Nippon-European Cyberdefense-Oriented Multilayer threat Analysis (NECOMA)

  • Project name: Nippon-European Cyberdefense-Oriented Multilayer Threat Analysis (NECOMA)
  • Website:
  • Source of funding: European Commission
  • Project goal: Increasing cybersecurity via more effective threat detection and ensuring maximum real-time protection. These goals were achieved in three stages:
    • developing a network threat level assessment methodology
    • developing advanced cyberattack protection mechanisms
    • implementing a complete process (from acquiring information to responding) as part of a demo project


NASK researchers worked primarily on developing the tools for collecting large quantities of data and advanced inference mechanisms for analysing threats. The project was financed from the Research and Development Promotion Project of the Japanese Ministry of Internal Affairs and Communication and grant no. 608533 as part of the Seventh EU Framework Programme. The data set used to teach the classifiers and rule-based mechanisms had to be large, but also narrow enough to maximise the effectiveness of threat detection while minimising false positives, which is why the project involved developing a methodology for assessing the quality of information sources.

The project makes use of the FP-Growth (Frequent Pattern) algorithm – URLs are parsed and compressed into an FP tree form, which is then explored using the divide-and-conquer strategy developed in Han et al. (2000). This method of knowledge acquisition led to the development of a training set for the carrier vector machine classifier, whose task is to assign new suspicious templates as either “related” or “unrelated” to a particular malicious campaign. Adapting advanced data mining methods was of great importance to improving the quality of cyberattack warnings.

A key tool used in the project which constituted a source of data on malicious software was the n6 platform developed by CERT Poland (a proprietary database for automated collection, processing and relaying of incident information), which is why the project also involved work aimed at improving it (adding an incident streaming functionality to minimise delays) and publishing the n6 SDK library based on an open GPL licence.


  • development of a methodology for assessing the quality of information sources
  • techniques for detecting campaigns utilising malware via varied data set analysis
  • creation of the n6 SDK library which renders it easier for organisations to share data from any source via an n6-compatible interface


EU consortium:

  • Institut Mines-Telecom (IMT, France)
  • Atos Spain S.A,(ATOS, Spain)
  • Foundation for Research and Technology – Hellas (FORTH, Greece)
  • Research and Academic Computer Network (NASK, Poland)
  • 6cure SAS (6CURE, France)

Japanese consortium:

  • Nara Institute of Science and Technology (NAIST, Japan)
  • IIJ - Innovation Institute (IIJ-II, Japan)
  • National Institute of Informatics (NII, Japan)
  • Keio University (KEIO, Japan)
  • The University of Tokyo (UT, Japan)


  • NECOMA: Nippon-European Cyberdefense-Oriented Multilayer Analysis. Rozdział w książce: European Project Space on Networks, Systems and Technologies, w druku.
  • Paweł Pawliński, Adam Kozakiewicz. Lowering Cost of Data Exchange for Analysis and Defence. In proceedings of the Coordinating Attack Response at Internet Scale (CARIS) Workshop. Berlin, Germany, June 2015.
  • Michał Kruczkowski, Ewa Niewiadomska-Szynkiewicz, Adam Kozakiewicz. Cross-Layer Analysis of Malware Datasets for Malicious Campaign Identification. In Proceedings of the International Conference on Military Communications and Information Systems (ICMCIS 2015). Cracow, Poland, May 2015.
  • Michał Kruczkowski, Ewa Niewiadomska-Szynkiewicz, Adam Kozakiewicz. FP-tree and SVN for Malicious Web Campaign Detection. In Proceedings of the 7th Asian Conference Intelligent Information and Database Systems (ACIIDS 2015). Bali, Indonesia, March 2015.
  • Michał Kruczkowski, Ewa Niewiadomska-Szynkiewicz. Support Vector Machine for malware analysis and classification. In Proceedings of Web Intelligence (WI) and Intelligent Agent Technologies (IAT), 2014 IEEE/WIC/ACM International Joint Conferences on Web Intelligence. Warsaw, Poland. August, 2014.
  • P. Szynkiewicz, A. Kozakiewicz. System wytwarzania off-line sygnatur zagrożeń aktywnych. Przegląd telekomunikacyjny i wiadomości telekomunikacyjne, vol. 8-9, 1090–1098. September 2015.
  • Kozakiewicz, T. Pałka, P. Kijewski. Wykrywanie adresów serwerów C&C botnetów w danych ze środowisk sandbox. Przegląd telekomunikacyjny i wiadomości telekomunikacyjne, vol. 8-9, 1223-1231. September 2015.
  • M. Kruczkowski. System do wykrywania kampanii złośliwego oprogramowania. Przegląd telekomunikacyjny i wiadomości telekomunikacyjne, vol. 8-9, 789-797. September 2015.
  • Michał Kruczkowski, Ewa Niewiadomska-Szynkiewicz. Comparative study of supervised learning methods for malware analysis. Journal of Telecommunications and Information Technology (JTIT), Vol.4/2014, pp.1-10. December, 2014.