Publication


Featured research published by Valerio Formicola.


International Conference on Computer Safety, Reliability and Security | 2011

Integration of a system for critical infrastructure protection with the OSSIM SIEM platform: a dam case study

Luigi Coppolino; Salvatore D'Antonio; Valerio Formicola; Luigi Romano

In recent years the monitoring and control devices in charge of supervising the critical processes of Critical Infrastructures have been victims of cyber attacks. To face such threats, organizations providing critical services are increasingly focusing on protecting their network infrastructures. Security Information and Event Management (SIEM) frameworks support network protection by performing centralized correlation of network asset reports. In this work we propose an extension of a commercial SIEM framework, namely OSSIM by AlienVault, to perform the analysis of the reports (events) generated by monitoring, control and security devices of the dam infrastructure. Our objective is to obtain evidence of misuses and malicious activities occurring at the dam monitoring and control system, since they can result in issuing hazardous commands to control devices. We present examples of misuses and malicious activities and procedures to extend OSSIM for analyzing new event types.


Proceedings of the 13th European Workshop on Dependable Computing | 2011

Security issues of a phasor data concentrator for smart grid infrastructure

Salvatore D'Antonio; Luigi Coppolino; Ivano Alessandro Elia; Valerio Formicola

The use of PMUs (Phasor Measurement Units) for measurement and control of the power grids over wide areas is becoming fundamental to improve power system reliability. Synchrophasors, that enable a synchronized evaluation of the phasor through GPS radio clock, are being extensively deployed together with network-based PDC (Phasor Data Concentrator) applications for providing a precise and comprehensive view of the status of the entire grid. The objective of this paper is to raise the awareness about the security issues related to the adoption of such technologies in power grids. In particular, we address two main vulnerabilities of the synchrophasor networks: (i) the protocols used to exchange data between the PMU and the PDC are usually not encrypted, and (ii) PDCs do not automatically sanitize the data received from the PMU. These vulnerabilities tremendously increase the exposure of a power distribution infrastructure to threats of cyber-attacks. In the paper we present an application scenario where such vulnerabilities are exploited by performing a SQL-injection attack that compromises the database used to store PMUs data.


Critical Information Infrastructures Security | 2012

Enhancing SIEM Technology to Protect Critical Infrastructures

Luigi Coppolino; Salvatore D’Antonio; Valerio Formicola; Luigi Romano

Coordinated and targeted cyber-attacks on Critical Infrastructures (CIs) and Supervisory Control And Data Acquisition (SCADA) systems are increasing and becoming more sophisticated. Typically, SCADA has been designed without having security in mind, which is indeed approached by reusing solutions to protect solely Information Technology (IT) based infrastructures, such as the Security Information and Events Management (SIEM) systems. According to the National Institute of Standards and Technology (NIST), these systems are often ineffective for CIs protection. In this paper we analyze limits of current SIEMs and propose a framework developed in the MASSIF Project to enhance services for data treatment. Particularly, the Generic Event Translation (GET) module collects security data from heterogeneous sources, by providing intelligence at the edge of the SIEM; the Resilient Storage (RS), reliably stores data related to relevant security breaches. We illustrate a prototypal deployment for the dam monitoring and control case study.


Simulation Tools and Techniques for Communications, Networks and System | 2010

An extended ns-2 for validation of load balancing algorithms in Content Delivery Networks

Francesco Cece; Valerio Formicola; Francesco Oliviero; Simon Pietro Romano

This paper deals with the design, the development and the usage guidelines of a novel Content Delivery Network library for the ns-2 simulator. Such library allows evaluating new application-level load balancing approaches, with special regard to distributed content web servers. It includes some typical load balancing algorithms proposed in the literature and it can be extended to support new solutions. The proposed tool extends the ns-2 simulator with new HTTP data types and new application components which are in charge of data treatment. Moreover a new agent has been added to allow the simulation of data transferring. The library has been designed to work in a non-hierarchical and peer to peer cooperation environment. Several examples of testing scenarios are proposed in the paper.


European Workshop on Dependable Computing | 2013

Enhancing Intrusion Detection in Wireless Sensor Networks through Decision Trees

Alessia Garofalo; Cesario Di Sarno; Valerio Formicola

Wireless Sensor Networks (WSNs) are being increasingly adopted also in very sensitive applications where it is of paramount importance to ensure that the sensor network is protected from cyber-security threats. In this paper we present a new IDS architecture designed to ensure a trade-off between different requirements: high detection rate is obtained through decision tree classification; energy saving is obtained through light detection techniques on the motes. A dataset including sinkhole attack has been created and employed to evaluate the effectiveness of the proposed solution. Such a dataset has been made available, and will facilitate future comparisons of alternative solutions.


International Conference on Computer Safety, Reliability and Security | 2012

Protecting the WSN zones of a critical infrastructure via enhanced SIEM technology

Luigi Romano; Salvatore D'Antonio; Valerio Formicola; Luigi Coppolino

Attacks on Critical Infrastructures are increasing and becoming more sophisticated. In addition to security issues of Supervisory Control And Data Acquisition systems, new threats come from the recent adoption of Wireless Sensor Network (WSN) technologies. Traditional security solutions for solely Information Technology (IT) based infrastructures, such as the Security Information and Events Management (SIEM) systems, can be strongly enhanced to address such issues. In this paper we analyze limits of current SIEMs to protect CIs and propose a framework developed in the MASSIF Project to enhance services for data treatment. We present the Generic Event Translation and introduce the Resilient Storage modules to collect data from heterogeneous sources, improve the intelligence of the SIEM periphery, and reliably store information of security breaches. Particularly, by focusing on the first two features, we illustrate how they can improve the detection of attacks targeting the WSN of a dam monitoring and control system.


Ambient Intelligence | 2015

Use of the Dempster–Shafer theory to detect account takeovers in mobile money transfer services

Luigi Coppolino; Salvatore D’Antonio; Valerio Formicola; Carmine Massei; Luigi Romano

Advanced cyber-threats, specifically targeted to financial institutions, are growing in frequency and sophistication, both globally and in individual countries. To counter this trend, effective solutions are needed that are able to reliably and timely detect frauds across multiple channels that process millions of transactions per day. These security solutions are required to process logs produced by different systems and correlate massive amounts of information in real-time. In this paper, we propose an approach based on the Dempster–Shafer (DS) theory, that results in high performance of the detection process, i.e. high detection rates and low false positive rates. The approach is based on combining multiple (and heterogeneous) data feeds to get to a degree of belief that takes into account all the available evidence. The proposed approach has been validated with respect to a challenging demonstration case, specifically the detection of frauds performed against a mobile money transfer (MMT) service. An extensive experimental campaign has been conducted, using synthetic data generated by a simulator which closely mimics the behavior of a real system, from a major MMT service operator.


IDC | 2015

Use of the Dempster-Shafer Theory for Fraud Detection: The Mobile Money Transfer Case Study

Luigi Coppolino; Salvatore D’Antonio; Valerio Formicola; Carmine Massei; Luigi Romano

Security Information and Event Management (SIEM) systems are largely used to process logs generated by both hardware and software devices to assess the security level of service infrastructures. This log-based security analysis consists in correlating massive amounts of information in order to detect attacks and intrusions. In order to make this analysis more accurate and effective we propose an approach based on the Dempster-Shafer theory, that allows for combining evidence from multiple and heterogeneous data sources and getting to a degree of belief that takes into account all the available evidence. The proposed approach has been validated with respect to a challenging demonstration case, namely the detection of frauds performed against a Mobile Money Transfer service. An extensive simulation campaign has been executed to assess the performance of the proposed approach and the experimental results are presented in this paper.


International Conference on Critical Infrastructure Protection | 2014

Assessing the Impact of Cyber Attacks on Wireless Sensor Nodes That Monitor Interdependent Physical Systems

Valerio Formicola; Antonio Di Pietro; Abdullah Alsubaie; Salvatore D’Antonio; J.R. Marti

This paper describes a next-generation security information and event management (SIEM) platform that performs real-time impact assessment of cyber attacks that target monitoring and control systems in interdependent critical infrastructures. To assess the effects of cyber attacks on the services provided by critical infrastructures, the platform combines security analysis with simulations produced by the Infrastructure Interdependencies Simulator (i2Sim). The approach is based on the mixed holistic reductionist (MHR) methodology that models the relationships between functional components of critical infrastructures and the provided services. The effectiveness of the approach is demonstrated using a scenario involving a dam that feeds a hydroelectric power plant. The scenario considers an attack on a legacy SCADA system and wireless sensor network that reduces electricity production and degrades the services provided by the interdependent systems. The results demonstrate that the attack is detected in a timely manner, risk assessment is performed effectively and service level variations can be predicted. The paper also shows how the impact of attacks on services can be estimated when limits are imposed on information sharing.


Availability, Reliability and Security | 2013

Addressing Security Issues of Electronic Health Record Systems through Enhanced SIEM Technology

Cesario Di Sarno; Valerio Formicola; Mario Sicuranza; Giovanni Paragliola

Electronic Health Records (EHR) are digital documents containing citizen medical information that can be used for advanced eHealth services, like emergency patient summary retrieving, historical data and events analysis, remote medical report access, e-Prescription. In this work we present the case study of an EHR management infrastructure, namely the InFSE, which implements a federated network of regional autonomous districts deployed on national scale. Despite the adoption of access control mechanisms based on authenticated transactions and assertions, the InFSE can be illegitimately used to retrieve patient health data and violate the citizens' privacy. We propose an enhanced Security Information and Event Management (SIEM) system, namely MASSIF, which is able to discover business logic anomalies and protect the identities of involved parties. In particular we focus on the software modules that perform sophisticated data aggregation and analysis, and provide fault and intrusion tolerant storage facilities, namely the Generic Event Translator, the Security Probes and the Trustworthy Event Storage. The components have been integrated on the widely used open source OSSIM SIEM and validated on a realistic test bed based on elements of the InFSE infrastructure.

Collaboration


Dive into Valerio Formicola's collaborations.

Top Co-Authors

Luigi Coppolino

University of Naples Federico II

Luigi Romano

University of Naples Federico II

Salvatore D'Antonio

University of Naples Federico II

Cesario Di Sarno

University of Naples Federico II

Francesco Oliviero

University of Naples Federico II

Alessia Garofalo

University of Naples Federico II

Carmine Massei

University of Naples Federico II

Gianfranco Cerullo

University of Naples Federico II

Simon Pietro Romano

Information Technology University
