Cesario Di Sarno
University of Naples Federico II
Publications
Featured research published by Cesario Di Sarno.
High Assurance Systems Engineering | 2012
Muhammad Afzaal; Cesario Di Sarno; Luigi Coppolino; Salvatore D'Antonio; Luigi Romano
In Critical Infrastructures, forensic analysis of stored events is an essential task when a security breach occurs. The goal of forensic analysis is to provide evidence that can be used as valid proof in a legal proceeding, so it is very important to ensure the integrity of the stored events in order to perform a correct forensic analysis. Today, most of the SIEMs used to protect Critical Infrastructures sign security events with the classic RSA algorithm in order to ensure their integrity. The signed security events cannot be admitted as evidence if the secret key is compromised, or when the module responsible for signing operations is down for any reason. In this paper a new architecture that overcomes these limitations is proposed. Experimental tests show the performance of our architecture and its high resilience in faulty situations, i.e. when some nodes are under attack.
European Workshop on Dependable Computing | 2013
Alessia Garofalo; Cesario Di Sarno; Luigi Coppolino; Salvatore D'Antonio
Smart grids provide efficiency in energy distribution, easy identification of disturbance sources, and fault prediction. To achieve these benefits, continuous monitoring of voltage and current phasors must be performed. Phasor Measurement Units (PMUs) allow the phasors to be measured. A Wide Area Measurement System uses PMUs placed in different locations to assess the status of the power grid. To correctly analyze the phasors provided by PMUs, all phasors must refer to the same time reference. For this reason each PMU uses the clock provided by a GPS receiver. The GPS receiver is vulnerable to spoofing attacks and is a single point of failure. In this context we examined the Network Time Protocol (NTP) as an alternative time source when the GPS receiver is compromised. In this paper a resilient architecture is proposed that is able to detect and react to GPS spoofing attacks. Experimental tests have shown the effectiveness of our solution.
European Workshop on Dependable Computing | 2013
Alessia Garofalo; Cesario Di Sarno; Valerio Formicola
Wireless Sensor Networks (WSNs) are increasingly being adopted in very sensitive applications as well, where it is of paramount importance to ensure that the sensor network is protected from cyber-security threats. In this paper we present a new IDS architecture designed to ensure a trade-off between different requirements: a high detection rate is obtained through decision tree classification, and energy saving is obtained through lightweight detection techniques on the motes. A dataset including a sinkhole attack has been created and employed to evaluate the effectiveness of the proposed solution. This dataset has been made available and will facilitate future comparisons of alternative solutions.
International Carnahan Conference on Security Technology | 2014
Mario Di Mauro; Cesario Di Sarno
Nowadays, Internet Service Providers have to keep track of, and in some cases analyze for legal reasons, a great amount of Internet data. Real-time big data processing and analysis introduce new challenges that must be addressed by system engineers. This is because: 1) traditional database-based technologies are not designed to process a huge amount of data in real time; 2) classic machine learning algorithms implemented by widely adopted tools such as Weka or R are not designed to perform "on the fly" analysis on streamed data. In this paper the authors propose an architecture that makes real-time big data processing and analysis possible. The proposed architecture is based on two main components: a stream processing engine called Apache Storm and a framework called Yahoo SAMOA that allows data analysis to be performed through distributed streaming machine learning algorithms. Our architecture is tested on Skype traffic recognition within network traffic generated by several personal computers and delivered as a stream. Experimental results have shown the effectiveness of the proposed solution.
International Journal of Critical Infrastructure Protection | 2016
Cesario Di Sarno; Alessia Garofalo; Ilaria Matteucci; Marco Vallini
Security information and event management (SIEM) systems are increasingly used to cope with the security challenges involved in critical infrastructure protection. However, these systems have several limitations. This paper describes an enhanced security information and event management system that (i) resolves conflicts between security policies; (ii) discovers unauthorized network data paths and appropriately reconfigures network devices; and (iii) provides an intrusion- and fault-tolerant storage system that ensures the integrity and non-forgeability of stored events. The performance of the enhanced system is demonstrated using a case study involving a hydroelectric dam. The case study considers an attack model that affects portions of the information technology infrastructure of the hydroelectric dam and demonstrates that the security information and event management system is successfully able to detect and respond to attacks.
Availability, Reliability and Security | 2013
Cesario Di Sarno; Valerio Formicola; Mario Sicuranza; Giovanni Paragliola
Electronic Health Records (EHR) are digital documents containing citizens' medical information that can be used for advanced eHealth services, such as emergency patient summary retrieval, historical data and event analysis, remote medical report access, and e-Prescription. In this work we present the case study of an EHR management infrastructure, namely the InFSE, which implements a federated network of regional autonomous districts deployed on a national scale. Despite the adoption of access control mechanisms based on authenticated transactions and assertions, the InFSE can be illegitimately used to retrieve patient health data and violate citizens' privacy. We propose an enhanced Security Information and Event Management (SIEM) system, namely MASSIF, which is able to discover business logic anomalies and protect the identities of the involved parties. In particular, we focus on the software modules that perform sophisticated data aggregation and analysis and provide fault- and intrusion-tolerant storage facilities, namely the Generic Event Translator, the Security Probes and the Trustworthy Event Storage. The components have been integrated into the widely used open source OSSIM SIEM and validated on a realistic test bed based on elements of the InFSE infrastructure.
Signal-Image Technology and Internet-Based Systems | 2012
Muhammad Afzaal; Cesario Di Sarno; Salvatore D'Antonio; Luigi Romano
Current Security Information and Event Management (SIEM) solutions lack a data storage facility that is secure enough to be used for forensic purposes, i.e. one in which stored events related to security incidents cannot be forged and are always available. The forensic storage used by current SIEM solutions relies on the traditional RSA algorithm to sign security events. In this paper we analyze the limits of current forensic storage and propose an architecture for forensic storage, implementing a threshold-based variant of the RSA algorithm, that outperforms state-of-the-art SIEM solutions in terms of intrusion and fault tolerance. We show by experiments that our forensic storage works correctly even in the presence of cyber-attacks, although with a performance penalty. We also conduct an experimental campaign to evaluate the performance cost of the proposed scheme as a function of the threshold.
IDC | 2015
Mario Sicuranza; Giovanni Paragliola; Cesario Di Sarno; Alessia Garofalo
Nowadays, IT systems are widely used to support the services offered by any infrastructure. This improves business processes but, on the other hand, exposes the infrastructure to cyber-attacks. Misuse detection and anomaly detection are two widely adopted approaches for discovering known and unknown cyber-attacks. In this paper we provide an overview of the techniques currently adopted for misuse and anomaly detection, and we discuss a conceptual architecture that exploits the advantages of both approaches to improve cyber-security. We also provide a conceptual description of an expert system that resolves conflicts due to detection mismatches between misuse and anomaly detection techniques.
International Conference on Computer Safety, Reliability, and Security | 2014
Cesario Di Sarno; Alessia Garofalo
Ensuring cyber security on a Wireless Sensor Network (WSN) is a challenging task, since nodes are devices with very limited resources. Existing Intrusion Detection System (IDS) solutions either ensure protection from attacks at one specific OSI layer, or they ensure multi-layer protection but at a higher computational cost. In this work we propose a new solution that aims at detecting attacks at different OSI layers while minimizing the number of features required to perform intrusion detection on a WSN node. We consider a multi-layer flooding attack performed at the routing and application layers; our experimental tests show that a high correlation exists between the features of these attacks available at the corresponding layers and energy consumption. This allows energy consumption to be used as the only feature to detect both attacks, even though they are performed at different OSI layers.
Workshop on Information Security Applications | 2018
Mario Di Mauro; Cesario Di Sarno
Nowadays, Security Information and Event Management (SIEM) systems take on great relevance in handling security issues for critical infrastructures such as Internet Service Providers. Basically, a SIEM has two main functions: i) the collection and aggregation of log data and security information from disparate network devices (routers, firewalls, intrusion detection systems, ad hoc probes and others), and ii) the analysis of the gathered data by implementing a set of correlation rules aimed at detecting potentially suspicious events, such as the presence of encrypted real-time traffic. In the present work, the authors propose an enhanced implementation of a SIEM with a particular focus on the detection of encrypted Skype traffic, using a purpose-built enhanced probe (ESkyPRO) governed by the SIEM itself. This enhanced probe, able to interact with an agent counterpart deployed in the SIEM platform, is designed by exploiting machine learning concepts. The main purpose of the proposed ad hoc SIEM is to correlate the information received from ESkyPRO with other types of data obtained from an Intrusion Detection System (IDS) probe, in order to make the detection of encrypted Skype traffic as accurate as possible.