Project SABU

At present, the protection of computer networks, provided services and users against cyber attacks is mostly assured by independent entities. These entities detect security incidents affecting the infrastructure operated and adopt countermeasures based on the results. Network operators, service providers and security teams share only a limited amount of information about the detected security events, incidents and attacks. Thus, such data are not fully exploited to protect the infrastructure as a whole.

The key objective of the project is to develop and launch a pilot system for efficient sharing of information about security events and their analysis between the security teams in the Czech Republic. It should enable predicting the development of the attacks in the future, thus mitigating the impact of any such attack on the national cyberspace. The system should enable timely exchange of information about the detected security events between the entities involved, including the Czech National and Government security teams. The system will analyse and provide valuable information about the current threats. Through the system, the collated information will be shared with the entities involved to enable them to build their defence against the imminent threat. The outcomes will also be used to monitor the trends which the threats are following in the national cyberspace, which may subsequently contribute to enhancing the Czech cyber-security system. Since sensitive data are transmitted between various entities, legal aspects of information sharing and use with respect of privacy protection also need to be addressed.

The project will also address possible correlations between certain types of security events originating in the national cyberspace. Further, correlations on the primary data obtained from the CESNET2 network (packets, flows, logs) will be analysed in order to verify the events, to enrich data mined and to calibrate the system. A possible method for the exploitation of the information gathered in averting the imminent attacks will be developed and tested.

Project goals:

  • To broaden the span for the gathering and sharing of security events from a wide range of security tools (from a number of different developers) generating these events. To this end, a library enabling easy interconnection of multiple systems (e.g. honeypots, behaviour analysis systems, logs) as well as so called third-party systems (e.g. N6, ShadowServer, UCEPROTECT) will be developed and implemented.
  • To perform the intelligent analysis of the security events. In order to obtain aggregated and correlated data from a large number of security incidents, methods for the correlation of various types of security alerts, methods for the correlation of incidents in terms of time and space and methods for the verification of the reliability of security alerts and the reliability of the entities reported will be developed. In addition, tools enabling detecting the sequence of semantically linked events have also been developed.
  • To apply the results of the intelligent analysis to enhance the protection. In order to increase the protection of the involved entities against the attacks, connectors to selected network protection tools (e.g. firewall, IPS, filters) will also be developed as a part of the project. This should enable to distribute the results of the analysis and their application in protecting the infrastructure.
  • To enrich data mining and to expand the detection abilities of the event producers. In order to detect new threats, the verification and analysis of existing threats will be further analysed. Tools for selective gathering and analysis of network traffic data with an adjustable degree of detail enable deeper insight into the nature of the threats.
  • To support the filtration and the possibility of (partial) anonymisation of the shared data. This partial goal is present across all the areas and its purpose is to ensure high data quality and to keep sensible data under the control of the involved entities.
  • To identify legal aspects of event sharing. This partial goal is present across all the areas addressed by SABU and its purpose is to analyse the potentially problematic inputs and process from the legal point of view and to draft methodological procedures for the application of the existing technologies and technologies being developed.

When solving the SABU project, we build and use Warden and Mentat systems developed as a part of the CESNET Large Infrastructure and currently operated by the CESNET-CERTS security team to ensure security and data exchange in the CESNET’s e-Infrastructure.

SABU's roadmap


Q2 2019 Production launch of SABU in the Czech Republic and abroad
Q1 2019 Parameter testing and optimisation, packet release


Q1-4 2018 Implementation of the mitigation connectors for partner systems
Q1-4 2018 Implementation of the search for advanced details
Q1-4 2018 Implementation of advanced intelligent analysis including reputation


Q4 2017 Launch of SABU with the partners
Q1-4 2017 Implementation of connectors to other commonly implemented systems
Q1-4 2017 Implementation of the search for details
Q1-4 2017 Implementation of intelligent analysis


Q4 2016 Preparing connectors for project partners
Q3 2016 Assessment of the testing operation
Q2 2016 Involvement of project partners by means of mail reports
Q1 2016 First meeting with SABU partners


Q2 2015 The SABU project was approved!!! (8 June)
Q1 2015 Launch of the Warden 3 system, release of Warden 3.0 packets
Q1 2015 Filing the application for the SABU project into Security Research Programme of the Czech Ministry of Interior


Q4 2014 Finalising the SABU project’s application under the Security Research Programme of the Czech Ministry of Interior
Q4 2014 Release of the Warden 2.2 packets
Q3 2014 Creating a flexible data format IDEA


Q4 2013 Release of the Warden 2.1 packets
Q3 2013 Release of the Warden 2.0 packets


Q1 2012 Release of the Warden 1.2.0 packets
Q1 2012 Release of the Warden 1.1.0 packets
Q1 2012 Release of the Warden 0.1.0 beta


Q3 2011 Warden project start
Last modified: 02.06.2016 13:27