Project Detail
Concept and project objective(s)
Many daily operations currently rely on services provided through systems generally referred to as critical infrastructures, such as the electric grid, oil and natural gas production, transportation and distribution, and water supply networks, which depend on the existence and correctness of the network infrastructure. Indeed, an emerging common feature of these infrastructures is their reliance on the widespread use of networked systems and components to provide more efficient and innovative services and meet novel user requirements and expectations.
In the past years critical infrastructures were physically and logically separate systems with little interdependence. As digital information gained more and more importance for the operation of such infrastructures, what we might call a “cyber component” of each critical system grew. These cyber components are currently connected through heterogeneous networks and do represent the information infrastructure on which critical infrastructures rely and depend.
Unfortunately the increasing complexity and heterogeneity of the communication networks and systems used to connect such cyber components also increase their level of vulnerability. Furthermore, the progressive disuse of dedicated communication infrastructures and proprietary networked components, together with the growing adoption of IP-based solutions, exposes critical information infrastructures to cyber attacks coming from the Internet.
In conclusion, these infrastructures are characterised by a vulnerability level similar to other systems connected to the Internet, but the socio-economic impact of their failure can be huge.
Based on such considerations, it becomes extremely important to strongly protect the network infrastructure from attacks and failures in order to ensure the secure end-to-end transmission of control information generated by critical systems.
Indeed, as stated in terrorists might attack the communication network through physical or cyber actions in order to undermine the capability of controlling the critical system.
In the described scenario, the following kinds of events undermine the health of networked infrastructures:
· threats coming from cyberspace, including specific actions aiming to disrupt communication services as well as effects of wide spectrum attacks to the computer equipment devoted to control the lifeline system;
· failures in the information exchange due to problems with the communication network which connects the control system to the remote units. Delayed or erroneous information can lead to situations where incorrect actions are taken;
· cascade effects caused by relationships among infrastructures. In case of well-understood relationships, limited factors contribute to the overall health of the infrastructures. However, the relationships are often not well-understood. Thus, there is no compensating means for limiting the effect of a failure to just one infrastructure;
· acts of terrorism and other extreme events, such as technological disasters or natural catastrophes. These events impose the need to spend efforts to enhance the resilience of critical infrastructures.
The main objective of the INTERSECTION project is to design and implement an integrated framework for:
· detecting anomalous events;
· reacting to well-known, as well as new forms of anomalies;
· deploying truly distributed countermeasures against ongoing threats;
· providing systems with mechanisms for intrusion tolerance, i.e., preventing intrusions from generating a system failure.
Overall picture of the INTERSECTION framework.
The whole framework consists of the following elements:
The INTERSECTION Framework

A further element complicates the scenario: traffic flows generated by the geographically distributed systems devoted to controlling critical information infrastructures more often than not cross multiple network domains. Thus, in order to effectively manage and control an infrastructural element, issues linked to the transport of information in an inter-domain environment should be addressed. Furthermore, computer security incidents usually occur across administrative domains, spanning different organizations and national borders. In case of distributed attacks, it is likely that different aspects of a single incident will be visible to different systems. For these reasons, it is quite clear that it would be advantageous for different organisations and network operators to be able to share data on attacks in progress. The exchange of incident information and statistics among involved parties would be crucial for both detection of ongoing attacks and proactive identification of trends that can lead to incident prevention, as stressed also in many international fora like G8, NATO and, last but not least, the UN with resolution n. 58/199. Organizations and network operators have always been reticent to disclose information about attacks on their systems or through their networks. However, this tendency seems to be overcome by the new awareness that it is only through cooperation that networking infrastructures can be made robust to attacks and failures.
Starting from such considerations, the need arises to deploy a common framework that allows different systems and technologies to interoperate in the field of security through the development and the adoption of standard solutions, interfaces and protocols. The INTERSECTION project aims at contributing to the standards process in order to foster multi-provider interoperability and coordinated strategies against both electronic and physical threats. The need for standardisation spans from common security metrics to the representation of data, whether monitored data or information on past or ongoing attacks. This work has been partially started, for instance, at the IETF (Internet Engineering Task Force): INTERSECTION aims at both contributing to those activities that have already been started and proposing new items to the standardization process.
Finally, the last decade has seen a major change in most European countries: the de-regulation of the telecom business. This has enabled a large number of new telecom providers to enter the market and compete with the incumbents. Lower interconnection fees stimulated the joint usage of telecom infrastructures among competing providers. So today we confront two facts: first, the traffic between telecom providers has increased enormously; and second, more and more services have migrated and use the IP protocol on lower layers. IP traffic will increase even more in the future with the deployment of the so-called Next Generation Networks (NGN) infrastructure. The interconnection among telecom providers has evolved into one of the most critical parts of the European telecom industry.
In such a scenario, the security and dependability of a telecom infrastructure interconnected with other systems depends upon two factors: the infrastructure itself, but also the “system of systems” resulting from the interconnections. The latter is especially crucial and therefore a primary subject to be investigated. Interconnection failures will have an increasing impact as the telecom world converges into the NGN paradigm. In this future, failures might lead to the complete outage of a lot of services, thus affecting many countries and millions of users.
Identifying and addressing the interconnection vulnerabilities of a communications system is a basic instrument for protecting it from attack or exploitation. This is essential for future networks, as they will be vital elements of our society.
The INTERSECTION project aims at identifying and classifying vulnerabilities related to interconnections between telecom providers, and providing key action points for overcoming them.
Finally, the definition of metrics to assess and certify the level of security of a network infrastructure is a fundamental task in order to provide a non-discriminatory and secure business environment. A specific work package will be devoted to investigating and addressing this issue.
To summarise, the keyword of the INTERSECTION approach is networked cooperation. We intend to propose a novel security strategy along four planes, whereby network entities share information needed in order to:
- try to prevent attacks (Cooperative Prevention);
- detect the attack, in case it bypasses prevention barriers (Cooperative Detection);
- effectively react to the attack (Cooperative Reaction);
- tolerate intrusions (Cooperative Tolerance).
A distributed system, which embraces the above paradigm, is highly recommended since it meets a number of requirements of any network with security support. Information sharing enables networked systems to behave in an orchestrated fashion in order to deal with distributed attack strategies.
The main objectives of the project are:
Objective 1: INTERSECTION project will design and implement an integrated security framework.
Objective 2: INTERSECTION project will identify vulnerabilities of heterogeneous network infrastructures and define ontological relationships between them. It will discover dependencies between critical information infrastructures and communication networks in order to face the cascade effects. Furthermore, a European vulnerability database will be realised, similar to the National Vulnerability Database, NVD (http://nvd.nist.gov/), provided by NIST (National Institute of Standards and Technology).
Objective 3: INTERSECTION project will identify possible countermeasures (i.e. tools, methods). The project will develop innovative techniques for anomaly and intrusion detection, intrusion tolerance, and topology discovery.
Objective 4: INTERSECTION project will develop fast online monitoring through: the design of new algorithms, the integration with well-known methodologies, the use of dedicated hardware equipment such as network processors and cards.
Objective 5: INTERSECTION project will design and implement a novel visualisation framework to detect and inform about identified anomalies (based on various types of collected data).
Objective 6: INTERSECTION will define metrics to assess security systems.
Objective 7: INTERSECTION will disseminate project results and contribute to standards (i.e. IETF).
Progress beyond the state of the art
The INTERSECTION project proposes a research agenda that will span multiple areas in parallel, reflecting the multi-dimensionality of the problem we are called to address. Different techniques and tools will be developed to ensure security and resiliency of heterogeneous networks. Such tools will be integrated in a component-based framework for network monitoring, security and resiliency.
Design and development of novel methods for network monitoring
Design and development of innovative techniques for intrusion detection
Grammar-based adaptable parsing of intrusion detection data
An autonomic approach to anomaly detection
Anomaly detection through signal processing
Design and development of intrusion tolerance mechanisms
Study of malware traffic properties
Modelling network traffic anomalies at large scale
Design and development of a visualisation framework
Assessment, design and development of novel inter- and intradomain topology discovery tools




