A collaborative event processing system for protection of critical infrastructures from cyber attacks

Aniello, Leonardo; Di Luna, Giuseppe Antonio; Baldoni, Roberto
2011

Abstract

We describe an Internet-based collaborative environment that protects geographically dispersed organizations of a critical infrastructure (e.g., financial institutions, telco providers) from coordinated cyber attacks. A specific instance of a collaborative environment for detecting malicious inter-domain port scans is introduced. This instance uses the open source Complex Event Processing (CEP) engine ESPER to correlate massive amounts of network traffic data exhibiting the evidence of those scans. The paper presents two inter-domain SYN port scan detection algorithms we designed, implemented in ESPER, and deployed on the collaborative environment, namely Rank-based SYN (R-SYN) and Line Fitting. The paper shows the usefulness of the collaboration in terms of detection accuracy. Finally, it shows how Line Fitting can both achieve a higher detection accuracy with a smaller number of participants than R-SYN, and exhibit better detection latencies than R-SYN in the presence of low link bandwidths (i.e., less than 3 Mbit/s) connecting the organizations to ESPER. © 2011 Springer-Verlag.
30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011
04 Publication in conference proceedings::04b Conference paper in volume
A collaborative event processing system for protection of critical infrastructures from cyber attacks / Aniello, Leonardo; Di Luna, Giuseppe Antonio; Lodi, Giorgia; Baldoni, Roberto. - PRINT. - 6894 LNCS:(2011), pp. 310-323. (Paper presented at the 30th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2011, held in Naples, 19 September 2011 through 22 September 2011) [10.1007/978-3-642-24270-0_23].
Files attached to this item
File: VE_2011_11573-415712.pdf (620.93 kB, Adobe PDF)
Access: archive managers only
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/415712

Warning: the data shown here have not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 13
  • ISI: ND