
A Collaborative Event Processing System for Protection of Critical Infrastructures from Cyber Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6894))

Abstract

We describe an Internet-based collaborative environment that protects geographically dispersed organizations of a critical infrastructure (e.g., financial institutions, telco providers) from coordinated cyber attacks. A specific instance of the collaborative environment, aimed at detecting malicious inter-domain port scans, is introduced. This instance uses the open source Complex Event Processing (CEP) engine Esper to correlate massive amounts of network traffic data carrying evidence of those scans. The paper presents two inter-domain SYN port scan detection algorithms that we designed, implemented in Esper, and deployed on the collaborative environment, namely Rank-based SYN (R-SYN) and Line Fitting. The paper shows the usefulness of the collaboration in terms of detection accuracy. Finally, it shows that Line Fitting both achieves a higher detection accuracy with a smaller number of participants than R-SYN and exhibits better detection latencies than R-SYN in the presence of low link bandwidths (i.e., less than 3 Mbit/s) connecting the organizations to Esper.

This research is partially funded by the EU project CoMiFin (Communication Middleware for Financial Critical Infrastructures [10]).
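As an added illustration (not the paper's code, and not its R-SYN or Line Fitting algorithms, whose internals the abstract does not give), the following Python models the collaboration effect the abstract describes: a half-open-connection counter that each organization could run on its own traffic, and the same counter run over the pooled events of all participants. The traffic, the domain names A/B/C, the alert threshold and the source addresses are constructed; a "SYN" from a client that is never followed by that client's handshake-completing "ACK" to the same target is treated as a half-open probe. Plain Python stands in for the CEP engine.

```python
from collections import defaultdict

# Constructed sample traffic, one tuple per observed packet:
# (domain, src_ip, dst_ip, dst_port, flag). "SYN" is a client's connection
# attempt, "ACK" is that client's handshake completion for the same target.
# In a real deployment these would be sensor events fed to a CEP engine.
EVENTS = [
    # Scanner 203.0.113.7 probes three ports in each organization and never
    # completes a handshake: too few per domain to trip a local threshold.
    ("A", "203.0.113.7", "10.1.0.10", 22, "SYN"),
    ("A", "203.0.113.7", "10.1.0.10", 80, "SYN"),
    ("A", "203.0.113.7", "10.1.0.10", 443, "SYN"),
    ("B", "203.0.113.7", "10.2.0.10", 21, "SYN"),
    ("B", "203.0.113.7", "10.2.0.10", 25, "SYN"),
    ("B", "203.0.113.7", "10.2.0.10", 110, "SYN"),
    ("C", "203.0.113.7", "10.3.0.10", 3306, "SYN"),
    ("C", "203.0.113.7", "10.3.0.10", 5432, "SYN"),
    ("C", "203.0.113.7", "10.3.0.10", 8080, "SYN"),
    # Legitimate client: each SYN is followed by a completing ACK.
    ("A", "198.51.100.5", "10.1.0.10", 443, "SYN"),
    ("A", "198.51.100.5", "10.1.0.10", 443, "ACK"),
    ("B", "198.51.100.5", "10.2.0.10", 443, "SYN"),
    ("B", "198.51.100.5", "10.2.0.10", 443, "ACK"),
]

# Constructed threshold: distinct half-open (dst_ip, dst_port) targets per
# source before an alert is raised.
THRESHOLD = 5


def half_open_targets(events):
    """Map each source IP to the set of (dst_ip, dst_port) targets it sent a
    SYN to without ever completing the handshake."""
    attempted = defaultdict(set)
    completed = defaultdict(set)
    for _domain, src, dst, port, flag in events:
        if flag == "SYN":
            attempted[src].add((dst, port))
        elif flag == "ACK":
            completed[src].add((dst, port))
    return {src: targets - completed[src] for src, targets in attempted.items()}


def detect_scanners(events, threshold=THRESHOLD):
    """Sorted source IPs whose number of half-open targets reaches the threshold."""
    return sorted(src for src, targets in half_open_targets(events).items()
                  if len(targets) >= threshold)


def local_alerts(events, threshold=THRESHOLD):
    """Each organization runs the detector over its own traffic only."""
    by_domain = defaultdict(list)
    for event in events:
        by_domain[event[0]].append(event)
    return {domain: detect_scanners(evs, threshold)
            for domain, evs in sorted(by_domain.items())}


def collaborative_alerts(events, threshold=THRESHOLD):
    """All organizations pool their events, so half-open counts accumulate
    across domains and a scan spread thinly over many sites becomes visible."""
    return detect_scanners(events, threshold)


if __name__ == "__main__":
    print("local        :", local_alerts(EVENTS))          # {'A': [], 'B': [], 'C': []}
    print("collaborative:", collaborative_alerts(EVENTS))  # ['203.0.113.7']
```

With the constructed traffic no single organization sees enough half-open probes from the scanner to alert, while the pooled view does, which is the accuracy gain from collaboration that the abstract reports; the benign client, whose handshakes complete, is not flagged in either view.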


References

  1. 2000 DARPA Intrusion Detection Scenario Specific Data Sets, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html

  2. ITOC Research: CDX Datasets, http://www.itoc.usma.edu/research/dataset/index.html

  3. LBNL/ICSI Enterprise Tracing Project, http://www.icir.org/enterprise-tracing/

  4. DShield: Cooperative Network Security Community - Internet Security (2009), http://www.dshield.org/indexd.html/

  5. Where Complex Event Processing meets Open Source: Esper and NEsper (2009), http://esper.codehaus.org/

  6. Bro: an open source Unix based Network intrusion detection system, NIDS (2010), http://www.bro-ids.org/

  7. JBoss Drools Fusion (2010), http://www.jboss.org/drools/drools-fusion.html

  8. Snort: an open source network intrusion prevention and detection system, IDS/IPS (2010), http://www.snort.org/

  9. System S. (2010), http://domino.research.ibm.com/comm/research_projects.nsf/pages/esps.index.html

  10. Communication Middleware for Monitoring Financial Critical Infrastructures (2011), http://www.comifin.eu

  11. WANem The Wide Area Network emulator (2011), http://wanem.sourceforge.net/

  12. Akdere, M., Çetintemel, U., Tatbul, N.: Plan-based complex event detection across distributed sources. PVLDB 1(1), 66–77 (2008)

  13. Aniello, L., Lodi, G., Baldoni, R.: Inter-Domain Stealthy Port Scan Detection through Complex Event Processing. In: Proc. of 13th European Workshop on Dependable Computing, Pisa (May 11-12, 2011)

  14. Baker, S., Waterman, S.: In the Crossfire: Critical Infrastructure in the Age of Cyber War (2010)

  15. Bogk, A.: Advisory: Weak PNG in PHP session ID generation leads to session hijacking (March 2010)

  16. Cate, F., Staten, M., Ivanov, G.: The value of Information Sharing. In: Protecting Privacy in the New Millennium Series, Council of Better Business Bureau (2000)

  17. Hauser, C.H., Bakken, D.E., Dionysiou, I., Harald Gjermundrød, K., Irava, V.S., Helkey, J., Bose, A.: Security, trust, and QoS in next-generation control and communication for large power systems. IJCIS 4(1/2), 3–16 (2008)

  18. Huang, Y., Feamster, N., Lakhina, A., Xu, J.: Diagnosing network disruptions with network-wide analysis. In: Proc. of the 2007 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pp. 61–72. ACM, New York (2007)

  19. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proc. of the IEEE Symposium on Security and Privacy (2004)

  20. Locasto, M.E., Parekh, J.J., Keromytis, A.D., Stolfo, S.J.: Towards collaborative security and p2p intrusion detection. In: IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY (June 15-17, 2005)

  21. Lodi, G., Baldoni, R., Chockler, G., Dekel, E., Mulcahy, B.P., Martufi, G.: A contract-based event driven model for collaborative security in financial information systems. In: Proc. of the 12th International Conference on Enterprise Information Systems, Funchal, Madeira - Portugal (2010)

  22. Lodi, G., Baldoni, R., Elshaafi, H., Mulcahy, B., Csertain, G., Gonczy, L.: Trust Management in Monitoring Financial Critical Information Infrastructures. In: Proc. of the 2nd International Conference on Mobile Lightweight Wireless Systems - Critical Information Infrastructure Protection Track, Barcelona (May 2010)

  23. Tang, C., Steinder, M., Spreitzer, M., Pacifici, G.: A Scalable Application Placement Controller for Enterprise Data Centers. In: 16th International Conference on World Wide Web (2007)

  24. Xie, Y., Sekar, V., Reiter, M.K., Zhang, H.: Forensic Analysis for Epidemic Attacks in Federated Networks. In: ICNP, pp. 43–53 (2006)

  25. Zhou, C.V., Karunasekera, S., Leckie, C.: A peer-to-peer collaborative intrusion detection system. In: 13th IEEE International Conference on Networks, Kuala Lumpur, Malaysia (November 2005)

  26. Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Computers and Security 29, 124–140 (2009)

  27. Zhou, C.V., Karunasekera, S., Leckie, C.: Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection. In: Proc. of the 10th IFIP/IEEE International Symposium on Integrated Network Management (2007)


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Aniello, L., Di Luna, G.A., Lodi, G., Baldoni, R. (2011). A Collaborative Event Processing System for Protection of Critical Infrastructures from Cyber Attacks. In: Flammini, F., Bologna, S., Vittorini, V. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2011. Lecture Notes in Computer Science, vol 6894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24270-0_23


  • DOI: https://doi.org/10.1007/978-3-642-24270-0_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24269-4

  • Online ISBN: 978-3-642-24270-0
