Community Research and Development Information Service - CORDIS

H2020

SISSDEN Report Summary

Project ID: 700176
Funded under: H2020-EU.3.7.

Periodic Reporting for period 1 - SISSDEN (Secure Information Sharing Sensor Delivery event Network)

Reporting period: 2016-05-01 to 2017-10-31

Summary of the context and overall objectives of the project

The SISSDEN project will improve the cyber security posture of EU entities and end users through the development of situational awareness and sharing of actionable information. SISSDEN will provide free-of-charge victim notification services, and close collaboration with Law Enforcement Agencies, National Computer Emergency Response Teams (CERTs), network owners and internet service providers in general.
The core infrastructure element of SISSDEN is a worldwide sensor network based on state-of-the-art honeypot/darknet technologies and a high-throughput automated data processing centre in Europe. This passive threat data collection mechanism will be highly scalable and complemented by behavioural analysis of malware and multiple external data sources. Actionable information produced by SISSDEN will be used for the purposes of no-cost victim notification and remediation. It will especially benefit SMEs and citizens.
SISSDEN will provide in-depth analytics on the collected data. Metrics developed as part of the project will be used to establish the scale of some measurable security issues in the EU. Finally, a curated reference data set will be created and published to provide a high-value resource to academia and vetted researchers in the cybersecurity domain, thereby encouraging future innovation.
Key objectives:
1. Create a large distributed sensor network.
2. Advancements in attack detection.
3. Advancements in malware analysis and botnet tracking.
4. Improving the fight against botnets.
5. Collect, store, analyse and reliably process Internet scale security data sets.
6. Share high-quality actionable information on a large scale.
7. Provide objective situational awareness through metrics.
8. Create and publish a large scale curated reference data set.
SISSDEN targets the highest Technology Readiness Level (TRL9) for most of its components, delivering a high-quality, fully operational solution. TRL7 is planned for the more experimental data analyses.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The preparation of the data collection, storage and sharing infrastructure started with the specification of a set of use cases and requirements, and creation of a database of external data sources of actionable security information. These inputs formed the basis for the design of an initial architecture specification.
Rapid development allowed an initial rollout in April 2017, which included selected architecture components with a focus on demonstrating an end-to-end SISSDEN data flow process. 10 Remote VPS Node endpoints (i.e. sensors) were procured that tunnel traffic to honeypots located at the interim data centre in Warsaw. Two honeypot types were deployed at this stage - Cowrie (telnet/SSH attack data) and Spampot. A new brute force report type was added to Shadowserver’s existing victim remediation reporting system and a number of reports were sent out via the reporting system to recipients, including National CERTs. The trial methodology was elaborated in a public deliverable D6.1 “Trial Definition and Test Plan”. The full end-to-end data flow was validated in a single, comprehensive test, proving that even the first deployment of the system is already fully functional and capable of providing actionable information to end users.
The first fully operational version of the system was deployed, along with numerous upgrades to the sensor network and management platform, in October 2017. This included a redesigned backend, 44 sensors in total (distributed worldwide), and new data collection systems. At the time of writing, the total number of sensors had expanded to 71 and new honeypot types are being adapted to the dockerized honeypot model developed by the project. Work is continuing to integrate more partner systems and third-party data sources. The sensor network is growing steadily and we expect it to substantially exceed the initial minimal goal of 100 sensors soon.
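The data flow described above (sensors feeding telnet/SSH honeypot events into a brute-force report for network owners) can be illustrated with a small aggregation step. The following is an added example written for this summary, not SISSDEN or Shadowserver code: it reads constructed log lines in the JSON layout Cowrie emits (event ids such as cowrie.login.failed, with src_ip, username, timestamp, session and sensor fields; that schema is assumed here), groups login attempts by source address across sensors, drops sources that could never be notified (private, loopback, link-local and CGNAT ranges; the filter list is the example's own assumption), and produces one report record per attacking source.

```python
"""Aggregate honeypot login events into a per-source brute-force report.

Added example, not project code.  The log lines below are constructed and
follow Cowrie's JSON field names (assumed; verify against your Cowrie version).
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: three sensors, two attacking sources (RFC 5737 documentation
# addresses), one non-routable source, one non-login event and one malformed line.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","timestamp":"2017-09-01T10:00:00.000000Z","session":"a1","sensor":"vps-01"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2017-09-01T10:00:01.000000Z","session":"a1","sensor":"vps-01"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"admin","timestamp":"2017-09-01T10:00:02.000000Z","session":"a1","sensor":"vps-01"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","timestamp":"2017-09-01T10:05:00.000000Z","session":"b7","sensor":"vps-02"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"admin","password":"admin","timestamp":"2017-09-01T10:05:01.000000Z","session":"b7","sensor":"vps-02"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"pi","password":"raspberry","timestamp":"2017-09-01T11:00:00.000000Z","session":"c3","sensor":"vps-03"}
{"eventid":"cowrie.login.failed","src_ip":"10.0.0.5","username":"root","password":"toor","timestamp":"2017-09-01T11:00:00.000000Z","session":"d9","sensor":"vps-03"}
not json at all
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

# Sources nobody can be notified about.  ipaddress.is_global is deliberately not
# used: it also rejects the RFC 5737 documentation ranges used in the sample.
NON_NOTIFIABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Yield login events with a parsed UTC timestamp; skip malformed or other lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole batch
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue
        try:
            ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ") \
                               .replace(tzinfo=timezone.utc)
            ip_address(ev["src_ip"])  # validate early; rejects garbage addresses
        except (KeyError, ValueError):
            continue
        yield ev


def build_report(text, min_attempts=2):
    """One record per source seen at least `min_attempts` times, busiest first."""
    agg = {}
    for ev in parse_events(text):
        ip = ip_address(ev["src_ip"])
        if any(ip in net for net in NON_NOTIFIABLE):
            continue
        rec = agg.setdefault(str(ip), {
            "attempts": 0, "sensors": set(), "usernames": set(),
            "first_seen": ev["ts"], "last_seen": ev["ts"], "login_succeeded": False})
        rec["attempts"] += 1
        rec["sensors"].add(ev["sensor"])
        rec["usernames"].add(ev["username"])
        rec["first_seen"] = min(rec["first_seen"], ev["ts"])
        rec["last_seen"] = max(rec["last_seen"], ev["ts"])
        rec["login_succeeded"] |= ev["eventid"] == "cowrie.login.success"
    report = []
    for src, rec in sorted(agg.items(), key=lambda kv: -kv[1]["attempts"]):
        if rec["attempts"] < min_attempts:
            continue
        report.append({
            "src_ip": src,
            "attempts": rec["attempts"],
            "sensors": sorted(rec["sensors"]),        # how widely the source was seen
            "usernames": sorted(rec["usernames"]),
            "first_seen": rec["first_seen"].isoformat(),
            "last_seen": rec["last_seen"].isoformat(),
            "login_succeeded": rec["login_succeeded"],  # worth flagging to the owner
        })
    return report


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

Each record is what a remediation report to the owner of the source network would carry: the address, the time window, how many sensors saw it and whether a (honeypot) login ever succeeded. Successful logins are kept in the count rather than discarded, because a source that guessed a credential is the one most worth notifying about; the `min_attempts` threshold keeps one-off probes out of the report.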
Extensions to partner data collection mechanisms and malware analysis tools are also progressing. Open source changes are propagated upstream whenever possible, allowing others to benefit from SISSDEN research. Some of the work included valuable academic research, resulting in scientific publications accepted at top-tier conferences.
The most research-oriented part of the project is the analysis of data collected during the pilot phase to obtain new insights into the observed malicious activity. Several new analysis methods have been proposed, implemented and verified. This work is extensively documented in a public deliverable D5.1 “Preliminary data analysis specification”, which is available on the project website. The methods can be roughly clustered into three thematic groups: malware behaviour analysis, botnet and malware tracking, and analysis of honeypot and darknet data.
Apart from these technical achievements, SISSDEN has also prepared a preliminary assessment of the legal requirements associated with data collection, from both privacy and criminal law perspectives.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

The SISSDEN project will deploy an innovative, robust, large scale distributed sensor network composed of beyond state-of-the-art virtualized honeypots that analyse traffic tunnelled from network endpoints hosted in many international locations. The collected data will help enhance situational awareness via free daily remediation reports for network owners, National CERTs and Law Enforcement and other government institutions, as well as SMEs and private citizens. The threat intelligence provided will help constitute one of the largest, richest, most timely and accurate data sources for identifying malware threats and malicious behaviour based on end-user exposure.
A curated reference dataset generated within the EU will surpass the patchwork of regional and commercial datasets currently available and drive forward the global understanding of cyber threats, at no cost to all stakeholders, vetted security researchers and cybercrime fighters.
Large scale Internet attack data collection, analysis and sharing by the SISSDEN project will primarily generate positive societal impacts in four main areas:
1. National CERTs and other large national institutions.
2. Law Enforcement Agencies.
3. Service Providers, Enterprises, SMEs and Individual Citizens.
4. Vetted Security Researchers and Research Institutions.
The sensor network is already deployed and growing fast. Since April 2017, brute force attacks have been reported to victims via Shadowserver’s reporting system on an intermittent trial basis. The ongoing development of the project allows us to expect that daily reports will commence shortly, supplying a constant stream of actionable threat information. The National CERT recipient user base has increased to 89 National CERTs worldwide. Only one EU member state (Cyprus) does not yet have its National CERT on the recipient list. The number of direct recipients is now over 3,800, exceeding the planned target audience.
The project is already producing valuable research, published in top-tier conferences and journals. New analysis methods are being developed and novel extensions to malware analysis methodology are being proposed.
Several of the analysis modules are already in direct operational use by SISSDEN partners, affecting the security of their respective clients or constituents.
