High-Speed Intrusion Detection in Support of Critical Infrastructure Protection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4347)


Telecommunication network plays a fundamental role in the management of critical infrastructures since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented in order to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is seen as an important and necessary task of a global methodology for critical infrastructure protection. In this paper we present 2 contributions. First, we present a distributed architecture that aims to secure the communication network upon which the critical infrastructure relies. This architecture is composed of an intrusion detection system (IDS) which is built on top of a customizable flow monitor. Second, we propose an innovative method to extrapolate real-time information about user behavior from network traffic. This method consists in monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.


critical infrastructure protection (CIP) critical information infrastructure protection (CIIP) intrusion detection flow monitoring security management SCADA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Dunn, M., Wigert, I.: An Inventory and Analysis of Protection Policies in Fourteen Countries. In: Wenger, A., Metzger, J. (eds.) International CIIP (Critical Information Infrastructure Protection) Handbook 2004, ETH Swiss Federal Institute fo Technology Zurich (2004)Google Scholar
  2. 2.
    U.S. Government, The National Strategy for The Physical Protection of Critical Infrastructures and Key Assets. The White House, Washington, USA (2003)Google Scholar
  3. 3.
    U.S. Government,Green Paper on a European Programme for Critical Infrastructure Protection COM (2005)576, Brussels (2005)Google Scholar
  4. 4.
    Byres, E., Lowe, J.: The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, British Columbia Institute of TechnologyGoogle Scholar
  5. 5.
    Lavalle, L., Balducelli, C., Vicoli, G.: Anomaly Detection Approach to Safeguard Critical Infrastructures: A Knowledge Engineering Process on a SCADA Case Study. In: Proceedings of Complex Network and Infrastructure Protection (CNIP 2006) (March 2006)Google Scholar
  6. 6.
    Communication from the Commission to the Council and the European Parliament Critical Infrastructure Protection in the fight against terrorism COM (704)2004, Brussels (October 2004)Google Scholar
  7. 7.
    Shea, D.A.: Critical Infrastructure: Control Systems and the Terrorist Threat, in Report for Congress RL31534. The Library of Congress (Febraury 2003)Google Scholar
  8. 8.
    Davis, P.: Abuse and Misuse of Firewalls in SCADA and Control Systems Environments. In: Proceedings of Complex Network and Infrastructure Protection (CNIP 2006) (March 2006)Google Scholar
  9. 9.
    Esposito, M., Mazzariello, C., Oliviero, F., Romano, S.P., Sansone, C.: Evaluating Pattern Recognition Techniques in Intrusion Detection Systems. In: Proceedings of 5th Workshop on Pattern Recognition in Information Systems (PRIS 2005) (May 2005)Google Scholar
  10. 10.
    D’Antonio, S., Mazzariello, C., Oliviero, F., Salvi, D.: A distributed multi-purpose IP flow monitor. In: Proceedings of 3rd International Workshop on Internet Performance, Simulation, Monitoring and Measurement (IPS-MoMe 2005) (March 2005)Google Scholar
  11. 11.
    Vigna, G., Kemmerer, R.: Netstat: a network based intrusion detection system. Journal of Computer Security 7(1) (1999)Google Scholar
  12. 12.
    Anderson, D.: Detecting usual program behavior using the statistical component of the next-generation intrusion detection expert system (nides), Technical report, Computer Science Laboratory (1995)Google Scholar
  13. 13.
    Tyson, M.: Derbi: Diagnosys explanation and recovery from computer break-ins, Technical report, SRI International (2000)Google Scholar
  14. 14.
    Rebecca Gurley Bace. Intrusion Detection. Macmillan Technical Publishing, Basingstoke (January 2000)Google Scholar
  15. 15.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. In: Proceedings of ACM SIGCOMM 2005 (August 2005)Google Scholar
  16. 16.
    Mahoney, M.V.: Network traffic anomaly detection based on packet bytes. In: Proceedings of ACM SAC 2003 (2003) Google Scholar
  17. 17.
    Baker, A.R., Caswell, B., Poor, M.: Snort 2.1 Intrusion Detection, 2nd edn., Syngress (2004)Google Scholar
  18. 18.
    Paxson, V., Terney, B.: Bro reference manual (2004)Google Scholar
  19. 19.
    Lindqvist, U., Porras, P.A.: Detecting computer and network misuse through the production-based expert system toolset (p-best). In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, May 1999, pp. 146–161 (1999)Google Scholar
  20. 20.
    Wenke Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security (TISSEC) 3(4), 227–261 (2000)CrossRefGoogle Scholar
  21. 21.
    Barbara, D., Couto, J., Jajodia, S., Popyack, L., Wu, N.: Adam: Detecting intrusion by data mining. In: Proceedings of the Workshop on Information Assurance and Security (2001)Google Scholar
  22. 22.
    Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Ipfix working group internet draft, architecture model for ip flow information export, Internet draft, IETF (January 2005)Google Scholar
  23. 23.
    Kitatsuji, Y., Yamazaki, K.: A distributed real-time tool for ip-flow measurement. In: Proceedings of the 2004 International Symposium on Applications and the Internet (2004)Google Scholar
  24. 24.
    Falko Dressler, F., Carle, G.: History - high speed network monitoring and analysis. In: Proceedings of 24th IEEE Conference on Computer Communications (IEEE INFOCOM 2005) (March 2005)Google Scholar
  25. 25.
    Abad, C., Li, Y., Lakkaraju, K., Yin, X., Yurcik, W.: Correlation between netflow system and network views for intrusion detection. In: Proceedings of Workshop on Link Analysis, Counter-terrorism, and Privacy held in conjunction with SDM 2004 (2004)Google Scholar
  26. 26.
    Yin, X., Yurcik, W., Treaster, M., Li, Y., Lakkaraju, K.: Visflowconnect: netflow visualizations of link relationships for security situational awareness. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26–34. ACM Press, New York (2004)CrossRefGoogle Scholar
  27. 27.
    Abad, C., Taylor, J., Sengul, C., Yurcik, W., Zhou, Y., Rowe, K.: Log correlation for intrusion detection: A proof of concept. In: Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC) (2003)Google Scholar
  28. 28.
    Li, Z., Taylor, J., Partridge, E., Zhou, Y., Yurcik, W., Abad, C., Barlow, J., Rosendale, J.: Uclog: A unified, correlated logging architecture for intrusion detection. In: Proceedings of the 12th International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM) (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. 1.Lab. ITeM – Consorzio Interuniversitario Nazionale per l’InformaticaCINI 
  2. 2.Dipartimento di Informatica e SistemisticaUniversity of Napoli Federico II 
  3. 3.Complex Systems & Security LabUniversity CAMPUS Bio-Medico of Roma 

Personalised recommendations