High-Speed Intrusion Detection in Support of Critical Infrastructure Protection

The telecommunication network plays a fundamental role in the management of critical infrastructures, since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is an important and necessary task within a global methodology for critical infrastructure protection. In this paper we present two contributions. First, we present a distributed architecture that aims to secure the communication network upon which the critical infrastructure relies. This architecture is composed of an intrusion detection system (IDS) built on top of a customizable flow monitor. Second, we propose an innovative method to extract real-time information about user behavior from network traffic. This method consists of monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.
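The multi-granularity flow check described above, as an added Python example that is not part of the paper or of its flow monitor; the flow records, addresses and thresholds are constructed, and the fan-out metric is one assumed choice of per-key statistic:

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a flow monitor would export it."""
    src: str
    dst: str
    dport: int
    packets: int


def host_key(flow):
    # Finest granularity: one key per source host.
    return flow.src


def subnet_key(flow, prefix=24):
    # Coarser granularity: attribute the flow to the source's /24 network.
    return str(ip_network(f"{flow.src}/{prefix}", strict=False))


def fan_out(flows, key_fn):
    """Map each aggregation key to the set of distinct (dst, dport) targets it contacted."""
    targets = defaultdict(set)
    for f in flows:
        targets[key_fn(f)].add((f.dst, f.dport))
    return targets


def find_scanners(flows, key_fn, min_targets):
    """Keys whose fan-out reaches min_targets distinct targets, with the count."""
    return {k: len(t) for k, t in fan_out(flows, key_fn).items() if len(t) >= min_targets}


# Constructed sample records (hypothetical addresses): four hosts in 10.0.1.0/24 each
# touch only three SSH targets, one host in 10.0.2.0/24 talks repeatedly to a single
# HTTPS server, and one host in 10.0.3.0/24 touches six targets on its own.
SAMPLE_FLOWS = (
    [Flow(f"10.0.1.{h}", f"192.168.5.{3 * (h - 1) + i}", 22, 1) for h in range(1, 5) for i in range(1, 4)]
    + [Flow("10.0.2.7", "192.168.5.1", 443, 40) for _ in range(5)]
    + [Flow("10.0.3.9", f"192.168.6.{i}", 22, 1) for i in range(1, 7)]
)


def multi_granularity_report(flows=SAMPLE_FLOWS, host_threshold=5, subnet_threshold=10):
    """Run the same fan-out check at host and /24 granularity; the per-host view misses the
    distributed 10.0.1.0/24 probing, the subnet view catches it."""
    return {
        "host": find_scanners(flows, host_key, host_threshold),
        "subnet": find_scanners(flows, subnet_key, subnet_threshold),
    }
```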
