At present, the protection of computer networks, provided services and users against cyber attacks is mostly assured by independent entities. These entities detect security incidents affecting the infrastructure operated and adopt countermeasures based on the results. Network operators, service providers and security teams share only a limited amount of information about the detected security events, incidents and attacks. Thus, such data are not fully exploited to protect the infrastructure as a whole.
The key objective of the project is to develop and launch a pilot system for efficient sharing of information about security events and their analysis between the security teams in the Czech Republic. It should enable predicting the development of the attacks in the future, thus mitigating the impact of any such attack on the national cyberspace. The system should enable timely exchange of information about the detected security events between the entities involved, including the Czech National and Government security teams. The system will analyse and provide valuable information about the current threats. Through the system, the collated information will be shared with the entities involved to enable them to build their defence against the imminent threat. The outcomes will also be used to monitor the trends which the threats are following in the national cyberspace, which may subsequently contribute to enhancing the Czech cyber-security system. Since sensitive data are transmitted between various entities, legal aspects of information sharing and use with respect of privacy protection also need to be addressed.
The project will also address possible correlations between certain types of security events originating in the national cyberspace. Further, correlations on the primary data obtained from the CESNET2 network (packets, flows, logs) will be analysed in order to verify the events, to enrich data mined and to calibrate the system. A possible method for the exploitation of the information gathered in averting the imminent attacks will be developed and tested.
To broaden the span for the gathering and sharing of security events from a wide range of security tools (from a number of different developers) generating these events. To this end, a library enabling easy interconnection of multiple systems (e.g. honeypots, behaviour analysis systems, logs) as well as so called third-party systems (e.g. N6, ShadowServer, UCEPROTECT) will be developed and implemented.
To perform the intelligent analysis of the security events. In order to obtain aggregated and correlated data from a large number of security incidents, methods for the correlation of various types of security alerts, methods for the correlation of incidents in terms of time and space and methods for the verification of the reliability of security alerts and the reliability of the entities reported will be developed. In addition, tools enabling detecting the sequence of semantically linked events have also been developed.
To apply the results of the intelligent analysis to enhance the protection. In order to increase the protection of the involved entities against the attacks, connectors to selected network protection tools (e.g. firewall, IPS, filters) will also be developed as a part of the project. This should enable to distribute the results of the analysis and their application in protecting the infrastructure.
To enrich data mining and to expand the detection abilities of the event producers. In order to detect new threats, the verification and analysis of existing threats will be further analysed. Tools for selective gathering and analysis of network traffic data with an adjustable degree of detail enable deeper insight into the nature of the threats.
When solving the SABU project, we build and use Warden and Mentat systems developed as a part of the CESNET Large Infrastructure and currently operated by the CESNET-CERTS security team to ensure security and data exchange in the CESNET’s e-Infrastructure.