A robust approach for on-line and off-line threat detection based on event tree similarity analysis

The security of railway and mass-transit systems is increasingly dependent on the effectiveness of integrated Security Management Systems (SMS), which are meant to detect threats and to provide operators with the information required for alarm verification. In order to lower the false alarm rate and improve the detection reliability of threat scenarios, event correlation capabilities need to be integrated into the SMS. In this paper an existing approach based on a priori defined event patterns is extended with a heuristic situation recognition approach that is more robust to both imperfect scenario modeling (human faults) and missed detections (sensor faults). The approach is based on similarity analysis between the event trees representing scenarios, and it is effective both on-line and off-line. Applied on-line, it allows for earlier and more fault-tolerant threat detection, since scenario matching need not be complete or exact. Applied off-line, its effectiveness is twofold: first, it allows redundancies to be detected when the scenario repository is updated; second, it enhances the post-event forensic search for suspicious behaviors not previously stored in the scenario repository. The strategy is being evaluated experimentally in the context of railway protection.
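The three uses of event-tree similarity named in the abstract (on-line partial matching that tolerates a missed detection, off-line redundancy detection when the repository is updated, and off-line forensic search for the nearest stored scenario), as an added worked example that is not code from the paper or from the DETECT framework it extends. The paper does not give its event-tree encoding or its similarity metric here, so the example assumes both: a scenario is a tree of events encoded as a dict mapping each event to the events it causes, and similarity is the Jaccard index over the tree's parent-to-child edge set. The scenario names, event labels and the constructed partial observation are illustrative, not from the paper.

```python
"""Scenario matching by event-tree similarity.

Added example, not the paper's or the DETECT framework's own code. Assumed
encoding: a scenario is a dict {event: [caused events, ...]}; similarity is
the Jaccard index over the resulting (parent, child) edge set. Scenario
names and event labels below are constructed for illustration.
"""
from itertools import combinations


def edges(tree):
    """Flatten an event tree into its set of (parent, child) edges."""
    return {(parent, child) for parent, children in tree.items() for child in children}


def similarity(tree_a, tree_b):
    """Jaccard similarity of two event trees (1.0 means identical edge sets)."""
    ea, eb = edges(tree_a), edges(tree_b)
    if not ea and not eb:
        return 1.0
    return len(ea & eb) / len(ea | eb)


def coverage(observed, scenario):
    """Fraction of a stored scenario's edges already present in the observed tree.

    Used on-line: partial matches score, so a scenario can be flagged before
    all of its events occur and even if one sensor never reports."""
    es = edges(scenario)
    return len(edges(observed) & es) / len(es) if es else 0.0


def online_match(observed, repository, threshold):
    """(name, coverage) for every stored scenario covered at or above threshold,
    highest coverage first. threshold=1.0 reproduces exact pattern matching."""
    hits = [(name, coverage(observed, tree)) for name, tree in repository.items()]
    return sorted(((n, c) for n, c in hits if c >= threshold), key=lambda h: -h[1])


def find_redundant(repository, threshold):
    """Off-line check at repository update time: pairs of stored scenarios whose
    similarity is at or above threshold are candidates for merging."""
    pairs = []
    items = sorted(repository.items(), key=lambda kv: kv[0])
    for (name_a, tree_a), (name_b, tree_b) in combinations(items, 2):
        s = similarity(tree_a, tree_b)
        if s >= threshold:
            pairs.append((name_a, name_b, s))
    return pairs


def nearest_scenario(candidate, repository):
    """Off-line forensic search: the stored scenario closest to a tree rebuilt
    from logged events, with its similarity; (None, 0.0) for an empty repository."""
    best = max(repository.items(), key=lambda kv: similarity(candidate, kv[1]), default=None)
    if best is None:
        return None, 0.0
    return best[0], similarity(candidate, best[1])


# Constructed scenario repository (illustrative; not from the paper).
REPOSITORY = {
    "unattended_bag": {
        "person_enters_platform": ["bag_left_on_platform"],
        "bag_left_on_platform": ["person_leaves_platform"],
        "person_leaves_platform": ["bag_unattended_timeout"],
    },
    # Near-duplicate of the above with one extra event: an off-line
    # redundancy check should flag this pair.
    "unattended_bag_v2": {
        "person_enters_platform": ["bag_left_on_platform"],
        "bag_left_on_platform": ["person_leaves_platform"],
        "person_leaves_platform": ["bag_unattended_timeout"],
        "bag_unattended_timeout": ["operator_notified"],
    },
    "trackside_intrusion": {
        "fence_breach": ["trackside_motion"],
        "trackside_motion": ["train_approach"],
    },
}

# Constructed on-line observation: the sensor that should have reported
# bag_left_on_platform -> person_leaves_platform missed it, so only two of
# the three edges of "unattended_bag" were seen (a simulated sensor fault).
OBSERVED_PARTIAL = {
    "person_enters_platform": ["bag_left_on_platform"],
    "person_leaves_platform": ["bag_unattended_timeout"],
}

if __name__ == "__main__":
    print("on-line (threshold 0.6):", online_match(OBSERVED_PARTIAL, REPOSITORY, 0.6))
    print("on-line (exact match):  ", online_match(OBSERVED_PARTIAL, REPOSITORY, 1.0))
    print("redundant pairs:        ", find_redundant(REPOSITORY, 0.7))
    print("nearest for forensics:  ", nearest_scenario(OBSERVED_PARTIAL, REPOSITORY))
```

With the threshold at 0.6 the partial observation raises "unattended_bag" at two thirds coverage, whereas the exact-pattern variant (threshold 1.0) reports nothing, which is the fault-tolerance gain the abstract claims. The threshold is the operational knob: lowering it detects earlier and survives more missed events, at the cost of more alarms for operators to verify.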