Secure Information Sharing Sensor Delivery event Network (SISSDEN)

  • Project name: Secure Information Sharing Sensor Delivery Event Network (SISSDEN)
  • Website: https://sissden.eu/
  • Source of funding: European Commission
  • Project goal: The goal of the project is to develop the tools necessary to acquire, store, analyse and share large-scale data and correlate them with data from other sources – for this purpose, we partnered with ShadowServer, national CERTs, ISPs and other major external subjects. The heart of the project is a global sensor network designed and implemented by the participants. Our researchers developed innovative architecture for the global sensor network (212 sensors in 53 countries, which makes it possible to monitor a total of nearly 900 addresses), contributing to the creation of a UX-optimised database containing the largest number of carefully selected, information-rich data needed to identify malicious software and behaviours. This system architecture allows for long-term, thorough analyses (lasting months, even years, unlike regular short-term analyses) of selected threats, offering deeper insights into attacker infrastructure, long-term targeting and potential relations between incidents.

PROJECT DESCRIPTION:

The project is a practical, and currently successful example of how to conduct broad, multi-dimensional exchanges of information on security incidents for the purpose of creating the most effective knowledge database possible. This is absolutely necessary to successfully implement cyberattack detection and response systems, both in public and commercial contexts. The useful information on hazards obtained via SISSDEN will be used to inform victims and combat attacks via such organisations as national CERTs, ISPs, hosting service providers and services such as EC3, free of charge.

A challenging innovation developed by the researchers was designing both the architecture of such a complex, highly scalable system and developing the algorithms and tools enabling its effective operation.

Together with CERT Poland, a system for analysing traffic using the darknet (network telescope) was developed, which enables automated classification and grouping of such security incidents as denial of service and other attacks. An important element of this system is our proprietary PGA (Packet Generation Algorithm) analysis module, which detects packet generation algorithms based solely by monitoring network traffic, but, unlike other simple rule-based systems, it utilises an advanced algorithm which detects various kinds of dependencies between individual packet header fields within a given group, and only then constructs rules.

Also developed was a method of deeper SMTP communication analysis which is used to filter mail. The multi-aspectual and multi-layered classification is expanded to include usually omitted elements of SMTP conversations, such as open and end commands, which resulted in the detection of double the amount of bot dialects, increasing filtration effectiveness.

The SISSDEN project was the first time we acted as the coordinator of a large European consortium, both at the application stage and after project commencement. It was largely thanks to the effective coordination of the efforts involved that a high-quality application could be submitted, as confirmed by the maximum score awarded by the reviewers (15/15 points). Our role in carrying out the project itself is also important and involves various research and coordinating the hardware acquisition and sensor system implementation processes.

PROJECT RESULTS:

To date, we have developed a series of innovative solutions as part of the SISSDEN project, of which we are the coordinator:

  • an extensive set of darknet data analysis methods for ongoing identification of various classes of incidents
  • a method of analysing packet generation algorithms used by malicious software in such attacks as DDoS, possible to be applied to darknet data and sandbox environment traffic
  • methods of continuous botnet configuration tracking, which include extensions to the existing system of extracting configurations from collected malicious software samples and a new system which emulates real bots to constantly track changes in their configuration
  • a method for analysing SMTP dialects which allows for the identification of client and server software used to send emails based on tiny differences in protocol implementation, possible to be applied regardless of spam identification content and the identification of botnets responsible for particular spam campaigns.

PROJECT PARTICIPANTS:

  • NASK PIB - leader
  • MONTIMAGE EURL (France)
  • CYBERDEFCON LIMITED (United Kingdom)
  • SAARLAND UNIVERSITY (Germany)
  • DEUTCHE TELEKOM AG (Geramany)
  • ECLEXYS SAGL (Switzerland)
  • POSTE ITALIANE – SOCIETA PER AZIONI (Italia)
  • Stichting The Shadowserver Foundation Europe (Netherlands)

RESEARCH PAPERS:

  • Kijewski, P; Jaroszewski, P; Urbanowicz, J; Jart Armin, The Never-Ending Game of Cyberattack Attribution: Exploring the Threats, Defenses and Research Gaps. Rozdział w książce: Combatting Cybercrime and Cyberterrorism - Challenges, Trends and Priorities; strony 175-192; 2016; Springer International Publishing
  • Jart armin, Bryn Thompson, Kijewski, P, Cybercrime Economic Costs: No Measure No Solution, Combatting Cybercrime and Cyberterrorism - Challenges, Trends and Priorities; strony 135-155; 2016; Springer International Publishing
  • Bazydło P., Lasota K., Kozakiewicz A. (2017) “Botnet Fingerprinting: Anomaly Detection in SMTP Conversations”. In: IEEE Security & Privacy, vol. 15, no. 6, pp. 25-32, November/December 2017, doi: 10.1109/MSP.2017.4251116