Master's Thesis

Specification-based intrusion detection: Public transportation application using application processes

João Pedro Paulino Aires Ferreira de Lima, 2012

Key information

Authors:

João Pedro Paulino Aires Ferreira de Lima

Supervisors:

Nelson Nobre Escravana; Carlos Nuno da Cruz Ribeiro

Published in

10/31/2012

Abstract

Mass transport operators have become critical cyber-attack targets: disrupting their operation severely compromises the normal functioning of modern cities and can endanger hundreds of lives at once. Intrusion detection systems (IDS) have existed for some time, but they suffer from effectiveness problems, either because they fail to detect new, previously unidentified threats or because they generate too many false alarms to be useful. We developed a centralized hybrid IDS to support the specific needs of public transport operators' IT infrastructure and to overcome the usual limitations of IDSs. The system combines concepts from both specification-based and misuse detection techniques. The specification-based anomaly detection component provides the ability to detect novel, unreported and application-related attacks with a negligible false positive rate, while the misuse detection component provides the ability to detect known malicious activities. The specification-based component was implemented using specifications of the flow of activities that the several systems perform in order to accomplish a given goal; any deviation from such a specification is considered an attack and must be handled. To assess the effectiveness of this new approach, the system was tested in a simulation of a real-world public transport environment, demonstrating that it is able to detect intrusions with a negligible false alarm rate.
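The abstract describes the core idea but not how a workflow specification is checked against live events. The following is an added illustration, not code from the thesis: a toy hybrid detector in which the specification is a state machine over the steps of a hypothetical ticket-sale workflow (the systems, step names, log format and signatures are all assumptions constructed for this example), and a small misuse component matches known-bad patterns on the event parameters. A step that the specification does not allow from the flow's current state is flagged as a deviation; a legitimate step carrying a known attack payload is caught only by the misuse component, which is the complementarity the abstract argues for.

```python
"""Toy hybrid IDS: specification-based workflow checking plus misuse signatures.

Everything here (workflow, system names, log format, signatures, sample log)
is constructed for illustration and is NOT the thesis's own specification.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

START = "START"

# Hypothetical ticket-sale workflow spanning several back-office systems.
# Key: a step written as "<system>:<action>"; value: the steps allowed next.
# An empty successor set marks a terminal step (the flow is complete).
SPEC: Dict[str, Set[str]] = {
    START: {"pos:ticket_request"},
    "pos:ticket_request": {"fares:lookup"},
    "fares:lookup": {"payment:authorize"},
    # re-authorisation after a declined card is legitimate
    "payment:authorize": {"ticketing:issue", "payment:authorize"},
    "ticketing:issue": {"gate:validate"},
    "gate:validate": set(),
}
FINAL_STEPS = {step for step, nxt in SPEC.items() if not nxt}

# Misuse component: known-bad patterns matched against event parameters.
SIGNATURES: List[Tuple[str, str]] = [
    ("SQLI", "' OR 1=1"),
    ("PATH_TRAVERSAL", "../"),
]


@dataclass
class Alert:
    flow_id: str
    kind: str
    detail: str


def parse(line: str) -> Tuple[str, str, str, str]:
    """Constructed log format: '<ts> flow=<id> <system>:<action> [parameters]'."""
    parts = line.split(" ", 3)
    if len(parts) < 3 or not parts[1].startswith("flow="):
        raise ValueError(f"bad log line: {line!r}")
    args = parts[3] if len(parts) == 4 else ""
    return parts[0], parts[1][len("flow="):], parts[2], args


def detect(lines: List[str]) -> List[Alert]:
    """Run both detectors over a batch of log lines and return the alerts raised."""
    alerts: List[Alert] = []
    state: Dict[str, str] = {}  # flow_id -> last accepted step
    for line in lines:
        _, flow_id, step, args = parse(line)

        # Misuse detection: cheap substring signatures on the parameters.
        for name, pattern in SIGNATURES:
            if pattern in args:
                alerts.append(Alert(flow_id, "misuse:" + name, f"{step} {args}".strip()))

        # Specification-based detection: is this step allowed from the flow's
        # current state?  Unknown flow ids start at START; a completed flow is
        # forgotten, so any further event on that id is a deviation (replay).
        current = state.get(flow_id, START)
        if step in SPEC.get(current, set()):
            if step in FINAL_STEPS:
                state.pop(flow_id, None)
            else:
                state[flow_id] = step
        else:
            # The offending event does not advance the legitimate state.
            alerts.append(Alert(flow_id, "spec:unexpected_step", f"{current} -> {step}"))
    return alerts


# Constructed sample log: one clean flow, one that skips payment, one that
# carries an injection payload in a legitimate step, and a replayed validation.
LOG = [
    "10:00:01 flow=A pos:ticket_request zone=1",
    "10:00:02 flow=A fares:lookup zone=1",
    "10:00:03 flow=A payment:authorize card=****1234",
    "10:00:04 flow=A ticketing:issue",
    "10:00:30 flow=A gate:validate",
    "10:01:01 flow=B pos:ticket_request zone=2",
    "10:01:02 flow=B fares:lookup zone=2",
    "10:01:03 flow=B ticketing:issue",
    "10:02:01 flow=C pos:ticket_request zone=3' OR 1=1--",
    "10:05:00 flow=A gate:validate",
]

if __name__ == "__main__":
    for a in detect(LOG):
        print(f"{a.flow_id:>2}  {a.kind:<22} {a.detail}")
```

Flow B is caught purely by the specification (ticket issued without an authorised payment), flow C only by the misuse signature (its step sequence is legitimate), and the second validation on flow A is flagged because a completed flow has no allowed successors. Real deployments also need timeouts for flows that never complete and a way to correlate events across systems into one flow id; the batch checker above assumes that correlation has already been done.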

Publication details

Fields of Science and Technology (FOS)

Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargo lifted

Date available:

10/15/2013

Institution name

Instituto Superior Técnico