Augmenting Surveillance System Capabilities by Exploiting Event Correlation and Distributed Attack Detection
presented by Dr. Francesco Flammini, Ansaldo STS – Innovation & Competitiveness Unit, francesco.fl[email protected]
ARES’11 – SeCIHD Workshop, Vienna, 22-23 August 2011
Francesco Flammini, Nicola Mazzocca, Alfio Pappalardo, Concetta Pragliola, Valeria Vittorini
Transcript
• Objectives:
– Provide superior early warning and situation awareness by automatic detection of suspicious threat scenarios
– Increase alarm reliability by exploiting redundancy and diversity
• Means:
– Model-based correlation of primitive events detected by heterogeneous distributed sensor networks
6 SeCIHD’11, Francesco Flammini
Prototype DETECT GUI
DETECT-SMS Integration
[Figure: DETECT-SMS integration diagram. Blocks: DETECT, SMS, Event History DB, Scenarios. Flows: warnings and commands between DETECT and the SMS; operator actions "view threat details" and "confirm threat".]
• The SMS (Security Management System) collects the events generated by the sensorial subsystems and stores them into the Event History DB
• The DETECT correlation engine is fed by each new entry in the DB and raises warnings on threat scenarios whenever the event history matches a known pattern
Detection Models based on Event Trees
• Example: (event-tree figure not recoverable from the transcript)
• Additional parameters: contexts (initiator/terminator events) and timing constraints on logic operators
Example threat scenario
Drop of a Chemical Warfare Agent (CWA) in an underground metro railway platform: possible basic set of events
– attackers drop the CWA
– contaminated people fall to the floor
– people around the contaminated area run away and/or scream
– the CWA spreads out on the platform and then reaches the stairs/escalators to the concourse level
Event Tree for the example scenario
• Detection model built using the DETECT GUI
[Figure: event tree for the CWA scenario, laid out along the scenario evolution (STEP 1, 2, ...). Leaf events and the sensors reporting them: FALL and RUN (CAM 1, CAM 2), SCREAM (MIC), CWA (IMS/SAW, IR). Logic operators carry timing constraints (<5’, <10’) and a sequence operator (→) between steps.]
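As an added illustration, not code from the DETECT prototype or the paper, the following Python toy correlator encodes the event tree above with AND, OR and SEQ operators carrying timing windows, and replays a constructed event history as the SMS would store it. Sensor names (CAM1, CAM2, MIC, IMS/SAW, IR), the 5- and 10-minute windows, the history rows and the absence of initiator/terminator contexts are all assumptions of this example.

```python
# Added toy correlator (not DETECT's code); sensor names and timings are constructed.
from dataclasses import dataclass

@dataclass
class Leaf:
    event: str           # primitive event, e.g. "FALL"
    sensors: tuple       # sensors allowed to report it (redundancy/diversity)

@dataclass
class Op:
    kind: str            # "AND" (all, within window), "OR" (any), "SEQ" (in order, gap <= window)
    children: list
    window: float = None # minutes

def matches(node, history):
    """All (start, end) intervals in which node is satisfied by history,
    a list of (minutes, event, sensor) rows as stored in the Event History DB."""
    if isinstance(node, Leaf):
        return [(t, t) for t, e, s in history if e == node.event and s in node.sensors]
    if node.kind == "OR":
        return [m for c in node.children for m in matches(c, history)]
    if node.kind == "AND":
        combos = [[]]    # one combination per choice of match for each child
        for c in node.children:
            combos = [prev + [m] for prev in combos for m in matches(c, history)]
        spans = [(min(m[0] for m in cb), max(m[1] for m in cb)) for cb in combos]
        return [s for s in spans if node.window is None or s[1] - s[0] <= node.window]
    if node.kind == "SEQ":
        partial = [None]  # prefixes matched so far (None = nothing yet)
        for c in node.children:
            partial = [m if p is None else (p[0], m[1])
                       for p in partial for m in matches(c, history)
                       if p is None or 0 <= m[0] - p[1] <= node.window]
        return partial
    raise ValueError(f"unknown operator {node.kind}")

# CWA-drop scenario: (FALL and (RUN or SCREAM)) within 5 min, then CWA within 10 min
CWA_SCENARIO = Op("SEQ", window=10, children=[
    Op("AND", window=5, children=[
        Leaf("FALL", ("CAM1", "CAM2")),
        Op("OR", [Leaf("RUN", ("CAM1", "CAM2")), Leaf("SCREAM", ("MIC",))])]),
    Leaf("CWA", ("IMS/SAW", "IR"))])

# Constructed event history (minutes, event, sensor); the early RUN is unrelated noise
HISTORY = [(0.0, "RUN", "CAM2"), (12.0, "FALL", "CAM1"),
           (13.5, "SCREAM", "MIC"), (19.0, "CWA", "IR")]

def warnings(scenario, history):
    """Warnings the engine would hand to the SMS, one per matching interval."""
    return [f"WARNING: scenario matched from t={s} to t={e} min" for s, e in matches(scenario, history)]
```

Enumerating every combination of child matches (rather than taking the earliest one) is what lets the unrelated RUN at t=0 be ignored in favour of the SCREAM that falls inside the 5-minute window; a CWA reading more than 10 minutes after that step produces no warning.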
In-progress and future developments
• Francesco Flammini, Concetta Pragliola, Alfio Pappalardo and Valeria Vittorini: A robust approach for on-line and off-line threat detection based on event tree similarity analysis. In: Proc. 8th IEEE International Conference on Advanced Video and Signal-Based Surveillance, Workshop on Multimedia Systems for Surveillance (MMSS’11), Klagenfurt University, Austria, August 30 – September 2, 2011
– Heuristic situation recognition, with increased robustness w.r.t. missed detections and imperfect scenario modeling
• Detection models based on Bayesian Networks or other probabilistic methods, accounting for:
– Sensor detection reliability parameters (POD, FAR, etc.)
– “Noisy” logic correlators for fuzzy reasoning
• Possible off-line running of the correlation engine for post-event forensic searches on user specified scenarios
• Real-time updates on the Scenario Repository by the operators based on observed anomalies (human-in-the-loop assisted learning)
Thank you for your kind attention