Advances in Computer Science: an International Journal Vol. 3, Issue 4, July 2014 © ACSIJ PUBLICATION www.ACSIJ.org ISSN : 2322-5157 ACSIJ Reviewers Committee 2014  Prof. José Santos Reyes, Faculty of Computer Science, University of A Coruña, Spain  Dr. Dariusz Jacek Jakóbczak, Technical University of Koszalin, Poland  Dr. Artis Mednis, Cyber-Physical Systems Laboratory Institute of Electronics and Computer Science, Latvia  Dr. Senlin Liang, Department of Computer Science, Stony Brook University, USA  Dr. Ehsan Mohebi, Department of Science, Information Technology and Engineering, University of Ballarat, Australia  Sr. Mehdi Bahrami, EECS Department, University of California, Merced, USA  Dr. Sandeep Reddivari, Department of Computer Science and Engineering, Mississippi State University, USA  Dr. Chaker Bechir Jebari, Computer Science and information technology, College of Science, University of Tunis, Tunisia  Dr. Javed Anjum Sheikh, Assistant Professor and Associate Director, Faculty of Computing and IT, University of Gujrat, Pakistan  Dr. ANANDAKUMAR.H, PSG College of Technology (Anna University of Technology), India  Dr. Mohammad Nassiri, Faculty of Engineering, Computer Departement, Bu-Ali Sina University, Hamedan, Iran  Dr. Indrajit Saha, Department of Computer Science and Engineering, Jadavpur University, India  Prof. Zhong Ji, School of Electronic Information Engineering, Tianjin University, Tianjin, China  Dr. Heinz DOBLER, University of Applied Sciences Upper Austria, Austria  Dr. Ahlem Nabli, Faculty of sciences of Sfax,Tunisia  Dr. Ajit Kumar Shrivastava, TRUBA Institute of Engg. & I.T, Bhopal, RGPV University, India  Mr. S. Arockiaraj, Mepco Schlenk Engineering College, Sivakasi, India  Prof. Noura AKNIN, Abdelmalek Essaadi University, Morocco ACSIJ Editorial Board 2014  Dr. Seyyed Hossein Erfani ( Chief Editor ), Azad University, Tehran, Iran  Dr. Indrajit Saha, Department of Computer Science and Engineering, Jadavpur University, India  Mohammad Alamery, University of Baghdad, Baghdad, Iraq ACSIJ Published Papers are Indexed By: 1. Google Scholar 2. EZB, Electronic Journals Library ( University Library of Regensburg, Germany) 3. DOAJ, Directory of Open Access Journals 4. Bielefeld University Library - BASE ( Germany ) 5. Academia.edu ( San Francisco, CA ) 6. Research Gate ( MA, USA ) 7. Research Bible ( Tokyo, Japan ) 8. Academic Journals Database 9. Technical University of Applied Sciences ( TH - WILDAU Germany) 10. AcademicKeys 11. WorldCat (OCLC) 12. TIB - German National Library of Science and Technology 13. The University of Hong Kong Libraries 14. Science Gate 15. OAJI Open Academic Journals Index. (Russian Federation) 16. Harvester Systems University of Ruhuna 17. J. Paul Leonard Library _ San Francisco State University 18. OALib _ Open Access Library 19. Université Joseph Fourier _ France 20. CIVILICA ( Iran ) TABLE OF CONTENTS Anomaly Detection Mechanism based on Common NSM Data Objects for Advanced Metering Infrastructure – (pg 1-9) Seongho Ju, Yonghun Lim, Chunghyo Kim, Kyungseok Jeon E-Readiness Assessment Model for Low Bandwidth Environment – (pg 10-19) Nazir Ahmad Suhail CLASSIFICATION ENVIRONMENTAL SOUND WITH WAVELET – (pg 20-23) Aref Farhadi Pour, Mohammad Asgari A Framework for Developing Secure Application in Service – Oriented Architecture – (pg 24-36) Fariba Roozbeh Citizens’ Readiness for e-Government Services in Tanzania – (pg 37-45) Mohamed Dewa, Irina Zlotnikova Chaotic Image Encryption Based On Discrete Wavelet – (pg 46-50) Amirhoushang Arab Avval, Jila Ayubi A Hybridized Artificial Neural Network and Optimization Algorithms for the Diagnosis Of Cardiac Arrhythmias – (pg 51-58) Ali Bahadorinia, Ali Dolatabadi, Ahmad Hajipour Integration technique method using Kekre transform – (pg 59-67) H. B. Kekre, V. R. Lakshmi Gorty Target Localization Using Cooperative Unmanned Aerial Vehicles – (pg 68-73) Ali Pirshayan, Hadi Seyedarabi, Siamak Haghipour Locomotion Planning with 3D Character Animations by Combining Reinforcement Learning Based and Fuzzy Motion Planners – (pg 74-81) Peyman Massoudi, Alireza Bagheri Finding Two Maximum Separating Circles – (pg 82-88) Afsaneh Hellatabadi Farahani, Alireza Bagheri A Game Informatical Comparison of Chess and Association Football (Soccer) – (pg 89-94) Norizan Mat Diah, Nathan Nossal, Nor Azan Mat Zin, Tadaki Higuchi, Hiroyuki Iida A Secure Model for Remote Electronic Voting: A Case of Tanzania – (pg 95-106) Sylvester Kimbi, Irina Zlotnikova Applications of Artificial Life and Digital Organisms in the Study of Genetic Evolution – (pg 107-112) Maurice HT Ling Explicit Object-Oriented Program Representation for Effective Software Maintenance – (pg 113-123) Bassey Isong Clustering Algorithm to Reduce Power Consumption in Wireless Sensor Network – (pg 124-129) Ayat Kazemi, Ehsan Akhtarkavan ACSIJ Advances in Computer Science: an International Journal, Vol. 3, Issue 4, No.10 , July 2014 ISSN : 2322-5157 www.ACSIJ.org Anomaly Detection Mechanism based on Common NSM Data Objects for Advanced Metering Infrastructure Seongho Ju1, Yonghun Lim2, Chunghyo Kim3 and Kyungseok Jeon4 1 Smart Energy Laboratory, Korea Electric Power Corporation Research Institute Daejeon, Korea [email protected] 2 Smart Energy Laboratory, Korea Electric Power Corporation Research Institute Daejeon, Korea [email protected] 3 Smart Energy Laboratory, Korea Electric Power Corporation Research Institute Daejeon, Korea [email protected] 4 Smart Energy Laboratory, Korea Electric Power Corporation Research Institute Daejeon, Korea [email protected] Abstract grids [1]. That is the reason why Network and System The increasing role of information infrastructures in today‟s Management (NSM) data object models are standardized power system results in a demand for high level of network in IEC TC57 WG15 [2], and then defined specific to AMI availability and reliability. However, unlike the traditional by EPRI Projects [3-5]. Information Technology environment, power system has a few NSM data object models in [2] are defined for the purpose characteristics, which makes us develop network and system of the high levels of reliability as well as security in smart. management (NSM) data object models. The initiative steps They consist of „communications health‟, „end system have been launched at IEC standardization, and show what health‟, and „intrusion detection system (IDS)‟ NSM data needs to be defined and monitored for enhanced reliability and availability of power system, but except Advanced Metering object models which are divided into four, two, and seven Infrastructure (AMI). Considering its territory and environment, subtopics in more details, respectively. The first model it seems to be more important to develop common NSM data deals with network and protocol, the second one does with objects for AMI. EPRI identified a common set of AMI electric end system, and the last one treats intrusion detection meter alarms and events later, but not NSM objects broadly. We elements to be monitored. As appears by those elements, investigate current efforts for AMI security, and then suggest the IEC is not concerned about only security, but also all common AMI NSM objects with some exemplars in this paper. hazards including operator carelessness and equipment Our work is expected to become a stepping stone toward failure. It is reasonable to follow this type of approach for reliable Smart grid. power system‟s availability because careless errors can Keywords: AMI, Anomaly Detection, NSM, Security. cause lots of vulnerabilities in cyber infrastructure [6, 7]. It does not matter what a problem is made by, but does 1. Introduction how a problem could be alerted to and responded by operators in a timely and appropriate way. Smart grids which are next generation of power system NSM data object models could be used to get situational have become interesting nowadays. In smart grids, it is awareness of power system in holistic manner by expected to control and manage energy efficiently based supporting communications network integrity, system and on advanced Information Infrastructure (IT) technologies. application health, and many other security management However, smart grids cannot help inheriting security requirements [8]. However, they are specific to power vulnerabilities required to be solved in IT, but that is not system – transmission and distribution area, and won‟t be enough. Unlike traditional IT networks which mainly appropriate for AMI because of their different focus on information confidentiality and integrity, requirements and environments. Power system must rank availability is the most important factor to be met in smart availability with the highest importance, whereas 1 Copyright (c) 2014 Advances in Computer Science: an International Journal. All Rights Reserved. ACSIJ Advances in Computer Science: an International Journal, Vol. 3, Issue 4, No.10 , July 2014 ISSN : 2322-5157 www.ACSIJ.org confidentiality might be the most critical problem in AMI. authentication mechanisms. Those processes are primary Most AMI components are deployed outdoor, which security methods against threats, but not enough for the makes AMI more vulnerable to an act of sabotage and awareness of the current situation in AMI. vandalism than power system. Contrary to power system IEC TC57 WG15 defined what information is needed components which provide little or no support for logging to manage the information infrastructure as reliably as the capabilities and rely on perimeter control components to power system infrastructure [2]. The purposes of this detect anomalous activities, all AMI components should activity are to monitor 1) network and system provide the ability to monitor, report, and/or respond performance, 2) the status of device‟s software and against all kinds of threats regardless of their resources hardware, 3) intrusion detection, and 4) the configuration [3-5]. Therefore, it is more challenging to monitor and of communications network and equipment. NSM manage AMI system efficiently. requirements for power system operations were analyzed We try to define as many NMS data objects as possible at first, and then NSM abstract data types and objects from meters as well as network devices in this paper. were defined. Those objects are expected to support Those objects will address electric utilities need for communications network and system health in addition to greater interoperability of network and security events and intrusion detection. More effort into concrete NSM object enable them to be better situational awareness of AMI model was made by mapping the NSM abstract objects to system. This paper is organized as follows. In section II, the latest IEC 61850 [17]. However, those are all specific for the related works are introduced. On the one hand we briefly power system, but not for AMI. give an overview of NSM and its relevant research Another attempt has been made to develop common AMI outcomes, but on the other AMI security management alarms and events for interoperability and standardization problems are discussed with some existing solutions. This in AMI [3-5]. There are 47 security objects defined in six approach helps to derive common AMI NSM objects in categories: authentication, integrity, controls, anomaly section III, where IEC standard [2] is analyzed with some detection services, cryptographic services, and notification references like ANSI C12.XX in more details. The & signaling services. The objects are expected to common AMI NSM data object model is verified contribute to a new generation of AMI SIEM (Security following some use cases in section IV. We provide Information & Event Management) systems based on a „Detection-logic‟ based on this model to grasp the current consensus among the vendors. But there are two lacks as situation of AMI system, and analyze how well the model it stands now. First, they focused on only alarms and is defined by applying a few scenarios suggested in the events generated by meters, but not by other AMI references [1, 3, 9]. Finally, we conclude this paper with components such as data collectors over electric poles and future works in section V. maintenance service tools. Even if the meter may be the most important component in AMI, it is insufficient to have a good grip on a current state of operation based on 2. Related Works the meter alarms and events. The second is that more objects need to be defined by analyzing the precedent studies in more details. They mainly referred to four 2.1 Network & System Management documents: AMI system security requirements [18], security profile for AMI [19], guidelines for smart grid There AMI has been a key part of smart grid concerning cyber security [20], and smart grid network system about security with many interested parties [10, 11]. It is requirements specification [21]. Those documents provide mainly because AMI handles customers‟ information like security guidance with essential requirements from which how much energy they are using and what the pattern of common AMI alarms and events were derived. ANSI energy usage is. It is a privacy disturbance problem which C12.XX standards were also used there, but there is could block AMI deployment in a field, and has actually substantial room for supplement which will be shown in happened here and there – The invasion of privacy caused chapter III. by smart metering is especially the biggest concern in Europe and North America nowadays [12]. There are also 2.2 AMI Security other security concerns: illegally remote connection/disconnection [10, 13], energy theft [14-16], As mentioned above, there are a few useful materials etc. To cope with these threats, it is necessary to apply published officially as standards or guides. In [18], three authentication as well as encryption algorithms to data on categories which are primary security service, supporting the basis of appropriate key management and device security service, and assurance include 19 subtitles with 2 Copyright (c) 2014 Advances in Computer Science: an International Journal. All Rights Reserved. ACSIJ Advances in Computer Science: an International Journal, Vol. 3, Issue 4, No.10 , July 2014 ISSN : 2322-5157 www.ACSIJ.org more than 500 requirements necessary to maintain a smart grid, potential problems are categorized into five reliable system and consumer confidence. Further groups such as device, networking and so on, and their progress was made to provide more actionable guidance corresponding solutions are presented in [1]. On the other for AMI security implementation with security profiles hand, attack techniques suggested in [23, 26] are more based on some use cases [19]. The recommended cyber specific to AMI. However, all those scenarios show security controls were chosen from the DHS‟s ones in [22] somewhat general concept, so need to be embodied and appropriately adapted for AMI Security. Although the enough to give us the information about how to guidance handles almost all the requirements required compromise AMI and its sequential steps. In [27], a extensively, more steps should be taken to define and systematic method for modeling functionalities of smart monitor which information is necessary to guarantee a meters with some attacks mounted on them. That effort is reliable system against inadvertent mistakes and one of trials which made concrete progress and awakened intentional attacks. It is our research work in the next our attention to security issues in AMI. Rana et al. studied chapter. vulnerabilities in C12.22 [28] for AMI and their usage in More concrete approach toward secure AMI system can order to launch DoS attacks. They are concerned with be found in academic research papers which mainly deal DDoS attack and identify three attack scenarios that with realistic security threats and their countermeasures. exploit vulnerabilities in ANSI C12.22 services: trace To begin with, intrusion detection for AMI is a research service, resolve service, and urgent traffic. The proposed topic treated as an essential method for a reliable system solutions to those attacks which are many realities also nowadays. Berthier et al. [23] argue that a specification- need to gather and analyze some kinds of NSM data based IDS (Intrusion Detection System) is the best objects. approach for AMI. They suggest some detection Apart from the security concerns, it is worth surveying the mechanisms required to monitor AMI. For success, AMI materials addressing AMI system in itself consisting of alerts should be defined first, and then managed communication networks and metering-related devices. comprehensively to detect intrusion. The same authors The interconnection between metering devices [28, 30] work further on the specification-based IDS so as to verify can give rise to security problems, and data table in a its feasibility for AMI by testing its performance with metering device [29] is directly related to AMI security realistic AMI environment [24]. In its case, of course, a because it is a target to be secured. We refer to the kind of NSM data need to be collected and analyzed for specifications for AMI components that KEPCO draw up building accurate state machines. In other words, the as well [31]. The document gives in detail the functions definition of a meaningful data object model is the first and services which all the data concentrators and step towards a reliable AMI and smart grid. communication devices shall support as AMI components Sometimes it is very desirable to create „attack trees‟ to on the basis of well-defined KEPCO AMI protocol as well understand the attackers‟ objectives and their sequential as IEC 62056 standards. All those things can also be steps because attack trees can expose to us which kinds of useful identifying a set of common AMI NSM data objects information would be required to effectively detect attacks. and improving our ability in detecting and responding to Grochocki et al. [9] design a set of attack trees based on any abnormal condition. three case studies: Distributed Denial of Service (DDoS) attack against the data collector, illegally remote 3. Common AMI NSM Data Object Model disconnection on the meters through the data collector, and stealing customer information. The attack techniques Taking into consideration the above references, we fit and their targets suggested in the paper give us a hint as NSM data objects in [2] to suit AMI, but maintain the to the types of information required to be defined as previous frame with three subcategories: communication common AMI NSM data objects. In [14], the attack tree is health, end system health, and IDS. Some NSM data more specific to energy theft. The manipulation of the objects are deleted, whereas others are newly added for demand data is the final goal for energy theft with three AMI. We do show causes for not all the revisions, but different ways to achieve it: measurement interrupting, some critical ones here because of the limited space. Then, Stored demand tampering, and network modifying. Its some scenarios where newly added objects are used to contribution is the hierarchical approach which shows a catch their abnormal situations will be given for your number of realistic activities to the success of demand forgery. More improved attack trees are suggested in [25]. understanding in the next chapter. Those activities are also used for our work. Concrete examples how to attack AMI system can be found in some precedent researches. In the viewpoint of 3 Copyright (c) 2014 Advances in Computer Science: an International Journal. All Rights Reserved. ACSIJ Advances in Computer Science: an International Journal, Vol. 3, Issue 4, No.10 , July 2014 ISSN : 2322-5157 www.ACSIJ.org 3.1 Communication Health AudFncSt Status of audit function operation Add SecSetChgAlm Security-related setting changes Add EndTampAlm End device tampering detection Add The previous document [2] defined 61 NSM data objects for „communication health‟. The number of redefined Monitoring and management of end systems involve ones in this paper is 63: five objects are left out of, internal and external assessment of their health. The whereas seven more ones are supplemented to the result targets to be monitored are the exchanged and stored data, of [2]. First, „PthLst‟ which means the list of paths in application or software module, and the status and network is redundant as „PthRoutLst‟ also contains the operation of end systems. Fifteen objects are more defined, same information. As for „ConnFailAlm‟, it can be whereas none are removed from [2] as shown on Table II. predicted as „ConnFailTmms‟ time as later after The upgrade of firmware or software in meters is not a „ConnAlm‟ occurs. Three others can be removed by the special order any more in AMI, so it is natural to monitor reasons as shown on Table I. On the other hand, there are the software-related objects („FwUpgAlm‟ and seven objects to be added to meet the requirements of „AppUpgSt‟). Audit record within meters is very AMI. As AMI is more vulnerable due to its coverage up to important enough to define „AudRrdAlm‟, „AudStrAlm‟, Home Area Network (HAN), it is essential to monitor any „AudStrMax‟, „AudInvAlm‟, and „AudFncSt‟ for AMI control signal coming from HAN to meters and block it if security, just like IT networks. Electricity usage data are detected. That is the reason why we add „ConSigAlm‟ to worth monitoring in AMI system as it is directly related to the list. As for „AddrResAlm‟ which is referred to [28] as billing service. Therefore, any illegitimate access to a relay‟s function, it is helpful to find out where the electricity usage data shall be detected and set straight. problem is caused by in case the connectivity to any „TestPrtAlm‟ is for preventing the test port of meters from C12.22 device is lost. We also add four more objects for undesirable usage, and „SessLckSet‟ is for automatic the same reason on the bottom of Table I. session locking after the management job is finished in case of illicit access through the unintentionally unclosed Table 1: Communication Health NSM Data Objects for AMI Object Description Revision session. The tampering detection, response, or even PthLst Desirable to be a component of „PthRoutLst‟ Delete evidence is required at the level of end system according ConnFailAlm Deducible from combination of „ConnAlm‟ & Delete to the several references (EndTampAlm). „ConnFailTmms‟ ConnTotTmms Deducible from combination of Delete 3.3 Intrusion Detection System „ConnFailTot‟,„ConnCurTmms‟, and(or) „RsTmms‟ ConnAvTmms Deducible from combination of „ConnFailTot‟ & Delete „ConnTotTmms‟ Table 3: Intrusion Detection System NSM Data Objects for AMI ProAcsAlm Not different from „ProtMisAlm‟ Delete Object Description Revision LgiFailCnt Number of unsuccessful login Add UnAuthUsrCnt Deducible from „UnAuthAlm‟ Delete ConSigAlm Detection of control signal from HAN Add ComLosAlm Deducible from „ConnAlm‟, „ConnFailAlm‟, & Delete AddrResAlm Address resolution service failure alarm Add „EndDct‟ SessToutAlm Session timeout alarm (inactive session) Add ComOnAlm Deducible from „EndDct‟ & „NodDct‟ Delete ResInvAlm Invalid response for request Add PwrLosCnt Deducible from „PwrLosAlm‟ Delete NegFailAlm Negotiation request not accepted by client Add ComLosCnt Deducible from „ComLosAlm‟ Delete TermSesAlm Terminate service invocation Add UnAuthOpr Unauthorized operation Add InitAuthPro Authentication process initialization Add 3.2 End System Health AuthProAlm Authentication process failure Add CodIntChkAlm Code integrity check failure Add (especially when F/W is upgraded) PduIdeCnt Number of identical data transmission Add Table 2: End System Health NSM Data Objects for AMI UsrCurConnCnt Number of concurrent sessions belong to the Add Object Description Revision same user FwUpgAlm F/W upgrade failure Add CertInvAlm Invalid certificate alarm Add AppUpgSt Status of S/W upgrade Add KeyInvAlm Invalid secret (including security key) alarm Add AudRrdAlm Change in audit record Add CrpOprAlm Failure related to cryptographic operation Add AudStrAlm Audit storage exhaustion or failure Add ChgAcsAlm Change in access control or privilege Add AudStrMax Maximum storage capacity for audit record Add ChgUsrAlm Change in user or password Add AudInvAlm Invalid or inaccessible audit record Add UsgDatClr Electricity usage data deletion Add UsgDatTabMod Electricity usage data table modification Add In this category, we newly define eleven data objects the UsgDatLog Change related to electricity usage data Add moment get rid of the five existing ones. The reasons for TestPrtAlm Enabled configuration or test port Add the deletion are briefly presented next to the objects, and SelTestAlm Security functionality self-testing failure Add they are understandable. We try to give more space to the SessLckSet Set session lock period (for automatic Add locking) added objects instead. Any operation without 4 Copyright (c) 2014 Advances in Computer Science: an International Journal. All Rights Reserved. ACSIJ Advances in Computer Science: an International Journal, Vol. 3, Issue 4, No.10 , July 2014 ISSN : 2322-5157 www.ACSIJ.org authorization shall be strictly prohibited, but none of the response. Some objects belong to more than two groups existing objects have to do with it. „UnAuthOpr‟ can be depending upon the situation. used to realize all such operation. When it comes to 1) Group 1 - Ordinary setting or monitoring: These authentication process, „InitAuthPro‟ for the process objects, the class of which is „configuration setting‟, invocation and „AuthProAlm‟ for its failure are defined „status‟, or „value‟, play an ordinary role in monitoring here. The object, „CodIntChkAlm‟, will be reported AMI system. They provide the information about the whenever any failure occurs during checking the integrity present operating situation, and enrich our recognition of of transferred code. It is especially for the firmware to be characteristics specific to AMI through a process called downloaded into meters and then remotely upgraded. This statistical analysis. Thus, they are informative and involve sort of function will be useful for more flexible and valuable meaning to apprehend AMI environment, but intelligent services someday introduced through AMI. sometimes bother AMI managers because of their Both „PduIdeCnt‟ and „UsrCurConnCnt‟ can foreshadow frequent report and large volume: the processing and upcoming attacks or accidents, and incomplete connection storing this data are another concern. Members of this or communication will be expected from three invalid group are „EndLst‟, „NodLst‟, and whatnot. alarms: „CertInvAlm‟, „KeyInvAlm‟, and „CrpOprAlm‟. 2) Group 2 - Bellwether of abnormality: Most „alarm‟ Any change in predefined access control, privilege, or objects should be included in this group. They are password shall be double-checked its legitimacy. It may reported to management center whenever their preset be directly linked to security accident otherwise. conditions are met, and imply whatever happens as we AMI NSM objects defined above can be categorized in call abnormal symptoms. Once the bellwether of any more details, but not recommended because of too many attack or system error is alerted, more objects in group 1 sub-objects identified to be handled. In case of and/or 2 are examined deeply, and then we pick out the „UsgDatTabMod‟, for example, tens of tables each with handful that seem to give more definite circumstantial tens of data fields are defined in [30], which addresses to evidence. Simple investigation is done to roughly predict monitor hundreds or even thousands of objects. Hence, it a few possibilities in this stage. is desirable to leave the task within a private scope. 3) Group 3 - Corroborating evidence: More progress should be made by finding the correlation, causal connection, and sequence among selected objects. For 4. Verification instance, „ConSigAlm‟ on Table I might be normally followed by „NegFailAlm‟, „AuthProAlm‟, „CertInvAlm‟, In this chapter, we provide the concept of „detection- etc. It is the case that malicious intent is suspected and logic‟ first. It is the contrary concept of „attack-tree‟ more evidence is required to confirm whether it is a kind which is introduced by Schneier in [32], and is a basic of problem to be handled or not. „Log‟ objects may be flow based on NSM data objects in the detection of used as supporting evidence. An example is as shown in aberrant operation in AMI. Some case studies on how Fig. 1. well common AMI data objects are defined and fit AMI 4) Group 4 – Final decision: The objects that divulge the system management are adduced thereafter. actual state in themselves are returned as final judgment to a system manager. „AtkTyp‟ with or without „AtkAlm‟ 4.1 Detection Logic are reported in case of attack, and „BufOvAlm‟ or „BufUnAlm‟ in case of buffer problem. „UnAuthOpr‟ has All the NSM data objects may not be used at the same much broader meaning with lots of preceding evidential level for the system management. Some are set, monitored, objects. It represents an attempt at compromising devices and controlled ever since the early stage of management, if „AuthProAlm‟, „CertInvAlm‟, „ChgAcsAlm‟, and the others are carefully watched and analyzed after any signs like are already reported, and an attempt at accessing are detected. They also seem to correlate in keeping with network if it is followed by „NodDct‟, „UnAuthAlm‟, regulations. We try to establish interconnection and „NetAcsAlm‟, and so forth. Whereas it announces sequential order among them in this chapter. To achieve network damage after „ConnAlm‟, „ConnExcAlm‟, or this, we sort them into several categories first, and then „SynAlm‟ are alarmed. identify what is required to be looked into more deeply after what is reported. NSM data objects are classified into four groups: ordinary setting or monitoring, bellwether of abnormality, corroborating evidence, and final decision with some 5 Copyright (c) 2014 Advances in Computer Science: an International Journal. All Rights Reserved.