The objective of this project is to provide a situational awareness platform with advanced capabilities for monitoring open and heterogeneous sources and for predictive analysis, in order to detect and identify cyberattack patterns. It is funded by the R&D COINCIDENTE program, in the area of innovative solutions in cyberdefense.
The main novelty of the project compared to similar approaches is the use of multiple information sources to provide cyber situational awareness. Classic sources such as intrusion detection systems are not used alone; they are combined with other sources that add value to situational awareness:
- Presence Sensors: physical presence or logical presence (detection of devices by wifi/bluetooth/mobile telephony/radio frequency signals).
- Threat Intelligence Sources, which incorporate as many intelligence sources as possible in order to improve and refine situational awareness.
- Classic cybersecurity system logs, such as logs generated by security subsystems or by intrusion detection systems, whether based on pattern (signature) detection or on anomaly detection trained by prior machine learning.
- Modelling of Internal Users, based on their behaviour (UBA – User Behaviour Analytics) or from the point of view of Human Resources.
Other systems can also be introduced, such as context sensors of activity in networks or systems, or reputation sensors in social networks, which could likewise add value.
All this information will be collected and homogenized into a common information model, on which machine learning techniques can be applied for advanced attack detection. These techniques may include:
- Detection of anomalies in information sources
- Detection of correlation of anomalies between different sources of information
- Predictive modelling based on different machine learning techniques, such as Hidden Markov Models, Bayesian Networks or Neural Networks.
All this information will feed an expert system holding a formal, ontology-based representation of situational awareness, in which different metrics can be defined as formal rules of behaviour, allowing new knowledge to be inferred from:
- Information directly provided and/or processed from data sources
- Advanced detection information provided by the machine learning techniques.
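As an added illustration of the pipeline just described (not code from the project itself), the following example homogenizes constructed records from three source types (an IDS log, a presence sensor and a threat intelligence feed) into one common event model, flags per-source anomalies, and then correlates anomalies on the same entity across distinct sources within a time window. Source formats, field names and the 10-minute window are assumptions made for the example.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample records from three heterogeneous sources (not real data).
IDS_LOG = [
    "2024-05-01T10:00:05 alert host=ws-17 sig=ssh-bruteforce",
    "2024-05-01T10:02:40 info host=ws-04 sig=dns-query",
]
PRESENCE = [  # a device seen on the network without a matching physical presence is anomalous
    {"t": "2024-05-01T09:58:30", "device": "ws-17", "physically_present": False},
    {"t": "2024-05-01T10:01:00", "device": "ws-04", "physically_present": True},
]
THREAT_INTEL = [
    {"t": "2024-05-01T10:03:10", "entity": "ws-17", "reputation": "malicious"},
]

def normalize():
    """Homogenize every source into the common event model (src, t, entity, anomalous)."""
    events = []
    for line in IDS_LOG:  # assumed IDS format: "<iso-ts> <level> host=<h> sig=<s>"
        ts, level, host, _sig = line.split()
        events.append({"src": "ids", "t": datetime.fromisoformat(ts),
                       "entity": host.split("=", 1)[1], "anomalous": level == "alert"})
    for p in PRESENCE:
        events.append({"src": "presence", "t": datetime.fromisoformat(p["t"]),
                       "entity": p["device"], "anomalous": not p["physically_present"]})
    for ti in THREAT_INTEL:
        events.append({"src": "intel", "t": datetime.fromisoformat(ti["t"]),
                       "entity": ti["entity"], "anomalous": ti["reputation"] == "malicious"})
    return events

def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Report entities whose anomalies from at least `min_sources` distinct sources
    fall within `window` of each other; returns {entity: sorted list of sources}."""
    by_entity = defaultdict(list)
    for e in events:
        if e["anomalous"]:
            by_entity[e["entity"]].append(e)
    findings = defaultdict(set)
    for entity, evs in by_entity.items():
        for e in evs:
            near = {o["src"] for o in evs if abs(o["t"] - e["t"]) <= window}
            if len(near) >= min_sources:
                findings[entity].update(near)
    return {entity: sorted(srcs) for entity, srcs in findings.items()}

if __name__ == "__main__":
    print(correlate(normalize()))  # {'ws-17': ['ids', 'intel', 'presence']}
```

A correlated finding such as the one above is the kind of enriched fact that the ontology-based expert system would then reason over, for example to raise a partial risk indicator for the affected host.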
The result of this processing is an advanced view of situational awareness that can be exploited in various ways, such as:
- Visualization Platform
- Generation of Global and/or Partial Risk Indicators
- Integration with Command and Control Tools for decision support.
The project will combine several Artificial Intelligence techniques and apply them to cybersecurity: machine learning techniques to detect anomalies against previously collected data sources, and expert systems based on ontologies and formal behaviour specification rules, whose reasoning implements cybersecurity metrics and enriches the model itself with the results of earlier reasoning.
The UPS RSTI Research team is the lead contractor of this project, working with specialized partners such as DinoSec (RF sensors) and EthonShield (mobile telephony sensors).