Cyberattack Early Warning System (ARAKIS)

  • Project name: Cyberattack early warning system (ARAKIS)
  • Website: https://www.arakis.pl
  • Project goal: Development of a cyber threat and attack early warning system providing an overview of the level of security of the networks it protects, and facilitating the detection of new, previously unseen threat types.

PROJECT DESCRIPTION:

The goal of the project was to develop the ARAKIS 2.0 system, whose main functionality is advanced cyberthreat and cyberattack template detection, as well as generating descriptions of detected incidents in the form of signatures and alerts.

Effective detection of incidents violating the cybersecurity of a network requires that all data registered by five sensors are effectively aggregated and correlated. The system was developed by our team as a result of research on many distinct technical and scientific problems, including the development of algorithms which detect in polynomial time, substrings of characters which effectively characterise communication templates of network traps; designing a machine learning mechanism for developing a probabilistic model of server requests; and developing a process of testing hypotheses which assess the conformity of these request with the templates identified.

One of the fundamental components of ARAKIS 2.0 is a network of honeypots, i.e. traps which lure in attackers and register their actions. Fully utilising their potential required using advanced network engineering solutions in the system architecture, reducing the probability of trap detection and increasing the quality of signatures generated.

ARAKIS 2.0 is fed data by four categories of sensors:

  • reflector: a sensor responsible for maintaining communication between properly configured trap addresses and a honeypot farm collecting data on the threats and exploits registered in the protected network.
  • forwarder: a sensor which receives and forwards logs from external security systems, including firewalls and anti-virus software.
  • TAS: a sensor responsible for monitoring traffic for dangerous communication, including with botnets, and relaying information about suspicious activities to the ARAKIS 2.0 system centre.
  • SCADA: a sensor responsible for maintaining communication with a network of traps featuring emulated industrial automation services.

Due to its modular architecture, ARAKIS 2.0 can easily be expanded to include more services. An important element of the system is the GUI, which offers the following functionalities:

  • system component management
  • data analysis and visualisation
  • data searching using our proprietary language – AQL (Arakis Query Language)
  • automated generation of reports integrated with SIEM class data
  • creation of dashboards adapted to the needs of the user

The ARAKIS 2.0 project has been developed by us since 2012. Currently, correlation modules utilising advanced AI algorithms are being intensively developed, as well as other components.

PROJECT RESULTS:

ARAKIS 2.0 Enterprise offering ICT network attack early warning functionality for businesses.

  • Proprietary technology for managing a virtual honeypot cluster.
  • Mechanism for the automated generation of signatures describing hazardous traffic templates

PROJECTS PARTICIPANTS: NASK

RESEARCH PAPERS:

  • Brzostek, J, Network Events Correlation for Federated Networks Protection System, Towards a Service-Based Internet - 4th European Conference; tom 6994; strony 100-111; 2011; LNCS
  • Lasota, K; Niewiadomska-Szynkiewicz, E; Kozakiewicz, A, Adaptacja rozwiązań honeypot dla sieci czujników, Studia Informatica; tom 33; numer 3; strony 139-148; 2012; Politechnika Śląska
  • Karpowicz, J; Karpowicz, M, Zagrożenia infrastruktury krytycznej cyberprzestępczością na przykładzie krajowego systemu elektroenergetycznego, Współczesne zagrożenia bioterrorystyczne i cyberterrorystyczne a bezpieczeństwo narodowe Polski; strony 467-499; 2013; Wyższa Szkoła Policji w Szczytnie
  • Arabas, P; Karpowicz, M, Częstość występowania wybranych triad w sieci połączeń między systemami autonomicznymi jako wskaźnik niektórych typów anomalii ruchu, Przegląd Telekomunikacyjny, Wiadomości Telekomunikacyjne; tom 8-9; strony 1179-1184; 2016; SIGMA-NOT
  • Kozakiewicz, A; Kijewski, P, Klienckie honeypoty. Konferencja ISSE/SECURE 2007, Materiały sesji SECURE oraz sesji rządowej; strony 127-136; 2007
  • Kijewski, P; Kruk, T, Arakis - system wczesnego ostrzegania, Materiały XXII Krajowego Sympozjum Telekomunikacji i Teleinformatyki KSTiT 2006;