Mirco MARCHETTI

Department of Engineering "Enzo Ferrari"

Ferretti, Luca; Marchetti, Mirco; Andreolini, Mauro; Colajanni, Michele (2017) - A symmetric cryptographic scheme for data integrity verification in cloud databases - INFORMATION SCIENCES - vol. 422 - pp. 497-515 ISSN: 0020-0255 [Journal article (262) - Journal article]
Abstract

Cloud database services represent a great opportunity for companies and organizations in terms of management and cost savings. However, outsourcing private data to external providers leads to risks of confidentiality and integrity violations. We propose an original solution based on encrypted Bloom filters that addresses the latter problem by allowing a cloud service user to detect unauthorized modifications to his outsourced data. Moreover, we propose an original analytical model that can be used to minimize storage and network overhead depending on the database structure and workload. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs through micro-benchmarks and the TPC-C workload standard.

Marchetti, Mirco; Stabili, Dario (2017) - Anomaly detection of CAN bus messages through analysis of ID sequences - IEEE Intelligent Vehicles Symposium, Proceedings - Institute of Electrical and Electronics Engineers Inc. - pp. 1577-1583 ISBN: 9781509048045 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. The proposed algorithm identifies anomalies in the sequence of messages that flow in the CAN bus and is characterized by small memory and computational footprints, which make it applicable to current ECUs. Its detection performance is demonstrated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.

Stabili, Dario; Marchetti, Mirco; Colajanni, Michele (2017) - Detecting attacks to internal vehicle networks through Hamming distance - Proceedings of the IEEE 2017 AEIT International Annual Conference - Infrastructures for Energy and ICT (AEIT 2017) [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Analysis of in-vehicle networks is an open research area that gained relevance after recent reports of cyber attacks against connected vehicles. After those attacks gained international media attention, many security researchers started to propose different algorithms that are capable of modeling the normal behaviour of the CAN bus to detect the injection of malicious messages. However, although the automotive area has different constraints than classical IT security, much security research has been conducted by applying sophisticated algorithms used in IT anomaly detection, thus proposing solutions that are not applicable on current Electronic Control Units (ECUs). This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. Moreover, the proposed algorithm has been designed and implemented under the very strict constraints of low-end ECUs, having low computational complexity and a small memory footprint. The proposed algorithm identifies anomalies in the sequence of the payloads of different classes of IDs by computing the Hamming distance between consecutive payloads. Its detection performance is evaluated through experiments carried out using real CAN traffic gathered from an unmodified licensed vehicle.

Apruzzese, Giovanni; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco (2017) - Detection and Threat Prioritization of Pivoting Attacks in Large Networks - IEEE TRANSACTIONS ON EMERGING TOPICS IN COMPUTING - pp. 1-1 ISSN: 2168-6750 [Journal article (262) - Journal article]
Abstract

Several advanced cyber attacks adopt the technique of "pivoting", through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the toughest research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures, the huge amount of internal communications facilitates attackers' evasion, and timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flow analyses, does not rely on any a priori assumption on protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score, thus letting security analysts investigate just the most suspicious pivoting tunnels. Feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance against related algorithms.

Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; Gambigliani Zoccoli, Gabriele; Guido, Alessandro (2017) - Identifying malicious hosts involved in periodic communications - Proceedings of the 16th IEEE International Symposium on Network Computing and Applications (NCA 2017) [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

After many research efforts, Network Intrusion Detection Systems still have much room for improvement. This paper proposes a novel method for automatic and timely analysis of traffic generated by large networks, which is able to identify malicious external hosts even if their activities do not raise any alert in existing defensive systems. Our proposal focuses on periodic communications, since our experimental evaluation shows that they are more related to malicious activities, and it can be easily integrated with other detection systems. We highlight that periodic network activities can occur at very different intervals ranging from seconds to hours, hence a timely analysis of long time-windows of the traffic generated by large organizations is a challenging task in itself. Existing work is primarily focused on identifying botnets, whereas the method proposed in this paper has a broader target and aims to detect external hosts that are likely involved in any malicious operation. Since malware-related network activities can be considered rare events in the overall traffic, the output of the proposed method is a manageable graylist of external hosts that are characterized by a considerably higher likelihood of being malicious compared to the entire set of external hosts contacted by the monitored large network. A thorough evaluation on real large network traffic demonstrates the effectiveness of our proposal, which is capable of automatically selecting only dozens of suspicious hosts from hundreds of thousands, thus allowing security operators to focus their analyses on a few likely malicious targets.

Pierazzi, Fabio; Apruzzese, Giovanni; Colajanni, Michele; Guido, Alessandro; Marchetti, Mirco (2017) - Scalable architecture for online prioritization of cyber threats - Proceedings of the 9th NATO International Conference on Cyber Conflicts (CyCon 2017) [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

This paper proposes an innovative framework for the early detection of several cyber attacks, where the main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, and analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach from most detection tools and algorithms, which focus on separate network levels or on interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with higher scores rather than wasting time on thousands of daily alerts and false alarms.

Dagan, Tsvika; Marchetti, Mirco; Stabili, Dario; Colajanni, Michele; Wool, Avishai (2017) - Vehicle Safe-Mode, Limp-Mode in the Service of Cyber Security - Proceedings of the 2017 Embedded Security in Cars conference (ESCAR Europe 2017) [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

This paper describes a concept for vehicle safe-mode that may help reduce the potential damage of an identified cyber-attack. Unlike other defense mechanisms, which try to block the attack or simply notify of its existence, our mechanism responds to the detected breach by limiting the vehicle's functionality to relatively safe operations and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, which was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle "limp back home" in relative safety. We further introduce two modes of safe-mode operation: in Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; in Extended-mode we suggest using custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs, Transparent-mode may be applicable to existing vehicles since it does not require any changes in the vehicle's systems; in other words, it may even be deployed as an external component connected through the OBD-II port. We suggest an architectural design for the given modes, and include guidelines for a safe-mode manager, its clients, possible reactions, and recovery plans. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.

Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele (2017) - Verifiable Delegated Authorization for User-Centric Architectures and an OAuth2 Implementation - Proceedings - International Computer Software and Applications Conference - IEEE Computer Society - vol. 2 - pp. 718-723 ISBN: 9781538603673 ISSN: 0730-3157 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Delegated authorization protocols have become widespread to implement Web applications and services, where some popular providers managing people's identity information and personal data allow their users to delegate third party Web services to access their data. In this paper, we analyze the risks related to untrusted providers not behaving correctly, and we solve this problem by proposing the first verifiable delegated authorization protocol that allows third party services to verify the correctness of users' data returned by the provider. The contribution of the paper is twofold: we show how delegated authorization can be cryptographically enforced through authenticated data structure protocols, and we extend the standard OAuth2 protocol by supporting efficient and verifiable delegated authorization including database updates and privilege revocation.

Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro (2016) - Analysis of high volumes of network traffic for Advanced Persistent Threat detection - COMPUTER NETWORKS - vol. 109 - pp. 127-141 ISSN: 1389-1286 [Journal article (262) - Journal article]
Abstract

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to efficiently analyze high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

Marchetti, Mirco; Pierazzi, Fabio; Guido, Alessandro; Colajanni, Michele (2016) - Countering Advanced Persistent Threats through Security Intelligence and Big Data Analytics - Proc. of the 8th NATO International Conference on Cyber Conflicts (CyCon 2016) - IEEE, New York, NY, USA - pp. 243-261 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Advanced Persistent Threats (APTs) represent the most challenging threats to the security and safety of the cyber landscape. APTs are human-driven attacks backed by complex strategies that combine multidisciplinary skills in information technology, intelligence, and psychology. Defending large organisations with tens of thousands of hosts requires similar multi-factor approaches. We propose a novel framework that combines different techniques based on big data analytics and security intelligence to support human analysts in prioritising the hosts that are most likely to be compromised. We show that the collection and integration of internal and external indicators represents a step forward with respect to the state of the art in the field of early detection and mitigation of APT activities.

Marchetti, Mirco; Stabili, Dario; Guido, Alessandro; Colajanni, Michele (2016) - Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms - Proc. of the IEEE 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) - IEEE, New York, NY, USA - pp. 429-434 ISBN: 9781509011315 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

This paper evaluates the effectiveness of information-theoretic anomaly detection algorithms applied to networks included in modern vehicles. In particular, we focus on providing an experimental evaluation of anomaly detectors based on entropy. Attacks to in-vehicle networks were simulated by injecting different classes of forged CAN messages in traces captured from a modern licensed vehicle. Experimental results show that if entropy-based anomaly detection is applied to all CAN messages it is only possible to detect attacks that comprise a high volume of forged CAN messages. On the other hand, attacks characterized by the injection of few forged CAN messages can be detected only by applying several independent instances of the entropy-based anomaly detector, one for each class of CAN messages.

Pierazzi, Fabio; Casolari, Sara; Colajanni, Michele; Marchetti, Mirco (2016) - Exploratory security analytics for anomaly detection - COMPUTERS & SECURITY - vol. 56 - pp. 28-49 ISSN: 0167-4048 [Journal article (262) - Journal article]
Abstract

The huge number of alerts generated by network-based defense systems prevents detailed manual inspection of security events. Existing proposals for automatic alert analysis work well in relatively stable and homogeneous environments, but in modern networks, which are characterized by extremely complex and dynamic behaviors, understanding which approaches can be effective requires exploratory data analysis and descriptive modeling. We propose a novel framework for automatically investigating temporal trends and patterns of security alerts with the goal of understanding whether and which anomaly detection approaches can be adopted for identifying relevant security events. Several examples referring to a real large network show that, despite the high intrinsic dynamism of the system, the proposed framework is able to extract relevant descriptive statistics that make it possible to determine the effectiveness of popular anomaly detection approaches on different alert groups.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco (2016) - Guaranteeing correctness of bulk operations in outsourced databases - Lecture Notes in Computer Science - Springer Verlag - vol. 9766 - pp. 37-51 ISBN: 9783319414829 ISSN: 1611-3349 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

The adoption of public cloud services, as well as other data outsourcing solutions, raises concerns about the confidentiality and integrity of information managed by a third party. By focusing on data integrity, we propose a novel protocol that allows cloud customers to verify the correctness of results produced by key-value databases. The protocol is designed to support efficient insertion and retrieval of large sets of data through bulk operations in read and append-only workloads. In these contexts, the proposed protocol improves the state of the art by reducing network overheads thanks to an original combination of aggregate bilinear map signatures and extractable collision-resistant hash functions.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco (2016) - Implementation of Verified Set Operation Protocols Based on Bilinear Accumulators - Lecture Notes in Computer Science - vol. 10052 - pp. 626-636 ISBN: 978-3-319-48964-3; 978-3-319-48965-0 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

This paper proposes an efficient protocol for verifiable delegation of computation over outsourced set collections. It improves state-of-the-art protocols by using asymmetric bilinear pairing settings for improved performance with respect to previous proposals based on symmetric settings. Moreover, it extends update operations by supporting efficient modifications over multiple sets. With respect to previous work, the proposed protocol has a modular design that clearly identifies its main building blocks and well-defined interfaces among them. This novel conceptualization allows easier auditing of the protocol's security properties and serves as the blueprint of a novel implementation that is released publicly (https://weblab.ing.unimore.it/people/ferretti/versop/). To the best of our knowledge, this is the first public implementation of a protocol for verifiable set operations.

Andreolini, Mauro; Colajanni, Michele; Marchetti, Mirco (2015) - A collaborative framework for intrusion detection in mobile networks - INFORMATION SCIENCES - vol. 321 - pp. 179-192 ISSN: 0020-0255 [Journal article (262) - Journal article]
Abstract

Mobile devices are becoming the most popular way of connection, but protocols supporting mobility represent a serious source of concern because their initial design did not enforce strong security. This paper introduces a novel class of stealth network attacks, called mobility-based evasion, where an attacker splits a malicious payload in such a way that no part can be recognized by existing defensive mechanisms, including the most modern network intrusion detection systems operating in stateful mode. We propose an original cooperative framework for intrusion detection that can prevent mobility-based evasion. The viability and performance of the proposed solution are shown through a prototype applied to the Mobile IPv4, Mobile IPv6 and WiFi protocols.

Andreoli, Andrea; Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele (2015) - Enforcing Correct Behavior without Trust in Cloud Key-Value Databases - Proceedings - 2nd IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2015 - IEEE International Symposium of Smart Cloud, IEEE SSC 2015 - Institute of Electrical and Electronics Engineers, New York, USA - pp. 157-164 ISBN: 9781467392990 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Traditional computation outsourcing and modern cloud computing are affected by a common risk of distrust between service requestor and service provider. We propose a novel protocol, named Probus, that offers guarantees of correct behavior to both parties without assuming any trust relationship between them in the context of cloud-based key-value databases. Probus allows a service requestor to have evidence of cloud provider misbehavior on its data, and a cloud provider to defend itself from false accusations by demonstrating the correctness of its operations. Accusation and defense proofs are based on cryptographic mechanisms that can be verified by a third party. Probus improves the state of the art by introducing novel solutions that allow for efficient verification of data security properties and by limiting the overhead required to provide its security guarantees. Thanks to Probus it is possible to check the correctness of all the results generated by a cloud service, thus improving on the weaker integrity assurance based on probabilistic verifications that is adopted by related work.

Balboni, Andrea; Marchetti, Mirco; Colajanni, Michele; Melegari, Andrea (2015) - Supporting sense-making and decision-making through time evolution analysis of open sources - International Conference on Cyber Conflict, CYCON - NATO CCD COE Publications, Tallinn, Estonia - vol. 2015 - pp. 185-202 ISBN: 9789949954421 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Modern societies produce a huge amount of open source information that is often published on the Web in natural language form. The impossibility of reading all these documents is paving the way to semantic-based technologies that are able to extract relevant information for analysts from unstructured documents. Most solutions extract uncorrelated pieces of information from individual documents; few of them create links among related documents and, to the best of our knowledge, no technology focuses on the time evolution of relations among entities. We propose a novel approach for managing, querying and visualizing temporal knowledge extracted from unstructured documents that can open the way to novel forms of sense-making and decision-making processes. We leverage state-of-the-art natural language processing engines for the semantic analysis of textual data sources to build a temporal graph database that highlights relationships among entities belonging to different documents and time frames. Moreover, we introduce the concept of temporal graph query, which analysts can use to identify all the relationships of an entity and to visualize their evolution over time. This process enables the application of statistical algorithms that can be oriented to the automatic analysis of anomalies, state change detection, and forecasting. Preliminary results demonstrate that the representation of the evolution of entities and relationships allows an analyst to highlight relevant events among the large amount of open source documents.

Pierazzi, Fabio; Balboni, Andrea; Guido, Alessandro; Marchetti, Mirco (2015) - The network perspective of cloud security - Proceedings - IEEE 4th Symposium on Network Cloud Computing and Applications, NCCA 2015 - IEEE, New York, USA - pp. 75-82 ISBN: 0769556035 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

The cloud computing paradigm has become really popular, and its adoption is constantly increasing. Hence, network activities and security alerts related to cloud services are also increasing and are likely to become even more relevant in the upcoming years. In this paper, we propose the first characterization of real security alerts related to cloud activities and generated by a network sensor at the edge of a large network environment over several months. Results show that the characteristics of cloud security alerts differ from those that are not related to cloud activities. Moreover, alerts related to different cloud providers exhibit peculiar and different behaviors that can be identified through temporal analyses. The methods and results proposed in this paper are useful as a basis for the design of novel algorithms for the automatic analysis of cloud security alerts, which can be aimed at forecasting, prioritization, anomaly and state-change detection.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco (2014) - Distributed, concurrent and independent access to encrypted cloud databases - IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS - vol. 25 - pp. 437-446 ISSN: 1045-9219 [Journal article (262) - Journal article]
Abstract

Placing critical data in the hands of a cloud provider should come with the guarantee of security and availability for data at rest, in motion, and in use. Several alternatives exist for storage services, while data confidentiality solutions for the database-as-a-service paradigm are still immature. We propose a novel architecture that integrates cloud database services with data confidentiality and the possibility of executing concurrent operations on encrypted data. This is the first solution supporting geographically distributed clients that connect directly to an encrypted cloud database and execute concurrent and independent operations, including those modifying the database structure. The proposed architecture has the further advantage of eliminating intermediate proxies that limit the elasticity, availability, and scalability properties that are intrinsic in cloud-based solutions. The efficacy of the proposed architecture is evaluated through theoretical analyses and extensive experimental results based on a prototype implementation subject to the TPC-C standard benchmark for different numbers of clients and network latencies.

Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco; Missiroli, Marcello (2014) - Efficient detection of unauthorized data modification in cloud databases - Proceedings of the 2014 International Conference on High Performance Computing & Simulation (HPCS 2014) - Institute of Electrical and Electronics Engineers (IEEE), Los Alamitos, USA - pp. 1-6 ISBN: 9781479942763 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

Cloud services represent an unprecedented opportunity, but their adoption is hindered by confidentiality and integrity issues related to the risks of outsourcing private data to cloud providers. This paper focuses on integrity and proposes an innovative solution that allows cloud tenants to detect unauthorized modifications to outsourced data while minimizing storage and network overheads. Our approach is based on encrypted Bloom filters, and is designed to allow efficient integrity verification for databases stored in the cloud. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs.

Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco (2014) - Performance and cost evaluation of an adaptive encryption architecture for cloud databases - IEEE TRANSACTIONS ON CLOUD COMPUTING - vol. 2 - pp. 10-25 ISSN: 2168-7161 [Journal article (262) - Journal article]
Abstract

The cloud database-as-a-service is a novel paradigm that can support several Internet-based applications, but its adoption requires the solution of information confidentiality problems. We propose a novel architecture for adaptive encryption of public cloud databases that offers an interesting alternative to the design-time trade-off between the required data confidentiality level and the flexibility of the cloud database structures. We demonstrate the feasibility and performance of the proposed solution through a software prototype. Moreover, we propose an original cost model that is oriented to the evaluation of cloud database services in plain and encrypted instances and that takes into account the variability of cloud prices and tenant workload during a medium-term period.

Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco (2014) - Scalable architecture for multi-user encrypted SQL operations on cloud database services - IEEE TRANSACTIONS ON CLOUD COMPUTING - vol. 2, issue 4 - pp. 448-458 ISSN: 2168-7161 [Journal article (262) - Journal article]
Abstract

The success of the cloud database paradigm is strictly related to strong guarantees in terms of service availability, scalability and security, but also of data confidentiality. Any cloud provider assures the security and availability of its platform, while the implementation of scalable solutions to guarantee confidentiality of the information stored in cloud databases is an open problem left to the tenant. Existing solutions address some preliminary issues through SQL operations on encrypted data. We propose the first complete architecture that combines data encryption, key management, authentication and authorization solutions, and that addresses the issues related to typical threat scenarios for cloud database services. Formal models describe the proposed solutions for enforcing access control and for guaranteeing confidentiality of data and metadata. Experimental evaluations based on standard benchmarks and real Internet scenarios show that the proposed architecture also satisfies scalability and performance requirements.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco (2013) - Access control enforcement on query-aware encrypted cloud databases - Proceedings of the 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) - Institute of Electrical and Electronics Engineers (IEEE), Los Alamitos, USA - pp. 717-722 ISBN: 9780769550954 [Conference proceedings contribution (273) - Paper in conference proceedings]
Abstract

The diffusion of cloud database services requires a lot of effort to improve the confidentiality of data stored in external infrastructures. We propose a novel scheme that integrates data encryption with user access control mechanisms. It can be used to guarantee confidentiality of data with respect to a public cloud infrastructure, and to minimize the risks of internal data leakage even in the worst case of a legitimate user colluding with some cloud provider personnel. The correctness and feasibility of the proposal are demonstrated through formal models, while the integration in a cloud-based architecture is left to future work.

Marchetti, Mirco; Colajanni, Michele (2013) - Cooperative approaches to SIEM and Intrusion Detection - Advances in Security Information Management: Perceptions and Outcomes - Nova Science Publishers, Hauppauge, NY, USA - pp. 79-116 ISBN: 978-1-62417-204-5 [Book contribution (Chapter or Essay) (268) - Chapter/Essay]
Abstract

The original approach to intrusion detection was based on the deployment of a centralized component that gathers and analyzes events at system or network level. In this chapter we present architectures that leverage multiple components and cooperation techniques for the analysis and management of large numbers of security events generated by complex information systems. Their goal is to enhance the system capability and/or to improve the analysis efficacy by merging and correlating security alerts coming from different sources.

Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco ( 2013 ) - Security and Confidentiality Solutions for Public Cloud Database Services - Proceedings of the Seventh International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2013) - IARIA - PRT) - pp. da 36 a 42 ISBN: 9781612082981 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The users' perception that the confidentiality of their data is endangered by internal and external attacks is limiting the diffusion of public cloud database services. In this context, the use of cryptography is complicated by high computational costs and restrictions on supported SQL operations over encrypted data. In this paper, we propose an architecture that takes advantage of adaptive encryption mechanisms to guarantee at runtime the best level of data confidentiality for any type of SQL operation. We demonstrate through a large set of experiments that these encryption schemes represent a feasible solution for achieving data confidentiality in public cloud databases, even from a performance point of view.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco; Adriano Enrico, Scaruffi ( 2013 ) - Transparent access on encrypted data distributed over multiple cloud infrastructures - Proceedings of CLOUD COMPUTING 2013 : The Fourth International Conference on Cloud Computing, GRIDs, and Virtualization - IARIA - PRT) - pp. da 201 a 207 ISBN: 978-1-61208-271-4 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Using cloud infrastructures to store and backup data is becoming a popular alternative that guarantees performance and scalability at reasonable prices. However, standard cloud solutions could raise some concerns about data confidentiality and dependency on a single provider. We aim to address these issues by using cloud storage of multiple cloud providers. Our solution ciphers, partitions and replicates data among multiple cloud architectures, thus augmenting availability and confidentiality, and avoiding lock-in of one cloud provider. The proposed model is implemented through open source software that leverages data storage offered by multiple providers. This prototype demonstrates the effectiveness of the geographically distributed architecture in several real case scenarios.

Angori, Enrico; Colajanni, Michele; Marchetti, Mirco; Messori, Michele ( 2012 ) - Collaborative Attack Detection Using Distributed Hash Tables - Collaborative Financial Infrastructure Protection - Springer Berlin Heidelberg DEU) - pp. da 175 a 201 ISBN: 9783642204197 [Contributo in volume (Capitolo o Saggio) (268) - Capitolo/Saggio]
Abstract

This chapter describes a distributed architecture for collaborative detection of cyber attacks and network intrusions based on distributed hash tables (DHTs). We present a high-level description of the distributed architecture for collaborative attack detection. In particular, we highlight the two main functional blocks: the collaboration layer, realized through a DHT, and the engine for complex event processing. We then describe the implementation of a working prototype of the proposed architecture that represents one of the Semantic Rooms of the CoMiFin project. Our reference implementation is implemented through well-known open source software. In particular, the DHT leverages Scribe and PAST, while we use Esper as the CEP engine. We demonstrate how the proposed implementation can be used to realize a collaborative architecture for the early detection of real-world attacks carried out against financial institutions. We focus on the detection of Man-in-the-Middle attacks to demonstrate the effectiveness of our proposal. Finally, we highlight the main advantages of the proposed architecture with respect to traditional (centralized and hierarchical) solutions for intrusion detection. In particular, we address the issues of fault tolerance, scalability, and load balancing.

Marchetti, Mirco; Colajanni, Michele; Messori, Michele; L., Aniello; Y., Vigfusson ( 2012 ) - Cyber Attacks on Financial Critical Infrastructures - Collaborative Financial Infrastructure Protection: Tools, Abstractions, and Middleware - Springer-Verlag New York Inc New York USA) - pp. da 53 a 81 ISBN: 9783642204197 [Contributo in volume (Capitolo o Saggio) (268) - Capitolo/Saggio]
Abstract

This chapter focuses on attack strategies that can be (and have been) used against financial IT infrastructures. The first section presents an overview and a classification of the different kinds of frauds and attacks carried out against financial institutions and their IT infrastructures. We then restrict our focus by analyzing in detail five attack scenarios, selected among the ones presented in the previous section. These attack scenarios are: Man in the Middle (and its variant, Man in the Browser), distributed denial of service (DDoS), distributed portscan, session hijacking, and malware-based attacks against Internet banking customers. These scenarios have been selected because of their distributed nature: all of them involve multiple, geographically distributed financial institutions. Hence their detection will benefit greatly from the deployment of new technologies and best practices for information sharing and cooperative event processing. For each scenario we present a theoretical description of the attack as well as implementation details and consequences of past attacks carried out against real financial institutions.

Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco ( 2012 ) - Supporting security and consistency for cloud database - CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security - Springer-Verlag GmbH Berlino DEU) - pp. da 179 a 193 ISBN: 978-3-642-35361-1 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Typical Cloud database services guarantee high availability and scalability, but they raise many concerns about data confidentiality. Combining encryption with SQL operations is a promising approach although it is characterized by many open issues. Existing proposals, which are based on some trusted intermediate server, limit availability and scalability of original cloud database services. We propose an alternative architecture that avoids any intermediary component, thus achieving availability and scalability comparable to that of unencrypted cloud database services. Moreover, our proposal guarantees data consistency in scenarios in which independent clients concurrently execute SQL queries, and the structure of the database can be modified.

M. Colajanni; L. Dal Zotto; M. Marchetti; M. Messori ( 2011 ) - Defeating NIDS evasion in Mobile IPv6 networks - Proc. of the 12th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2011) - IEEE New York USA) - pp. da 1 a 9 ISBN: 9781457703522 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The diffusion of mobile devices and technologies supporting transparent network mobility can have detrimental effects on network security. We describe how an attacker can leverage mobility in IPv6 networks to perpetrate known attacks while evading detection by state-of-the-art Network Intrusion Detection Systems (NIDSs). We then propose a new defense strategy based on the exchange of state information among distributed NIDSs. We demonstrate the effectiveness of the proposed solution through a prototype implementation, evaluated experimentally in a Mobile IPv6 network.

M. Marchetti;M. Colajanni;F. Manganiello ( 2011 ) - Framework and Models for Multistep Attack Detection - INTERNATIONAL JOURNAL OF SECURITY AND ITS APPLICATIONS - n. volume 5 - pp. da 73 a 92 ISSN: 1738-9976 [Articolo in rivista (262) - Articolo su rivista]
Abstract

Cyber attacks are becoming increasingly complex, especially when the target is a modern IT infrastructure, characterized by a layered architecture that integrates several security technologies such as firewalls and intrusion detection systems. These contexts can be violated by a multistep attack, that is, a complex attack strategy that comprises multiple correlated intrusion activities. While a modern Intrusion Detection System detects single intrusions, it is unable to link them together and to highlight the strategy that underlies a multistep attack. Hence, a single multistep attack may generate a high number of uncorrelated intrusion alerts. The critical task of analyzing and correlating all these alerts is then performed manually by security experts. This process is time consuming and prone to human errors. This paper proposes a novel framework for the analysis and correlation of security alerts generated by state-of-the-art Intrusion Detection Systems. Our goal is to help security analysts in recognizing and correlating intrusion activities that are part of the same multistep attack scenario. The proposed framework produces correlation graphs, in which all the intrusion alerts that are part of the same multistep attack are linked together. By looking at these correlation graphs, a security analyst can quickly identify the relationships that link together seemingly uncorrelated intrusion alerts, and can easily recognize complex attack strategies and identify their final targets. Moreover, the proposed framework is able to leverage multiple algorithms for alert correlation.

Marchetti, Mirco; Colajanni, Michele; Manganiello, Fabio ( 2011 ) - Identification of correlated network intrusion alerts - Cyberspace Safety and Security (CSS), 2011 Third International Workshop on - IEEE New York USA) - pp. da 15 a 20 ISBN: 9781457710346 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Attacks to information systems are becoming more sophisticated and traditional algorithms supporting Network Intrusion Detection Systems may be ineffective or cause too many false alarms. This paper describes a new algorithm for the correlation of alerts generated by Network Intrusion Detection Systems. It is specifically oriented to face multistep attacks where multiple intrusion activities belonging to the same attack scenario are performed within a small time window. This algorithm takes as its input the security alerts generated by a NIDS and, through a pseudo-Bayesian alert correlation, is able to identify those that are likely to belong to the same multistep attack scenario. The proposed approach is completely unsupervised and applicable to security alerts generated by any kind of NIDS.

Manganiello, Fabio; Marchetti, Mirco; Colajanni, Michele ( 2011 ) - Multistep attack detection and alert correlation in intrusion detection systems - Information Security and Assurance - Springer New York USA) - pp. da 101 a 110 ISBN: 9783642231407 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

A growing trend in the cybersecurity landscape is represented by multistep attacks that involve multiple correlated intrusion activities to reach the intended target. The duty of correlating security alerts and reconstructing complete attack scenarios is left to system administrators because current Network Intrusion Detection Systems (NIDS) are still oriented to generate alerts related to single attacks, with no or minimal correlation analysis among different security alerts. We propose a novel approach for the automatic analysis of multiple security alerts generated by state-of-the-art signature-based NIDS. Our proposal is able to group security alerts that are likely to belong to the same attack scenario, and to identify correlations and causal relationships among them. This goal is achieved by combining alert classification through Self Organizing Maps and unsupervised clustering algorithms. The efficacy of the proposal is demonstrated through a prototype tested against network traffic traces containing multistep attacks.

Colajanni, Michele; DAL ZOTTO, Luca; Marchetti, Mirco; Messori, Michele ( 2011 ) - The problem of NIDS evasion in mobile networks - New Technologies, Mobility and Security (NTMS), 2011 4th IFIP International Conference on - IEEE New York USA) - pp. da 1 a 6 ISBN: 9781424487059 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

This paper presents a novel NIDS evasion strategy that allows attackers to exploit network mobility to perform attacks undetectable by modern NIDSs. Mobility-based NIDS evasion works by combining traditional evasion techniques and node mobility. It represents a generally applicable evasion strategy that works on several protocols for node mobility, and it is effective against state-of-the-art and well configured signature-based NIDSs. We describe three evasion scenarios based on node mobility, and demonstrate the practical applicability of the proposed evasion strategy through a proof of concept attack in a realistic network environment. We conclude the paper by presenting some ideas addressing mobility-based NIDS evasion.

Colajanni, Michele; Marchetti, Mirco; Messori, Michele ( 2010 ) - Selective and early threat detection in large networked systems - Proc. of the 10th IEEE International Conference on Computer and Information Technology (CIT 2010) - IEEE New York USA) - pp. da 604 a 611 ISBN: 9781424475476 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The complexity of modern networked information systems, as well as all the defense-in-depth best practices, require distributed intrusion detection architectures relying on the cooperation of multiple components. Similar solutions cause a multiplication of alerts, thus increasing the time needed for alert management and hiding the few critical alerts as needles in a haystack. We propose an innovative distributed architecture for intrusion detection that is able to provide system administrators with selective and early security warnings. This architecture is suitable to large networks composed of several departments because it leverages hierarchical and peer-to-peer cooperation schemes among distributed NIDSes. Moreover, it embeds a distributed alert ranking system that makes it possible to evaluate the real level of risk represented by a security alert generated by a NIDS, and it allows independent network departments to exchange early warnings about critical threats. Thanks to these features, a system administrator can focus on the few alerts that represent a real threat for the controlled infrastructure and can be notified about the most dangerous intrusions before his department is attacked.

G., Lodi; L., Querzoni; R., Baldoni; Marchetti, Mirco; Colajanni, Michele; V., Bortnikov; G., Chockler; E., Dekel; G., Laventman; A., Roytman ( 2009 ) - Defending financial infrastructures through early warning systems: the intelligence cloud approach - Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies - ACM New York USA) - pp. da 1 a 18 ISBN: 9781605585185 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Recent evidence of successful Internet-based attacks and frauds involving financial institutions highlights the inadequacy of the existing protection mechanisms, in which each institution implements its own isolated monitoring and reaction strategy. Analyzing on-line activity and detecting attacks on a large scale is an open issue due to the huge amounts of events that should be collected and processed. In this paper, we propose a large-scale distributed event processing system, called intelligence cloud, allowing the financial entities to participate in a widely distributed monitoring and detection effort through the exchange and processing of information locally available at each participating site. We expect this approach to be able to handle large amounts of events arriving at high rates from multiple domains of the financial scenario. We describe a framework based on the intelligence cloud where each participant can receive early alerts enabling them to deploy proactive countermeasures and mitigation strategies.

Clement, Allen; Wong, Edmund; Alvisi, Lorenzo; Dahlin, Mike; Marchetti, Mirco ( 2009 ) - Making Byzantine Fault Tolerant Systems Tolerate Byzantine Faults - Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation - The USENIX Association ) [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

This paper argues for a new approach to building Byzantine fault tolerant replication systems. We observe that although recently developed BFT state machine replication protocols are quite fast, they don't tolerate Byzantine faults very well: a single faulty client or server is capable of rendering PBFT, Q/U, HQ, and Zyzzyva virtually unusable. In this paper, we (1) demonstrate that existing protocols are dangerously fragile, (2) define a set of principles for constructing BFT services that remain useful even when Byzantine faults occur, and (3) apply these principles to construct a new protocol, Aardvark. Aardvark can achieve peak performance within 40% of that of the best existing protocol in our tests and provide a significant fraction of that performance when up to f servers and any number of clients are faulty. We observe useful throughputs between 11706 and 38667 requests per second for a broad range of injected faults.

Marchetti, Mirco; Messori, Michele; Colajanni, Michele ( 2009 ) - Peer-to-peer architecture for collaborative intrusion and malware detection on a large scale - Information Security 12th International Conference, ISC 2009, Pisa, Italy, September 7-9, 2009. Proceedings - Springer New York USA) - INTERNATIONAL JOURNAL OF INFORMATION SECURITY - pp. da 475 a 490 ISBN: 9783642044731 ISSN: 1615-5262 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The complexity of modern network architectures and the epidemic diffusion of malware require collaborative approaches for defense. We present a novel distributed system where each component collaborates in intrusion and malware detection and in the dissemination of the local analyses. The proposed architecture is based on a decentralized, peer-to-peer and sensor-agnostic design that addresses dependability and load imbalance issues affecting existing systems based on centralized and hierarchical schemes. Load balancing properties, ability to tolerate churn, self-organization capabilities and scalability are demonstrated through a prototype integrating different open source defensive software.

Marchetti, Mirco; Colajanni, Michele ( 2008 ) - Adaptive traffic filtering for efficient and secure IP mobility - Proceedings of the 4th ACM symposium on QoS and security for wireless and mobile networks - ACM N/A USA) - pp. da 43 a 50 ISBN: 9781605582375 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The Mobile IP (MIP) protocol that supports node mobility in IP networks may be implemented through two routing schemes: triangular routing and reverse tunneling. While triangular routing guarantees better performance because of shorter routing paths, it is not compatible with egress filtering policies enforced by many firewalls. As a result, it is necessary to resort to the slower reverse tunneling routing scheme that causes lower mobile connection throughput and higher round trip times. In this paper, we propose an innovative adaptive traffic filtering technique in which egress filtering rules are dynamically and automatically modified to reflect the presence of mobile nodes inside the protected network. The proposed scheme, called secure triangular routing, guarantees the best trade-off between performance and security because it enables triangular routing without violating network security policies. Viability and performance improvements of the proposed solution have been demonstrated by experiments carried out through a prototype. The proposed solution does not require any modification in correspondent nodes or in their networks, and it fully complies with the MIP protocol specifications.

Clement, Allen; Marchetti, Mirco; Wong, Edmund; Alvisi, Lorenzo; Dahlin, Mike ( 2008 ) - BFT: The time is now - LADIS '08 Proceedings of the 2nd Workshop on Large-Scale Distributed Systems and Middleware [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Data centers strive to provide reliable access to the data and services that they host. This reliable access requires the data and services hosted by the data center to be both consistent and available. Byzantine fault tolerance (BFT) replication offers the promise of services that are consistent and available despite arbitrary failures by a bounded number of servers and an unbounded number of clients.

Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco ( 2008 ) - Collaborative architecture for malware detection and analysis - Proceedings of The Ifip Tc 11 23rd International Information Security Conference - Springer New York USA) - pp. da 79 a 93 ISBN: 9780387096988 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

The constant increase of malware threats clearly shows that the present countermeasures are not sufficient especially because most actions are put in place only when infections have already spread. In this paper, we present an innovative collaborative architecture for malware analysis that aims at early detection and timely deployment of countermeasures. The proposed system is a multi-tier architecture where the sensor nodes are geographically distributed over multiple organizations. These nodes send alerts to intermediate managers that, in their turn, communicate with one logical collector and analyzer. Relevant information, that is determined by the automatic analysis of the malware behavior in a sandbox, and countermeasures are sent to all the cooperating networks. There are many other novel features in the proposal. The architecture is extremely scalable and flexible because multiple levels of intermediate managers can be utilized depending on the complexity of the network of the participating organization. Ciphered communications among components help prevent the leakage of sensitive information and allow the pairwise authentication of the nodes involved in the information sharing. The feasibility of the proposed architecture is demonstrated through an operative prototype realized using open source software.

Li, Harri C.; Clement, Allen; Marchetti, Mirco; Kapritsos, Manos; Robison, Luke; Alvisi, Lorenzo; Dahlin, Mike ( 2008 ) - FlightPath: obedience vs. choice in cooperative services - OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

We present FlightPath, a novel peer-to-peer streaming application that provides a highly reliable data stream to a dynamic set of peers. We demonstrate that FlightPath reduces jitter compared to previous works by several orders of magnitude. Furthermore, FlightPath uses a number of run-time adaptations to maintain low jitter despite 10% of the population behaving maliciously and the remaining peers acting selfishly. At the core of FlightPath's success are approximate equilibria. These equilibria allow us to design incentives to limit selfish behavior rigorously, yet they provide sufficient flexibility to build practical systems. We show how to use an ε-Nash equilibrium, instead of a strict Nash, to engineer a live streaming system that uses bandwidth efficiently, absorbs flash crowds, adapts to sudden peer departures, handles churn, and tolerates malicious activity.

Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco ( 2008 ) - Selective alerts for run-time protection of distributed systems - The proceedings of Data Mining IX: Data Mining, Protection, Detection and other Security Technologies - WIT Press N/A USA) [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators, who have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attack detection. In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime alert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.

M. ANDREOLINI; CASOLARI S; COLAJANNI M; MARCHETTI M ( 2007 ) - Dynamic load balancing for network intrusion detection systems based on distributed architectures - The 6th IEEE International Symposium on Network Computing and Applications - IEEE Computer Society Los Alamitos, CA USA) - pp. da 153 a 160 ISBN: 9780769529226 [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

Increasing traffic and the necessity of stateful analyses impose strong computational requirements on network intrusion detection systems (NIDS), and motivate the need for distributed architectures with multiple sensors. In a context of high traffic with heavy tailed characteristics, static rules for dispatching traffic slices among distributed sensors cause severe imbalance. Hence, the distributed NIDS architecture must be combined with adequate mechanisms for dynamic load redistribution. In this paper, we propose and compare different policies for the activation/deactivation of the dynamic load balancer. In particular, we consider and compare single vs. double threshold schemes, and load representations based on resource measures vs. load aggregation models. Our experimental results show that the best combination of a double threshold scheme with a linear aggregation of resource measures is able to achieve a really satisfactory balance of the sensor loads together with a sensible reduction of the number of load balancer activations.

M. COLAJANNI; D. GOZZI; M. MARCHETTI ( 2007 ) - Enhancing interoperability and stateful analysis of cooperative network intrusion detection systems - Proc. of the ACM/IEEE Symposium on Architectures for Networking and Communication Systems - ACM USA) [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

A traditional Network Intrusion Detection System (NIDS) is based on a centralized architecture that does not satisfy the needs of most modern network infrastructures characterized by high traffic volumes and complex topologies. The problem of decentralized NIDS based on multiple sensors is that each of them gets just a partial view of the network traffic and this prevents a stateful and fully reliable traffic analysis. We propose a novel cooperation mechanism that addresses the previous issues through an innovative state management and state migration framework. It allows multiple decentralized sensors to share their internal state, thus accomplishing innovative and powerful traffic analysis. The advanced functionalities and performance of the proposed cooperative framework for network intrusion detection systems are demonstrated through a fully operative prototype.

Michele Colajanni; Mirco Marchetti ( 2006 ) - A Parallel Architecture for Stateful Intrusion Detection in High Traffic Networks - Proc. of the IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006) - IEEE N/A USA) [Contributo in Atti di convegno (273) - Relazione in Atti di Convegno]
Abstract

In a scenario where network bandwidth and traffic are continuously growing, network appliances that have to monitor and analyze all flowing packets are reaching their limits. These issues are critical especially for Network Intrusion Detection Systems (NIDS) that need to trace and reassemble every connection, and to examine every packet flowing on the monitored link(s), to guarantee high security levels. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for the future. In this paper, we propose a parallel NIDS architecture that is able to provide us with fully reliable analysis, high performance and scalability. These properties come together with the low costs and high flexibility that are guaranteed by a total software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them is reached by a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis that remains reliable and stateful.