This page describes the demonstrator that we have set up for CS4E-WP3-T4. The demonstrator is based on a conceptual platform, meant for gathering and managing threat information from different data sources. Basically, the demonstrator has the twofold objective of (i) improving the accuracy of Threat Intelligence Services (such as, e.g., TDSs) in detecting and characterizing incoming attacks, and (ii) enabling the sharing of trusted, reliable and relevant threat information (e.g., discovered by TDSs or gathered by means of honeypots) among organizations and threat detection algorithms.
We propose a general framework of interaction and cooperation with threat intelligence services and provided three specific use cases where these services can cooperate. The partners contributed by creating tangible software assets, by integrating them into joint proof-of-concepts, and illustrating the practical feasibility of a modular cybersecurity platform able to provide key information about the status of a system to monitor. This deliverable documented 3 possible integration scenarios, culminating in a variety of videos, online demonstrators and scientific publications. Within these scenarios, we illustrate how such cooperation can (i) improve the performances of the threat prevention and detection systems and minimize the attack surface by strengthening the robustness of machine learning and deep learning models, making them more robust to new threats, false positives and lowering the time to threat detection; and (ii) enable more robust threat intelligence by allowing to better contextualize threat data and devise flexible strategies, methodologies and data formats for collaborative threat intelligence.
The focus of the first scenario is on the sharing of cyber threat intelligence (CTI) within and across communities, as this is a key enabler for cooperation between threat intelligence services and to trigger the deployment of adaptive honeypots. By sharing cyber threat information, other stakeholders or systems can leverage the shared information and collaborate to further analyse the data, increase the confidence in the shared intelligence, or to augment it with additional information such as the reputation and trustworthiness of the reporting entities. Additionally, the information can be leveraged in an adaptive honeypot that aims to deploy software vulnerable against reported threats as a way to lure adversaries and gather more intelligence while they attack the reported vulnerabilities. The sharing capability within and across communities is already present within state-of-practice cyber threat intelligence platforms, though due to the sensitive nature targets of cyberthreats are not always willing to share this information unless they are obliged to be compliant with mandatory incident reporting regulations.
This scenario demonstrates how we address this concern. As we are dealing with sensitive information about threat targets and detailed information about vulnerabilities, the information should never end up in the wrong hands, e.g., malicious adversaries that aim to exploit the intelligence. This scenario builds upon state-of-practice and open-source threat intelligence tools for storing and sharing information to further strengthen the security and privacy posture of intelligence sharing. The main objectives of this scenario are to mitigate privacy concerns by (1) pre-processing threat intelligence with well-known privacy enhancing technologies and data anonymization techniques before the intelligence is shared, and (2) cryptographically protecting the shared threat intelligence in a fine-grained manner so that only authorized entities can decrypt and act upon it.
The following scenarios about enriching CTI and adaptive honeypots can leverage the capabilities offered by this scenario to request access to privatized and protected information, or to protect their own information before sharing within and across the community.
- Online proof-of-concept demonstrators and repositories:
- https://nuage.cs.kuleuven.be/ [KUL's MISP instance]
- https://nuage.cs.kuleuven.be/tatis/ [integration with KUL's MISP instance]
- https://ciel.cs.kuleuven.be/tatis/ [integration with CNR's MISP instance]
- http://155.54.95.184:8082/anonymizer/AnonymizerAPI.html [PP-CTI anonymizer service, integrated with TATIS]
- Videos:
- Scientific dissemination:
- Preuveneers, D., et al. "TATIS: trustworthy APIs for threat intelligence sharing with UMA and CP-ABE." Foundations and Practice of Security. 12th International Symposium, FPS 2019, Toulouse, France, November 5–7, 2019, Revised Selected Papers. Vol. 12056. Springer International Publishing; Switzerland, 2020.
- Preuveneers, D., et al. "Distributed Security Framework for Reliable Threat Intelligence Sharing." Security and Communication Networks 2020 (2020).
- Preuveneers, D., and Joosen, W. "Sharing Machine Learning Models as Indicators of Compromise for Cyber Threat Intelligence." Journal of Cybersecurity and Privacy 1.1 (2021): 140-163.
- Preuveneers, D., and Joosen, W. "Privacy-Preserving Polyglot Sharing and Analysis of Confidential Cyber Threat Intelligence." International Conference on Availability, Reliability and Security, ARES 2022, Vienna, Austria, August 23-26, 2022.
Scenario 2: Enriching the information on detected threats via TDS cooperation and gathered by means of honeypot instances:
The main idea consists in enriching the information on detected threats with further details provided by different TDSs. Moreover, the honeynet allows for gathering further attack instances which will be used in the learning phase of the ML-Based TDSs to improve their effectiveness.
A typical flow within the proposed scenario includes the following steps: (1) An IDS documents an attack and updates its corresponding MISP with threat intelligence (events and attributes) describing the attack. (2) The information concerning the attack is shared between entities, possibly after enhancing its confidentiality and privacy, and an operator, using TIP information, deploys a honeypot configured to enrich information concerning the new attack. (3) further information concerning the uploaded events or external events potentially relevant for the monitored network infrastructure can be collected by exploiting the data enrichment platforms. In addition, when the information on a new intrusion is gathered by the honeynet, once again these data are shared with the MISP via a custom MISP object.
- Online proof-of-concept demonstrators and repositories
- https://misp1.icar.cnr.it/ [CNR MISP instance]
- Videos:
- Scientific dissemination:
- Nieto, A. 2020. "Becoming JUDAS: Correlating Users and Devices during a Digital Investigation." IEEE Transactions on Information Forensics & Security, Volume 15, Pages 3325-3334.
- Folino, F., G. Folino, M. Guarascio, F.S. Pisani, and L. Pontieri. 2021. "On learning effective ensembles of deep neural networks for intrusion detection." Information Fusion, Volume 72, Pages 48-69.
- Guarascio, M., N. Cassavia, F.S. Pisani, and G. Manco. 2022. "Boosting Cyber Threat Intelligence via Collaborative Intrusion Detection." Future Generation Computer Systems, Volume 135, Pages 30-43.
- Liguori, A., Manco, G., Pisani, F.S., Ritacco, E.: Adversarial Regularized Reconstruction for Anomaly Detection and Generation. 2021 IEEE International Conference on Data Mining (ICDM), 2021, pp. 1204-1209, doi: 10.1109/ICDM51629.2021.00145.
- Guarascio, M-, Zuppelli, M., Cassavia, N., Caviglione, L., and Manco, G.: Revealing MageCart-like Threats in Favicons via Artificial Intelligence. In Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES '22). Association for Computing Machinery, New York, NY, USA, Article 45, 1–7. https://doi.org/10.1145/3538969.3544437
- Cassavia, N., Caviglione, L., Guarascio, M., Liguori, A., Zuppelli, M.: Ensembling Sparse Autoencoders for Network Covert Channel Detection in IoT Ecosystems. In: Foundations of Intelligent Systems. ISMIS 2022. Lecture Notes in Computer Science (LNCS), vol 13515. Springer, Cham. https://doi.org/10.1007/978-3-031-16564-1_20
- Guarascio, M., Zuppelli, M., Cassavia, N., Manco, M., Caviglione, L.: Detection of Network Covert Channels in IoT Ecosystems Using Machine Learning. ITASEC 2022: 102-113
Gathering relevant information on attack strategies and sharing precious IoCs to improve the security degree of the entities belonging to the MISP network is the main objective of this use case. In more details, this scenario aims at demonstrating how internal information gathered by means of a pool of honeypots can be used in the context of the security of an infrastructure.
Two assets collaborate to achieve this aim: (i) Briareos, a HIDS capable of launch Honeypots in any linux system and (ii) Roce, a system devoted to evaluating the fundamental problems of the software contained in a device. The information extracted by Briareos and data from a public APT database are combined by Roce and exploited to yield the probability of compromise of the monitored systems.
- Online proof-of-concept demonstrators and repositories:
- https://github.com/InesMartins31/iot-cves
- The APT Dataset (Di Tizio, et al. 2022): https://doi.org/10.5281/zenodo.6514816
- Videos:
- Scientific dissemination:
- Silva, S., Sousa, P.R., Resende, J.S., Antunes, L. (2022). Threat Detection and Mitigation with Honeypots: A Modular Approach for IoT. In: Katsikas, S., Furnell, S. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2022. Lecture Notes in Computer Science, vol 13582. Springer, Cham. https://doi.org/10.1007/978-3-031-17926-6_5
- Martins, Inês, et al. "Host-based IDS: A review and open issues of an anomaly detection system in IoT." Future Generation Computer Systems (2022).
- Pinto Bastos Martins, Maria Inês. 2020. Anomaly Detection in Cybersecurity. Mater Thesis, https://sigarra.up.pt/fcup/pt/pub_geral.show_file?pi_doc_id=275358.
- Dinis da Silva e Barbosa, Mário. 2020. JBriareos: A Secure and Scalable Distributed Intrusion Detection System. Master Thesis, https://sigarra.up.pt/fcup/pt/pub_geral.show_file?pi_doc_id=274710.
- Di Tizio, G., Armellini, M., Massacci F., "Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats", IEEE Transactions on Software Engineering, 2022
| --- | Collaborative Networks | Education & Training | Certification | Secure Platforms of Platforms | Infrastructure Protection | Holistic Data Protection | AI-based Security | Systems Security & Security Lifetime Management | Secure Architectures for Next Generation Communication | Secure Quantum Technologies | Secure AI Systems | Personalized Privacy Protection |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Briareos (C3P) | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- | --- | --- |
| EBIDS (CNR) | --- | --- | --- | --- | ✔️ | --- | ✔️ | ✔️ | --- | --- | ✔️ | --- |
| ENIDS (FBK) | --- | --- | --- | --- | ✔️ | --- | ✔️ | --- | --- | --- | --- | --- |
| HADES (UMA) | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- | --- | --- |
| IntelFrame (DTU) | --- | --- | --- | --- | ✔️ | --- | ✔️ | --- | --- | --- | ✔️ | --- |
| JUDAS (UMA) | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- | --- | --- |
| NetGen (Polito) | --- | --- | --- | --- | ✔️ | --- | ✔️ | ✔️ | --- | --- | ✔️ | --- |
| PP-CTI (UMU) | --- | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- | ✔️ |
| Reliable-CTI (UMU) | --- | --- | --- | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- |
| RoCe (UNITN) | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- | --- | --- |
| TATIS (KUL) | --- | --- | --- | --- | ✔️ | ✔️ | ✔️ | --- | --- | --- | ✔️ | --- |
| TIE (ATOS) | ✔️ | --- | --- | --- | ✔️ | ✔️ | --- | --- | --- | --- | --- | ✔️ |
| UASD (CNR) | --- | --- | --- | --- | --- | --- | ✔️ | --- | --- | --- | --- | --- |
1 - A. Skarmeta, “D3.1 Common Framework Handbook 1”, CyberSec4Europe, 2019.