ares - secihd'11 francesco flammini
TRANSCRIPT
Augmenting Surveillance System Capabilities by Exploiting Event Correlation and Distributed Attack Detection
presented by
Dr. Francesco Flammini
Ansaldo STS – Innovation & Competitiveness, [email protected]
ARES’11 – SeCIHD Workshop, Vienna, 22-23 August 2011
Authors: Francesco Flammini, Nicola Mazzocca, Alfio Pappalardo, Concetta Pragliola, Valeria Vittorini
SeCIHD’11, Francesco Flammini (slide 2)
Physical Security Information Management
[Diagram: a Central Security Management System exchanges IMAGES/ALARMS (upward) and COMMANDS (downward) with the Security Management System of each site (STATION 1 … STATION N). Every station SMS integrates its local sub systems (SUB SYSTEM 1 … SUB SYSTEM N): Intelligent Video Analysis, Intrusion Detection/Access Control, Intelligent Sound Detection, CBRNe Detectors, …]
Sensors and events
[Diagram: railway assets covered by the sensor network: Passenger Stations, Power Stations, Tunnels, Bridges, Line, Depots, Vehicles]
The DETECT framework
• Objectives:
– Provide superior early warning and situation awareness by automatic detection of suspicious threat scenarios
– Increase alarm reliability by exploiting redundancy and diversity
• Means:
– Model-based correlation of primitive events detected by heterogeneous distributed sensor networks
DETECT-SMS Integration
[Diagram: DETECT and the SMS exchange WARNINGS (DETECT → SMS) and COMMANDS (SMS → DETECT); both share the Event History DB; the operator can VIEW THREAT DETAILS and CONFIRM THREAT; detection models come from the SCENARIOS repository]
• The SMS collects the events generated by the sensorial subsystems and stores them into the Event History DB
• The DETECT correlation engine is fed by each new entry in the DB and provides warnings on threat scenarios in case of matches with known patterns
Detection Models based on Event Trees
• Example: [event tree diagram, not reproduced in the text]
• Additional parameters: contexts (initiator/terminator events) and timing constraints on logic operators
Example threat scenario
Drop of Chemical Warfare Agent (CWA) in an underground metro railway platform: possible basic set of events
– attackers drop the CWA
– contaminated people fall to the floor
– people around the contaminated area run away and/or scream
– CWA spreads out on the platform and then reaches the stairs/escalators to the concourse level
Event Tree for the example scenario
• Detection model built using the DETECT GUI
[Diagram (DETECT GUI screenshot): SCENARIO EVOLUTION, STEP 1; operator annotations “2, <5’” and “→, <10’”; leaf events FALL and RUN on CAM 1 and CAM 2, SCREAM on MIC, CWA on IMS/SAW and on IR]
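To make the correlation mechanism of the two previous slides concrete, here is an added example (not code from DETECT, Ansaldo STS or the authors) of a toy event-tree engine that is fed one Event History DB entry at a time and raises a warning when the CWA tree matches. The operators are reconstructed from the diagram labels as assumptions: “2, <5’” is read as "at least 2 distinct leaves within 5 minutes" and “→, <10’” as "sequence completed within 10 minutes", with the behavioural cues (fall, run, scream) ordered before the chemical detection as in the scenario narrative; the tree structure, sensor names, timestamps and event streams are all constructed for the example, and contexts (initiator/terminator events) are not modelled.

```python
"""Toy event-tree correlation engine in the spirit of DETECT (added example).
Assumed operators: OR, ANY n-of-m within a window, SEQ within a window."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    t: float      # seconds since a reference instant (constructed timestamps)
    sensor: str   # sub system that raised the event, e.g. "CAM1"
    kind: str     # primitive event class, e.g. "FALL"


Occ = Tuple[float, float]  # (start, end) of a full or partial scenario match


class Leaf:
    """Primitive event: every history entry of one class from one sensor."""
    def __init__(self, sensor: str, kind: str):
        self.sensor, self.kind = sensor, kind

    def occurrences(self, history: List[Event]) -> List[Occ]:
        return [(e.t, e.t) for e in history
                if e.sensor == self.sensor and e.kind == self.kind]


class OrOp:
    """Any one child suffices (redundancy: IMS/SAW or IR both report CWA)."""
    def __init__(self, *children):
        self.children = children

    def occurrences(self, history: List[Event]) -> List[Occ]:
        return sorted({o for c in self.children for o in c.occurrences(history)})


class AnyOp:
    """At least n *distinct* children occur within `window` seconds
    (diversity: two falls seen by the same camera count once)."""
    def __init__(self, n: int, window: float, *children):
        self.n, self.window, self.children = n, window, children

    def occurrences(self, history: List[Event]) -> List[Occ]:
        tagged = sorted((o, i) for i, c in enumerate(self.children)
                        for o in c.occurrences(history))
        out: Set[Occ] = set()
        for (_, end), _ in tagged:  # try each occurrence as the latest one
            recent = [(o, i) for o, i in tagged if end - self.window <= o[1] <= end]
            if len({i for _, i in recent}) >= self.n:
                out.add((min(o[0] for o, _ in recent), end))
        return sorted(out)


class SeqOp:
    """Children occur in the given order; the whole chain fits in `window` seconds."""
    def __init__(self, window: float, *children):
        self.window, self.children = window, children

    def occurrences(self, history: List[Event]) -> List[Occ]:
        partial = self.children[0].occurrences(history)
        for child in self.children[1:]:
            partial = sorted({(s, e2) for s, e in partial
                              for s2, e2 in child.occurrences(history)
                              if s2 > e and e2 - s <= self.window})
        return list(partial)


class CorrelationEngine:
    """Fed with each new Event History DB entry; emits a warning the first time
    a scenario tree matches, as DETECT does towards the SMS."""
    def __init__(self, scenarios: Dict[str, object]):
        self.scenarios = scenarios
        self.history: List[Event] = []
        self.reported: Set[Tuple[str, Occ]] = set()

    def feed(self, event: Event) -> List[str]:
        self.history.append(event)
        self.history.sort(key=lambda e: e.t)  # DB entries may arrive out of order
        warnings = []
        for name, root in self.scenarios.items():
            for occ in root.occurrences(self.history):
                if (name, occ) not in self.reported:
                    self.reported.add((name, occ))
                    warnings.append(f"WARNING {name}: evidence from t={occ[0]:.0f}s to t={occ[1]:.0f}s")
        return warnings


MIN = 60.0
# Assumed reading of the slide's tree: 2 of 5 behavioural cues within 5',
# followed by a CWA detection on either chemical sensor, all within 10'.
CWA_TREE = SeqOp(10 * MIN,
                 AnyOp(2, 5 * MIN, Leaf("CAM1", "FALL"), Leaf("CAM1", "RUN"),
                       Leaf("CAM2", "FALL"), Leaf("CAM2", "RUN"), Leaf("MIC", "SCREAM")),
                 OrOp(Leaf("IMS/SAW", "CWA"), Leaf("IR", "CWA")))

# Constructed sample streams (not real sensor data).
ATTACK = [Event(0, "CAM1", "FALL"), Event(90, "MIC", "SCREAM"),
          Event(150, "CAM2", "RUN"), Event(400, "IMS/SAW", "CWA")]
SAME_CAMERA_ONLY = [Event(0, "CAM1", "FALL"), Event(30, "CAM1", "FALL"),
                    Event(200, "IR", "CWA")]           # one source: no diversity
TOO_SLOW = [Event(0, "CAM1", "FALL"), Event(2000, "CAM2", "RUN"),
            Event(2100, "IR", "CWA")]                  # cues outside the 5' window


def run(stream: List[Event]) -> List[str]:
    """Feed a stream entry by entry and collect the warnings raised."""
    engine = CorrelationEngine({"CWA drop on platform": CWA_TREE})
    return [w for ev in stream for w in engine.feed(ev)]


if __name__ == "__main__":
    for label, stream in [("attack", ATTACK), ("same camera", SAME_CAMERA_ONLY),
                          ("too slow", TOO_SLOW)]:
        print(label, run(stream))
```

Only the first stream produces a warning: the second never reaches two distinct sources, the third violates the 5-minute window. Because every node evaluates against the whole stored history, calling `CWA_TREE.occurrences(...)` over an archived event list is also the off-line search over a user-specified scenario mentioned among the future developments.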
In-progress and future developments
• Francesco Flammini, Concetta Pragliola, Alfio Pappalardo and Valeria Vittorini: A robust approach for on-line and off-line threat detection based on event tree similarity analysis. In: Proc. 8th IEEE International Conference on Advanced Video and Signal-Based Surveillance, Workshop on Multimedia Systems for Surveillance (MMSS’11), Klagenfurt University, Austria, August 30 – September 2, 2011
– Heuristic situation recognition, with increased robustness w.r.t. missed detections and imperfect scenario modeling
• Detection models based on Bayesian Networks or other probabilistic methods, accounting for:
– Sensor detection reliability parameters (POD, FAR, etc.)
– “Noisy” logic correlators for fuzzy reasoning
• Possible off-line running of the correlation engine for post-event forensic searches on user-specified scenarios
• Real-time updates of the Scenario Repository by the operators based on observed anomalies (human-in-the-loop assisted learning)