Banking
Energy and utilities
Health
4. CIP event cycle
Pre-Event: Analysis and assessment, Remediation, Indications and warning
Event: Mitigation, Response
Post-Event: Reconstitution
[Figure: an attack seen as a threat route crossing a set of sensing points]
Basic idea: attack scenarios are made of a set of basic steps
5. Motivation and proposal
Integration of data coming from different sensor
systems (including Wireless Sensor Networks)
On-line reasoning about the events captured by
sensor systems
Decision support and early warning system used
to effectively face security threats by exploiting
the advantages of WSN
6. The SeNsIM framework
Sensor Networks Integration and Management
Solves the heterogeneity issue
Ensures system scalability
Shows a unified view of different networks
Wrapper-mediator paradigm
a wrapper gathers the features of the underlying network and retrieves sensor data
the mediator keeps a repository of connected networks and manages user queries and the related results, which are stored in an appropriate DB table
XML as the modeling language
7. The DETECT framework 1/2
Decision Triggering Event Composer & Tracker
Model-based (Event Trees formalism) logical and temporal correlation of basic events detected by intelligent video-surveillance and/or sensor networks
Attack scenarios are described with a specific Event Description Language (EDL)
Language operators:
OR: E1 OR E2 occurs when at least one of its components (E1, E2) occurs
AND: E1 AND E2 occurs when both of its components occur
ANY: ANY(m, E1, E2, …, En), m <= n, occurs when m out of the n distinct events specified in the expression occur
SEQ: E1 SEQ E2 occurs when E2 occurs provided that E1 has already occurred
8. The DETECT framework 2/2
Early warning of complex attack scenarios from their first evolution steps
Output of DETECT:
identifier(s) of the suspected scenario
alarm level, associated with the scenario evolution
Possible integration with SMS/SCADA systems
[Figure: the DETECT Engine reads the Scenario Repository and the Event History and outputs the detected attack scenario and its alarm level (1, 2, 3, ...)]
9. Overall system architecture
Integration of SeNsIM and DETECT in order to obtain online reasoning about the events captured by different WSNs
Sharing of the Event History DB
Overall system GUI:
Editing attack scenarios
Building user queries
10. Software integration
Sub-modules involved in the integration:
Query Builder, which allows the user to build queries
Scenario Window, used to edit threats
Shared Event History:
written by the Result Handler
read by the Model Feeder
11. Example application scenario 1/2
Terrorist attack on a railway line
Multiple train halting and railway bridge bombing
Artificial occupation of the track circuits before and after a bridge
Interruption of the railway power line
Remote bombing of the bridge
Formal description of the scenario
Notation: sensor description (sensor ID) :: event description (event ID)
Fence vibration detector (S1) :: Possible on track intrusion (E1)
On track circuit_X sensor (S2) :: Occupation(E2)
Lineside train detector (S3) :: No train detected (E3)
On track circuit_Y sensor (S4) :: Occupation (E4)
Lineside train detector (S5) :: No train detected (E5)
Voltmeter (S6) :: No power (E6)
On-shaft accelerometer (S7) :: Structural movement (E7)
12. Example application scenario 2/2
EDL description of the scenario:
(((E1 SEQ ((E2 AND E3) OR (E4 AND E5)))
OR
((E2 AND E3) AND (E4 AND E5)))
SEQ E6) SEQ E7

Event detected                                        Alert level   Possible countermeasure
Possible on track intrusion                           1             Alert the security officer
Artificial occupation of one or both track circuits   2             Trigger an emergency stop message
Railway power line off                                3             If possible, switch to the back-up power supply
Complete scenario                                     4             Emergency call to first responders
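The EDL operators of slide 7 and the scenario above, as an added worked example (not code from the DETECT or SeNsIM projects): a small evaluator that gives each operator the semantics stated on the slide, runs the full scenario expression over a constructed event history, and derives the alert level by checking which stage of the scenario has already occurred. The operator semantics are taken from the slide; the way alert levels 1 to 4 are staged on sub-expressions is this example's reading of the countermeasure table, and the timestamps in the sample history are constructed.

```python
"""Added example: evaluator for the DETECT EDL operators OR, AND, ANY, SEQ,
applied to the railway scenario of the slides.  Not project code; the
staging of alarm levels is this example's reading of the slide table."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event history: (event id, timestamp in seconds) pairs; order is irrelevant.
History = List[Tuple[str, float]]


@dataclass(frozen=True)
class E:
    """Primitive event reported by a sensor, e.g. E("E1")."""
    id: str


@dataclass(frozen=True)
class Op:
    """Composite event; op is one of OR, AND, ANY, SEQ (m is used by ANY)."""
    op: str
    args: Tuple[object, ...]
    m: int = 0


def OR(*args): return Op("OR", args)
def AND(*args): return Op("AND", args)
def ANY(m, *args): return Op("ANY", args, m)
def SEQ(first, second): return Op("SEQ", (first, second))


def occurs(expr, history: History, after: float = float("-inf")) -> Optional[float]:
    """Earliest time strictly after `after` at which `expr` occurs in
    `history`, or None if it does not occur.  A composite event takes the
    time of the component that completes it."""
    if isinstance(expr, E):
        times = [t for eid, t in history if eid == expr.id and t > after]
        return min(times) if times else None
    if expr.op == "SEQ":
        # E1 SEQ E2: E2 counts only once E1 has already occurred (strictly later).
        first, second = expr.args
        t1 = occurs(first, history, after)
        return None if t1 is None else occurs(second, history, t1)
    hits = sorted(t for t in (occurs(a, history, after) for a in expr.args) if t is not None)
    if expr.op == "OR":       # at least one component occurred
        return hits[0] if hits else None
    if expr.op == "AND":      # every component occurred
        return hits[-1] if len(hits) == len(expr.args) else None
    if expr.op == "ANY":      # m out of the n distinct components occurred
        return hits[expr.m - 1] if len(hits) >= expr.m else None
    raise ValueError(f"unknown operator {expr.op}")


# Scenario from the slides, E1..E7 as in the sensor/event table.
E1, E2, E3, E4, E5, E6, E7 = (E(f"E{i}") for i in range(1, 8))
OCCUPIED = OR(AND(E2, E3), AND(E4, E5))            # one or both track circuits
INTRUSION = OR(SEQ(E1, OCCUPIED), AND(AND(E2, E3), AND(E4, E5)))
POWER_OFF = SEQ(INTRUSION, E6)                      # railway power line off
SCENARIO = SEQ(POWER_OFF, E7)                       # the full EDL expression

# Alert level = highest stage of the scenario already satisfied.
# Assumption: this staging is the example's reading of the countermeasure table.
STAGES = [(1, E1), (2, OCCUPIED), (3, POWER_OFF), (4, SCENARIO)]


def alarm_level(history: History) -> int:
    return max((lvl for lvl, expr in STAGES if occurs(expr, history) is not None), default=0)


# Constructed history: fence intrusion, circuit X occupied with no train seen,
# power cut, then structural movement on the bridge.
SAMPLE_HISTORY: History = [("E1", 10.0), ("E2", 40.0), ("E3", 42.0), ("E6", 90.0), ("E7", 130.0)]

if __name__ == "__main__":
    print("scenario completed at", occurs(SCENARIO, SAMPLE_HISTORY), "s;",
          "alert level", alarm_level(SAMPLE_HISTORY))
```

Two caveats a practitioner would check before wiring such an evaluator to the countermeasures in the table: every primitive event is treated as valid forever, so a real engine needs an ageing window and consistent clocks across the sensor networks; and the evaluator trusts the shared Event History completely, so whoever can write to that table (legitimately the Result Handler) can drive the alert level to 4 and trigger the emergency call.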
13. Conclusions and future works
We provided an architectural proposal of a framework which:
Collects data from heterogeneous sources
Correlates such data in order to enhance the protection of a critical infrastructure
We described an example application of the framework to the case study of a railway transportation system
We are currently developing the missing modules of the software system
Next step: interfacing the framework with a real SMS
14. THE END
Thank you for your kind attention
…any questions?