An event-based platform for collaborative threats detection and monitoring

• We discuss the Semantic Room (SR) abstraction, which enables the construction of collaborative platforms for data aggregation and correlation aimed at early detecting attacks and frauds.
• We describe an SR for detecting port scanning by presenting two different implementations: one uses a centralized CEP engine (Esper) while the other employs a distributed one (Storm).
• We propose an SR for the monitoring of financial frauds which correlates information coming from Italian banks and other financial institutions; this SR also provides privacy-preserving mechanisms.

Organizations must protect their information systems from a variety of threats. Usually they employ isolated defenses such as firewalls, intrusion detection and fraud monitoring systems, without cooperating with the external world. Organizations belonging to the same markets (e.g., financial organizations, telco providers) typically suffer from the same cyber crimes. Sharing and correlating information could help them in early detecting those crimes and mitigating the damages.The paper discusses the Semantic Room (SR) abstraction which enables the development of collaborative event-based platforms, on the top of Internet, where data from different information systems are shared, in a controlled manner, and correlated to detect and timely react to coordinated Internet-based security threats (e.g., port scans, botnets) and frauds. In order to show the flexibility of the abstraction, the paper proposes the design, implementation and validation of two SRs: an SR that detects inter-domain port scan attacks and an SR that enables an online fraud monitoring over the Italian territory. In both cases, the SRs use real data traces for demonstrating the effectiveness of the proposed approach. In the first SR, high detection accuracy and small detection delays are achieved whereas in the second, new fraud evidence and investigation instruments are provided to law enforcement agencies.