Network management and in particular security management of a world-wide satellite system are challenging tasks. EuroSkyWay (ESW) as a broadband satellite system will be provided with a hierarchical management architecture distributed up to the ESW terminals population by means of agents whose Fault, Configuration, Accounting, Performance and Security (FCAPS) capabilities are used both by private's network management systems and by a centralised network management centre (ESW-NMC). Different management domains partially overlapped have to be interfaced and management information have to be exchanged between the different involved domains. Security is a competitive driver for services supplied by ESW to service providers and telecom operator in a datacommunication networks market scenario. Many design factors contribute to determine the overall security; they can be neatly related to the suitability of the adopted system security services and mechanisms and to the effectiveness of the security management. A timely and accurate security event detection capability is a criticaI feature for a data-communication security management. Security event detection is concerned with any activity that may be tracked as a security violation. A violation is considered to be any event explicitly or implicitly in contrast with ESW security policy. A valid detection of specific security events triggers a suitable action chain according with network management containment and recovery functionality. This firstly requires the choice of conditions whose occurrence triggers security alarm and then requires the specification of the correlation logic that detects security events on alarms basis. This approach is strictly dependent on system threat analysis comprehensiveness and consistency. Threat analysis, even if correctly conducted is not able to reveal every possible threat. Ongoing ESW threat analysis, outlines the difficulty to perform an exhaustive threats identification and the amount of patterns needed for a comprehensive knowledge base. On the other hand the constantly changing nature of network attacks the set-up of a stati c rules as input for expert systems like approaches. The above mentioned considerations have addressed a neural network based solution to ESW security event detection. The neural networks are in fact able to correctly analyse patterns, even if they are incomplete or distorted. Thus, a neural network has the ability to learn the characteristics of security attacks and identifY them on the basis of input pattems that are unlike from the ones observed in previous leaming cycles. A neural network that implements the ESW security event detection is presented in this paper. This neural network provides the capability to classifY security alarm pattems as signatures of attacks with a certain confidence value. Such a signature, is finally detected as security event if its likelihood exceeds a given threshold. The neural network training phase, with learning samples based on both possible ESW normal and abnormal operation system states, will be also described. The model of the proposed classification system for security violation events based on neural network is further on evaluated with respect to the ESW security objectives.
A security event detection approach based on neural network for the ESW broadband satellite system / Castellano, Marcello; G., Tomasicchio; A., Gentile. - (2001). (Intervento presentato al convegno ACTES Proceedings 19th AIAA International Communications Satellite Systems Conference tenutosi a Toulouse, France nel April 17-20).
A security event detection approach based on neural network for the ESW broadband satellite system
CASTELLANO, Marcello;
2001-01-01
Abstract
Network management and in particular security management of a world-wide satellite system are challenging tasks. EuroSkyWay (ESW) as a broadband satellite system will be provided with a hierarchical management architecture distributed up to the ESW terminals population by means of agents whose Fault, Configuration, Accounting, Performance and Security (FCAPS) capabilities are used both by private's network management systems and by a centralised network management centre (ESW-NMC). Different management domains partially overlapped have to be interfaced and management information have to be exchanged between the different involved domains. Security is a competitive driver for services supplied by ESW to service providers and telecom operator in a datacommunication networks market scenario. Many design factors contribute to determine the overall security; they can be neatly related to the suitability of the adopted system security services and mechanisms and to the effectiveness of the security management. A timely and accurate security event detection capability is a criticaI feature for a data-communication security management. Security event detection is concerned with any activity that may be tracked as a security violation. A violation is considered to be any event explicitly or implicitly in contrast with ESW security policy. A valid detection of specific security events triggers a suitable action chain according with network management containment and recovery functionality. This firstly requires the choice of conditions whose occurrence triggers security alarm and then requires the specification of the correlation logic that detects security events on alarms basis. This approach is strictly dependent on system threat analysis comprehensiveness and consistency. Threat analysis, even if correctly conducted is not able to reveal every possible threat. Ongoing ESW threat analysis, outlines the difficulty to perform an exhaustive threats identification and the amount of patterns needed for a comprehensive knowledge base. On the other hand the constantly changing nature of network attacks the set-up of a stati c rules as input for expert systems like approaches. The above mentioned considerations have addressed a neural network based solution to ESW security event detection. The neural networks are in fact able to correctly analyse patterns, even if they are incomplete or distorted. Thus, a neural network has the ability to learn the characteristics of security attacks and identifY them on the basis of input pattems that are unlike from the ones observed in previous leaming cycles. A neural network that implements the ESW security event detection is presented in this paper. This neural network provides the capability to classifY security alarm pattems as signatures of attacks with a certain confidence value. Such a signature, is finally detected as security event if its likelihood exceeds a given threshold. The neural network training phase, with learning samples based on both possible ESW normal and abnormal operation system states, will be also described. The model of the proposed classification system for security violation events based on neural network is further on evaluated with respect to the ESW security objectives.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
