Enabling Convergence of Physical and Logical Security Through Intelligent Event Correlation

Until now, in most organizations, physical access systems and logical security systems have operated as two independent elements, managed by completely separate departments. The lack of interoperability between the two often leaves a security hole in the overall infrastructure. An attacker with physical access can not only steal a PC or confidential data, but can also compromise network security. Combining physical and logical security therefore clearly allows for more effective protection of the organization. In this work we present a correlation system which aims at bringing a significant advancement in the convergence of physical and logical security technologies. By “convergence” we mean effective cooperation (i.e. a coordinated and results-oriented effort to work together) among previously disjointed functions. The holistic approach and enhanced awareness technology of our solution allow dependable (i.e. accurate, timely, and trustworthy) detection and diagnosis of attacks. This ultimately results in the achievement of two goals of paramount importance, namely guaranteeing the protection of citizens and assets, and improving the perception of security by citizens. The effectiveness of the proposed solution is demonstrated in a scenario that deals with the protection of a real Critical Infrastructure. Three misuse cases have been implemented in a simulation environment in order to show how the correlation system allows for the detection of different attack patterns.
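The abstract describes correlating physical access events with logical security events so that an attack visible in neither stream alone becomes detectable. The following is an added illustration, not code from the paper or its authors: it assumes a badge-reader log and a workstation logon log, a constructed mapping of workstations to rooms, and one illustrative rule (a logon on a workstation is suspicious when the account's owner has not badged into the room that houses it). The rule, the event format and the sample lines are assumptions chosen for the example.

```python
"""Correlate physical (badge) and logical (logon) events.

Added example: event format, room mapping, rule and sample lines are all
constructed assumptions, not the paper's own misuse cases or data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed assumption: which room physically houses each workstation.
HOST_ROOM = {"ws-01": "server-room", "ws-02": "office-2", "ws-03": "office-2"}


@dataclass
class Event:
    ts: datetime
    kind: str       # "badge_in", "badge_out" or "logon"
    user: str
    location: str   # room for badge events, hostname for logon events


def parse(line: str) -> Event:
    """Parse one whitespace-separated line: <iso-timestamp> <kind> <user> <location>."""
    ts, kind, user, location = line.split()
    return Event(datetime.fromisoformat(ts), kind, user, location)


class PhysicalLogicalCorrelator:
    """Stateful correlator: tracks who is badged into which room and checks logons against it."""

    def __init__(self, max_badge_age: timedelta = timedelta(hours=12)):
        self.present = {}            # (user, room) -> timestamp of last badge_in
        self.max_badge_age = max_badge_age
        self.alerts = []             # (timestamp, user, host, reason)

    def feed(self, ev: Event) -> None:
        if ev.kind == "badge_in":
            self.present[(ev.user, ev.location)] = ev.ts
        elif ev.kind == "badge_out":
            self.present.pop((ev.user, ev.location), None)
        elif ev.kind == "logon":
            room = HOST_ROOM.get(ev.location)
            if room is None:
                return               # host has no physical constraint in our map
            badged = self.present.get((ev.user, room))
            # A logon without a live badge-in for that room means the credentials are
            # being used by someone who did not enter as that user (tailgating, theft,
            # or credential compromise): neither log alone would reveal it.
            if badged is None or ev.ts - badged > self.max_badge_age:
                self.alerts.append((ev.ts.isoformat(), ev.user, ev.location,
                                    "logon-without-matching-badge-in"))


def run(lines):
    """Feed lines in order and return the alerts raised."""
    corr = PhysicalLogicalCorrelator()
    for line in lines:
        corr.feed(parse(line))
    return corr.alerts


# Constructed sample streams, already merged in time order.
SAMPLE_LINES = [
    "2024-03-01T08:00:00 badge_in alice office-2",
    "2024-03-01T08:05:00 logon alice ws-02",        # consistent: alice is in office-2
    "2024-03-01T08:10:00 logon bob ws-01",          # bob never badged into server-room
    "2024-03-01T09:00:00 badge_out alice office-2",
    "2024-03-01T09:30:00 logon alice ws-03",        # alice already left office-2
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Run as is, the correlator raises two alerts (bob on ws-01, alice on ws-03) and stays silent for the consistent logon. In a deployment the room map would come from asset inventory and the two streams would be merged by timestamp before feeding; the point of the example is that the detection needs both streams plus retained state.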
