Augmenting Surveillance System Capabilities by Exploiting Event Correlation and Distributed Attack Detection

presented by Dr. Francesco Flammini
Ansaldo STS – Innovation & Competitiveness Unit
francesco.fl[email protected]

ARES’11 – SeCIHD Workshop, Vienna, 22-23 August 2011

Francesco Flammini, Nicola Mazzocca, Alfio Pappalardo, Concetta Pragliola, Valeria Vittorini



Slide 2, SeCIHD’11, Francesco Flammini

Physical Security Information Management

[Architecture diagram] A Central Security Management System supervises the SECURITY MANAGEMENT SYSTEM of each station (STATION 1 … STATION N). IMAGES/ALARMS flow from the stations up to the central system and COMMANDS flow back down to the stations. Each station system integrates heterogeneous sensorial subsystems (labelled SUB SYSTEM 1 … SUB SYSTEM N in the diagram):

– Intelligent Video Analysis
– Intrusion Detection/Access Control
– Intelligent Sound Detection
– CBRNe Detectors
– …


SMS User Interface


Sensors and events

[Figure: sensor deployment across the railway infrastructure] Passenger Stations, Power Stations, Tunnels, Bridges, Line, Depots, Vehicles


The DETECT framework

• Objectives:
– Provide superior early warning and situation awareness by automatic detection of suspicious threat scenarios
– Increase alarm reliability by exploiting redundancy and diversity

• Means:
– Model-based correlation of primitive events detected by heterogeneous distributed sensor networks


Prototype DETECT GUI


DETECT-SMS Integration

[Integration diagram] DETECT and the SMS are linked by WARNINGS and COMMANDS; both share the Event History DB; DETECT is configured from the SCENARIOS repository; the operator actions VIEW THREAT DETAILS and CONFIRM THREAT are available on the SMS side.

• The SMS collects the events generated by the sensorial subsystems and stores them into the Event History DB

• The DETECT correlation engine is fed by each new entry in the DB and provides warnings on threat scenarios in case of matches with known patterns


Detection Models based on Event Trees

• Example: [event tree figure]

• Additional parameters: contexts (initiator/terminator events) and timing constraints on logic operators


Example threat scenario

Drop of Chemical Warfare Agent (CWA) in an underground metro railway platform: possible basic set of events
– attackers drop the CWA
– contaminated people fall to the floor
– people around the contaminated area run away and/or scream
– CWA spreads out on the platform and then reaches the stairs/escalators to the concourse level


Event Tree for the example scenario

• Detection model built using the DETECT GUI

[Event tree figure, SCENARIO EVOLUTION] Leaf events and their sensors: FALL and RUN from CAM 1, FALL and RUN from CAM 2, SCREAM from MIC, CWA from IMS/SAW, CWA from IR. The FALL/RUN/SCREAM leaves are grouped as STEP 1; the operator annotations read "2, <5’" (next to STEP 1) and "→, <10’" (on the node linking STEP 1 to the CWA detections).
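As an added example (mine, not code from the DETECT project or from the slides), the event-tree operators with timing constraints and contexts from the "Detection Models based on Event Trees" slide can be implemented as a small correlator and run over the CWA scenario above. Everything beyond the figure is an assumption: the reading of the annotations ("2, <5’" as at least two STEP 1 leaves within 5 minutes, "→, <10’" as STEP 1 followed by a CWA detection with the whole chain inside 10 minutes), the operator names AnyK and Seq, the context events from a hypothetical "OPS" source, and every timestamp in the constructed event history.

```python
# Added example (not code from the DETECT project): a minimal event-tree
# correlator run over a constructed event history for the CWA scenario.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Interval = Tuple[float, float]   # (start, end) of a match, in seconds
EPS = 1e-6                       # nudge used to move past an already-tried match

@dataclass(frozen=True)
class Event:
    t: float      # seconds since the start of the event history (constructed)
    sensor: str   # originating sensor, e.g. "CAM1", "MIC", "IMS/SAW"
    kind: str     # primitive event type, e.g. "FALL", "RUN", "SCREAM", "CWA"

class Leaf:
    """Primitive event from one sensor: the first such event at or after `after`."""
    def __init__(self, sensor: str, kind: str):
        self.sensor, self.kind = sensor, kind
    def match(self, events: Sequence[Event], after: float = 0.0) -> Optional[Interval]:
        for e in events:
            if e.t >= after and e.sensor == self.sensor and e.kind == self.kind:
                return (e.t, e.t)
        return None

class AnyK:
    """Timed operator: at least k children match within `window` seconds
    (k == 1 behaves as OR, k == len(children) as a timed AND)."""
    def __init__(self, k: int, window: float, children: List):
        self.k, self.window, self.children = k, window, children
    def match(self, events: Sequence[Event], after: float = 0.0) -> Optional[Interval]:
        while True:
            hits = [iv for iv in (c.match(events, after) for c in self.children) if iv]
            if len(hits) < self.k:
                return None
            hits.sort(key=lambda iv: iv[1])
            for i in range(len(hits) - self.k + 1):
                group = hits[i:i + self.k]
                if group[-1][1] - group[0][1] <= self.window:
                    return (min(iv[0] for iv in group), group[-1][1])
            after = hits[0][1] + EPS   # earliest hit pairs with nothing: skip past it

class Seq:
    """Sequence operator (the slide's arrow): children match in order, and the whole
    chain, from the first step's start to the last step's end, fits in `window`."""
    def __init__(self, window: float, children: List):
        self.window, self.children = window, children
    def match(self, events: Sequence[Event], after: float = 0.0) -> Optional[Interval]:
        while True:
            first = self.children[0].match(events, after)
            if first is None:
                return None
            start, cursor = first
            for child in self.children[1:]:
                nxt = child.match(events, cursor + EPS)
                if nxt is None:
                    break
                cursor = nxt[1]
            else:
                if cursor - start <= self.window:
                    return (start, cursor)
            after = start + EPS    # chain broke or ran too long: try a later first step

def in_context(events: Sequence[Event], initiator: Leaf, terminator: Leaf) -> List[Event]:
    """DETECT-style context: keep only the events from an initiator event up to the
    next terminator event (both included); the correlator never sees the rest."""
    kept, active = [], False
    for e in sorted(events, key=lambda ev: ev.t):
        active = active or initiator.match([e]) is not None
        if active:
            kept.append(e)
        if terminator.match([e]) is not None:
            active = False
    return kept

# Event tree for the CWA scenario. Assumed reading of the slide's annotations:
# "2, <5'"  -> at least 2 of the STEP 1 leaves within 5 minutes;
# "->, <10'" -> STEP 1 followed by a CWA detection, the whole chain within 10 minutes.
CWA_SCENARIO = Seq(window=10 * 60, children=[
    AnyK(k=2, window=5 * 60, children=[
        Leaf("CAM1", "FALL"), Leaf("CAM1", "RUN"), Leaf("CAM2", "FALL"),
        Leaf("CAM2", "RUN"), Leaf("MIC", "SCREAM")]),
    AnyK(k=1, window=0, children=[Leaf("IMS/SAW", "CWA"), Leaf("IR", "CWA")])])

# Constructed Event History DB entries (not real sensor data).
ATTACK_LOG = [
    Event(0, "CAM1", "FALL"),       # isolated fall, too early to pair with anything
    Event(600, "CAM2", "RUN"),
    Event(700, "MIC", "SCREAM"),    # 2 of the 5 STEP 1 leaves within 5 minutes
    Event(1000, "IMS/SAW", "CWA")]  # 400 s after STEP 1 began: chain fits 10 minutes
LATE_CWA_LOG = ATTACK_LOG[:3] + [Event(1300, "IR", "CWA")]   # 700 s: chain too long
CONTEXT_LOG = ([Event(0, "CAM1", "FALL"), Event(100, "OPS", "SERVICE_START")]
               + ATTACK_LOG[1:] + [Event(1500, "OPS", "SERVICE_END"), Event(1600, "IR", "CWA")])

def warn(events: Sequence[Event]) -> Optional[Interval]:
    """What the engine would hand the SMS: the matched interval, or None."""
    return CWA_SCENARIO.match(sorted(events, key=lambda e: e.t))

if __name__ == "__main__":
    print("attack:", warn(ATTACK_LOG), " late CWA:", warn(LATE_CWA_LOG))
```

The engine is fed the whole history each time here; an on-line deployment would call `warn` on every new DB entry with the events of the open context, which is exactly what `in_context` slices out. The retry loops in AnyK and Seq matter for the failure modes: an old FALL that cannot pair with anything is skipped rather than blocking the later RUN/SCREAM pair, and a CWA detection that arrives too late leaves the scenario unmatched instead of producing a stale warning.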


In-progress and future developments

• Francesco Flammini, Concetta Pragliola, Alfio Pappalardo and Valeria Vittorini: A robust approach for on-line and off-line threat detection based on event tree similarity analysis. In: Proc. 8th IEEE International Conference on Advanced Video and Signal-Based Surveillance, Workshop on Multimedia Systems for Surveillance (MMSS’11), Klagenfurt University, Austria, August 30 – September 2, 2011
– Heuristic situation recognition, with increased robustness w.r.t. missed detections and imperfect scenario modeling

• Detection models based on Bayesian Networks or other probabilistic methods, accounting for:
– Sensor detection reliability parameters (POD, FAR, etc.)
– “Noisy” logic correlators for fuzzy reasoning

• Possible off-line running of the correlation engine for post-event forensic searches on user specified scenarios

• Real-time updates on the Scenario Repository by the operators based on observed anomalies (human-in-the-loop assisted learning)
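The "increase alarm reliability by exploiting redundancy and diversity" objective on the DETECT framework slide and the POD/FAR and "noisy" correlator items above can be made concrete with the following added example (mine, not the DETECT project's code). It fuses the alarms of several sensors with Bayes' rule under the assumption that the sensors are conditionally independent given the threat state, computes the POD and FAR of a whole correlation rule by enumerating alarm patterns, and compares a crisp AND, a 2-of-3 vote and a posterior-threshold ("noisy") rule. The sensor names, their POD/FAR figures and the prior are constructed values, not figures from the slides.

```python
# Added example (not code from the DETECT project): Bayesian fusion of sensor
# alarms with per-sensor reliability parameters (POD, FAR), to show what
# redundancy and diversity buy in alarm reliability and how a "noisy"
# correlator would score a partial match instead of requiring every leaf.
from itertools import product
from typing import Callable, Dict, Sequence, Tuple

# (name, POD, FAR): POD = P(alarm | threat), FAR = P(alarm | no threat)
Sensor = Tuple[str, float, float]
AlarmPattern = Dict[str, bool]

def pattern_probability(sensors: Sequence[Sensor], alarms: AlarmPattern, threat: bool) -> float:
    """P(alarm pattern | threat state), sensors conditionally independent given the state."""
    p = 1.0
    for name, pod, far in sensors:
        q = pod if threat else far
        p *= q if alarms[name] else 1.0 - q
    return p

def posterior_threat(prior: float, sensors: Sequence[Sensor], alarms: AlarmPattern) -> float:
    """P(threat | alarm pattern) by Bayes' rule."""
    lik_t = pattern_probability(sensors, alarms, True)    # likelihood if a threat is present
    lik_n = pattern_probability(sensors, alarms, False)   # likelihood if there is no threat
    return prior * lik_t / (prior * lik_t + (1.0 - prior) * lik_n)

def fused_reliability(sensors: Sequence[Sensor],
                      rule: Callable[[AlarmPattern], bool]) -> Tuple[float, float]:
    """(POD, FAR) of a correlation rule applied to the sensors' alarms, obtained by
    enumerating every alarm pattern and summing the ones on which the rule fires."""
    names = [s[0] for s in sensors]
    pod = far = 0.0
    for bits in product((False, True), repeat=len(sensors)):
        alarms = dict(zip(names, bits))
        if rule(alarms):
            pod += pattern_probability(sensors, alarms, True)
            far += pattern_probability(sensors, alarms, False)
    return pod, far

def noisy_rule(prior: float, sensors: Sequence[Sensor],
               threshold: float) -> Callable[[AlarmPattern], bool]:
    """'Noisy' correlator: warn when the posterior threat probability reaches
    `threshold`, whatever subset of sensors fired."""
    return lambda alarms: posterior_threat(prior, sensors, alarms) >= threshold

def crisp_and(alarms: AlarmPattern) -> bool:
    return all(alarms.values())

def two_of_three(alarms: AlarmPattern) -> bool:
    return sum(alarms.values()) >= 2

# Constructed reliability figures for three diverse sensors on one platform.
SENSORS: Sequence[Sensor] = [("CAM1", 0.9, 0.05), ("MIC", 0.8, 0.10), ("IMS", 0.95, 0.02)]
PRIOR = 0.01   # assumed prior probability of an attack in the observed time slot

if __name__ == "__main__":
    for label, rule in [("AND", crisp_and), ("2-of-3", two_of_three),
                        ("posterior>=0.5", noisy_rule(PRIOR, SENSORS, 0.5))]:
        pod, far = fused_reliability(SENSORS, rule)
        print(f"{label:15s} POD={pod:.4f}  FAR={far:.5f}")
```

With these constructed figures the crisp AND drives the false alarm rate down to 1e-4 but misses almost a third of real attacks (POD 0.684), the 2-of-3 vote recovers most of the detections (POD 0.967) at FAR 0.0078, and the posterior rule at threshold 0.5 fires only on the patterns whose likelihood ratio beats the 1:99 prior odds (all three sensors, or CAM1 with IMS), giving POD 0.855 and FAR 0.001. Changing the threshold moves the rule along that same POD/FAR trade-off, which is the knob a "noisy" correlator exposes that a fixed logic gate does not.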

Thank you for your kind attention

Questions?