Motivation

Cyber protection of computer networks, operated services and users are currently ensured by separated subjects (network providers, service provider, security teams). Based on the results of security events, incidents and attacks detection, which could influence the infrastructure, protective countermeasures are deployed. But just some of the security information is shared between security teams, which is the reason, their full potential cannot be used for the whole infrastructure.

Our prime objective in this project is developing and implementing a pilot system for effective transmission and analysis of detected security events among security teams in the Czechia, including National and Governmental security team. An early exchange of information between involved organizations will simplify prediction of attack´s expansion and it will also help organizations with preparation for the threats. In this manner, the systém will eliminate the attack´s consequences on national cyberspace.

Technology and specifics

• Collecting and sharing of security events
  The system will permit extension of distributing and collecting security events originating from a huge spectrum of compiled security elements generating those events. A library enabling to easily connect various systems (e. g. honeypots, behaviour analysis systems, logs) and so-called third-party systems (e. g. N6, ShadowServer, UCEPROTECT) will be designed and implemented.

• Intelligent analysis of security events
  The research is focused on methods for correlation of different types of security reports, on methods for correlation an event in place and in time, on methods of determining the credibility within the reported event and on credibility within the entities themselves reported inside the events. The final outcome will be deriving aggregated and correlated information from the enormous amount of security events. The analysis of the spreading threats will open the possibility of long-term observing security trends and it will also continuously make the Czech cybersecurity system increasingly effective.

• Correlation of different types of national cyberspace security events
  The project includes creating correlations with primary data acquired from network CESNET2 (packets, flows, logs) in order to events´ verification, enriching mined data and system calibration. We will design and pilot deploy a manner of integration of acquired information with the aim of supporting the avoidance of the impending attack.

• Increased security of organizations
  In order to increase the security of involved organizations against attacks, we will develop connections on chosen elements ensuring network security (e. g. firewall, IPS, filters). That will allow distribution of intelligent analysis results and their use for securing the infrastructure.

• Enriching of mined data and expanding detection abilities of event producers
  We will be researching and developing tools for selective collecting and analysing the network traffic data in order to determine new threats and to verify and analyse existing threats. Optional level of detail will enable a deeper understanding of threats.

• Support for filtration and possibility to (partly) anonymize shared data
  The primary goal is to ensure high quality of data in all aspects. We consider our priority to preserve delicate data under the control of involved organizations. Due to private information transmission between different subjects, we reflect the law aspects of sharing and using the information (with respect to privacy protection).

• Law aspects of events' sharing identification
  This partial goal has its presence in all the areas the project is dealing with. The main intention is analysing potentially problematic procedures and processes from the law perspective and suggesting a methodic strategy for using current and developing technologies.

Achievements

We are planning to transfer the technology abroad next year and to establish not just international cooperation, but also increasing security caution and sharing on the international level.

IDENTIFICATION CODE

VI20162019029

PARTNER

PROVIDER