In the past, the cyber defences of an organization were mainly focused on protection from attackers coming from the outside.
However, many recent stories (e.g., the Equation Group, the Snowden case) show that organizations need to consider that the adversary may already be inside their boundaries and can act directly on IT systems from within.
Cyber defence therefore has to act like the immune system of an organism: preventing, tolerating, identifying, and destroying pathogens. A protection system should do three basic things: (i) detect intruders, (ii) support the correct delivery of digital services (even while an infection is spreading), and (iii) prevent new intruders from breaching the cyber defences.
In addition, to strengthen cyber defence, security must also be considered at design time, defining systems able to tolerate the presence of an attacker.
The project will focus mainly on the analysis and definition of models, algorithms, and techniques to raise the security level of a given organization and to respond efficiently and effectively to a cyber attack. In particular, we will consider security requirements in the design phase of the system as well, by defining and implementing basic building blocks able to tolerate the presence of a limited number of intruders in the system. Then, we will focus on monitoring, detection, and reaction mechanisms to cope with attackers not anticipated at design time.
We will define several attacker profiles (i.e., attack models) and then design architectures and algorithms that let the system survive attacks.
We will also define a visual analytics environment to support security operators in their duties, both at design time and at runtime. In particular, we will provide support that raises the operator's situation awareness, helping them select and apply the best response to a given attack scenario.
Innovation Points
In the following, we list the innovation points we aim to achieve by the end of the project:
1. Mobile Byzantine failure model for multi-hop networks. One of the main limitations of the models that consider Byzantine behaviours is that they cannot represent an evolving attack on a multi-hop network (e.g., a virus or malware propagation). Indeed, existing models either consider a fully connected network with adversaries (e.g., the static and Mobile Byzantine failure models) or, in multi-hop networks, assume that the adversary does not progress by compromising further entities (e.g., the f-locally bounded model, in which every correct node has at most f faulty neighbours). A few efforts exist in the domain of misinformation spreading, but it is not clear whether and how they can be extended to the case of active attackers.
We want to overcome this limitation by defining a model in which the attackers propagate an infection over a multi-hop network.
2. Supply-chain attack graph. Many modern organizations are involved in, or are internally structured as, a supply chain, i.e., an organization's service provision also depends on services supplied by its providers. The consequence is that an organization's security assessment must also take consumers and providers into account, and the computation of the attack graph may need to span beyond the boundary of the organization (or of a division), which clearly raises privacy concerns. To the best of our knowledge, none of the existing approaches is able to take privacy requirements into account; the current practice is to compute the global attack graph by trusting the other parties and disclosing the required information to them.
3. Managing attackers on dynamic networks. Modern communication networks are dynamic (e.g., software-defined networks, mobile networks). Such dynamicity is a major issue both at design time and at runtime.
We will consider dynamic networks with Byzantine adversaries in order to design attack-tolerant basic building blocks. Then, we will analyse the impact of network dynamicity on the monitoring process and try to optimize the trade-off between detection time and detection accuracy, also while a network reconfiguration is in progress.
4. Innovation in visual analytics. SIEM products lack efficient methods to present and manipulate large amounts of security data in an understandable way. The use of advanced visual analytics techniques and state-of-the-art visual analytics engines represents the main innovation of the project in this area.
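As an added illustration of innovation point 1 (this is not code from the project described on this page), the following Python simulation runs a propagating adversary over a small multi-hop network and checks, round by round, whether the two kinds of existing adversary bound still hold. The assumptions are mine, not the page's: the network is a 4x4 grid stored as an adjacency dict; the attacker starts at one compromised node and, in every round, each compromised node compromises one still-correct neighbour (the lowest node id first, to keep the run deterministic); the f-locally bounded condition is that every correct node has at most f compromised neighbours; the "global" bound of the static/mobile Byzantine models is that at most f nodes are compromised at any time.

```python
"""Why existing Byzantine bounds cannot capture a propagating attack.

Added illustration, not code from the project on this page.  Assumptions
(mine, not the page's): undirected multi-hop network as an adjacency dict;
the attacker starts at `seed` and each round every compromised node
compromises up to `spread` correct neighbours (lowest id first);
f-locally bounded = every correct node has <= f compromised neighbours;
globally bounded = at most f compromised nodes in total.
"""


def grid(n):
    """n x n grid: node (r, c) is adjacent to its up/down/left/right neighbours."""
    adj = {}
    for r in range(n):
        for c in range(n):
            nbrs = []
            for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                rr, cc = r + dr, c + dc
                if 0 <= rr < n and 0 <= cc < n:
                    nbrs.append((rr, cc))
            adj[(r, c)] = nbrs
    return adj


def propagate(adj, seed, rounds, spread=1):
    """Simulate the spreading adversary.

    Returns a list of frozensets: the compromised set after each round,
    history[0] being the initial state with only `seed` compromised.
    """
    compromised = {seed}
    history = [frozenset(compromised)]
    for _ in range(rounds):
        newly = set()
        for node in sorted(compromised):
            targets = [v for v in sorted(adj[node])
                       if v not in compromised and v not in newly]
            newly.update(targets[:spread])
        compromised |= newly
        history.append(frozenset(compromised))
    return history


def locally_bounded(adj, compromised, f):
    """f-locally bounded: no correct node has more than f compromised neighbours."""
    return all(sum(v in compromised for v in nbrs) <= f
               for node, nbrs in adj.items() if node not in compromised)


def globally_bounded(adj, compromised, f):
    """Static/mobile Byzantine bound: at most f compromised nodes in total."""
    return len(compromised) <= f


def first_violation(adj, history, f, bound):
    """Index of the first round in which `bound` no longer holds, or None."""
    for t, comp in enumerate(history):
        if not bound(adj, comp, f):
            return t
    return None


if __name__ == "__main__":
    net = grid(4)
    hist = propagate(net, seed=(0, 0), rounds=6)
    for t, comp in enumerate(hist):
        print(f"round {t}: {len(comp):2d}/{len(net)} compromised")
    for f in (1, 2):
        print(f"f={f}: global bound breaks at round",
              first_violation(net, hist, f, globally_bounded),
              "| local bound breaks at round",
              first_violation(net, hist, f, locally_bounded))
```

On this input the global bound of the fully-connected models is broken by round 1 (f=1) or round 2 (f=2). The f-locally bounded condition with f=2, by contrast, is never violated even though all 16 nodes are compromised by round 6: the per-node bound holds at every step, so the model has no way to express that the infection has spread through the whole network, which is exactly the gap point 1 targets.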
Expected Impact
Over the past years, digital technologies have become the backbone of our economy and are a critical resource all economic sectors rely on. They now underpin the complex systems which keep our economies running in, for example, finance, health, energy and transport. The very recent failure affecting the IT systems of British Airways is a clear example of the level of dependency achieved [1]. Many business models are built on the uninterrupted availability of the internet and the smooth functioning of information systems.
Cybersecurity incidents, be they intentional or accidental, could disrupt the supply of essential services we take for granted such as water or electricity. Threats can have different origins - including criminal, terrorist or state-sponsored attacks as well as natural disasters and unintentional mistakes.
The cybersecurity market, one of the fastest growing markets in the ICT sector, yields huge economic opportunities. Strengthening the EU's cybersecurity industry will allow European businesses to seize these opportunities and reinforce trust of citizens and businesses in the digital world, contributing to the goals of the Digital Single Market Strategy.
The significance of the cybersecurity market is evident from the EU Cybersecurity Strategy, defined in 2013 by the European External Action Service and launched to boost industrial capabilities in Europe [2]. The strategy outlines the necessity of safeguarding an online environment that provides the highest possible freedom and security, for the benefit of everyone. Its goal is to ensure strong and effective protection and promotion of citizens' rights, so as to make the EU's online environment the safest in the world.
The results obtained by the project will contribute to advancing the state of the art in solutions for cyber-resilient organizations. Indeed, as widely recognized in the literature in the area, the mere application of existing diagnostic, modelling, and evaluation approaches poses several problems that still have to be addressed. Most solutions are tailored to the specific component under study; hence they hardly fit the high heterogeneity and continuous evolution of real organizations' systems.
[1] http://www.bbc.com/news/uk-40074751
[2] https://ec.europa.eu/digital-single-market/en/news/communication-cyberse...