A robust approach for on-line and off-line threat detection based on event tree similarity analysis

The security of railway and mass-transit systems is increasingly dependant on the effectiveness of integrated Security Management Systems (SMS), which are meant to detect threats and to provide operators with information required for alarm verification purposes. In order to lower the false alarm rate and improve the detection reliability of threat scenarios, event correlation capabilities need to be integrated into the SMS. In this paper an existing approach based on a-priori defined event patterns is extended using a heuristic situation recognition approach which is more robust to both imperfect scenario modeling (human faults) and missed detections (sensor faults). The approach is based on similarity analysis between the event trees representing scenarios and it is effective both on-line and off-line. Applied on-line, it allows for an earlier and more fault-tolerant threat detection, since scenario matching is not required to be complete nor exact. Applied off-line, its effectiveness is twofold: first, it allows for detecting redundancies when updating the scenario repository; secondly, it enhances the post-event forensic search of suspicious behaviors not previously stored in the scenario repository. The strategy is being experimented in the context of railway protection.