
Secure Information Sharing Sensor Delivery event Network

Periodic Reporting for period 2 - SISSDEN (Secure Information Sharing Sensor Delivery event Network)

Reporting period: 2017-11-01 to 2019-04-30

The SISSDEN project aimed to improve the cyber security posture of EU entities and end users through the development of situational awareness and the sharing of actionable information. SISSDEN provides free-of-charge victim notification services and works in close collaboration with National Computer Emergency Response Teams (CERTs), network owners and internet service providers in general.
The core infrastructure element of SISSDEN is a worldwide sensor network based on state-of-the-art honeypot/darknet technologies and a high-throughput automated data processing centre in Europe. This passive threat data collection mechanism is highly scalable and complemented by behavioural analysis of malware, botnet tracking and multiple external data sources. Actionable information produced by SISSDEN is used for the purposes of no-cost victim notification and remediation. It will especially benefit SMEs and citizens.
SISSDEN provides in-depth analytics on the collected data. Metrics developed as part of the project can be used to establish the scale of some measurable security issues in the EU. Finally, a curated reference data set has been created and published to provide a high-value resource to academia and vetted researchers in the cybersecurity domain, thereby encouraging future innovation.
Key objectives:
1. Create a large distributed sensor network.
2. Advancements in attack detection.
3. Advancements in malware analysis and botnet tracking.
4. Improving the fight against botnets.
5. Collect, store, analyse and reliably process Internet scale security data sets.
6. Share high-quality actionable information on a large scale.
7. Provide objective situational awareness through metrics.
8. Create and publish a large scale curated reference data set.
SISSDEN achieved Technology Readiness Level 9 (TRL9) for most of its components, delivering a high-quality, fully operational solution. TRL7 applies to the more experimental data analyses.
As of 2019-05-01 the SISSDEN project has ended, successfully achieving its objectives and providing valuable, high-impact outcomes.
The core functionality of collecting and processing threat data and generating daily remediation reports for stakeholders has been fully implemented and has been running operationally, with full stability and at full scale, for over a year. The size of the sensor network far exceeded the original plans, with over 250 sensors. 14 different types of honeypots have been deployed to collect attack data, registering almost two billion events per year. Collected malware samples are automatically analysed by sandboxing systems, with long-term sandboxing systems available for monitoring particularly interesting samples. Over 20 malware families are continuously tracked, providing valuable threat intelligence. Several partner-operated systems have been extended and provide data to the platform; over thirty public third-party sources are also integrated.
Five new remediation feeds have been developed and one existing feed enriched, providing recipients with high-quality actionable information. Wide dissemination of these results at various security community events attracted high interest.
The data collected by the system has been prepared for sharing with vetted researchers as the curated reference data set.
A set of new analytical methods and tools has been developed by SISSDEN researchers working with the collected data. The proposed methods and the evaluation of their results are published in the public deliverable D5.3 "Final data analysis results". The research work led to several peer-reviewed publications and many conference presentations.
The individual project outcomes are currently used operationally by the partners and development will continue. As for the SISSDEN platform, the non-profit services are expected to resume in the autumn at the latest, conducted by a subset of the consortium on a new infrastructure (to be procured in July 2019), while the SME partners develop a separate commercial service.
The SISSDEN project has deployed an innovative, robust, large scale distributed sensor network composed of beyond state-of-the-art virtualized honeypots that analyse traffic tunnelled from network endpoints hosted in many international locations. The collected data helps enhance situational awareness via free daily remediation reports for network owners, National CERTs and other government institutions, as well as SMEs and private citizens. The threat intelligence provided constitutes one of the largest, richest, most timely and accurate data sources for identifying malware threats and malicious behaviour based on end-user exposure.
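The pipeline described above, from honeypot sightings to one daily remediation report per network owner or National CERT, is illustrated by the following added example. It is not SISSDEN code: the event fields, the CIDR-to-recipient responsibility table (using RFC 5737 documentation prefixes) and the report layout are assumptions chosen to show the general pattern, namely longest-prefix ownership lookup, dropping sources nobody is responsible for, and deduplicating a noisy attacker into one row with first/last seen and a hit count.

```python
"""Aggregate honeypot sightings into per-recipient daily remediation reports.

Added illustration, not SISSDEN's own code. Event schema, responsibility table
and report format are hypothetical; only the processing pattern is the point.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timezone
import ipaddress


@dataclass(frozen=True)
class Event:
    ts: datetime        # UTC timestamp of the sighting
    src_ip: str         # attacking host as seen by the honeypot
    dst_port: int       # port the attacker targeted on the sensor
    honeypot: str       # sensor type that produced the event (hypothetical names)
    category: str       # assumed classification, e.g. "ssh-bruteforce"


# Constructed responsibility table: who gets notified for which address space.
# A more specific prefix (the /25) overrides the enclosing ISP block.
RECIPIENTS = {
    "192.0.2.0/24": "cert-example-a",
    "198.51.100.0/24": "isp-example-b",
    "198.51.100.128/25": "enterprise-c",
}


def lookup_recipient(src_ip, table=RECIPIENTS):
    """Longest-prefix match of src_ip against the responsibility table.
    Returns None when nobody is responsible; such sources are not reported."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for cidr, name in table.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def build_daily_reports(events, day, table=RECIPIENTS):
    """Return {recipient: [finding, ...]} for events seen on `day` (UTC).
    Findings are deduplicated per (src_ip, category), so a host that hit many
    sensors yields a single row carrying the hit count and port/sensor sets."""
    buckets = defaultdict(dict)
    for ev in events:
        if ev.ts.astimezone(timezone.utc).date() != day:
            continue                      # outside the reporting window
        owner = lookup_recipient(ev.src_ip, table)
        if owner is None:
            continue                      # no one to notify for this source
        key = (ev.src_ip, ev.category)
        row = buckets[owner].get(key)
        if row is None:
            buckets[owner][key] = {
                "src_ip": ev.src_ip, "category": ev.category,
                "first_seen": ev.ts, "last_seen": ev.ts, "hits": 1,
                "ports": {ev.dst_port}, "honeypots": {ev.honeypot},
            }
        else:
            row["first_seen"] = min(row["first_seen"], ev.ts)
            row["last_seen"] = max(row["last_seen"], ev.ts)
            row["hits"] += 1
            row["ports"].add(ev.dst_port)
            row["honeypots"].add(ev.honeypot)
    return {owner: sorted(rows.values(), key=lambda r: (r["src_ip"], r["category"]))
            for owner, rows in buckets.items()}


def render_report(recipient, findings):
    """Plain-text report body, one line per finding (hypothetical layout)."""
    lines = [f"Daily remediation report for {recipient}: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(
            f"{f['src_ip']}\t{f['category']}\thits={f['hits']}\t"
            f"ports={sorted(f['ports'])}\tfirst={f['first_seen'].isoformat()}\t"
            f"last={f['last_seen'].isoformat()}"
        )
    return "\n".join(lines)


def _t(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(2019, 3, 14, h, m, s, tzinfo=timezone.utc)


# Constructed sample sightings for one day, plus one from the previous day
# and one from a source with no responsible recipient.
SAMPLE_EVENTS = [
    Event(_t("01:02:03"), "192.0.2.10", 22, "ssh-honeypot", "ssh-bruteforce"),
    Event(_t("01:05:00"), "192.0.2.10", 22, "ssh-honeypot", "ssh-bruteforce"),
    Event(_t("02:00:00"), "192.0.2.10", 445, "smb-honeypot", "smb-exploit"),
    Event(_t("03:00:00"), "198.51.100.200", 80, "web-honeypot", "web-scan"),
    Event(_t("04:00:00"), "198.51.100.5", 23, "telnet-honeypot", "telnet-bruteforce"),
    Event(_t("05:00:00"), "203.0.113.7", 22, "ssh-honeypot", "ssh-bruteforce"),
    Event(datetime(2019, 3, 13, 23, 59, 0, tzinfo=timezone.utc),
          "192.0.2.10", 22, "ssh-honeypot", "ssh-bruteforce"),
]


def sample_reports():
    """Reports for the constructed sample day (2019-03-14)."""
    return build_daily_reports(SAMPLE_EVENTS, date(2019, 3, 14))


if __name__ == "__main__":
    for owner, findings in sample_reports().items():
        print(render_report(owner, findings), end="\n\n")
```

In practice the responsibility table would be built from routing and ownership data and the daily window tied to the sensor network's ingestion clock; the dedup step matters because one attacking host can produce thousands of events a day across a 250-sensor network, and recipients need one row per host, not one per event.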
A curated reference dataset produced as part of the project provides a unique resource for further research, driving forward the global understanding of cyber threats at no cost to all stakeholders, vetted security researchers and cybercrime fighters.
Large scale Internet attack data collection, analysis and sharing by the SISSDEN project generates positive societal impacts primarily in four main areas:
1. National CERTs and other large national institutions.
2. Law Enforcement Agencies.
3. Service Providers, Enterprises, SMEs and Individual Citizens.
4. Vetted Security Researchers and Research Institutions.
The sensor network exceeded original assumptions, growing to over 250 sensors spread around the globe. Daily remediation reports supply a constant stream of actionable threat information to thousands of recipients worldwide. The National CERT recipient user base exceeded 100 National CERTs worldwide, including all EU member states. The number of direct recipients is now over 4100, exceeding the planned target audience.
Novel analytical tools and methods provide valuable insights into malware behaviour and network attacks, enabling advanced tracking of botnet activity and effective identification of new threats.
The SISSDEN data collection model
Multilayer concept of the SISSDEN platform
The official SISSDEN project logo
The hardware of the SISSDEN backend
Global coverage of the SISSDEN sensor network
A simplified diagram of the architecture of the SISSDEN platform
European coverage of the SISSDEN sensor network