A Collaborative Event Processing System for Protection of Critical Infrastructures from Cyber Attacks

We describe an Internet-based collaborative environment that protects geographically dispersed organizations of a critical infrastructure (e.g., financial institutions, telco providers) from coordinated cyber attacks. A specific instance of a collaborative environment for detecting malicious inter-domain port scans is introduced. This instance uses the open source Complex Event Processing (CEP) engine ESPER to correlate massive amounts of network traffic data exhibiting the evidence of those scans. The paper presents two inter-domain SYN port scan detection algorithms we designed, implemented in ESPER, and deployed on the collaborative environment; namely, Rank-based SYN (R-SYN) and Line Fitting. The paper shows the usefulness of the collaboration in terms of detection accuracy. Finally, it shows how Line Fitting can both achieve a higher detection accuracy with a smaller number of participants than R-SYN, and exhibit better detection latencies than R-SYN in the presence of low link bandwidths (i.e., less than 3Mbit/s) connecting the organizations to Esper.

[1]  Roberto Baldoni,et al.  Inter-domain stealthy port scan detection through complex event processing , 2011, EWDC '11.

[2]  Nick Feamster,et al.  Diagnosing network disruptions with network-wide analysis , 2007, SIGMETRICS '07.

[3]  Roberto Baldoni,et al.  A Contract-based Event Driven Model for Collaborative Security in Financial Information Systems , 2010, ICEIS.

[4]  Vyas Sekar,et al.  Forensic Analysis for Epidemic Attacks in Federated Networks , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[5]  Carl H. Hauser,et al.  Security, trust, and QoS in next-generation control and communication for large power systems , 2008, Int. J. Crit. Infrastructures.

[6]  Christopher Leckie,et al.  Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection , 2007, 2007 10th IFIP/IEEE International Symposium on Integrated Network Management.

[7]  Malgorzata Steinder,et al.  A scalable application placement controller for enterprise data centers , 2007, WWW '07.

[8]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[9]  Ugur Çetintemel,et al.  Plan-based complex event detection across distributed sources , 2008, Proc. VLDB Endow..

[10]  M.E. Locasto,et al.  Towards collaborative security and P2P intrusion detection , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[11]  Roberto Baldoni,et al.  Trust Management in Monitoring Financial Critical Information Infrastructures , 2010, MOBILIGHT.

[12]  C. Leckie,et al.  A peer-to-peer collaborative intrusion detection system , 2005, 2005 13th IEEE International Conference on Networks Jointly held with the 2005 IEEE 7th Malaysia International Conf on Communic.

[13]  Christopher Leckie,et al.  A survey of coordinated attacks and collaborative intrusion detection , 2010, Comput. Secur..