WO2011061767A1 - Smart security-supervision system - Google Patents

Publication number
WO2011061767A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
site
sensors
software module
simulation software
Prior art date
Application number
PCT/IT2009/000519
Other languages
French (fr)
Inventor
Emilio Montolivo
Original Assignee
Elsag Datamat Spa
Priority date
Filing date
Publication date
Application filed by Elsag Datamat Spa
Priority to PCT/IT2009/000519
Publication of WO2011061767A1

Classifications

    • G: PHYSICS
    • G08: SIGNALLING
    • G08B: SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B31/00: Predictive alarm systems characterised by extrapolation or other computation using updated historic data

Definitions

  • the present invention relates, in general, to a system for supervising security of a site to be protected, such as for example an industrial site, a power plant for the production and/or distribution of energy, a port, an airport, a railway station, a bank, headquarters of a company, etc., and in particular to a security-supervision system that is able to simulate and predict actions of potential attackers, such as burglars, hijackers, saboteurs, terrorists, spies, etc., who attempt to violate the site or have already penetrated the site.
  • conventional systems for security supervision of a site have the purpose of enabling detection of possible ill-intentioned and/or illegal acts inside the site and of enabling security staff to manage the devices designed for protection of the site itself, such as, for example, video cameras, entrance-control systems, anti-intrusion and presence-detection systems, etc., and to use them in an optimal way in order to prevent non-authorized access and any other ill-intentioned and/or illegal act.
  • Shown in Figure 1 is a functional block diagram of a security-supervision system 100 of a known type for security supervision of a site to be protected (not illustrated in Figure 1).
  • the security-supervision system 100 comprises:
  • control software modules 2;
  • an ICT (Information and Communication Technology)
  • the human/machine-interface software modules 1 comprise:
  • control software modules 2 instead comprise:
  • first control modules 21 for control of the sensors and of the security devices 3;
  • third control modules 23 for collection and analysis of security alarms;
  • security devices and sensors 3 installed in the site to be protected comprise:
  • Many of the human/machine-interface software modules 1 are typically concentrated in one or more operating rooms, whilst the portable clients 13 can be installed on mobile terminals, such as for example palm-top devices, thus enabling the security staff to operate also when they are not physically present in the operating rooms.
  • control software modules 2 can all reside in the operating rooms or else may be totally or partially distributed inside the site to be protected or outside.
  • the ICT infrastructure 4 comprises all those hardware and/or software apparatuses (telecommunications networks, routing devices, computers, servers, workstations, basic software, etc.) that enable support of operation of the other elements of the security-supervision system 100, i.e., the human/machine-interface software modules 1, the control software modules 2, and the security devices and sensors 3.
  • the security-supervision system 100 performs and/or supports the following operations:
  • the present applicant has carried out an in-depth study aimed at investigating the possibility of improving current security-supervision systems, in particular from the standpoint of reliability and efficiency of said systems.
  • the aim of the present invention is to provide a security-supervision system that is more reliable and efficient than currently known systems.
  • the security-supervision system is configured to supervise security of a site to be protected and is characterized by comprising a simulation software module configured to simulate in a virtual environment potential violations of the security of the site perpetrated by simulated attackers.
  • Figure 1 is a schematic illustration of a security-supervision system of a known type;
  • Figure 2 is a schematic illustration of a security-supervision system according to the present invention;
  • Figure 3 shows in greater detail a component of the system of Figure 2;
  • Figure 4 is a schematic illustration of an example of a site to be protected in which the security-supervision system of Figure 2 is operative.
  • the present invention regards a security-supervision system configured to supervise security of a site to be protected, such as, for example, an industrial site, a power plant for the production and/or distribution of energy, a port, an airport, a railway station, a bank, the headquarters of a company, etc.
  • the security-supervision system, unlike the known systems described previously, comprises a simulation software module that increases considerably the reliability and efficiency of the security-supervision system, both in conditions of normal operativeness and in the case where the site to be protected is the object of an attack and/or some components of the security-supervision system function in a degraded way on account of failures.
  • simulation software module enables the security-supervision system to:
  • the simulation software module adds a component of "artificial intelligence" to the security-supervision system enabling, amongst other things, provision of indications on the possible interventions of improvement, anticipating the moves of a hypothetical attacker, guiding the security staff during emergencies, optimizing the use of resources, etc.
  • Figure 2 shows a functional block diagram of a security-supervision system 200 according to the present invention for security supervision of a site to be protected (not illustrated in Figure 2).
  • the security-supervision system 200 comprises:
  • control software modules 2 of the security-supervision system 200 also comprise:
  • interface and control modules 27 configured to interface with the simulation software module 5 and to control said simulation software module 5.
  • the simulation software module 5 is configured to simulate in a virtual environment actions and behaviours of one or more attackers that are assumed as having penetrated into the site to be protected.
  • the simulation software module 5 can carry out, either in background or upon request from an operator, i.e., a person responsible for security, simulations based upon:
  • a description of the site to be protected in terms of topographical structure of the site (for example, based upon site layouts), active and passive security devices and sensors 3 installed in the site, security measures of a procedural type active in the site, configurations adopted, etc.;
  • scenario information coming from the outside world and acquired automatically through communications networks of the site to be protected, the Internet, or any other communications channel, and/or entered manually by an operator, said scenario information possibly coming from intelligence sources (signalling of possible attacks, presence of terrorist groups with particular technological skills, new threats, etc.), from the manufacturers of the security devices and sensors 3 (signalling of the discovery of new points of vulnerability or malfunctioning of the presence sensors 32, of the anti-intrusion sensors 33, of the entrance-control systems 34, etc.), from security experts, etc.
  • the description of the site to be protected can be kept updated in real time thanks to the interaction between the simulation software module 5 and the human/machine-interface software modules 1, the control software modules 2, the security devices and sensors 3, and the ICT infrastructure 4 of the security-supervision system 200.
  • the necessary information can, in fact, totally or partially derive from the information used by the security-supervision system 200 to enable the security staff to locate the position in the site to be protected of the security devices and sensors 3 (for example, the video cameras 31, the presence sensors 32, and the anti-intrusion sensors 33) that have raised a security alarm, of each component of the security-supervision system 200 that has raised an alarm of a diagnostic type, and, more in general, of all the controlled devices.
  • the information on the security and diagnostic alarms collected by the security-supervision system 200 can be kept updated in real time thanks to the interaction between the simulation software module 5 and the other components of the security-supervision system 200, in particular the second control modules 22 and the third control modules 23.
  • the security-supervision system 200 uses, in background or upon request from the security staff, the simulation software module 5 for simulating attacks on the site to be protected and generating information on the most likely modes of attack. In this way, the security-supervision system 200 acquires new capabilities, which include:
  • FIG. 3 shows in greater detail the interface and control modules 27.
  • the interface and control modules 27 comprise:
  • first interface and control modules 271 for analysis and processing of the results of the simulations performed by the simulation software module 5 for presentation to the security staff, by means of the human/machine-interface software modules 1, of said results of the simulations performed and/or of further results obtained on the basis of their analysis and processing;
  • third interface and control modules 273 for acquiring from the security-supervision system 200 the data that enable a topographical description of the site to be protected, indicated on which are also the positions of the security devices and sensors 3 and of the apparatuses of the ICT infrastructure 4, the third interface and control modules 273 being further configured to translate said data into a digital format understandable to the simulation software module 5;
  • When the simulation software module 5 receives new data, in particular from the third interface and control modules 273 and from the fourth interface and control modules 274, it starts one or more simulation sessions.
  • Figure 4 is a schematic illustration of an example of a site 400 to be protected in which the security-supervision system 200 described previously is operative (only two video cameras of said system are shown designated, respectively, by 31a and 31b).
  • the site 400 comprises:
  • a courtyard 403 installed in which are the video cameras 31a and 31b (Figure 4 shows schematically, by means of two pairs of dash-dot lines, the respective fields of vision of the video cameras 31a and 31b) and which communicates with the garage 401 by means of a first security exit 404 that can be opened only from inside the garage 401, the courtyard 403 communicating also with the outside of the site 400 by means of a second security exit 405 that can be opened only from inside the courtyard 403;
  • a corridor 406 that communicates with the courtyard 403 by means of a third security exit 407 and a fourth security exit 408, which can both be opened only from inside the corridor 406;
  • an entrance 409 controlled by sight by a watchman located in a watchman's lodge 410 connected to the entrance 409 and separated therefrom by a transparent bullet-proof window (in Figure 4 designated by a dotted line of boundary between the entrance 409 and the watchman's lodge 410) that enables the watchman to control and identify the persons that enter the site 400 and exit therefrom through the entrance 409, the entrance 409 communicating with the outside of the site 400 by means of a first door 411 and with the garage 401 by means of a second door 412, said doors 411 and 412 being normally open because they are controlled by sight by the watchman, said entrance 409 moreover communicating with the corridor 406 by means of a first armoured door 413, opening of which is governed either by use of a badge possessed only by users authorised to enter the site 400 or by the watchman by means of a pushbutton for opening (not shown in Figure 4) present in the watchman's lodge 410, there also being present in the watchman's lodge
  • a first room 414 present in which is a safe 415, which contains confidential documents and has an opening combination known only to a person responsible for the safe, the first room 414 communicating with the corridor 406 by means of a second armoured door 416 that can be opened only with first keys;
  • Figure 4 receive from the third control modules 23 (not shown in Figure 4) the information that the third security exit 407 has been left open and consequently ask the simulation software module 5 to carry out simulations for analysing the impact of this event on the security of the site 400.
  • the simulation software module 5, provided for example with the so-called software-agent technology, as will be described in detail in what follows, identifies various paths of attack and the level of risk associated thereto.
  • the simulation software module 5 identifies a potential attack and the corresponding path (represented in Figure 4 by a dashed arrow) in which an attacker 424 (in Figure 4 schematically represented by a stylised figure of a man):
  • reaches, through the corridor 406, the alarm control unit 423 and manages to de-activate the alarms of the second room 417, of the third room 419, and of the fourth room 421, the attacker 424 having, with a second probability P2, a level of technological know-how such as to enable him to de-activate the aforesaid alarms;
  • the data on the attacks identified are sent by the simulation software module 5 to the first interface and control modules 271 and to the second interface and control modules 272.
  • the first interface and control modules 271 process the results of the simulations, verifying whether associated to the potential attack described previously is a level of risk that exceeds a threshold T (that can be set by the security staff).
  • the first interface and control modules 271 alert, through the human/machine-interface software modules 1, the security staff of the site 400 if R>T.
  • the second interface and control modules 272 process the results of the simulations and, with reference to the potential attack previously described, send to the local clients 11 the order of showing on the displays present in the watchman's lodge 410, in the absence of different instructions on the part of the watchman, the pictures taken by the video camera 31b.
  • a software agent is a software and/or hardware system programmed/configured in such a way as to
  • an attacker is impersonated in the simulated world by one or more software agents that receive an initial quota of "skills", “know-how”, “tools”, “time”, etc. and possibly a target to be achieved.
  • the software agents are then made to move in a virtual environment that models, as described in detail in what follows, the site to be protected (for example the site 400 of Figure 4) controlled by the security-supervision system 200.
  • the model is dynamic in the sense that it is automatically and continuously modified so as to take into account the information coming from the outside world and from the security-supervision system 200 (in real time or otherwise) and, more specifically, from the first control modules 21, the second control modules 22, the third control modules 23, and the fifth control modules 25.
  • the simulation technique described hence enables very realistic simulations to be carried out that take into account, for example, possible failure or malfunctioning of the human/machine-interface software modules 1, of the control software modules 2, of the security devices and sensors 3, and of the apparatuses of the ICT infrastructure, of any possible distraction on the part of the guards (who could fail to abide by the procedures), and of the social-engineering skills of the potential attackers.
  • the security-supervision system 200 has available a topographical description of the site to be protected (for example the site 400 of Figure 4).
  • Said topographical description also comprises, i.e., enables identification of, the positions of the security devices and sensors 3 inside the site to be protected.
  • the site to be protected (for example, the site 400 of Figure 4) controlled by the security-supervision system 200 is represented, in the simulation/simulations executed by the simulation software module 5, by a model that is made up of areas, goods and attackers.
  • the areas can consist of buildings, rooms (for example the entrance 409, the watchman's lodge 410, and the rooms 414, 417, 419 and 421 of Figure 4), physical containers (for example, the safe 415 of Figure 4), apparatuses (for example, the alarm control unit 423 of Figure 4), courtyards (for example, the courtyard 403 of Figure 4), gardens, carparks (for example, the garage 401 of Figure 4), etc.
  • Each attacker (for example, the attacker 424 of Figure 4), in the simulation/simulations executed by the simulation software module 5, is represented by a respective software agent and has a set of credentials of its own, i.e. the software agent comprises a plurality of respective characteristics.
  • Said credentials of the attacker, or characteristics of the software agent, may vary during one and the same simulation executed by the simulation software module 5 and preferably comprise:
  • a possession of goods (which, for example, once again with reference to the example of attack previously described and shown in Figure 4, comprises, after the attacker 424 has entered the fourth room 421, the first, second, and third keys that have been stolen by the attacker 424 in the fourth room 421);
  • the areas of the model of the site to be protected comprise interfaces through which the attackers can gain access to said areas if they are equipped with appropriate credentials.
  • interfaces are: doors (for example, the security exits 404, 405, 407 and 408, the doors 411 and 412, the armoured doors 413 and 416, the alarmed and armoured doors 418 and 420 and the alarmed door 422 of Figure 4), windows, walls, ceilings, floors, gates (for example, the electric-powered gate of Figure 4), boundaries, air space, etc.
  • Passing through an interface can occur through an attack or without violation, for example using a key for opening a door (for instance, with reference to the example of attack of Figure 4, using the badge for opening the first armoured door 413, or the first keys for opening the second armoured door 416, or the second keys for opening the first alarmed and armoured door 418, or the third keys for opening the second alarmed and armoured door 420).
  • There can exist different modes for violating an interface such as, for example, breaking down a door, or opening it with a jemmy. Said modes also represent just as many modes of attack on the interface.
  • An attacker can have credentials that enable him to
  • the attacker 424 does not have credentials sufficient to be able to break down the second armoured door 416, which, hence, can be passed through by the attacker 424, consequently without violation, only after the latter has come into possession of the first keys.
  • to each interface there can be associated protection measures that can comprise: barriers (such as, for example, the security exits 404, 405, 407 and 408, the doors 411 and 412, the armoured doors 413 and 416, the alarmed and armoured doors 418 and 420 and the alarmed door 422 of Figure 4), the presence sensors 32, the anti-intrusion sensors 33 (such as, for example, the alarm sensors (not shown in Figure 4) associated to the alarmed and armoured doors 418 and 420 and to the alarmed door 422 of Figure 4), procedures, etc.
  • the various types of protection measures can co-exist. An attack may require all the protection measures or just some of them to be overcome.
  • the barriers constitute a physical obstacle to the violation of the interface.
  • a respective state (active/inactive) that can be defined deterministically (for example, when a barrier is open because an attacker has managed to violate it or has been left open on purpose) and/or depend upon the time and/or a procedure, in the latter case the state possibly being known deterministically if the barrier is controlled by the security-supervision system 200, or, otherwise, it possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
  • the anti-intrusion sensors 33 do not oppose violation of the interface but reveal a violation thereof and, in the case where they reveal a violation thereof, raise an alarm, thus reducing the time available to the attacker before he is discovered.
  • the anti-intrusion sensors 33 can conveniently comprise door-opening sensors, microphone sensors that detect breaking of a window or knocking down of a wall, vibration sensors that detect attempts at climbing over a fence, pressure sensors that react if they are trodden on, laser or infrared barriers that react if they are traversed, video cameras with functions of motion detection or intelligent analysis of scenes, etc.
  • Each anti-intrusion sensor 33 preferably comprises the following characteristics:
  • a respective state that can be deterministically defined (for example, when a sensor is inactive because an attacker has managed to de-activate it or is left inactive on purpose) and/or depend upon the time and/or upon a procedure, in the latter case the state possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
  • the presence sensors 32 are configured to detect the presence of a person in the area to which they are associated.
  • Typical examples of presence sensors 32 are microwave, infrared, dual-technology detectors, video cameras with functions of motion detection or intelligent analysis of scenes, etc.
  • Each presence sensor 32 preferably comprises the following characteristics:
  • a respective state (active/inactive) that can be defined deterministically (for example when a sensor is inactive because an attacker has managed to de-activate it or is left inactive on purpose) and/or depend upon the time and/or upon a procedure, in the latter case, if the sensor is not controlled by the security-supervision system 200, the state possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
  • a respective time that elapses between signalling of alarm by the sensor and intervention of the guards
  • the simulation software module 5 can conveniently take into account also security measures of a procedural type that are associated to the pairs goods/area, as described in detail in what follows, and to the pairs measures of security of a non-procedural type/interface.
  • a specification of the time intervals (time/date) in which the area is authorised to contain the goods
  • the state of an interface can change in the course of a simulation.
  • the information on the real state of an interface is supplied to the simulation software module 5 by the third interface and control modules 273 and by the fourth interface and control modules 274.
  • to each area there may be associated one or more goods that generally can be of two types:
  • prizes for the attacker (keys, information (for instance, with reference to the example of attack previously described and shown in Figure 4, the combination of the safe 415), badges, passwords, additional time, capacity of activating/de-activating the state of interfaces, etc.);
  • to each area there can be associated a minimum time of stay that represents the minimum time that the attacker must spend in the area before being able to attempt the next attack.
  • a multidimensional parameter which represents the loss that the owner of the site suffers following upon access to the area by the attacker.
  • the attackers are characterized deterministically or probabilistically (i.e., through the probability-distribution functions) by the possession of the following credentials (or characteristics):
  • time available before being discovered: a time that can be defined deterministically and that varies during simulation according to the choices made by the attacker;
  • the characteristics of the interface with reference to the particular attack considered are compared with the credentials of the attacker.
  • the comparison can be of a deterministic type or of a probabilistic type depending upon the credential considered and the characteristics of the interface.
  • the security-supervision system according to the present invention is an "intelligent" system much more reliable and efficient than currently known security-supervision systems, this both in conditions of normal operativeness and in the case where the site to be protected is the object of an attack and/or some components of the security-supervision system function in a degraded way on account of failures.
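
The area/interface/credential model and the R>T check described in the items above can be sketched as follows. This is an added example, not code from the patent or the applicant. Assumptions: the site layout, loss values and skill probabilities are constructed and are not a reproduction of Figure 4; the loss is a scalar rather than multidimensional; and the formula R = P(path) x loss is one possible choice, since the items above do not define how R is computed.

```python
"""Added example: risk per reachable area in an area/interface/attacker model."""
from dataclasses import dataclass
from math import prod
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    a: str                         # the two areas the interface connects
    b: str
    is_open: bool = False          # real state reported by the supervision system
    key: Optional[str] = None      # goods that allow passage without violation
    skill: Optional[str] = None    # know-how needed to violate it; None = not violable


@dataclass
class Attacker:
    start: str
    skills: dict                   # skill -> probability that the attacker has it
    goods: frozenset = frozenset()


def simulate(areas, interfaces, attacker):
    """Return {area: (probability, path)} for the most likely way to reach each area.

    A state is (area, goods held, skills relied on). The probability of a state is
    the product of the probabilities of the distinct skills relied on, so a skill
    used on several interfaces is counted once (the attacker has it or does not).
    """
    best, seen = {}, set()
    stack = [(attacker.start, frozenset(attacker.goods), frozenset(), (attacker.start,))]
    while stack:
        area, goods, used, path = stack.pop()
        goods = goods | frozenset(areas[area]["goods"])   # prizes found in the area
        state = (area, goods, used)
        if state in seen:
            continue
        seen.add(state)
        p = prod(attacker.skills[s] for s in used)
        if p > best.get(area, (0.0, ()))[0]:
            best[area] = (p, path)
        for itf in interfaces:
            if area not in (itf.a, itf.b):
                continue
            nxt = itf.b if area == itf.a else itf.a
            if itf.is_open or itf.key in goods:
                step = used                               # passage without violation
            elif itf.skill in attacker.skills:
                step = used | {itf.skill}                 # passage through an attack
            else:
                continue                                  # credentials insufficient
            stack.append((nxt, goods, step, path + (itf.name, nxt)))
    return best


def risk_report(areas, interfaces, attacker, threshold):
    """Risk R = P(path) x loss for each reachable area; alert when R > T."""
    report = {}
    for area, (p, path) in simulate(areas, interfaces, attacker).items():
        r = p * areas[area]["loss"]
        report[area] = {"risk": round(r, 6), "alert": r > threshold, "path": path}
    return report


# Constructed site: loss values and goods are illustrative only.
AREAS = {
    "outside":   {"loss": 0.0,   "goods": ()},
    "courtyard": {"loss": 1.0,   "goods": ()},
    "corridor":  {"loss": 5.0,   "goods": ()},
    "room_421":  {"loss": 20.0,  "goods": ("first_keys",)},
    "room_414":  {"loss": 100.0, "goods": ()},
}


def site(exit_407_open):
    """Constructed interfaces; only the state of exit_407 varies between runs."""
    return [
        Interface("fence", "outside", "courtyard", skill="climbing"),
        Interface("exit_407", "courtyard", "corridor", is_open=exit_407_open),
        Interface("door_422", "corridor", "room_421", skill="alarm_know_how"),
        Interface("door_416", "corridor", "room_414", key="first_keys"),
    ]


ATTACKER = Attacker(start="outside", skills={"climbing": 0.9, "alarm_know_how": 0.4})
T = 10.0   # threshold set by the security staff (constructed value)

if __name__ == "__main__":
    for state in (False, True):
        print("exit_407 open:", state)
        for area, row in risk_report(AREAS, site(state), ATTACKER, T).items():
            print(f"  {area:10s} R={row['risk']:<6} alert={row['alert']}")
```

With the exit closed only the courtyard is reachable and nothing exceeds T; with the exit reported open, the room holding the keys becomes a stepping stone and the risk for the key-protected room rises above T, which is the kind of change an open-door alarm would ask the simulation to evaluate.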

Landscapes

  • Business, Economics & Management
  • Engineering & Computer Science
  • Computing Systems
  • Emergency Management
  • Physics & Mathematics
  • General Physics & Mathematics
  • Alarm Systems

Abstract

The present invention relates to a security-supervision system (200) configured to supervise security of a site (400) to be protected. The security-supervision system (200) comprises a simulation software module (5) configured to simulate in a virtual environment potential violations of the security of the site (400) perpetrated by simulated attackers (424).

Description

SMART SECURITY-SUPERVISION SYSTEM
TECHNICAL SECTOR OF THE INVENTION
The present invention relates, in general, to a system for supervising security of a site to be protected, such as for example an industrial site, a power plant for the production and/or distribution of energy, a port, an airport, a railway station, a bank, headquarters of a company, etc., and in particular to a security-supervision system that is able to simulate and predict actions of potential attackers, such as burglars, hijackers, saboteurs, terrorists, spies, etc., who attempt to violate the site or have already penetrated the site.
STATE OF THE ART
As is known, conventional systems for security supervision of a site have the purpose of enabling detection of possible ill-intentioned and/or illegal acts inside the site and of enabling security staff to manage the devices designed for protection of the site itself, such as, for example, video cameras, entrance-control systems, anti-intrusion and presence-detection systems, etc., and to use them in an optimal way in order to prevent non-authorized access and any other ill-intentioned and/or illegal act.
Shown in Figure 1 is a functional block diagram of a security-supervision system 100 of a known type for security supervision of a site to be protected (not illustrated in Figure 1).
In particular, as shown in Figure 1, the security-supervision system 100 comprises:
• human/machine-interface software modules 1;
• control software modules 2;
• security devices and sensors 3; and
• an ICT (Information and Communication Technology) infrastructure 4 comprising a plurality of apparatuses.
In detail, once again as shown in Figure 1, the human/machine-interface software modules 1 comprise:
• local clients 11;
• remote clients 12;
• portable clients 13; and
• possible further interface modules 14 for the interaction between the security staff and the security-supervision system 100.
The control software modules 2 instead comprise:
• first control modules 21 for control of the sensors and of the security devices 3;
• second control modules 22 for collection and analysis of diagnostic alarms;
• third control modules 23 for collection and analysis of security alarms;
• fourth control modules 24 for configuration of the security devices and sensors 3 and of the apparatuses of the ICT infrastructure 4;
• fifth control modules 25 for video-recording and video-analysis; and
• possible further control modules 26.
Finally, the security devices and sensors 3 installed in the site to be protected comprise:
• video cameras 31;
• presence sensors 32;
• anti-intrusion sensors 33;
• entrance-control systems 34;
• readers of automobile number-plates 35; and
• possible further security devices and sensors 36.
Many of the human/machine-interface software modules 1 are typically concentrated in one or more operating rooms, whilst the portable clients 13 can be installed on mobile terminals, such as for example palm-top devices, thus enabling the security staff to operate also when they are not physically present in the operating rooms.
In addition, the control software modules 2 can all reside in the operating rooms or else may be totally or partially distributed inside the site to be protected or outside.
Finally, the ICT infrastructure 4 comprises all those hardware and/or software apparatuses (telecommunications networks, routing devices, computers, servers, workstations, basic software, etc.) that enable support of operation of the other elements of the security-supervision system 100, i.e., the human/machine-interface software modules 1, the control software modules 2, and the security devices and sensors 3.
Generally, the security-supervision system 100 performs and/or supports the following operations:
• control, management and configuration, by means of the first control modules 21 and the fourth control modules 24, of the security devices and sensors 3, in particular of the video cameras 31, of the presence sensors 32, of the anti-intrusion sensors 33, and of the entrance-control systems 34 that control the entrances of the site to be protected;
• management and configuration, by means of the fourth control modules 24, of the ICT infrastructure 4 used by the security-supervision system 100, including the telecommunications networks and the hardware and software platforms;
• display, via the local clients 11, the remote clients 12, the portable clients 13, and the possible further interface modules 14, of the images coming from the surveillance video cameras 31;
• video-recording, by means of the fifth control modules 25, of the images captured by the video cameras 31 and access to the films recorded via the local clients 11, the remote clients 12, the portable clients 13, and the possible further interface modules 14;
• automatic and intelligent analysis, once again by means of the fifth control modules 25, of the images captured by the video cameras 31, in real time or after they have been video-recorded, in order to detect possible anomalous situations (such as, for example, presence of activities in areas that ought not to be accessible, presence of abandoned objects, overstepping of virtual barriers, etc.), identify individuals by means of analysis of the facial features, execute a three-dimensional analysis of the scene by means of binocular filming, etc.;
• recording and analysis, by means of the third control modules 23, and presentation to the security staff, by means of the human/machine-interface software modules 1, of the security alarms raised by the security devices and sensors 3 with indication on geographical maps or site layouts indicating the position or positions of the security devices and sensors 3 by which said security alarms have been raised;
• recording and analysis, by means of the second control modules 22, and presentation to the security staff, by means of the human/machine-interface software modules 1, of the diagnostic alarms regarding any malfunctioning and/or failures of the security devices and sensors 3 with indication on geographical maps or site layouts of the position or positions of the security devices and sensors 3 that have failed or are not functioning properly;
• recording and analysis, by means of the second control modules 22, and presentation to the security staff, by means of the human/machine-interface software modules 1, of the diagnostic alarms corresponding to malfunctioning and/or failure of the apparatuses of the ICT infrastructure 4;
• management of the security and/or diagnostic alarms;
• etc.
OBJECT AND SUMMARY OF THE INVENTION
The present applicant has carried out an in-depth study aimed at investigating the possibility of improving current security-supervision systems, in particular from the standpoint of reliability and efficiency of said systems.
Consequently, the aim of the present invention is to provide a security-supervision system that is more reliable and efficient than currently known systems.
The aforesaid aim is achieved by the present invention in so far as it relates to a security-supervision system according to what is defined in the annexed claims.
In particular, the security-supervision system according to the present invention is configured to supervise security of a site to be protected and is characterized by comprising a simulation software module configured to simulate in a virtual environment potential violations of the security of the site perpetrated by simulated attackers.
BRIEF DESCRIPTION OF THE DRAWINGS
For a better understanding of the present invention, some preferred embodiments, provided purely by way of explanatory and non-limiting example, will now be illustrated with reference to the annexed drawings (which are not in scale), wherein:
- Figure 1 is a schematic illustration of a security-supervision system of a known type;
- Figure 2 is a schematic illustration of a security-supervision system according to the present invention;
- Figure 3 shows in greater detail a component of the system of Figure 2; and
- Figure 4 is a schematic illustration of an example of a site to be protected in which the security-supervision system of Figure 2 is operative.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION
The ensuing description is provided to enable a person skilled in the sector to implement and use the invention. Various modifications to the embodiments presented will be immediately evident to persons skilled in the sector and the generic principles disclosed herein could be applied to other embodiments and applications without thereby departing from the sphere of protection of the present invention.
Hence, the present invention must not be understood as being limited just to the embodiments described and shown, but it must be granted the widest sphere of protection in accordance with the principles and the characteristics presented herein and defined in the annexed claims.
The present invention regards a security-supervision system configured to supervise security of a site to be protected, such as, for example, an industrial site, a power plant for the production and/or distribution of energy, a port, an airport, a railway station, a bank, the headquarters of a company, etc.
In particular, the security-supervision system according to the present invention, unlike the known systems described previously, comprises a simulation software module that increases considerably the reliability and efficiency of the security-supervision system, both in conditions of normal operativeness and in the case where the site to be protected is the object of an attack and/or some components of the security-supervision system function in a degraded way on account of failures.
In detail, the simulation software module enables the security-supervision system to:
• pre-warn an operator of the security-supervision system, i.e., a person responsible for security, regarding an increased risk of intrusion in the site to be protected deriving from a situation of malfunctioning of some security sensors or devices and/or of some apparatuses of the ICT infrastructure, indicating in a precise way the paths of attack that have become more likely;
• help to recognize false alarms;
• help to understand which are, inside the site to be protected, the less protected areas and, hence, the ones with higher risk of attack;
• help to reconfigure in an optimal way security devices and sensors, for example redefining the orientation of orientable video cameras, following upon any failure or malfunctioning of a sensor or of a security device;
• identify realistic scenarios of attack;
• etc.
Consequently, the simulation software module adds a component of "artificial intelligence" to the security-supervision system enabling, amongst other things, provision of indications on the possible interventions of improvement, anticipating the moves of a hypothetical attacker, guiding the security staff during emergencies, optimizing the use of resources, etc.
Figure 2 shows a functional block diagram of a security-supervision system 200 according to the present invention for security supervision of a site to be protected (not illustrated in Figure 2).
As shown in Figure 2, the security-supervision system 200 comprises:
• the same components as those of the security-supervision system 100 shown in Figure 1 and described previously, said components being consequently identified in Figure 2 by the same reference numbers used in Figure 1 and not being described again; and
• a simulation software module 5.
In addition, once again as shown in Figure 2, the control software modules 2 of the security-supervision system 200 also comprise :
• interface and control modules 27 configured to interface with the simulation software module 5 and to control said simulation software module 5.
The simulation software module 5 is configured to simulate in a virtual environment actions and behaviours of one or more attackers that are assumed as having penetrated into the site to be protected.
In particular, the simulation software module 5 can carry out, either in background or upon request from an operator, i.e., a person responsible for security, simulations based upon:
• a description of the site to be protected in terms of topographical structure of the site (for example, based upon site layouts), active and passive security devices and sensors 3 installed in the site, security measures of a procedural type active in the site, configurations adopted, etc.;
• information on security and diagnostic alarms collected by the security-supervision system 200;
• other information, hereinafter referred to as "scenario information", coming from the outside world and acquired automatically through communications networks of the site to be protected, the Internet, or any other communications channel, and/or entered manually by an operator, said scenario information possibly coming from intelligence sources (signalling of possible attacks, presence of terrorist groups with particular technological skills, new threats, etc.), from the manufacturers of the security devices and sensors 3 (signalling of the discovery of new points of vulnerability or malfunctioning of the presence sensors 32, of the anti-intrusion sensors 33, of the entrance-control systems 34, etc.), from security experts, etc.
The description of the site to be protected can be kept updated in real time thanks to the interaction between the simulation software module 5 and the human/machine-interface software modules 1, the control software modules 2, the security devices and sensors 3, and the ICT infrastructure 4 of the security-supervision system 200. The necessary information can, in fact, totally or partially derive from the information used by the security-supervision system 200 to enable the security staff to locate the position in the site to be protected of the security devices and sensors 3 (for example, the video cameras 31, the presence sensors 32, and the anti-intrusion sensors 33) that have raised a security alarm, of each component of the security-supervision system 200 that has raised an alarm of a diagnostic type, and, more in general, of all the controlled devices.
The information on the security and diagnostic alarms collected by the security-supervision system 200 can be kept updated in real time thanks to the interaction between the simulation software module 5 and the other components of the security-supervision system 200, in particular the second control modules 22 and the third control modules 23.
The security-supervision system 200 uses, in background or upon request from the security staff, the simulation software module 5 for simulating attacks on the site to be protected and generating information on the most likely modes of attack. In this way, the security-supervision system 200 acquires new capabilities, which include:
• evaluation of the impact of possible security devices and sensors 3 and/or apparatuses of the ICT infrastructure 4 that are temporarily out-of-order and support to the decisions with reference to the corrective action that it is most expedient to adopt (such as, for example, variations on the habitual round of a patrol or installation of a temporary video camera, etc.);
• generation of pre-alarms, with indication of the modes and paths of attack that have become most likely following upon any malfunctioning of some security devices and sensors 3 and/or apparatuses of the ICT infrastructure 4 and/or following upon a change of the scenario conditions;
• automatic creation of "intelligent" default configurations (for example, default orientation of a panning video camera 31 such that, even in the absence of orders issued by a person responsible for security, this will frame the areas under higher risk, choice of which framings to maintain by default on the display, etc.);
• intelligent support in real time to the analysis and management of an alarm event (for example, activation of the video cameras 31 along the most likely path of attack in the case of alarm, sending security staff to the points most suitable for intercepting an attack, etc.);
• intelligent and automatic analysis of a real scenario of attack in progress with hypotheses on the causes of the alarm and with the capacity of distinguishing real alarms from false alarms, forecasting of the moves on the part of the attacker and of the most likely paths of attack;
• verification of the validity of the physical, logical and procedural security solutions adopted with consequent real-time and automatic identification of initial deficiencies of design or ones due to change of the scenario conditions, failure of the security devices and sensors 3, failure to respect procedures, etc.
Figure 3 shows in greater detail the interface and control modules 27.
In particular, as shown in Figure 3, the interface and control modules 27 comprise:
• first interface and control modules 271 for analysis and processing of the results of the simulations performed by the simulation software module 5 for presentation to the security staff, by means of the human/machine-interface software modules 1, of said results of the simulations performed and/or of further results obtained on the basis of their analysis and processing;
• second interface and control modules 272 for analysis and processing of the results of the simulations performed by the simulation software module 5 for reconfiguration of the security-supervision system 200 on the basis of said results of the simulations performed and/or of their analysis and processing;
• third interface and control modules 273 for acquiring from the security-supervision system 200 the data that enable a topographical description of the site to be protected, indicated on which are also the positions of the security devices and sensors 3 and of the apparatuses of the ICT infrastructure 4, the third interface and control modules 273 being further configured to translate said data into a digital format understandable to the simulation software module 5; and
• fourth interface and control modules 274 for collection, pre-processing, translation into a suitable digital format, and sending to the simulation software module 5 of the data supplied by the second control modules 22 and by the third control modules 23 and corresponding to the state of the security devices and sensors 3 and of the apparatuses of the ICT infrastructure 4 (security and diagnostic alarms, active/inactive state, etc.).
When the simulation software module 5 receives new data, in particular from the third interface and control modules 273 and from the fourth interface and control modules 274, it starts one or more simulation sessions.
Figure 4 is a schematic illustration of an example of a site 400 to be protected in which the security-supervision system 200 described previously is operative (only two video cameras of said system are shown designated, respectively, by 31a and 31b).
As shown in Figure 4, the site 400 comprises:
• a garage 401 that communicates with the outside of the site 400 by means of an electric-powered gate 402;
• a courtyard 403 installed in which are the video cameras 31a and 31b (Figure 4 shows schematically, by means of two pairs of dash-dot lines, the respective fields of vision of the video cameras 31a and 31b) and which communicates with the garage 401 by means of a first security exit 404 that can be opened only from inside the garage 401, the courtyard 403 communicating also with the outside of the site 400 by means of a second security exit 405 that can be opened only from inside the courtyard 403;
• a corridor 406 that communicates with the courtyard 403 by means of a third security exit 407 and a fourth security exit 408, which can both be opened only from inside the corridor 406;
• an entrance 409 controlled by sight by a watchman (not shown in Figure 4) located in a watchman's lodge 410 connected to the entrance 409 and separated therefrom by a transparent bullet-proof window (in Figure 4 designated by a dotted line of boundary between the entrance 409 and the watchman's lodge 410) that enables the watchman to control and identify the persons that enter the site 400 and exit therefrom through the entrance 409, the entrance 409 communicating with the outside of the site 400 by means of a first door 411 and with the garage 401 by means of a second door 412, said doors 411 and 412 being normally open because they are controlled by sight by the watchman, said entrance 409 moreover communicating with the corridor 406 by means of a first armoured door 413, opening of which is governed either by use of a badge possessed only by users authorised to enter the site 400 or by the watchman by means of a pushbutton for opening (not shown in Figure 4) present in the watchman's lodge 410, there also being present in the watchman's lodge 410 the local clients 11 (not illustrated in Figure 4) for showing the watchman, by means of displays, the films taken by the video cameras 31a and 31b and notifying the possible diagnostic and/or security alarms raised by the different components of the security-supervision system 200, in particular by the security devices and sensors 3, and by the apparatuses of the ICT infrastructure 4;
• a first room 414, present in which is a safe 415, which contains confidential documents and has an opening combination known only to a person responsible for the safe, the first room 414 communicating with the corridor 406 by means of a second armoured door 416 that can be opened only with first keys;
• a second room 417 that communicates with the corridor 406 by means of a first alarmed and armoured door 418 that can be opened only with second keys;
• a third room 419 that communicates with the corridor 406 by means of a second alarmed and armoured door 420 that can be opened only with third keys, the third room 419 being the office of the person responsible for the safe (not shown in Figure 4);
• a fourth room 421 that communicates with the corridor 406 by means of an alarmed door 422 and kept in which are the first, second, and third keys (not shown in Figure 4); and
• an alarm control unit 423 accessible from the corridor 406.
In particular, once again with reference to Figure 4, the scenario described hereinafter is considered.
The fourth interface and control modules 274 (not shown in Figure 4) receive from the third control modules 23 (not shown in Figure 4) the information that the third security exit 407 has been left open and consequently ask the simulation software module 5 to carry out simulations for analysing the impact of this event on the security of the site 400. On the basis of said request, the simulation software module 5, provided for example with the so-called software-agent technology, as will be described in detail in what follows, identifies various paths of attack and the level of risk associated thereto.
In detail, the simulation software module 5 identifies a potential attack and the corresponding path (represented in Figure 4 by a dashed arrow) in which an attacker 424 (in Figure 4 schematically represented by a stylised figure of a man):
• enters the garage 401 taking advantage of the fact that the electric-powered gate 402 remains open for a few seconds after an authorized access;
• reaches, through the first security exit 404, the courtyard 403 where he remains for a period so short as not to be noted by the watchman, with a first probability P1, in the pictures taken by the video camera 31b present in the courtyard 403 and shown on the displays present in the watchman's lodge 410 by the local clients 11;
• finds the second security exit that has been left open by mistake in violation of the security procedures of the site 400 and enters the corridor 406;
• reaches, through the corridor 406, the alarm control unit 423 and manages to de-activate the alarms of the second room 417, of the third room 419, and of the fourth room 421, the attacker 424 having, with a second probability P2, a level of technological know-how such as to enable him to de-activate the aforesaid alarms;
• enters the fourth room 421 where he steals the first, second, and third keys;
• enters the third room 419 where the person responsible for the safe has left, with a third probability P3, on a desk (not shown in Figure 4), in violation of the security procedures of the site 400, a ticket with the combination for opening the safe 415;
• opens the second armoured door 416 with the first keys, enters the first room 414, opens the safe 415, and steals confidential documents of value V contained in the safe 415; and
• escapes out of the site 400 traversing the second armoured door 416, the corridor 406, the fourth security exit 408, the courtyard 403, and, finally, the second security exit 405.
Consequently, associated to the potential attack identified by the simulation software module 5 is a level of risk R calculated according to the following equation:
R = P1 × P2 × P3 × V.
The data on the attacks identified are sent by the simulation software module 5 to the first interface and control modules 271 and to the second interface and control modules 272.
The first interface and control modules 271 process the results of the simulations verifying whether associated to the potential attack described previously is a level of risk that exceeds a threshold T (that can be set by the security staff). In particular, the first interface and control modules 271 alert, through the human/machine-interface software modules 1, the security staff of the site 400 if R>T.
The second interface and control modules 272 process the results of the simulations and, with reference to the potential attack previously described, send to the local clients 11 the order of showing on the displays present in the watchman's lodge 410, in the absence of different instructions on the part of the watchman, the pictures taken by the video camera 31b.
Hereinafter, without this implying any loss of generality, there follows a detailed description of a preferred embodiment of the simulation software module 5 based upon the so-called single or multiple software-agent technology. In any case, the simulation software module 5 could be conveniently provided using also other simulation techniques.
In particular, a software agent is a software and/or hardware system programmed/configured in such a way as to:
• be "conscious" of its own position in the simulated world;
• be capable of making autonomous choices; and
• have a flexible behaviour that will take into account the variations of scenario that it witnesses.
According to said approach, an attacker (for example, the attacker 424 of Figure 4) is impersonated in the simulated world by one or more software agents that receive an initial quota of "skills", "know-how", "tools", "time", etc. and possibly a target to be achieved. The software agents are then made to move in a virtual environment that models, as described in detail in what follows, the site to be protected (for example the site 400 of Figure 4) controlled by the security-supervision system 200. The model is dynamic in the sense that it is automatically and continuously modified so as to take into account the information coming from the outside world and from the security-supervision system 200 (in real time or otherwise) and, more specifically, from the first control modules 21, the second control modules 22, the third control modules 23, and the fifth control modules 25.
The simulation technique described hence enables very realistic simulations to be carried out that take into account, for example, possible failure or malfunctioning of the human/machine-interface software modules 1, of the control software modules 2, of the security devices and sensors 3, and of the apparatuses of the ICT infrastructure 4, of any possible distraction on the part of the guards (who could fail to abide by the procedures), and of the social-engineering skills of the potential attackers.
In detail, the security-supervision system 200 has available a topographical description of the site to be protected (for example the site 400 of Figure 4). Said topographical description also comprises, i.e., enables identification of, the positions of the security devices and sensors 3 inside the site to be protected. In particular, the site to be protected (for example, the site 400 of Figure 4) controlled by the security-supervision system 200 is represented, in the simulation/simulations executed by the simulation software module 5, by a model that is made up of areas, goods and attackers. In particular, the areas can consist of buildings, rooms (for example the entrance 409, the watchman's lodge 410, and the rooms 414, 417, 419 and 421 of Figure 4), physical containers (for example, the safe 415 of Figure 4), apparatuses (for example, the alarm control unit 423 of Figure 4), courtyards (for example, the courtyard 403 of Figure 4), gardens, carparks (for example, the garage 401 of Figure 4), etc.
Each attacker (for example, the attacker 424 of Figure 4), in the simulation/simulations executed by the simulation software module 5, is represented by a respective software agent and has a set of credentials of its own, i.e. the software agent comprises a plurality of respective characteristics. Said credentials of the attacker, or characteristics of the software agent, may vary during one and the same simulation executed by the simulation software module 5 and preferably comprise:
• a level of skill, which is a multidimensional parameter (and which, for example, with reference to the attack previously described and shown in Figure 4, comprises the technological know-how of the attacker 424 that is characterized by the second probability P2 and that enables him to de-activate the alarms of the rooms 417, 419 and 421);
• a possession of goods (which, for example, once again with reference to the example of attack previously described and shown in Figure 4, comprises, after the attacker 424 has entered the fourth room 421, the first, second, and third keys that have been stolen by the attacker 424 in the fourth room 421);
• character factors, for example resolution and ethical sense; and
• a time available before being discovered.
The areas of the model of the site to be protected comprise interfaces through which the attackers can gain access to said areas if they are equipped with appropriate credentials. Examples of interfaces are: doors (for example, the security exits 404, 405, 407 and 408, the doors 411 and 412, the armoured doors 413 and 416, the alarmed and armoured doors 418 and 420 and the alarmed door 422 of Figure 4), windows, walls, ceilings, floors, gates (for example, the electric-powered gate of Figure 4), boundaries, air space, etc.
Passing through an interface can occur through an attack or without violation, for example using a key for opening a door (for instance, with reference to the example of attack of Figure 4, using the badge for opening the first armoured door 413, or the first keys for opening the second armoured door 416, or the second keys for opening the first alarmed and armoured door 418, or the third keys for opening the second alarmed and armoured door 420). There can exist different modes for violating an interface, such as, for example, breaking down a door, or opening it with a jemmy. Said modes also represent just as many modes of attack on the interface. An attacker can have credentials that enable him to violate an interface using a given type of attack but are insufficient or inadequate for another type of attack. With reference to the example of attack previously described and shown in Figure 4, the attacker 424 does not have credentials sufficient to be able to break down the second armoured door 416, which, hence, can be passed through by the attacker 424, consequently without violation, only after the latter has come into possession of the first keys.
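The model of areas, one-way interfaces and credentials acquired along the way, combined with the risk equation R = P1 × P2 × P3 × V and the alert test R>T given earlier, can be exercised as follows. This is an added example for risk assessment, not code from the patent or the applicant; the numeric values of P1, P2, P3, V and T, the "alarms off" good and all function names are assumptions.

```python
import heapq
from itertools import count

# Constructed sample values: the patent gives P1, P2, P3, V and T only as symbols.
P1, P2, P3 = 0.5, 0.2, 0.1  # unnoticed in courtyard / able to disable alarms / combination on desk
V = 1_000_000               # value of the documents in safe 415
T = 5_000                   # alert threshold set by the security staff

def both_ways(a, b, name, needs=()):
    """An interface passable in both directions by an agent holding `needs`."""
    return [(a, b, name, frozenset(needs), 1.0), (b, a, name, frozenset(needs), 1.0)]

def build_interfaces(exit_407_open):
    """Directed edges (from, to, interface, goods needed, probability factor) for site 400."""
    none = frozenset()
    edges = [
        ("outside", "garage 401", "gate 402", none, 1.0),
        # Security exits open from one side only, so each is a single directed edge.
        ("garage 401", "courtyard 403", "security exit 404", none, P1),
        ("courtyard 403", "outside", "security exit 405", none, 1.0),
        ("corridor 406", "courtyard 403", "security exit 407", none, 1.0),
        ("corridor 406", "courtyard 403", "security exit 408", none, 1.0),
    ]
    if exit_407_open:  # real state reported by the third control modules 23
        edges.append(("courtyard 403", "corridor 406",
                      "security exit 407 (left open)", none, 1.0))
    edges += both_ways("outside", "entrance 409", "door 411")
    edges += both_ways("entrance 409", "garage 401", "door 412")
    edges += both_ways("entrance 409", "corridor 406", "armoured door 413", ["badge"])
    edges += both_ways("corridor 406", "alarm control unit 423", "direct access")
    # Assumption: alarmed doors are only passed once the alarms are de-activated.
    edges += both_ways("corridor 406", "room 421", "alarmed door 422", ["alarms off"])
    edges += both_ways("corridor 406", "room 419", "door 420", ["alarms off", "third keys"])
    edges += both_ways("corridor 406", "room 417", "door 418", ["alarms off", "second keys"])
    edges += both_ways("corridor 406", "room 414", "armoured door 416", ["first keys"])
    edges += both_ways("room 414", "safe 415", "combination lock", ["combination"])
    return edges

# Goods a simulated agent can acquire inside an area: area -> (goods gained, probability).
PICKUPS = {
    "alarm control unit 423": ({"alarms off"}, P2),
    "room 421": ({"first keys", "second keys", "third keys"}, 1.0),
    "room 419": ({"combination"}, P3),
}

def most_likely_attack(edges, target="safe 415", start="outside"):
    """Best-first search over (area, goods) states, maximising the probability product."""
    tie = count()  # tie-breaker so the heap never compares frozensets
    heap = [(-1.0, next(tie), start, frozenset(), [start])]
    done = set()
    while heap:
        neg_p, _, area, goods, path = heapq.heappop(heap)
        if area == target:
            return -neg_p, path
        if (area, goods) in done:
            continue
        done.add((area, goods))
        if area in PICKUPS and not PICKUPS[area][0] <= goods:
            gained, p = PICKUPS[area]
            heapq.heappush(heap, (neg_p * p, next(tie), area, goods | gained,
                                  path + [f"acquire {sorted(gained)}"]))
        for src, dst, name, needs, p in edges:
            if src == area and needs <= goods:
                heapq.heappush(heap, (neg_p * p, next(tie), dst, goods,
                                      path + [f"{name} -> {dst}"]))
    return 0.0, []  # no path: the target is unreachable with obtainable credentials

def assess(exit_407_open):
    """Return (risk R, alert raised?, path) for the given state of security exit 407."""
    p, path = most_likely_attack(build_interfaces(exit_407_open))
    risk = p * V
    return risk, risk > T, path

if __name__ == "__main__":
    for state in (False, True):
        risk, alert, path = assess(state)
        print(f"exit 407 open={state}: R={risk:.0f} alert={alert}")
        print("  " + "\n  ".join(path))
```

The search stops when the agent reaches the safe, so the escape leg of the described path is not modelled; with security exit 407 closed no route to the corridor exists without the badge and the risk is zero.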
In addition, to each interface there can be associated protection measures that can comprise: barriers (such as, for example, the security exits 404, 405, 407 and 408, the doors 411 and 412, the armoured doors 413 and 416, the alarmed and armoured doors 418 and 420 and the alarmed door 422 of Figure 4), the presence sensors 32, the anti-intrusion sensors 33 (such as, for example, the alarm sensors, not shown in Figure 4, associated to the alarmed and armoured doors 418 and 420 and to the alarmed door 422 of Figure 4), procedures, etc. The various types of protection measures can co-exist. An attack may require all the protection measures or just some of them to be overcome. The barriers constitute a physical obstacle to the violation of the interface.
The effectiveness of each barrier is represented by:
• a respective state (active/inactive) that can be defined deterministically (for example, when a barrier is open because an attacker has managed to violate it or has been left open on purpose) and/or depend upon the time and/or a procedure, in the latter case the state possibly being known deterministically if the barrier is controlled by the security-supervision system 200, or, otherwise, it possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
• respective credentials that enable passing through the barrier without attacking it (for example, by using keys, passwords, badges, biometric characteristics, etc.);
• a respective (multidimensional) parameter that represents the respective resistance to violation;
• a respective probability of circumvention without violation (which can even be equal to zero);
• a respective probability of failure (that depends upon the barrier, the age of the system of protection of the barrier, and the date of the last maintenance intervention);
• a respective time required for violation (which is a function of the credentials of the attacker and of the resistance of the barrier);
• a respective visibility;
• a respective cost (that enables search for optimal solutions according to the budget available for installation of the protection measures); and
• respective information on the respective real state (active/inactive, functioning/failed) supplied to the simulation software module 5 by the other components of the security-supervision system 200, in particular by the entrance-control systems 34 and by the second control modules 22 through the fourth interface and control modules 274.
The anti-intrusion sensors 33 do not oppose violation of the interface but reveal a violation thereof and, in the case where they reveal a violation thereof, raise an alarm, thus reducing the time available to the attacker before he is discovered. The anti-intrusion sensors 33 can conveniently comprise door-opening sensors, microphone sensors that detect breaking of a window or knocking down of a wall, vibration sensors that detect attempts at climbing over a fence, pressure sensors that react if they are trodden on, laser or infrared barriers that react if they are traversed, video cameras with functions of motion detection or intelligent analysis of scenes, etc.
Each anti-intrusion sensor 33 preferably comprises the following characteristics:
• a respective state (active/inactive) that can be deterministically defined (for example, when a sensor is inactive because an attacker has managed to de-activate it or is left inactive on purpose) and/or depend upon the time and/or upon a procedure, in the latter case the state possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
• a respective (multidimensional) parameter that represents the respective resistance to circumvention;
• a respective probability of detection of a violation;
• a respective probability of failure (which depends upon the sensor, the age thereof, and the date of the last maintenance intervention);
• a respective time that elapses between signalling of alarm by the sensor and intervention of the guards;
• a respective visibility;
• a respective cost (which enables search for optimal solutions according to the budget available for installation of the protection measures) ; and
• respective information on the respective real state (active/inactive, functioning/failed) supplied to the simulation software module 5 by the other components of the security-supervision system 200, in particular by the second control modules 22 through the fourth interface and control modules 274.
To each area there can be associated the presence sensors 32 configured to detect the presence of a person in the area to which they are associated. Typical examples of presence sensors 32 are microwave, infrared, dual-technology detectors, video cameras with functions of motion detection or intelligent analysis of scenes, etc. Each presence sensor 32 preferably comprises the following characteristics:
• a respective state (active/inactive) that can be defined deterministically (for example when a sensor is inactive because an attacker has managed to de-activate it or is left inactive on purpose) and/or depend upon the time and/or upon a procedure, in the latter case, if the sensor is not controlled by the security-supervision system 200, the state possibly being determined only on a probabilistic basis in so far as the security procedure might not have been respected;
• a respective (multidimensional) parameter that represents the respective resistance to circumvention;
• a respective probability of detection;
• a respective probability of failure (which depends upon the sensor, the age thereof, and the date of the last maintenance intervention);
• a respective time that elapses between signalling of alarm by the sensor and intervention of the guards;
• a respective visibility;
• a respective cost (which enables search for optimal solutions according to the budget available for installation of the protection measures); and
• respective information on the respective real state (active/inactive, functioning/failed) supplied to the simulation software module 5 by the other components of the security-supervision system 200, in particular by the second control modules 22 through the fourth interface and control modules 274.
In addition, the simulation software module 5 can conveniently take into account also security measures of a procedural type that are associated to the pairs goods/area, as described in detail in what follows, and to the pairs measures of security of a non-procedural type/interface.
In particular, the procedures associated to the measures of security of a non-procedural type are characterized by:
• a specification of the time intervals (time/date) in which the state of the aforesaid measures must be active or inactive;
• a probability that the security procedure has not been respected; and
• a cost (that enables search for optimal solutions according to the budget available for installation of the protection measures).
The procedures associated, instead, to a pair goods/area are characterized by:
• a specification of the time intervals (time/date) in which the area is authorised to contain the goods;
• a probability that the security procedure has not been respected; and
• a cost (which enables search for optimal solutions according to the budget available for installation of the protection measures).
In addition, the state of an interface can change in the course of a simulation. The information on the real state of an interface is supplied to the simulation software module 5 by the third interface and control modules 273 and by the fourth interface and control modules 274.
The use of an interface by an attacker has a cost for the attacker (possibly zero) that depends upon the characteristics of the interface. The cost manifests itself in loss of credentials (including the time available before being discovered). An attacker can receive a "prize" or pay a given price following upon access to an area; in particular there may occur:
• a modification of the credentials of the attacker (including the time available before being discovered); and
• a modification of the state of the interfaces of the area violated and/or of other areas (in particular consider that almost always the violation of an interface has as its result the violation also of the corresponding interface that connects the two areas concerned in the opposite direction).
To each area there may be associated one or more goods that generally can be of two types:
• prizes for the attacker (keys, information (for instance, with reference to the example of attack previously described and shown in Figure 4, the combination of the safe 415), badges, passwords, additional time, capacity of activating/de-activating the state of interfaces, etc.); and
• material goods (for instance, with reference to the example of attack previously described and shown in Figure 4, the confidential documents contained in the safe 415 and stolen by the attacker 424) subtraction/destruction of which causes a loss for the owner of the site.
In addition, to each area there can be associated a minimum time of stay that represents the minimum time that the attacker must spend in the area before being able to attempt the next attack.
Furthermore, to the material goods there can be associated a multidimensional parameter, which represents the loss that the owner of the site suffers following upon access to the area by the attacker.
Preferably, the attackers are characterized deterministically or probabilistically (i.e., through the probability-distribution functions) by the possession of the following credentials (or characteristics):
• skills defined on a probabilistic basis via a (multidimensional) parameter to be compared with the levels of resistance of the protection measures, in particular with the parameters that measure the resistance to violation of the barriers and the resistance to circumvention of the presence sensors 32 and of the anti-intrusion sensors 33; since the skills are expressed via a multidimensional parameter it is possible to distinguish, for example, a very skilled burglar from a very skilled hacker, the components of the parameter being the same as the ones used for defining the parameters that measure the resistance to violation of the barriers and the resistance to circumvention of the presence sensors 32 and of the anti-intrusion sensors 33; skills can, for example, be expressed in terms of physical-security know-how, logical-security know-how, physical ability, psychological skills (social engineering);
• goods possessed (for example keys, passwords, badges, etc.), which enable the barriers to be traversed without violation;
• time available before being discovered, a time that can be defined deterministically and that varies during simulation according to the choices made by the attacker;
• resolution, which expresses the importance that the attacker gives to the fact of possibly being discovered and to the consequences of this eventuality (if the attacker is very resolute he will exploit all the time available before desisting, causing the maximum possible damage; if he is not very resolute, he will attempt to avoid the interfaces and the areas protected by sensors (if they are visible) and will desist after using only a part of the time available).
To decide whether an attack through a given interface is successful or not the characteristics of the interface with reference to the particular attack considered are compared with the credentials of the attacker. The comparison can be of a deterministic type or of a probabilistic type depending upon the credential considered and the characteristics of the interface.
The advantages of the present invention can be readily understood from the foregoing description.
In particular, it is emphasized how the security-supervision system according to the present invention is an "intelligent" system much more reliable and efficient than currently known security-supervision systems, both in conditions of normal operativeness and in the case where the site to be protected is the object of an attack and/or some components of the security-supervision system function in a degraded way on account of failures.
Said advantage derives from the fact that the security-supervision system according to the present invention comprises the simulation software module.
Finally, it is clear that various modifications may be made to the present invention, all of which fall within the sphere of protection of the present invention defined in the annexed claims.
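The comparison of attacker credentials with interface and sensor characteristics described above can be run as a Monte Carlo simulation over one attack path; the following Python code is an added example, not part of the patent text. The component-wise `>=` comparison, the rule that an alarm caps the remaining time at the guards' intervention time, the risk as probability times loss, and all names and numeric values are assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Sensor:
    p_detect: float       # probability of detection of a violation
    p_fail: float         # probability of failure
    response_time: float  # time between alarm and intervention of the guards
    resistance: dict      # resistance to circumvention, one level per skill dimension
    active: bool = True   # real state as reported by the control modules

@dataclass
class Interface:
    name: str
    resistance: dict            # barrier resistance to violation
    time_cost: float            # time spent violating the barrier
    key: Optional[str] = None   # good that allows traversal without violation
    sensors: list = field(default_factory=list)
    min_stay: float = 0.0       # minimum time of stay in the area reached

@dataclass
class Attacker:
    skills: dict                # multidimensional skill parameter
    time_available: float       # time available before being discovered
    goods: frozenset = frozenset()

def meets(skills, resistance):
    # Assumed deterministic comparison: every component must reach the resistance.
    return all(skills.get(dim, 0) >= level for dim, level in resistance.items())

def simulate_path(attacker, path, rng):
    """Run one simulated attack; return 'success', 'blocked' or 'discovered'."""
    time_left = attacker.time_available
    for iface in path:
        has_key = iface.key is not None and iface.key in attacker.goods
        if not has_key and not meets(attacker.skills, iface.resistance):
            return "blocked"
        for s in iface.sensors:
            if not s.active or rng.random() < s.p_fail:
                continue                      # inactive or failed: no alarm
            if meets(attacker.skills, s.resistance):
                continue                      # sensor circumvented
            if rng.random() < s.p_detect:     # probabilistic comparison
                time_left = min(time_left, s.response_time)
        time_left -= (0.0 if has_key else iface.time_cost) + iface.min_stay
        if time_left < 0:
            return "discovered"
    return "success"

def estimate_risk(attacker, path, loss, runs=20000, seed=1):
    """Monte Carlo estimate: (probability of success, probability * loss)."""
    rng = random.Random(seed)
    wins = sum(simulate_path(attacker, path, rng) == "success" for _ in range(runs))
    return wins / runs, wins / runs * loss

def demo_site():
    """Constructed three-interface path ending at a safe; all values illustrative."""
    fence = Interface("fence", {"physical": 2}, 60,
                      sensors=[Sensor(0.8, 0.1, 240, {"physical": 4})])
    door = Interface("door", {"physical": 3}, 120, key="badge",
                     sensors=[Sensor(0.9, 0.05, 200, {"logical": 3})])
    safe = Interface("safe", {"physical": 5}, 300, key="combination", min_stay=90)
    burglar = Attacker({"physical": 3, "logical": 1}, 600, frozenset({"combination"}))
    return burglar, [fence, door, safe]

if __name__ == "__main__":
    attacker, path = demo_site()
    print("all sensors working:", estimate_risk(attacker, path, loss=100_000))
    path[0].sensors[0].active = False   # fence sensor reported inactive
    print("fence sensor inactive:", estimate_risk(attacker, path, loss=100_000))
```

With these constructed values any alarm leads to discovery, so the estimated probability of success is about 0.04 with both sensors working and about 0.145 once the fence sensor is reported inactive, which is the kind of state change that triggers a new simulation in the system described.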

Claims

1. A security-supervision system (200) configured to supervise security of a site (400) to be protected, characterized by comprising a simulation software module (5) configured to simulate in a virtual environment potential violations of the security of the site (400) perpetrated by simulated attackers (424).
2. The security-supervision system according to Claim 1, comprising security sensors (3) and security devices (3) installed in the site (400) in respective positions and configured to:
• guarantee the security of the site (400);
• detect, within the site (400), any anomalous situations indicative of violations of the security of the site (400); and,
• if they detect said anomalous situations, raise alarms;
the simulation software module (5) being configured to simulate in the virtual environment said potential violations of the security of the site (400) on the basis of the position in the site (400) of the security sensors (3) and of the security devices (3), on the basis of an operating state of said security sensors (3) and of said security devices (3), on the basis of the alarms raised by the security sensors (3) and by the security devices (3) and on the basis of first and second data, the first data digitally representing security measures adopted in the site (400) and the second data digitally representing a topographical structure of the site (400).
3. The security-supervision system according to Claim 2, further comprising control software modules (2) coupled with the security sensors (3), the security devices (3), and the simulation software module (5) and configured to:
• provide the simulation software module (5) with the first data, the second data, and the position in the site (400) of the security sensors (3) and of the security devices (3);
• control and configure the security sensors (3) and the security devices (3);
• provide the simulation software module (5) with a current configuration of the security sensors (3) and of the security devices (3);
• acquire from said security sensors (3) and from said security devices (3) the respective raised alarms;
• determine the operating state of said security sensors (3) and of said security devices (3);
• provide the simulation software module (5) with the operating state of the security sensors (3) and of the security devices (3), and with the alarms raised by the security sensors (3) and by the security devices (3);
• if the operating state of a security sensor (3) or of a security device (3) changes or if a security sensor (3) or a security device (3) raises an alarm or if the current configuration of the security sensors (3) and of the security devices (3) changes, operating the simulation software module (5) so that it simulates in the virtual environment said potential violations of the security of the site (400);
the simulation software module (5) being configured to simulate in the virtual environment said potential violations of the security of the site (400) also on the basis of the current configuration of the security sensors (3) and of the security devices (3).
4. The security-supervision system according to Claim 3, wherein the simulation software module (5) is further configured to provide the control software modules (2) with results obtained on the basis of the simulated potential violations of the security of the site (400); the control software modules (2) being further configured to:
• carry out an analysis of the results provided by the simulation software module (5); and
• reconfigure the security sensors (5) and the security devices (5) on the basis of said results provided by the simulation software module (5) and of their analysis.
5. The security-supervision system according to Claim 4, wherein the results provided by the simulation software module (5) comprise simulated attacks each of which comprises a respective path within the site (400) done by a respective simulated attacker (424), respective actions performed within the site (400) by said simulated attacker (424), and a respective risk associated with the simulated attack and calculated by the simulation software module (5) on the basis of the position in the site (400), of the operating state and of the current configuration of the security sensors (3) and of the security devices (3), on the basis of the alarms raised by the security sensors (3) and by the security devices (3) and on the basis of the first and second data.
6. The security-supervision system according to Claim 4 or Claim 5, further comprising human/machine-interface software modules (1) coupled with the control software modules (2) and configured to:
• acquire from the control software modules (2)
- the position in the site (400) of the security sensors (3) and of the security devices (3),
- the operating state of the security sensors (3) and of the security devices (3),
- the alarms raised by the security sensors (3) and the security devices (3),
- the current configuration of the security sensors (3) and of the security devices (3), and
- the results provided by the simulation software module (5) and results of the analysis carried out by the control software modules (2);
• notify to a security staff of the site (400)
- the alarms raised by the security sensors (3) and by the security devices (3) together with the respective position in the site (400) of said security sensors (3) and of said security devices (3) that have raised them,
- changes of the operating state of the security sensors (3) and of the security devices (3) together with the position in the site (400) of said security sensors (3) and of said security devices (3),
- the current configuration of the security sensors (3) and of the security devices (5), and
- the results provided by the simulation software module (5) to the control software modules (2) and the results of the analysis carried out by the control software modules (2);
• enable the security staff to
- modify the current configuration of the security sensors (3) and of the security devices (5),
- operate the simulation software module (5) so that it simulates in the virtual environment said potential violations of the security of the site (400),
- modify the first and second data, and
- enter first scenario information to be used in the simulations;
the simulation software module (5) being configured to simulate in the virtual environment said potential violations of the security of the site (400) also on the basis of said first scenario information.
7. The security-supervision system according to any Claim 3-6, further comprising an information and communication infrastructure (4) made up of a plurality of apparatuses, the control software modules (2) being further configured to:
• determine an operating state of the apparatuses of the information and communication infrastructure (4);
• provide the simulation software module (5) with the operating state of the apparatuses of the information and communication infrastructure (4); and,
• if the operating state of an apparatus of the information and communication infrastructure (4) changes, operates the simulation software module (5) so that it simulates in the virtual environment said potential violations of the security of the site (400);
the simulation software module (5) being configured to simulate in the virtual environment said potential violations of the security of the site (400) also on the basis of the operating state of the apparatuses of the information and communication infrastructure (4).
8. The security-supervision system according to any Claim 2-7, coupled, through a communications network, with a device to receive from said device second scenario information entered by a user;
the simulation software module (5) being configured to simulate in a virtual environment said potential violations of the security of the site (400) also on the basis of said second scenario information.
9. The simulation software module (5) for a security-supervision system (200) according to any preceding claim.
10. A software program loadable into a memory of an electronic processor of a security-supervision system (200) and configured, when run by said computer, to implement the simulation software module (5) according to any preceding claim.
11. A computer program product comprising computer-readable storing means wherein the software program according to Claim 10 is stored.
12. An electronic processor for a security-supervision system (200), wherein the software program according to Claim 10 is stored.
PCT/IT2009/000519 2009-11-18 2009-11-18 Smart security-supervision system WO2011061767A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IT2009/000519 WO2011061767A1 (en) 2009-11-18 2009-11-18 Smart security-supervision system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IT2009/000519 WO2011061767A1 (en) 2009-11-18 2009-11-18 Smart security-supervision system

Publications (1)

Publication Number Publication Date
WO2011061767A1 true WO2011061767A1 (en) 2011-05-26

Family

ID=42289350

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IT2009/000519 WO2011061767A1 (en) 2009-11-18 2009-11-18 Smart security-supervision system

Country Status (1)

Country Link
WO (1) WO2011061767A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10564258B2 (en) 2014-10-09 2020-02-18 Utc Fire & Security Corporation Advanced identification techniques for security and safety systems
US11636239B2 (en) 2019-06-03 2023-04-25 At&T Intellectual Property I, L.P. Method and apparatus for simulating events on smart cities

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060059557A1 (en) * 2003-12-18 2006-03-16 Honeywell International Inc. Physical security management system
US20060190228A1 (en) * 2005-02-24 2006-08-24 Ultravision Security Systems, Inc. Method for modeling and testing a security system

Similar Documents

Publication Publication Date Title
AU2020203351B2 (en) Drone-augmented emergency response services
EP3729391B1 (en) Monitoring system for securing networks from hacker drones
US10223888B2 (en) Personnel authentication and tracking system
KR101610657B1 (en) Three-dimensional virtual entrance control and communicable disease control system and method based on entrance control data
US8272053B2 (en) Physical security management system
US7158022B2 (en) Automated diagnoses and prediction in a physical security surveillance system
CN108133527A (en) Wisdom garden access control system and its entrance guard authentication method and gate inhibition's method of control
KR101492799B1 (en) Entrance control integrated video recording system and method thereof
CN117912186A (en) Intelligent security linkage early warning system based on big data service
CN116862740A (en) Intelligent prison management and control system based on Internet
US20210264137A1 (en) Combined person detection and face recognition for physical access control
EP3163521A1 (en) Method and system of adaptive building layout/efficiency optimization
WO2011061767A1 (en) Smart security-supervision system
Xie et al. On‐line physical security monitoring of power substations
KR102124164B1 (en) Inner door system with visitor monitoring function
US20230044156A1 (en) Artificial intelligence-based system and method for facilitating management of threats for an organizaton
Cheh et al. Modeling adversarial physical movement in a railway station: classification and metrics
Bhati et al. Control Strategy Based on Vision for Security in Communication Systems
Berberova et al. Risk-informed security system. The use of surveillance cameras for the particularly hazardous facilities safety
CN211149534U (en) Intelligent storage and control system for valuables
Himelwright Cybersecurity & Correctional Institutions
Zeegers Security of Infrastructure
Smith Security technology in the protection of assets
CN116471377A (en) Security equipment control method, device and storage medium based on Internet
JP2023004657A (en) Track management system, method for tracking, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09808965

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09808965

Country of ref document: EP

Kind code of ref document: A1