
    Closing the loop of SIEM analysis to Secure Critical Infrastructures

    Critical Infrastructure Protection is one of the main challenges of recent years. Security Information and Event Management (SIEM) systems are widely used for coping with this challenge. However, they currently present several limitations that have to be overcome. In this paper we propose an enhanced SIEM system in which we have introduced novel components to i) enable multiple layer data analysis; ii) resolve conflicts among security policies, and discover unauthorized data paths in such a way as to be able to reconfigure network devices. Furthermore, the system is enriched by a Resilient Event Storage that ensures integrity and unforgeability of stored events. Comment: EDCC-2014, BIG4CIP-2014, Security Information and Event Management, Decision Support System, Hydroelectric Da

    Applying Extensions of Evidence Theory to Detect Frauds in Financial Infrastructures

    The Dempster-Shafer (DS) theory of evidence has significant weaknesses when dealing with conflicting information sources, as demonstrated by preeminent mathematicians. This problem may invalidate its effectiveness when it is used to implement decision-making tools that monitor a great number of parameters and metrics. Indeed, in this case, very different estimations are likely to occur and can produce unfair and biased results. In order to address these flaws, a number of amendments and extensions of the initial DS model have been proposed in the literature. In this work, we present a Fraud Detection System that classifies transactions in a Mobile Money Transfer infrastructure by using the data fusion algorithms derived from these new models. We tested it in a simulated environment that closely mimics a real Mobile Money Transfer infrastructure and its actors. Results show substantial improvements in performance in terms of true positive and false positive rates with respect to the classical DS theory.

    A framework for mastering heterogeneity in multi-layer security information and event correlation

    Security Information and Event Management (SIEM) is a consolidated technology that relies on the correlation of massive amounts of security-relevant information in order to detect ongoing attacks and intrusions. This correlation process is usually fed with logs generated by network devices and equipment, thus proving to be ineffective against attacks that affect multiple domains (e.g. physical, logical) or different architectural levels (e.g. network, operating system, application) of a service infrastructure. To bridge the gap, we propose a flexible framework for event collection and correlation, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure. The framework has been integrated into the open-source SIEM OSSIM, and validated in two challenging case studies, namely a dam infrastructure control system and a mobile phone based payment service.

    Real-time Security & Dependability monitoring: Make it a bundle

    Security & Dependability (SEC&DEP) monitoring has definitely become a number one priority, since it is understood to be the prerequisite for allowing system operation to continue in the presence of faults and/or attacks. Since effective remediation requires that the right actions be taken at the right time, for SEC&DEP monitoring to be really useful the results of the monitoring process must be made available in a timely fashion, i.e. in (near) real-time. A plethora of technologies exists that individually represent a (potentially) effective building block of a real-time SEC&DEP monitoring facility, but, regrettably, they very much lack integration. We claim that a significant advancement in the convergence of such technologies is needed. While some achievements have recently been made, much is yet to be done. In this paper, we briefly review the current State Of The Art (SOTA) of technologies that can be used to implement a real-time SEC&DEP monitoring facility, with two objectives: 1) perform a gap analysis, i.e. point out the major limitations of such technologies, and 2) identify the main avenues towards effective SEC&DEP monitoring.

    Protecting the WSN Zones of a Critical Infrastructure via Enhanced SIEM Technology

    Attacks on Critical Infrastructures are increasing and becoming more sophisticated. In addition to the security issues of Supervisory Control And Data Acquisition systems, new threats come from the recent adoption of Wireless Sensor Network (WSN) technologies. Traditional security solutions for solely Information Technology (IT) based infrastructures, such as Security Information and Event Management (SIEM) systems, can be strongly enhanced to address such issues. In this paper we analyze the limits of current SIEMs in protecting CIs and propose a framework developed in the MASSIF Project to enhance services for data treatment. We present the Generic Event Translation module and introduce the Resilient Storage module to collect data from heterogeneous sources, improve the intelligence of the SIEM periphery, and reliably store information on security breaches. In particular, by focusing on the first two features, we illustrate how they can improve the detection of attacks targeting the WSN of a dam monitoring and control system.

    Integration of a System for Critical Infrastructure Protection with the OSSIM SIEM Platform: A dam case study

    In recent years the monitoring and control devices in charge of supervising the critical processes of Critical Infrastructures have been victims of cyber attacks. To face such threats, organizations providing critical services are increasingly focusing on protecting their network infrastructures. Security Information and Event Management (SIEM) frameworks support network protection by performing centralized correlation of network asset reports. In this work we propose an extension of a commercial SIEM framework, namely OSSIM by AlienVault, to perform the analysis of the reports (events) generated by the monitoring, control and security devices of a dam infrastructure. Our objective is to obtain evidence of misuses and malicious activities occurring at the dam monitoring and control system, since they can result in hazardous commands being issued to control devices. We present examples of misuses and malicious activities, and procedures to extend OSSIM for analyzing new event types.

    Security Issues of a Phasor Data Concentrator for Smart Grid Infrastructure

    The use of PMUs (Phasor Measurement Units) for measurement and control of power grids over wide areas is becoming fundamental to improving power system reliability. Synchrophasors, which enable a synchronized evaluation of the phasor through a GPS radio clock, are being extensively deployed together with network-based PDC (Phasor Data Concentrator) applications to provide a precise and comprehensive view of the status of the entire grid. The objective of this paper is to raise awareness about the security issues related to the adoption of such technologies in power grids. In particular, we address two main vulnerabilities of synchrophasor networks: (i) the protocols used to exchange data between the PMU and the PDC are usually not encrypted, and (ii) PDCs do not automatically sanitize the data received from the PMU. These vulnerabilities tremendously increase the exposure of a power distribution infrastructure to cyber-attack threats. In the paper we present an application scenario where such vulnerabilities are exploited by performing a SQL-injection attack that compromises the database used to store PMU data.