1. Short Description
Critical infrastructure is often protected against physical attacks and is also protected against cyber-attacks. The combination of cyber and physical attacks, though, can seriously damage parts of critical infrastructure.
In this direction, 7SHIELD develops a monitoring platform dedicated to the combined correlation and analysis of physical and cyber threats, which makes it possible to identify complex scenarios. To achieve this, the 7SHIELD detectors, correlators and message broker analyse the effects of such threats.
GEO Spatial Complex Event Processing (G-CEP) is one of these correlators and supports any such kind of physical attack. G-CEP is a backend component responsible for correlating, in time and space, events produced by other backend and frontend components as well as by external systems (e.g. legacy Computer Aided Dispatch, social media), and for providing actionable intelligence to SGS and LEA operators.
2. Main Purpose and Benefits
It is well recognised that, when dealing with multiple and disparate events, Complex Event Processing (CEP) technology can deliver high-speed event processing, correlation and identification. CEP patterns emerge from relationships between event attributes, causality (causal relations between events), time and aggregation (the significance of an event's activity towards other events). Geospatial event processing extends the CEP paradigm with location attributes and spatial relations, which are used to combine location-aware events and to create spatiotemporal patterns. The G-CEP engine receives events from multiple and diverse sources in order to analyse and correlate them in time and space. This analysis and correlation is based on correlation patterns that are applied in real time using time windows and custom spatially enabled algorithms. G-CEP is built on Complex Event Processing technologies and techniques, enabling large volumes of incoming data to be processed in real time in order to provide actionable intelligence. G-CEP thus supports the wider objective of seamlessly and accurately identifying potential physical and/or cyber threats.
3. Main Functions
3.1 Correlation of physical threats
High-performance geo-spatial correlation of C/P security data and events from the multiple distributed sources of information and events involved in 7SHIELD. The role of the G-CEP component is to receive, analyse and correlate the events produced by the physical detection tools.
The G-CEP engine is designed for high performance and scalability. Specifically, the G-CEP engine is capable of handling more than 400.000 events/sec. The latency introduced to perform all correlations is less than 4 microseconds, and more than 1200 correlation rules can be handled by the engine.
The correlated events are forwarded to the Hybrid Correlator (HCC) and the Situational Picture Generation & Update (SPGU) components for further analysis. Additionally, the correlation rules have been adapted to the types of threats that are planned to be confronted, the end-user requirements and the characteristics of the pilots. Communication among G-CEP, the Hybrid Correlator and SPGU takes place through the message broker (Kafka) provided by the 7SHIELD platform for this purpose.
4. Integration with other Tools
As described above, the main scope of the 7SHIELD project is to design and prepare a holistic framework able to confront complex threats. To do so, support for various detection tools of different types was required, providing the platform with the advanced threat detection capabilities it needs. The management and analysis of the events produced by these multiple and diverse detection tools are supported by the correlation layer of the framework.
In more detail, the scope of the correlation layer is to receive and analyse the events produced by the detection layers in order to correlate them. The 7SHIELD project supports a two-level correlation layer. At the first level, the events detected by the physical detection tools and the events detected by the cyber detection tools are analysed and correlated separately. These correlated events are forwarded to the second level of correlation, which combines the correlated cyber and physical events in order to identify cyber-physical correlation events.
Figure 4‑1 – Correlation layers
As the figure above shows, the first level of the correlation layer is composed of two components:
- The G-CEP component, which analyses and correlates the events created by the physical detection tools
- The Cyber Correlator component, which analyses and correlates the events created by the cyber detection tools
The second level of the correlation layer is composed of the Hyper correlator (HCC), which analyses the results produced by the first level of correlation and combines them in order to detect complex cyber/physical events.
The results of the correlation components are forwarded to the SPGU component for further analysis and for the formulation of the situational operational picture.
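The two-level pipeline just described (a first-level geo-spatial correlator applying time windows and a spatial radius to physical events, a first-level cyber correlator, and a second-level hybrid correlator that pairs their outputs), as an added Python example. This is not 7SHIELD project code and does not reproduce the real G-CEP engine: every rule name, threshold, event field, coordinate and sample event is constructed, the Kafka topics are stood in for by in-memory lists keyed by the publishing component, and the three rule lists stand in for the rule repository the operation manual section mentions.

```python
"""Added example, not 7SHIELD project code: a minimal two-level spatio-temporal
correlation pipeline. Level 1 correlates physical events (the G-CEP role) and
cyber events separately; level 2 pairs the two correlated streams (the HCC role).
Kafka is replaced by in-memory lists; all rules and sample events are constructed."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class Event:
    source: str                  # detection tool (or correlator) that produced it
    kind: str                    # event type label
    ts: float                    # seconds since epoch
    lat: Optional[float] = None  # physical events carry a location, cyber events do not
    lon: Optional[float] = None
    attrs: dict = field(default_factory=dict)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres: the spatial predicate the rules use."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))


# Rule repository stand-in: rules are plain data, so operators can change them
# without touching the engine (constructed names and thresholds).
PHYSICAL_RULES = [{"name": "perimeter_intrusion", "kinds": {"uav_detected", "person_detected"},
                   "min_sources": 2, "window_s": 60, "radius_m": 150}]
CYBER_RULES = [{"name": "auth_bruteforce", "kinds": {"failed_login"},
                "min_events": 5, "window_s": 120}]
HYBRID_RULES = [{"name": "cyber_physical_attack", "physical": "perimeter_intrusion",
                 "cyber": "auth_bruteforce", "window_s": 300}]


class GeoCorrelator:
    """Level 1, physical: time-windowed, radius-bounded matching across distinct sources."""
    def __init__(self, rules):
        self.rules, self.buffer = rules, []

    def process(self, ev):
        self.buffer.append(ev)
        fired = []
        for rule in self.rules:
            if ev.kind not in rule["kinds"]:
                continue
            cluster = [e for e in self.buffer if e.kind in rule["kinds"]
                       and ev.ts - e.ts <= rule["window_s"]
                       and haversine_m(e.lat, e.lon, ev.lat, ev.lon) <= rule["radius_m"]]
            if len({e.source for e in cluster}) >= rule["min_sources"]:
                fired.append(Event("G-CEP", rule["name"], ev.ts, ev.lat, ev.lon,
                                   {"contributing": len(cluster)}))
                self.buffer = [e for e in self.buffer if e not in cluster]  # consume on fire
        horizon = max(r["window_s"] for r in self.rules)
        self.buffer = [e for e in self.buffer if ev.ts - e.ts <= horizon]  # evict stale events
        return fired


class CountCorrelator:
    """Level 1, cyber: threshold on same-kind events inside a time window."""
    def __init__(self, rules):
        self.rules, self.buffer = rules, []

    def process(self, ev):
        self.buffer.append(ev)
        fired = []
        for rule in self.rules:
            hits = [e for e in self.buffer if e.kind in rule["kinds"]
                    and ev.ts - e.ts <= rule["window_s"]]
            if ev.kind in rule["kinds"] and len(hits) >= rule["min_events"]:
                fired.append(Event("cyber-correlator", rule["name"], ev.ts,
                                   attrs={"contributing": len(hits)}))
                self.buffer = [e for e in self.buffer if e not in hits]  # consume on fire
        return fired


class HybridCorrelator:
    """Level 2 (HCC role): pair a physical and a cyber correlated event within a window."""
    def __init__(self, rules):
        self.rules, self.seen = rules, []

    def process(self, corr):
        fired = []
        for rule in self.rules:
            # the partner kind this correlated event needs; None if the rule ignores it
            want = {rule["physical"]: rule["cyber"], rule["cyber"]: rule["physical"]}.get(corr.kind)
            partner = next((e for e in self.seen if e.kind == want
                            and abs(corr.ts - e.ts) <= rule["window_s"]), None)
            if partner is None:
                continue
            phys, cyb = (corr, partner) if corr.kind == rule["physical"] else (partner, corr)
            fired.append(Event("HCC", rule["name"], max(phys.ts, cyb.ts), phys.lat, phys.lon,
                               {"physical_ts": phys.ts, "cyber_ts": cyb.ts}))
            self.seen.remove(partner)
        if not fired:
            self.seen.append(corr)  # keep it for a partner that may arrive later
        return fired


def run_pipeline(events):
    """Replay events in arrival order. Routing by presence of a location is a constructed
    simplification; a real deployment would route by the source topic instead."""
    topics = {"G-CEP": [], "cyber-correlator": [], "HCC": []}  # stand-ins for Kafka topics
    gcep, cyber, hcc = GeoCorrelator(PHYSICAL_RULES), CountCorrelator(CYBER_RULES), HybridCorrelator(HYBRID_RULES)
    for ev in sorted(events, key=lambda e: e.ts):
        for corr in gcep.process(ev) if ev.lat is not None else cyber.process(ev):
            topics[corr.source].append(corr)
            for hybrid in hcc.process(corr):
                topics[hybrid.source].append(hybrid)
    return topics


# Constructed sample events: a UAV and a person seen ~56 m apart within 30 s, a far-away
# thermal sighting that must not join the cluster, then five failed logins in 40 s.
SAMPLE_EVENTS = [
    Event("uav-analytics", "uav_detected", 1000.0, 40.6401, 22.9444),
    Event("video-analytics", "person_detected", 1030.0, 40.6405, 22.9448),
    Event("thermal-camera", "person_detected", 1040.0, 40.6500, 22.9444),
] + [Event("siem", "failed_login", 1100.0 + 10 * i) for i in range(5)]

if __name__ == "__main__":
    for topic, out in run_pipeline(SAMPLE_EVENTS).items():
        for e in out:
            print(f"{topic}: {e.kind} at t={e.ts:.0f} {e.attrs}")
```

Two design choices worth noting. Each level-1 rule consumes the events that made it fire, so a rule does not re-fire on every subsequent event while its window still holds; without that, the hybrid correlator would be flooded with duplicates of the same situation. Second, the hybrid level only keeps level-1 outputs, never raw events, which is what keeps the second level cheap even when the first level handles very high event rates.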
More specifically, G-CEP is a backend component that collects all events produced by the physical detection tools and forwards the correlation results to the HCC and SPGU components. In order to meet these requirements, the G-CEP component has been enhanced to support the format of the messages produced by the project's several physical detection tools.
Figure 4‑2 – G-CEP communication with other components
The G-CEP component receives events from the following four physical detection tools:
- Object and face detection components using video streams
- Laser-based technology detection tools
- Infrared and thermal image processing detection tool
- Data collection and analysis from UAV
However, the component has been designed to be agnostic to the type of detection tool used to feed it with data. Thus, G-CEP could collect and handle events produced by external detection tools (other than the detection tools available to the project).
The G-CEP component forwards the correlated events to the following two components:
- Hyper correlator
- Situational Picture Generation Unit
5. Infrastructure Requirements
G-CEP is a backend service that collects data from various streams in order to analyse and correlate them, creating actionable information. No special infrastructure is required. A typical user interface is provided, enabling users to manage the correlation rules.
6. Operation Manual
Users are able to manage online the list of correlation rules that are enabled at any given time. Thus, they can configure the correlation rules according to the current requirements and the status of operations. A rule repository is contained inside the G-CEP service; this repository hosts and manages all the correlation rules defined by the users.
7. User Interface
G-CEP is a back-end service; thus, no user interface is provided.