Introduction
The rising availability of Internet connectivity and the increase in network bandwidth are boosting the use of the World Wide Web for providing more and more services. Supported services range from e-commerce to social networks, from telephone calls to business-to-business transactions. Therefore a huge number of businesses rely on the Internet. Moreover, access to an enormous quantity of high-value and sensitive information is enabled and secured by employing the Internet as a Critical Infrastructure. What could be the next generation of services provided by the Internet? Besides, is the Internet reliable enough to support all these services?
This work aims at addressing these two questions together, investigating the paradigm of cooperative environments as a possible means of letting diverse organizations collaborate in the context of the security of Financial Institutions. A brief overview of cooperative environments is provided, in order to introduce the main topics of the whole work. All these aspects are supported by CoMiFin, a European project focused exactly on the security of Financial Institutions. A short description of CoMiFin is also given, together with a more detailed background on the Financial Institutions scenario.
Cooperative Environments
For today's software systems, the need to react timely and adaptively to unpredictable changes in the environment, so as to identify and notify possible opportunities and threats to interested actors, is becoming more and more crucial. Along these lines, a very interesting class of systems is that of Sense and Respond Systems (SRS). They detect and correlate external events (the sense phase) and then produce useful outputs on time (the respond phase).
A primary property of SRSs is the ability to produce timely responses. Part of the complexity of present environments is due to the high speed at which changes occur, and it is often crucial to react with a limited delay. For example, systems that monitor Critical Infrastructures have to notify anomalies as soon as possible, in order to prevent damage to people or things.
An important aspect of SRSs is that the quality of the generated responses depends on how much input is gathered. Let us consider a system in charge of computing the fastest route to reach a certain destination. If this system were based on road topology only, the calculation would not take into account any problem due to traffic conditions or road accidents. The employment of some automatic means to detect the current situation of the roads would surely improve the quality of the computed route. We can say "the more I can sense, the better I can respond". So, another relevant property of SRSs is the ability to gather input data from several sources, possibly heterogeneous and widely distributed.
This latter property can be seen as a way of putting together many different actors with the aim of obtaining some added-value benefit. Returning to the route calculation example, road topology, traffic conditions and real-time information about road accidents are correlated to get the fastest way. Another interesting example concerns failure detection. In distributed systems, load peaks and hardware/software failures can heavily affect the communication between nodes. The capacity to dynamically detect failed nodes is fundamental for carrying out the main distributed communication protocols, but the delays introduced by the network and the topology of the network itself can make it hard for each node to have the same knowledge about the health of the other nodes. The idea is to let all the nodes collaborate by sharing their own knowledge, in order to achieve a common perception of which nodes are alive and which are not.
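The following is an added example, not code from the thesis or from CoMiFin, of the cooperative failure detection idea just described: each node keeps its own heartbeat observations, and a gossip-style merge of all nodes' views (keeping the freshest evidence per peer) removes a false suspicion caused by a single slow link while still agreeing on the node that is really down. Node names, timestamps and the suspicion timeout are constructed for illustration.

```python
"""Cooperative failure detection: nodes merge their liveness views.

Added example (not part of the thesis or of CoMiFin). A node relying only on
its own observations may wrongly suspect a peer whose heartbeats are delayed
on one link; merging the knowledge of the other nodes yields a common and more
accurate view. Names, timestamps and the timeout below are constructed.
"""
from dataclasses import dataclass, field

SUSPECT_TIMEOUT = 5.0  # seconds without a heartbeat before a peer is suspected (assumed)


@dataclass
class Node:
    name: str
    # last heartbeat time known for each peer, observed directly or learned via gossip
    last_seen: dict = field(default_factory=dict)

    def observe_heartbeat(self, peer: str, at: float) -> None:
        """Record a heartbeat received directly from `peer` at time `at`."""
        self.last_seen[peer] = max(self.last_seen.get(peer, 0.0), at)

    def local_suspects(self, now: float) -> set:
        """Peers this node suspects using only the evidence it currently holds."""
        return {p for p, t in self.last_seen.items() if now - t > SUSPECT_TIMEOUT}

    def merge_view(self, other_view: dict) -> None:
        """Gossip step: adopt the freshest evidence per peer (max timestamp wins)."""
        for peer, t in other_view.items():
            if peer != self.name:
                self.last_seen[peer] = max(self.last_seen.get(peer, 0.0), t)


def common_suspects(nodes, now: float) -> set:
    """Exchange views among all nodes, then return the agreed set of suspects."""
    for a in nodes:
        for b in nodes:
            if a is not b:
                a.merge_view(dict(b.last_seen))
    # after a full exchange every node holds the same evidence, so any node's answer is common
    return nodes[0].local_suspects(now)


def demo():
    """Constructed scenario: the A<->C link is slow, node D is really down."""
    a, b, c = Node("A"), Node("B"), Node("C")
    now = 20.0
    # A last heard C at t=10 because of the delayed link; D stopped at t=9
    a.observe_heartbeat("B", 19.0)
    a.observe_heartbeat("C", 10.0)
    a.observe_heartbeat("D", 9.0)
    # B hears C normally
    b.observe_heartbeat("A", 19.0)
    b.observe_heartbeat("C", 18.5)
    b.observe_heartbeat("D", 8.0)
    c.observe_heartbeat("A", 12.0)
    c.observe_heartbeat("B", 19.0)
    c.observe_heartbeat("D", 7.0)
    before = a.local_suspects(now)            # {"C", "D"}: C is a false suspicion
    after = common_suspects([a, b, c], now)   # {"D"}: only the node nobody hears
    return before, after


if __name__ == "__main__":
    print(demo())
```

Taking the maximum timestamp on merge is what makes the shared view monotone: a node can only move a peer from "suspected" to "alive" when some participant has fresher evidence, never the other way round, so the common perception is at least as accurate as any single local one.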
In this regard, a very interesting area of research concerns the usage of SRSs to let a set of independent systems collaborate for an established common goal, creating in this way a cooperative environment. A brief analysis of the properties satisfied by this class of systems is quite helpful to identify what is needed to obtain collaboration in practice. First of all, due to the large volume of input data and to the demand for processing them in a timely fashion, we need to use some parallel computing paradigm, so that computation can be sped up as required to meet time constraints. This in turn implies the employment of a huge number of computational, storage and network resources, so that a parallel elaboration can be carried out on a big input data set.
An emerging technology suitable for supporting cooperative environments is cloud computing [26]. Besides its innovative business aspects, it also concerns the over-the-Internet provision of dynamically scalable and often virtualized resources. Its scalability is useful to face any peak in the load or hardware/software failure. Virtualization is important for maximizing resource utilization. So, cloud computing can be the right means for having at disposal the required amount of resources on which the desired parallel computing framework can then be deployed.
CoMiFin
CoMiFin (Communication Middleware for Monitoring Financial Critical Infrastructure) [3] is an EU project funded by the Seventh Framework Programme (FP7), started in September 2008 and continuing for 30 months. The research area is Critical Infrastructure Protection (CIP), focusing on the Critical Financial Infrastructure (CFI).
An increasing amount of sensitive traffic is being carried over open communication media, such as the Internet. This trend exposes services and the supporting infrastructure to massive, coordinated attacks and frauds that are not being effectively countered by any single organization. In order to identify threats against Critical Infrastructures and business continuity, CoMiFin aims to facilitate information exchange and distributed event processing among a subset of participants grouped in federations. Federations are regulated by contracts and they are enabled through the Semantic Room abstraction: this abstraction facilitates the secure sharing and processing of information by providing a trusted environment for the participants to contribute and analyze data. Input data can be real-time security events, historical attack data, logs, and other sources of information that concern other Semantic Room participants. Semantic Rooms can be deployed on top of an IP network allowing adaptable configurations, from peer-to-peer to cloud-centric, according to the needs and the requirements of the Semantic Room participants.
A key objective of CoMiFin is to prove the advantages of a cooperative approach in the rapid detection of threats. Specifically, CoMiFin demonstrates the effectiveness of its approach by addressing the problem of protecting the financial Critical Infrastructure. This allows groups of financial actors to take advantage of the Semantic Room abstraction for exchanging and processing information, thereby allowing them to take proactive steps in protecting their business continuity, for example by generating fast and accurate intruder blacklists.
Scenario: Financial Institutions
Nowadays, the financial industry is witnessing technological and usage changes due to globalization, new trends towards the "webification" of financial services such as home banking, online trading and remote payments, and increased competition among financial stakeholders.
In such a context, it emerges that financial institutions' infrastructures are no longer confined within single organizational boundaries; they are starting to become part of a global unmanaged financial ecosystem that consists of interconnected financial domains and other critical infrastructures, such as telecommunication supply and electricity supply, in which cross-domain interactions spanning different administrative borders are in place.
As of today, the overall number of transactions being conducted over the above-mentioned financial ecosystem is increasing. Specifically, the portion of traffic that is carried over public networks such as the Internet is increasing, thus exposing the overall ecosystem to massive and coordinated attacks and frauds.
Protecting the ecosystem from faults and malicious attacks is therefore essential in order to ensure the stability, availability, and continuity of key financial markets and individual businesses, since those attacks might also significantly compromise the results of financial transactions.
Currently, some threats or attacks targeted at different financial entities are difficult or even impossible to detect by adopting local, single-domain monitoring approaches. However, a novel approach based on inter-organization cooperation and information sharing can improve security threat detection capabilities.
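As an added illustration of why single-domain monitoring misses some attacks (this is example code, not part of the thesis or of CoMiFin), the block below pools sanitized login-failure events contributed by several participants, in the spirit of the intruder blacklists mentioned earlier, and contrasts what each participant can conclude on its own with what the pooled correlation finds. A source that spreads a few attempts over each of three institutions never reaches any local threshold, but a window-based count of distinct organizations hit by the same source exposes it. The log format, organization names, IP addresses (documentation ranges) and thresholds are all constructed assumptions.

```python
"""Cross-domain event correlation producing a shared blacklist.

Added example, not code from the thesis or from CoMiFin. Each participant
contributes sanitized events in a constructed format
    "<org> <epoch_seconds> <event_type> <source_ip>"
and a cooperative processor correlates them across organizations.
"""
from collections import defaultdict

# Constructed sample events as contributed by three participants.
CONTRIBUTED_EVENTS = """
bankA 1000 login_failure 203.0.113.7
bankA 1030 login_failure 203.0.113.7
bankB 1100 login_failure 203.0.113.7
bankB 1140 login_failure 203.0.113.7
bankC 1200 login_failure 203.0.113.7
bankA 1010 login_failure 198.51.100.9
bankA 1020 login_failure 198.51.100.9
bankA 1025 login_failure 198.51.100.9
bankA 1040 login_failure 198.51.100.9
bankA 1050 login_failure 198.51.100.9
bankA 1060 login_failure 198.51.100.9
bankB 1300 login_failure 192.0.2.44
""".strip().splitlines()

LOCAL_THRESHOLD = 5       # failures from one source before a single bank raises an alert (assumed)
FEDERATION_MIN_ORGS = 3   # distinct participants hit by one source within the window (assumed)
WINDOW_SECONDS = 600      # correlation window (assumed)


def parse_event(line):
    """Parse one contributed line into a dict; the format is an assumption of this example."""
    org, ts, kind, src = line.split()
    return {"org": org, "ts": int(ts), "type": kind, "src": src}


def local_detection(events, org):
    """What a single participant can conclude from its own events only."""
    counts = defaultdict(int)
    for e in events:
        if e["org"] == org and e["type"] == "login_failure":
            counts[e["src"]] += 1
    return {src for src, n in counts.items() if n >= LOCAL_THRESHOLD}


def cooperative_detection(events):
    """Correlate all participants' events: flag sources hitting many organizations in a window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "login_failure":
            by_src[e["src"]].append(e)
    blacklist = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # sliding window: for each event, look back at most WINDOW_SECONDS
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            orgs = {e["org"] for e in evs[start:end + 1]}
            if len(orgs) >= FEDERATION_MIN_ORGS:
                blacklist[src] = sorted(orgs)
                break
    return blacklist


def run(lines=CONTRIBUTED_EVENTS):
    """Return (per-organization local verdicts, cooperative blacklist) for the given lines."""
    events = [parse_event(line) for line in lines]
    local = {org: local_detection(events, org) for org in ("bankA", "bankB", "bankC")}
    return local, cooperative_detection(events)


if __name__ == "__main__":
    local, shared = run()
    print("local:", local)     # only bankA catches 198.51.100.9
    print("shared:", shared)   # 203.0.113.7 is found only by pooling
```

The concentrated attempt against bankA is still caught locally, which is the case single-domain monitoring already handles; the distributed one against 203.0.113.7 appears only in the pooled view, and the resulting entry can be fed back to every participant as a blacklist item.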
The main objective of CoMiFin is to design and develop a distributed system that can enhance the situation awareness of financial organizations so as to allow them to better address security threats and timely trigger local protection mechanisms, thus preventing or mitigating dangerous effects. In order to build the system, a possible scenario has been considered within which to prove the effectiveness of the CoMiFin solution.
My Contribution
Within the context of the CoMiFin project introduced so far, my contribution has been twofold:
- I've been actively involved in the analysis, design, development and installation of SR Manager, a component of the CoMiFin system architecture that will be described in depth later;
- I've developed a simple monitoring software aimed at collecting statistics about the performance of Agilis, a distributed parallel computing framework that will be detailed afterwards.
Organization
The thesis is organized as follows:
- in Chapter 1, the scenario of Financial Institutions is investigated in more detail in order to capture the requirements the system is expected to meet;
- in Chapter 2, the architecture of the CoMiFin system is illustrated by a top-down approach;
- in Chapter 3, requirements for the SR Management components are identified and refined from high-level requirements, and the architecture of these components is described in more detail;
- in Chapter 4, an insight into an SR for Intrusion Detection is provided, together with a possible architecture supporting it;
- finally, Chapter 5 outlines the conclusions obtained from this work and proposes some future directions for this area.
Chapter 1
Scenario and Requirements
As already stated in the introduction, the collaborative approach can offer benefits in several scenarios:
- in the financial context, organizations can cooperate by sharing their traffic data to improve their security defenses;
- the calculation of shortest routes can be enhanced by putting together information coming from sources of different nature, that is, by making them collaborate;
- reliable failure detection services can be built on top of collaborative environments that make the involved nodes exchange their knowledge about the health of other nodes.
This chapter, as well as the rest of the thesis, is aimed at exploring in more detail the current situation of financial environments. The most important threats are described and analyzed in order to get the basis for identifying the requirements that have been relevant for what concerns my contribution and that the CoMiFin project is expected to address.
1.1 Reference Scenarios
The key elements of the overall CoMiFin financial scenario have been investigated starting from the structure of a single organization (or business entity) that may be willing to use the CoMiFin system and participate in the so-called CoMiFin cloud. Figure 1.1 depicts this structure. An organization can be thought of as logically divided into two principal parts: an internal part (the left-hand side of the shaded rectangle in Figure 1.1) and an external part (the right-hand side of the rectangle in the same figure). The internal part consists of the set of hardware and/or software components that communicate with each other using intra-domain communications; intra-domain communications are usually carried over possibly proprietary and highly secure networks, using proprietary protocols. The internal part can in turn be constructed out of a set of internal networks (the dotted circles in Figure 1.1) that interact with one another inside a major organization. These networks might define the boundaries of the internal organizations that compose the major one.
Figure 1.1: Structure of business entity
Hardware and software resources deployed within the internal part are not accessible from the outside, since they are not directly connected to the Internet and are properly protected by hardware/software components in order to guarantee a high level of isolation. For instance, Figure 1.1 illustrates a bank corporation (i.e., Lloyds TSB) that may consist of a set of banks, each of which can be located in different geographical areas by means of bank agencies. Each bank in the major corporation, and recursively each bank agency, can use its own proprietary network in order to carry out financial activities. The external part consists of the set of hardware and/or software components connected to the outside world (i.e., the Internet). In the bank corporation example of Figure 1.1, dedicated resources can be used for instance in order to provide end users with e-banking services that use communications over the Internet. Communication and interaction between the external and internal parts are regulated by specific security policies and several levels of firewalls (which may include the definition of a DMZ for hosting external resources) in order to protect the internal part from attacks and unauthorized accesses.
Based on this organization structure, Figure 1.2 shows how a single organization can contribute to the construction of a global financial ecosystem, and the position of the CoMiFin cloud in that scenario.
In the CoMiFin scenario, there exist actors strictly related to the financial context, and critical service providers. Figure 1.2 depicts some financial actors such as banks (e.g., Unicredit, Lloyds TSB) and clearing houses (e.g., SWIFT), although any other organization related to the finance environment (e.g., insurance companies, regulatory agencies, government agencies), and critical service providers such as telecommunication companies (e.g., AT&T) and power grid companies, can also be involved. Each actor that is willing to exploit the functionalities offered by the CoMiFin system can participate in the CoMiFin cloud with a number of so-called end-points (the pattern-filled circles in Figure 1.2). These end-points include dedicated software components that, along with the resources provided by each actor, are connected to the Internet in order to exploit the Internet's robustness. Events