High-speed intrusion detection in support of critical infrastructure protection

Nowadays telecommunication network plays a fundamental role in the management of critical infrastructures since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented in order to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is seen as an important and necessary task of a global methodology for critical infrastructure protection. In this paper we present a two-fold contribution. First, we present a distributed architecture aiming to secure the communication network upon which the critical infrastructure relies. Such architecture is composed of an intrusion detection system which is built on top of a customizable flow monitor. Second, we propose an innovative method to extrapolate real-time information about user behavior from network traffic. Such method consists in monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.