Aerospace and Electronic Systems Magazine November 2017 - 16

Provisioning for a Distributed ATM Security Management: The GAMMA Approach
versary for each moment of time given the received event detections. Parameters P,S of the adversary's state are estimated using
dynamic Bayesian network for sequential data analysis, which is
similar to the approaches used for Bayesian multiple target tracking [25].
The AEP system updates its internal parameters using newly
received information for each moment of time, similar to the correction step of Bayesian filters, updating the adversary's state beliefs (probability distribution). Parameter T is estimated based on
game theory methods. From the estimated probability distribution
over the adversary's state, a subset of most probable states is selected.
An expected impact is estimated for each of the selected states
based on the predefined impact values, estimated adversary's
skills, and the properties of the implemented security control. Derived information is reported to the SMP modules via the internal
event bus.

INFORMATION EXCHANGE GATEWAY
The IEG aims at providing strong mechanisms for protection of
web services against the most sophisticated attacks. Concretely,
the IEG is capable of detecting new kinds of malicious contents
and intercepting them by deciphering, analyzing, and confronting
the messages with access control and filtering policies. Thus, it
serves to protect web services from XML-based threats. The IEG
is placed to face the web service provider. It scans incoming-outgoing XML traffic in order to protect the assets for a given perimeter. Therefore, all requests coming from the web server consumer
addressing the web server provider is inspected by the IEG before
they reach the web server provider. In the case that the requested
content is not considered as malicious, it reaches the destination.
Otherwise, the IEG drops the content. The main functionalities of
the IEG are as follows:
C

Malicious content detection capabilities:
deep packet inspection on SOAP (Simple Object Access
Protocol) messages to examine precisely the payload and
also the header of the packet in order to search for protocol noncompliance, malware, intrusions or other kind of
malicious contents;

INFORMATION DISSEMINATION SYSTEM
The IDS is a module that interacts with a multitude of event sources. It receives security information from other modules over the
internal event bus using the open messaging system of Kafka from
the Apache Software Foundation [26]. The information is retained
within the IDS and can be accessed by the authorized users. The
IDS facilitates manual as well as automatic dissemination of security information to other stakeholders at national or European
levels.
An IDS instance of SMPs at the national level is connected to
another IDS instance of the SMP at the European level. When IDS
instances are up and running, a secure network connection is established between SMPs to share the security information. All the received security information within IDS is disseminated on a needto-know basis by applying dissemination rules on the content of
the security information, the source, and the expected destination.
After applying the dissemination rules to the security information,
the designated SMP nodes are known and the security information
is encrypted and sent to these nodes. The SMP nodes receive, store,
and forward the security information via their internal event bus to
the other modules within their SMP domain.
Other than disseminating security information between nodes
coming from other SMP modules, the IDS provides situational
awareness, in both the temporal and spatial domains, of (potential)
incidents with related information (e.g. alarms, security information, intelligence information) received from connected detection
systems. The information is presented on a concise situational
awareness display with the possibility to zoom at different levels.
The IDS provides the means to the situational awareness display
for incorporating other dynamic information (e.g. traffic, weather,
etc.) received from external systems.

OTHER SYSTEM-LEVEL PROTOTYPES
In this section, we provide further details about the local security
functions, named as security prototypes that are implemented in
GAMMA for proof of concept purposes.
16

bad request detection by using rule-based methods and
whitelist mechanisms combined with strict content validation policies;
reverse proxy behavior by forwarding requests to the web
services provider in case the content is considered as safe.
Otherwise, the requests are blocked and they are not forwarded to the web service provider.
C

Access control capabilities:
support for authentication methods; the IEG is compliant with WS-Security standards (authentication,
signatures, and encryption) and offers other kinds of
services, like Transport Layer Security (TLS), for communication encryption and mutual authentication using
X.509 certificates to authenticate the server and the client as well.

Log and transfer security alerts:
Malicious SOAP transactions' registration with log message; transactions are referenced with a unique identification.

SATCOM SECURITY
The SATCOM security prototype is a client-server softwarebased solution designed to secure the management and control of
the communication in satellite networks. It is to detect and offer
countermeasures to the threats, from a technical and/or operational
point of view. The impact of the threats identified earlier targeting
SATCOM SA is reduced by the coordinated functions of a set of
modules integrated in the prototype. The functions of SATCOM
security prototype are as follows:

IEEE A&E SYSTEMS MAGAZINE

NOVEMBER 2017

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017