Enabling Convergence of Physical and Logical Security Through Intelligent Event Correlation

  • Gianfranco Cerullo
  • Luigi Coppolino
  • Salvatore D’Antonio
  • Valerio Formicola
  • Gaetano Papale
  • Bruno Ragucci
Conference paper
Part of the Studies in Computational Intelligence book series (SCI, volume 616)


Until now, in most organizations, physical access systems and logical security systems have operated as two independent elements, and have been managed by completely separate departments. The lack of interoperability between the two sectors has often resulted in a security hole in the overall infrastructure. An attacker who has physical access can not only steal a PC or confidential data, but can also compromise network security. Therefore, a combination of physical and logical security definitively allows for a more effective protection of the organization. In this work we present a correlation system which aims at bringing a significant advancement in the convergence of physical and logical security technologies. By “convergence” we mean effective cooperation (i.e. a coordinated and results-oriented effort to work together) among previously disjointed functions. The holistic approach and enhanced awareness technology of our solution allow dependable (i.e. accurate, timely, and trustworthy) detection and diagnosis of attacks. This ultimately results in the achievement of two goals of paramount importance, namely guaranteeing the protection of citizens and assets, and improving the perception of security by citizens. The effectiveness of the proposed solution is demonstrated in a scenario that deals with the protection of a real Critical Infrastructure. Three misuse cases have been implemented in a simulation environment in order to show how the correlation system allows for the detection of different attack patterns.


Data Fusion; Intrusion Detection System; Critical Infrastructure; Misuse Case; Security Operation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The research leading to these results has received funding from the European Commission within the context of the Seventh Framework Programme (FP7/2007–2013) under Grant Agreement No. 313034 (Situation AWare Security Operation Center, SAWSOC Project). It has also been partially supported by the TENACE PRIN Project (n. 20103P34XC) funded by the Italian Ministry of Education, University and Research, and by the Embedded Systems in critical domains POR Project (CUP B25B09000100007) funded by the Campania region in the context of the POR Campania FSE 2007–2013, Asse IV and Asse V.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Gianfranco Cerullo (1)
  • Luigi Coppolino (1)
  • Salvatore D’Antonio (1)
  • Valerio Formicola (1)
  • Gaetano Papale (1)
  • Bruno Ragucci (1)

  1. University of Naples “Parthenope”, Napoli, Italy
