Salvatore D'Antonio

Cadenus: creation and deployment of end-user services in premium IP networks

Current trends in the information and communications technology industry clearly indicate the existence of a business requirement for a market-enabling technology that allows network operators to interact with users in a seamless, transparent manner for the sale and delivery of a wide range of services with guaranteed quality of service. In this context the need arises for the dynamic creation, configuration and delivery of services with QoS guarantees via the automated management of service level agreements. The aim of the Cadenus project is to bring theoretical and practical contributions to this area by defining a framework for the provisioning of advanced communication services in premium IP networks. Such networks might be characterized by a high degree of complexity, in terms not only of scale, but also of number of operators and technological heterogeneity. Our contribution is twofold, comprising both the design of the proposed framework and its actual implementation. An innovative approach was taken to framework design, based on the concept of mediation. With respect to the framework implementation, an example illustrating the realization of a virtual private network scenario is presented.

An Intrusion Detection System for Critical Information Infrastructures using Wireless Sensor Network technologies

Wireless Sensor Network (WSN) technology is being increasingly used for data collection in Critical Infrastructures (CIs). The paper presents an Intrusion Detection System (IDS), which is able to protect a CI from attacks directed to its WSN-based parts. By providing accurate and timely detection of malicious activities, the proposed IDS solution ultimately results in a dramatic improvement in terms of protection, since opportunities are given for performing proper remediation/reconfiguration actions, which counter the attack and/or allow the system to tolerate it. We present the basic ideas, discuss the main implementation issues, and perform a preliminary experimental campaign. Not only have experiments demonstrated the effectiveness of the proposed approach in protecting the system against two very serious attacks to WSNs (namely: sinkhole, and bogus packet), but they have also proved that the stringent requirements (in terms of limited availability of resources) which are typical of current state-of-the-art WSN technologies, are met.

Techniques for available bandwidth measurement in IP networks: a performance comparison

As the Internet grows in scale and complexity, the need for accurate traffic measurement increases. Among the different parameters relevant to traffic measurement, the paper pays attention to the available bandwidth of a path. In particular, a performance comparison of three different techniques, devoted to available bandwidth measurement, is attained under different operating conditions. The comparison is based on the outcomes of an extensive experimental activity. Experimental tests are not limited to the mere execution of the software tools that implement the techniques under test; indeed, a proper measurement station comprising a digital counter has been set up by the authors with the aim of gaining a reference value to be compared with results provided by the considered tools. The adoption of a performance evaluation methodology relying on the use of electronic instrumentation for time measurement represents a good example of cross-fertilization between two distinct research areas: networking on one side and electronic measurements on the other. The tools have been tested under different cross-traffic conditions and their performance has been evaluated in terms of the following metrics: concurrence, repeatability, bias, and time. For each cross-traffic scenario and with reference to every performance metric, the paper identifies the tool that provides the best results. Furthermore, an optimal setting for the parameters of each tool has been identified thanks to the extensive experimental activity that has been performed.

Integration of a system for critical infrastructure protection with the OSSIM SIEM platform: a dam case study

In recent years the monitoring and control devices in charge of supervising the critical processes of Critical Infrastructures have been victims of cyber attacks. To face such threat, organizations providing critical services are increasingly focusing on protecting their network infrastructures. Security Information and Event Management (SIEM) frameworks support network protection by performing centralized correlation of network asset reports. In this work we propose an extension of a commercial SIEM framework, namely OSSIM by AlienVault, to perform the analysis of the reports (events) generated by monitoring, control and security devices of the dam infrastructure. Our objective is to obtain evidences of misuses and malicious activities occurring at the dam monitoring and control system, since they can result in issuing hazardous commands to control devices. We present examples of misuses and malicious activities and procedures to extend OSSIM for analyzing new event types.

Applying Data Mining Techniques to Intrusion Detection in Wireless Sensor Networks

Wireless Sensor Networks (WSNs) have become a hot research topic in recent years. They have many potential applications for both civil and military tasks. However, the unattended nature of WSNs and the limited computational and energy resources of their nodes make them susceptible to many types of attacks. Intrusion detection is one of the major and efficient defence methods against attacks in a network infrastructure. Intrusion Detection Systems can be seen as the second line of defence and they complement the security primitives that are adopted in order to prevent attacks against the computer network being protected. The peculiar features of a wireless sensor network pose stringent requirements to the design of intrusion detection systems. In this paper, we propose a hybrid, lightweight, distributed Intrusion Detection System (IDS) for wireless sensor networks. This IDS uses both misuse-based and anomaly-based detection techniques. It is composed of a Central Agent, which performs highly accurate intrusion detection by using data mining techniques, and a number of Local Agents running lighter anomaly-based detection techniques on the motes. Decision trees have been adopted as classification algorithm in the detection process of the Central Agent and their behaviour has been analysed in selected attacks scenarios. The accuracy of the proposed IDS has been measured and validated through an extensive experimental campaign. This paper presents the results of these experimental tests.

A Resilient Architecture for Forensic Storage of Events in Critical Infrastructures

In Critical Infrastructures, forensic analysis of stored events is an essential task when a security breach occurs. The goal of forensic analysis is to provide evidence to be used as valid proofs in a legal proceeding. So, it is very important to ensure the integrity of the events stored in order to perform a correct forensic analysis. Today, most of the SIEMs used to protect the Critical Infrastructures sign the security events with RSA classic algorithm in order to ensure their integrity. The signed security events cannot be admissible as evidence if the secret key is compromised, or when the module responsible for signing operations is down for any reason. In this paper a new architecture that overcomes these limitations has been proposed. Experimental tests show the performance of our architecture and the high resilience in faulty situations, i.e. some nodes are under attack.

Security issues of a phasor data concentrator for smart grid infrastructure

The use of PMUs (Phasor Measurement Units) for measurement and control of the power grids over wide areas is becoming fundamental to improve power system reliability. Synchrophasors, that enable a synchronized evaluation of the phasor through GPS radio clock, are being extensively deployed together with network-based PDC (Phasor Data Concentrator) applications for providing a precise and comprehensive view of the status of the entire grid. The objective of this paper is to raise the awareness about the security issues related to the adoption of such technologies in power grids. In particular, we address two main vulnerabilities of the synchrophasor networks: (i) the protocols used to exchange data between the PMU and the PDC are usually not encrypted, and (ii) PDCs do not automatically sanitize the data received from the PMU. These vulnerabilities tremendously increase the exposure of a power distribution infrastructure to threats of cyber-attacks. In the paper we present an application scenario where such vulnerabilities are exploited by performing a SQL-injection attack that compromises the database used to store PMUs data.

High-speed intrusion detection in support of critical infrastructure protection

Telecommunication network plays a fundamental role in the management of critical infrastructures since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented in order to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is seen as an important and necessary task of a global methodology for critical infrastructure protection. In this paper we present 2 contributions. First, we present a distributed architecture that aims to secure the communication network upon which the critical infrastructure relies. This architecture is composed of an intrusion detection system (IDS) which is built on top of a customizable flow monitor. Second, we propose an innovative method to extrapolate real-time information about user behavior from network traffic. This method consists in monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.

Design principles and algorithms for effective high-speed IP flow monitoring

In this paper, we present design principles and related implementation experience for building effective and scalable IP flow monitoring systems. We focus on the monitoring of high-speed links, where the short packet inter-arrival time and the huge number of simultaneous flows impose a number of challenging requirements. First, the small inter-arrival times imply that algorithms for packet attribution to flows must be fast and efficient. To this purpose, an appropriate model for hash-based packet classification is proposed. Second, also the update of per-flow information must be fast, which suggests that fast memories are needed in order to avoid that memory access becomes the system bottleneck. But fast memories are still expensive and small, while the number of simultaneous flow in high-speed links is large. Therefore, the need arises to introduce strategies that help in keeping memory requirements low: one of these is the fast identification of timed out flows. Finally, identifying and periodically reporting information about long-lived flows receiving a lot of traffic is of paramount importance for those applications that cannot simply wait for the termination of these flows to receive the corresponding information. We provide design principles and algorithms that can be applied to all these tasks. A comparative study of some of them is carried out and performance figures are obtained using significant metrics.

INcreasing Security and Protection through Infrastructure REsilience: The INSPIRE Project

The INSPIRE project aims at enhancing the European potential in the field of security by ensuring the protection of critical information infrastructures through (a) the identification of their vulnerabilities and (b) the development of innovative techniques for securing networked process control systems. To increase the resilience of such systems INSPIRE will develop traffic engineering algorithms, diagnostic processes and self-reconfigurable architectures along with recovery techniques. Hence, the core idea of the INSPIRE project is to protect critical information infrastructures by appropriately configuring, managing, and securing the communication network which interconnects the distributed control systems. A working prototype will be implemented as a final demonstrator of selected scenarios. Controls/Communication Experts will support project partners in the validation and demonstration activities. INSPIRE will also contribute to standardization process in order to foster multi-operator interoperability and coordinated strategies for securing lifeline systems.