Abstract
The telecommunication network plays a fundamental role in the management of critical infrastructures, since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented in order to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is seen as an important and necessary task of a global methodology for critical infrastructure protection. In this paper we present two contributions. First, we present a distributed architecture that aims to secure the communication network upon which the critical infrastructure relies. This architecture is composed of an intrusion detection system (IDS) built on top of a customizable flow monitor. Second, we propose an innovative method to extrapolate real-time information about user behavior from network traffic. This method consists of monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.
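To illustrate the multi-granularity flow monitoring idea described in the abstract, here is an added example (not code from the paper or its authors) that aggregates constructed flow records at three granularity levels and flags a source host whose coarse-grained profile fans out across many destination ports, a pattern that is invisible when each 5-tuple flow is inspected alone; the record layout, the `GRANULARITIES` table and the `max_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the paper):
# (src_ip, dst_ip, proto, src_port, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", "tcp", 40001, 502, 800),
    ("10.0.0.5", "10.0.1.10", "tcp", 40002, 502, 760),
    ("10.0.0.7", "10.0.1.10", "tcp", 41000, 22, 120),
    ("10.0.0.7", "10.0.1.10", "tcp", 41001, 23, 120),
    ("10.0.0.7", "10.0.1.10", "tcp", 41002, 80, 120),
    ("10.0.0.7", "10.0.1.10", "tcp", 41003, 443, 120),
    ("10.0.0.7", "10.0.1.11", "tcp", 41004, 502, 120),
]

# Granularity levels (assumed): each maps a flow record to the key it is aggregated under.
GRANULARITIES = {
    "5tuple": lambda f: (f[0], f[1], f[2], f[3], f[4]),   # finest: one key per flow
    "host_pair": lambda f: (f[0], f[1]),                 # all flows between two hosts
    "src_host": lambda f: (f[0],),                       # coarsest: everything a host sends
}

def aggregate(flows, level):
    """Aggregate flows at one granularity level: per key, count records and bytes
    and collect the distinct destination ports and hosts that were contacted."""
    key_fn = GRANULARITIES[level]
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0, "dst_ports": set(), "dst_hosts": set()})
    for f in flows:
        s = stats[key_fn(f)]
        s["flows"] += 1
        s["bytes"] += f[5]
        s["dst_ports"].add(f[4])
        s["dst_hosts"].add(f[1])
    return dict(stats)

def detect_fanout(flows, max_ports=3):
    """Flag source hosts whose coarse-grained profile touches more distinct destination
    ports than the (assumed) baseline allows. Returns (src_ip, n_ports, n_hosts) tuples."""
    alerts = []
    for key, s in aggregate(flows, "src_host").items():
        if len(s["dst_ports"]) > max_ports:
            alerts.append((key[0], len(s["dst_ports"]), len(s["dst_hosts"])))
    return alerts

if __name__ == "__main__":
    for level in GRANULARITIES:
        print(level, "->", len(aggregate(SAMPLE_FLOWS, level)), "keys")
    print("alerts:", detect_fanout(SAMPLE_FLOWS))
```

Each 5-tuple flow of host 10.0.0.7 looks like harmless low-volume traffic on its own; only the per-source aggregate reveals that one host is reaching five different services.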
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
D’Antonio, S., Oliviero, F., Setola, R. (2006). High-Speed Intrusion Detection in Support of Critical Infrastructure Protection. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_18
DOI: https://doi.org/10.1007/11962977_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69083-2
Online ISBN: 978-3-540-69084-9
eBook Packages: Computer Science (R0)