Large-Scale Monitoring of Critical Digital Infrastructures

Abstract

Network monitoring is becoming increasingly important, both as a security measure for corporations and organizations, and in an infrastructure protection perspective for nation-states. Governments are not only increasing their monitoring efforts, but also introducing requirements for data retention in order to be able to access traffic data for the investigation of serious crimes, including terrorism. In Europe, a resolution on data retention was passed in December 2005 (The European Parliament, 2005). However, as the level of complexity and connectivity in information systems increases, effective monitoring of computer networks is getting harder. Systems for efficient threat identification and assessment are needed in order to handle high-speed traffic and monitor data in an appropriate manner. We discuss attacks relating to critical infrastructure, specifically on the Internet. The term critical infrastructure refers to both systems in the digital domain and systems that interface with critical infrastructure in the physical world. Examples of a digital critical infrastructure are the DNS (domain name service) and the routing infrastructure on the Internet. Examples of systems that interface with the physical world are control systems for power grids and telecommunications systems. In 1988, the first Internet worm (called the Morris worm) disabled thousands of hosts and made the Internet almost unusable. In 2002, the DNS root servers were attacked by a distributed denial-of-service (DDoS) attack specifically directed at these servers, threatening to disrupt the entire Internet.1 As our critical infrastructure, including telecommunication systems and power grids, becomes more connected and dependent on digital systems, we risk the same types of attacks being used as weapons in information warfare or cyber terrorism. Any digital system or infrastructure has a number of vulnerabilities with corresponding threats. These threats can potentially exploit vulnerabilities, causing unwanted incidents. In the case of critical infrastructures, the consequences of such vulnerabilities being exploited can become catastrophic. In this chapter, we discuss methods relating to the monitoring, detection, and identification of such attacks through the use of monitoring systems. We refer to the data-capturing device or software as a sensor. The main threats considered in this chapter are information warfare and cyber terrorism. These threats can lead to several different scenarios, such as coordinated computer attacks, worm attacks, DDoS attacks, and large scale scanning and mapping efforts. In this context, the primary task of network monitoring is to detect and identify unwanted incidents associated with threats in order to initiate appropriate precautionary measures and responses.