by Francesco Flammini, Andrea Gaglione and Concetta Pragliola
Critical Infrastructure Protection (CIP) against both natural and intentional threats has become a major issue in modern society. CIP involves a set of multidisciplinary activities and requires the adoption of appropriate protection mechanisms operated by centralized monitoring systems. Such systems are still highly dependent on human operators for supervision and intervention. One of the challenging goals of the research community in this field is the automatic and early detection of threats, including strategic terror attack scenarios. DETECT (Decision Triggering Event Composer & Tracker) is a new framework able to recognize complex events. This is achieved by a model-based correlation of basic events detected by possibly heterogeneous sensorial subsystems.
The best way to face threats is to stop them before they cause catastrophic consequences. Unfortunately, if the sequence of events is heterogeneous, geographically distributed or rapidly evolving, visual surveillance of video streams and sensor alarms provided by current security systems does not provide operators with satisfactory situational awareness. Operators are therefore less likely to recognize sequences of events that are indicative of a possible threat, due to their limited alert threshold and knowledge base. Furthermore, operators cannot guide and coordinate alarm responses or emergency interventions if they are not precisely aware of what is happening or has happened. The adoption of early warning and decision support systems is a way of coping with these issues.
To this end, we have designed the DETECT framework. The basic assumption behind the framework is that threats can be detected by predicting the set of basic events (ie the patterns) that constitute their signature. For instance, Figure 1b shows the multi-layered asset protection provided by modern security systems. In each layer a set of sensors (eg video, motion, temperature, vibration, sound, smoke) are installed. Threat scenarios must be precisely identified during vulnerability assessment and risk analysis.
DETECT operates by performing a model-based logical, spatial and temporal correlation of basic events detected by different sensor subsystems, in order to recognize sequences of events which indicate likely threats. DETECT is based on a real-time detection engine which implements the concepts of data fusion and cognitive reasoning by means of soft computing approaches. The framework can be interfaced or integrated with existing SMS (Security Management Software). It can serve as an early warning tool or even to automatically trigger adequate countermeasures for emergency/crisis management. As such, it may allow for a quick, focused and automatic response to emergencies, though manual confirmation of detected alarms remains an option.
In fact, human management of critical situations, possibly involving many simultaneous events, is a very delicate task that is both prone to error and subject to forced inhibition. Used as a warning system, DETECT can alert operators to the likelihood and nature of a threat; used as an autonomous reasoning engine, it can activate responsive actions, including audio and visual alarms, unblocking of turnstiles, air-conditioning flow inversion, activation of sprinklers, and emergency calls to first responders. Furthermore, the correlation among basic events detected by diverse redundant sensors can be employed to lower the false alarm rate of the security system, thus improving its overall reliability.
Threats are described in DETECT using a specific Event Description Language (EDL) and stored in a Scenario Repository. Starting from this repository, one or more detection models are automatically generated using a suitable formalism (eg event graphs, Bayesian networks, neural networks etc). In the operational phase, a model manager macro-module performs queries on the Event History database for the real-time feeding of the detection model according to predetermined policies. When a composite event is recognized, the output of DETECT consists of the identifier(s) of the detected/suspected scenario(s); an alarm level, associated to the scenario evolution (used as a progress indicator); and a probability of attack (used as a threshold in heuristic detection). A high-level architecture of the framework is depicted in Figure 2.
Together with a sensor network integration framework, DETECT can perform fusion and reasoning of data generated by smart wireless sensors. To this aim, DETECT is being integrated with SeNsIM (Sensor Networks Integration and Management), as illustrated in Figure 4. SeNsIM is a framework used to integrate heterogeneous and distributed sensor systems (including ad-hoc networks), by offering the user a common view of all data sources.
We are currently working on the implementation of a detection model based on Bayesian networks. The next operational step will be to interface the overall system with a real security management system for field trials. The integration will be performed using Web services and/or the OPC (OLE for Process Communication) standard protocol.
DETECT is a collaborative project carried out by the Innovation Unit of Ansaldo STS Italy and the Department of Computer and Systems Engineering (Dipartimento di Informatica e Sistemistica, DIS) at the University of Naples Federico II.
DETECT and SeNsIM project pages in the Seclab research group Web site: http://www.seclab.unina.it/
ANSALDO STS Italy
University of Naples Federico II, Italy