H2020 CyberSANE project (https://www.cybersane-project.eu)
Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures

Newsletter #6 – August 2022
https://www.cybersane-project.eu/newsletter-6/
Wed, 31 Aug 2022

The sixth and final edition of CyberSANE’s biannual newsletter is now available. Find out what has transpired since our last newsletter in June in the final months of the project: project updates, participation in events including the CyberSANE 2022 Workshop, our final event, as well as blog posts and publications! Don’t forget, if you are also curious about the people behind CyberSANE, then you can also meet three more of our partners, in charge of our three pilots!

 

Protecting health CIIs: challenges and lessons learnt
https://www.cybersane-project.eu/protecting-health-ciis-challenges-lessons-learnt/
Wed, 31 Aug 2022

The third CyberSANE pilot took place on the 1st of July 2022 and was focused on the detection and communication of cyber-threats within hospitals.

In a regular hospital environment there are numerous medical devices for imaging, such as ultrasound imaging, magnetic resonance imaging or computer tomography devices. Those devices produce medical data linked to individual patients during diagnostic processes. The whole system of medical devices and their data is protected with firewalls and is therefore organized in virtual local area network segments. Nevertheless, imaging devices have a relatively large attack potential, as the focus during the integration of those devices into a clinical IT infrastructure often hides potential IT security risks. Furthermore, medical technology is increasingly connected to network functionalities in order to better orchestrate clinical and business processes; it used to be built for closed subsystems, but nowadays it is more closely tied to the hospital’s information technology. In addition, advancing digital transformation in the hospital environment leads to a large heterogeneity at the infrastructure and application layers. This makes it harder for technical staff to remain aware of all the possibilities for cyber-attacks.

The following diagram shows a general view on the IT infrastructure within a hospital:

As an example, service technicians regularly provide support for medical devices and thus access potentially critical medical IT networks. This is a weak point for hospital IT security.

For the CyberSANE pilot, we focused on simulated attacks during the maintenance of an ultrasound device. The pilot demonstrated the identification of a cyber-threat caused by an external attack in a simulated hospital environment, and the communication of lessons learned to partners using the CyberSANE platform. The diagram shown below illustrates the CyberSANE healthcare pilot deployment.

Subcomponents such as SiVi, a part of LiveNet, and L-ADS, a part of HybridNet, were used to localize the attack flow. Furthermore, an analysis of potential cyber-attacks in the media using EventRegistry and the knowledge exchanged with partners using ShareNet were presented.

The following three scenarios were conducted in the CyberSANE healthcare pilot:

  • Scenario 1 – External attack due to an infected service technician’s notebook
  • Scenario 2 – Malware spreads into local network and performs DoS attacks
  • Scenario 3 – Rapid communication with other hospitals about threat

The main challenges during the preparation and operation phases of the CyberSANE healthcare pilot were:

  •  Defining realistic scenarios within a simulated environment of a healthcare provider
  •  Demonstrations in critical infrastructures such as hospitals
    •  Difficulties in replicating the infrastructure using a simulated environment
    •  Use of sensitive or confidential patient data only after synthesizing and anonymizing it
  •  Pilot operation and demonstration by connecting the local hospital IT infrastructure with the cloud-based CyberSANE platform

Some lessons learnt during the CyberSANE healthcare pilot were:

  •  Promising for rapid information exchange on cyber-attacks and potential threats within a hospital network
    •  Larger hospitals in Germany are part of the so-called KRITIS (critical infrastructures)
    •  They are obliged to inform the German federal office of security in information technology (BSI) (see the diagram below)
    •  The CyberSANE platform would allow interaction with partner and regional hospitals about possible and actual cyber-attacks in a timely and structured manner
  •  Harmonisation of local Information Security Management Systems (ISMS) with other hospitals
    • The CyberSANE platform assists by creating common attack patterns and identifying special anomalies
    • Educational awareness of the local Security Operations Center (SOC)

To learn more about the Healthcare Pilot case study, visit the event’s blog post and watch the recording today. If you want to learn more about CyberSANE, visit the blog post for the CyberSANE 2022 ARES Workshop and catch up on the recordings as well.


International Workshop on Cybersecurity on Critical Infrastructures Management (CyberSANE 2022)
https://www.cybersane-project.eu/cybersane-2022/
Tue, 23 Aug 2022

Updated 25th August 2022


On the 23rd August 2022, CyberSANE held the International Workshop on Cybersecurity on Critical Infrastructures Management (CyberSANE 2022). The objectives of this workshop were to present the CyberSANE project and its architecture to participants. Furthermore, we presented the three use cases as well as the results of their respective studies. We also talked about the various standardisation activities undertaken during the project as well as various business models. It was held in conjunction with the 17th International Conference on Availability, Reliability and Security (ARES 2022), in Vienna, Austria.

See below for an overview of the agenda, as well as the list of speakers.

If you missed the workshop, don’t worry: you can catch up on the project’s pitch at the start of the ARES Conference, as well as the workshop itself:

Part 1

Part 2


Agenda

15:45 – 16:00: From Zero to Hero (Luis Landeiro Ribeiro, PDMFC)
16:00 – 16:45: CyberSANE Platform Overview (Thanos Karantjias, Maggioli)
16:45 – 17:15: CyberSANE Business models (Armend Duzha, Maggioli)
17:15 – 17:30: Coffee Break
17:30 – 18:30: CyberSANE pilots: use cases and lessons learnt (Guillermo Yuste, Atos; Pablo Giménez Salazar, VPF; Robert Bordianu, LSE; Andrius Patapovas, KN)
18:30 – 18:45: Standardisation Activities (Manos Athanatos, FORTH)
18:45 – 19:00: Q&A (Thanos Karantjias, Maggioli; Luis Landeiro Ribeiro, PDMFC)


 

The event has passed, registration is now closed

 

 


What is ARES 2022?

The International Conference on Availability, Reliability and Security (ARES) brings together researchers and practitioners in the field of IT security & privacy. Since 2005, ARES serves as an important platform to exchange, discuss and transfer knowledge and is hosted every year in another European city.

The 2022 conference is the 17th edition of ARES and will be held from August 23 to August 26, 2022 in Vienna, Austria. The International IFIP Cross Domain Conference for Machine Learning & Knowledge Extraction (CD-MAKE) will be co-located with ARES 2022!

Visit their website to see a list of keynote speakers as well as the detailed program of the conference.


Speakers

 

 

Jorge Martins

PDMFC

 

 

Head of PMO at PDMFC, Project Manager for the CyberSANE project.

 

 

Luis Landeiro Ribeiro

PDMFC

 

 

Luis Ribeiro received his B. Tech from Instituto Superior Técnico – Lisbon in 2007 and his M.S. in Information & Computer Science from the Instituto Superior Técnico – Lisbon in 2007, with a dissertation on agents for massive multiplayer online games, which would later become the core of version 2.0 of the online game Almansur (www.almansur.net). He started his career in 2002 as an undergraduate researcher for the INESC-ID SAT group, developing optimization techniques for speeding up SAT solvers on complex NP-complete problems.

From 2004 to 2006 he worked as an algorithm specialist at SIEMENS R&D, during which time he created a routing simulator algorithm and a network element simulator for the STP and MSTP protocols. Between 2006 and 2007 he worked on his master’s thesis and finished the first commercial version of Almansur. He is a technical evangelist at PDMFC, making sure everyone is up to date on the usage of new technologies. In the past he led the CSIRT team at Vodafone Portugal and worked as an expert advisor to the CSIRTs of several Portuguese national entities. He currently splits his time between security research projects and management of the PDMFC group.

 

 

Thanos Karantjias

Maggioli

 

 

Dr. A. Karantjias obtained his degree in Electrical and Computer Engineering from the University of Patras (Greece) in 2000 and a PhD in Computer Science from the National Technical University of Athens (Greece) in 2005. His current research interests include the identification, design and evaluation of synchronous security and privacy issues in Critical Infrastructures (e.g. ports, airports, hospitals), as well as the analysis, modelling and interpretation of data for the proper design, implementation and utilization of advanced computerised models, reaching new machine learning models and algorithms. He has been involved in a set of European and national research projects and has authored over 35 publications on several topics such as cyber security, privacy, modern architecture design, and others.

 

Guillermo Yuste

Atos

 

 

Guillermo Yuste is a software engineer with extensive experience in designing and testing applications. He started his career seeking vulnerabilities in web applications and shortly afterwards specialized in the development of anomaly detection programs. He is also experienced in risk model definition and cyber risk management. He is currently a cybersecurity analyst in the Atos Digital Security & Computer Vision group. He has been working for several years on H2020 European projects, mainly but not only developing cybersecurity sensors and deploying and optimizing SIEM tools.

 

 

Armend Duzha

Maggioli

 

 

Bio coming soon

 

 

Pablo Giménez

Fundacion Valenciaport

 

 

Pablo Gimenez, Ph.D., received his M.Sc. degree in telecommunication engineering from the Universitat Politecnica de Valencia. He made his final project about nutritional applications in TSB, a research group dedicated to improving health and well-being. Later he became a member of the Distributed Real-Time Systems research group of the Communication Department at the UPV, where he received his Ph.D. He has been involved in research projects related to the implementation of SWE to logistics services, industrial safety and security assurance for smart grids safer. He is currently working at the Valenciaport Foundation as a developer in research projects related to IT and IoT.

 

 

Robert Bordianu

Lightsource Labs

 

 

Bio coming soon

 

Andrius Patapovas

Klinikum Nurnberg

 

 

Prof. Andrius Patapovas is a lecturer at the Nuremberg School of Health in the field of digitization in healthcare systems since 2021 and assists the CyberSANE Project on behalf of Klinikum Nuremberg. In 2010 he completed his master’s degree in computer science at the University of Leipzig and started working as a research assistant at the Friedrich-Alexander-University Erlangen-Nuremberg. In his doctorate thesis he was focusing on optimization of computerized decision support systems for drug therapy safety. He holds a doctorate degree in medical informatics. In 2015 he switched to a medical technology manufacturer as a management consultant and dealt with the application of IT technologies for process optimization in hospitals worldwide. Between 2019 and 2021, he led a division called business organization at the municipal hospital and was responsible for digital transformation of the healthcare provider.

 

 

Manos Athanatos

FORTH

 

 

Manos has received his B.S. (’05) and M.Sc. (’07) degrees in Computer Science from the University of Crete, Greece. His main research interests are in the areas of systems, network and system security, deception technologies, network monitoring and Cyber Ranges. He is currently a Technical Project Manager for FORTH, handling numerous Cybersecurity H2020 projects like SMESEC, SPIDER, CyberSANE, PUZZLE and ASCAPE. He was the Scientific and technical manager of CIPSEC and participated in numerous FP6, FP7 and H2020 projects since 2005.

CyberSANE components data-flow and system operation
https://www.cybersane-project.eu/data-flow-and-system-operation/
Mon, 08 Aug 2022

The CyberSANE platform is built from six core structural components:

  • The Live Security Monitoring and Analysis (LiveNet) component, which is capable of preventing and detecting threats, providing security professionals with insights and a track record of the activities within their Information Technology environment
  • The Deep and Dark Web Mining and Intelligence (DarkNet) component, which allows the exploitation and analysis of information related to security risks and threats from the deep and dark Web
  • The Data Fusion, Risk Evaluation and Event Management (HybridNet) component, which provides the intelligence needed to perform effective and efficient analysis of security events. This is achieved based, on the one hand, on information produced and extracted by HybridNet itself and, on the other, on information and data derived and acquired by the LiveNet and DarkNet components
  • The Intelligence and Information Sharing and Dissemination (ShareNet) component, which provides the threat intelligence and information sharing capabilities the critical infrastructure needs with the external parties it would like to involve, allowing them to determine the trustworthiness of each information source
  • The Privacy & Data Protection (PrivacyNet) Orchestrator, which is responsible for managing and orchestrating the application of the required privacy mechanisms, maximizing achievable levels of confidentiality and data protection
  • The CyberSANE central component, which stands in the middle of all CyberSANE services and system blocks, implementing a set of services for the web applications and the integration services required with all the tools that reside within the CyberSANE ecosystem.

This centralized element is a componentized module, enabling the interoperation of the core CyberSANE platform with every specific tool available. It consists of five concrete, custom sub-adapters: LiveNet, DarkNet, HybridNet, ShareNet, and PrivacyNet.

Each one of the aforementioned sub-modules serves as a broker middleware, which ensures that:

  • Each available tool from the CyberSANE Ecosystem is successfully integrated within the CyberSANE core component
  • All received messages are properly transformed and forwarded to other internal CyberSANE core modules for further processing. This is achieved by invoking multiple internal modules and aggregating the results.
  • Routing functionalities (“from” and “to” the CyberSANE core component) are properly executed.

Therefore, it meets the basic CyberSANE integration needs, and tries to “standardize” a more concrete integration model and architecture for each CyberSANE component, since the list of resources (tools and systems) may be bigger in the near future. In addition, this broker model enables the provision of monitoring and auditing functions and trails to support both offline analysis and real-time troubleshooting.


Newsletter #5 – June 2022
https://www.cybersane-project.eu/newsletter-5/
Thu, 30 Jun 2022

The fifth edition of CyberSANE’s biannual newsletter is now available. Find out what has transpired since our last newsletter in January: project updates, participation in events including the CyberSANE Pilot Case Studies, as well as blog posts and publications! Don’t forget, if you are also curious about the people behind CyberSANE, then you can also meet four more of our partners!

Using Deep learning for Anomaly Detection in CyberSANE
https://www.cybersane-project.eu/anomaly-detection/
Mon, 13 Jun 2022

In the last decades, the entire world has experienced a huge digital transformation. The amount of data exchanged between organizations has increased dramatically. The massive volume of data flowing across the net every minute has created an unprecedented risk and has led to a significant technology race to secure data and communications. Nowadays, the resources that a potential attacker has at their disposal cover a very wide spectrum, from malware to zero-day exploit programs.

However, many organizations are not efficient enough at recognizing the impact of emerging technologies on cybersecurity. This is especially dangerous for critical information infrastructures (CIIs), and in many cases the resources allocated to cyber protection are not enough. As a result, these centres rely on classical, outdated, static anomaly-detection barriers that are no longer valid against the latest attacks. The only way to create a defence against an attack that hasn’t happened yet is to predict it.

In the CyberSANE project we scrutinize all received traffic in real time and analyse patterns, trying always to be one step ahead of cyber-attacks. The component in charge of this function is HybridNet, which is composed of different assets such as L-ADS (Live Anomaly Detection System), CARMEN and SiVi. Together they cover the full spectrum of artificial intelligence to perform efficient security analysis. In this article we will describe the core of L-ADS.

The L-ADS (Live Anomaly Detection System) aims to classify, in real time, anomalous connections to a certain network. It is based on a deep learning algorithm called an autoencoder. This kind of algorithm tries to learn the normal behaviour of the network using the following variables: source and destination IPs, ports, number of bytes, number of packets, protocol used during the connection and duration of the connection. Once the algorithm has been trained on normal traffic, it can classify any new connection: if a connection is too different from the learned behaviour, it is categorised as an “anomalous” connection; otherwise, it is categorised as a “legit” connection.

If something potentially dangerous is detected, it is sent to LiveNet, where advanced correlation rules are applied, and the predictions made by the L-ADS (and other HybridNet components) are compared with traffic and data received from other sensors in order to complete the incident knowledge base.
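The train-on-normal, score-by-reconstruction-error idea described for L-ADS can be sketched as follows. This is an added example, not CyberSANE code: the tiny pure-Python autoencoder, the feature subset (IP addresses omitted), the constructed flows and the threshold rule are all assumptions.

```python
import math
import random

# Subset of the variables the article lists; IP addresses are left out (assumption).
FIELDS = ("dst_port", "protocol", "bytes", "packets", "duration")


def features(flow):
    """Raw numeric vector for one flow; counters go on a log scale."""
    return [flow["dst_port"] / 65535.0, flow["protocol"] / 255.0,
            math.log1p(flow["bytes"]), math.log1p(flow["packets"]), flow["duration"]]


class Scaler:
    """Min-max scaling fitted on normal traffic only."""
    def __init__(self, rows):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.span = [(max(c) - min(c)) or 1.0 for c in cols]

    def __call__(self, row):
        return [(v - lo) / s for v, lo, s in zip(row, self.lo, self.span)]


class AutoEncoder:
    """n_in -> n_hidden -> n_in: tanh bottleneck, linear output, plain SGD."""
    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def _forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        y = [sum(w * v for w, v in zip(row, h)) + b
             for row, b in zip(self.w2, self.b2)]
        return h, y

    def error(self, x):
        """Mean squared reconstruction error, used as the anomaly score."""
        _, y = self._forward(x)
        return sum((a - b) ** 2 for a, b in zip(y, x)) / len(x)

    def train(self, data, epochs=200, lr=0.1, seed=0):
        rng = random.Random(seed)
        data = list(data)
        n = len(data[0])
        for _ in range(epochs):
            rng.shuffle(data)
            for x in data:
                h, y = self._forward(x)
                d_out = [2.0 * (yj - xj) / n for yj, xj in zip(y, x)]
                # Gradient at the bottleneck, computed before w2 is updated.
                d_hid = [(1.0 - hk * hk) * sum(d_out[j] * self.w2[j][k] for j in range(n))
                         for k, hk in enumerate(h)]
                for j, dj in enumerate(d_out):
                    for k, hk in enumerate(h):
                        self.w2[j][k] -= lr * dj * hk
                    self.b2[j] -= lr * dj
                for k, dk in enumerate(d_hid):
                    for i, xi in enumerate(x):
                        self.w1[k][i] -= lr * dk * xi
                    self.b1[k] -= lr * dk


class Detector:
    """Train on normal flows, then flag flows that reconstruct badly."""
    def __init__(self, training_flows, margin=1.5):
        raw = [features(f) for f in training_flows]
        self.scale = Scaler(raw)
        scaled = [self.scale(r) for r in raw]
        self.model = AutoEncoder(len(FIELDS), 2)
        self.model.train(scaled)
        # Threshold choice is an assumption: worst training error plus a margin.
        self.threshold = margin * max(self.model.error(x) for x in scaled)

    def score(self, flow):
        return self.model.error(self.scale(features(flow)))

    def classify(self, flow):
        return "anomalous" if self.score(flow) > self.threshold else "legit"


def normal_flows():
    """Constructed sample: HTTPS-like flows whose bytes, packets and duration move together."""
    return [{"dst_port": 443, "protocol": 6, "packets": 5 + i % 40,
             "bytes": (5 + i % 40) * 600 + (i * 37) % 200,
             "duration": 0.02 * (5 + i % 40) + (i % 7) * 0.001} for i in range(200)]


# Constructed flood-like flow: far more packets, bytes and time than anything seen in training.
FLOOD = {"dst_port": 443, "protocol": 6, "packets": 50000, "bytes": 3000000, "duration": 120.0}

if __name__ == "__main__":
    det = Detector(normal_flows())
    print({name: det.classify(f) for name, f in (("normal", normal_flows()[10]), ("flood", FLOOD))})
```

The scaler is fitted on normal traffic only, so a flow outside the learned ranges lands far from anything the bottleneck can reconstruct and its error rises well above the threshold.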


CyberSANE Health Pilot Case Study
https://www.cybersane-project.eu/cybersane-pilot-case-study-3/
Fri, 10 Jun 2022


Updated 1st July 2022

On the 1st July 2022, CyberSANE hosted its third and final Pilot Case Study, organised by Klinikum Nurnberg. This Pilot Case Study took place from 10:00 to 12:00 CET, via Microsoft Teams.

This pilot tested and validated the CyberSANE System in the scope of a cyber-attack scenario on a simulated infrastructure of a health care provider, hosted by Klinikum Nurnberg.

Participation in this event is free of charge; however, registration is required.

After the event, participants received an anonymous questionnaire to provide their opinion and comments on the pilot study (see Information Sheet and Consent Form conditions upon registration).

See below for an overview of the agenda, as well as the list of speakers and presentations used during the event.

If you missed the event, then don’t worry, you can catch up on what happened here:

 

 

Presentations Coming Soon

 


Agenda

10:00 – 10:05: Welcome and Opening (Andrius Patapovas, KN; Jorge Martins, PDMFC)
10:05 – 10:20: CyberSANE Overview (Jorge Martins, PDMFC)
10:20 – 11:00: CyberSANE platform architecture and technical modules – Platform training session (Thanos Karantjias, Maggioli)
11:00 – 11:10: Health Pilot – Real-Time Patient Monitoring and Treatment Service: Description (Andrius Patapovas, KN)
11:15 – 11:45: Health Pilot – Real-Time Patient Monitoring and Treatment Service: Pilot Execution (Andrius Patapovas, KN; Thanos Karantjias, Maggioli; Luis Landeiro Ribeiro, PDMFC)
11:45 – 12:00: Questions and feedback (INRIA)


 

The event has passed, registration is now closed

 

 


Speakers

 

 

Jorge Martins

PDMFC

 

 

Head of PMO at PDMFC, Project Manager for the CyberSANE project.

 

 

Andrius Patapovas

Klinikum Nurnberg

 

 

Bio coming soon

 

Thanos Karantjias

Maggioli

 

 

Dr. A. Karantjias obtained his degree in Electrical and Computer Engineering from the University of Patras (Greece) in 2000 and a PhD in Computer Science from the National Technical University of Athens (Greece) in 2005. His current research interests include the identification, design and evaluation of synchronous security and privacy issues in Critical Infrastructures (e.g. ports, airports, hospitals), as well as the analysis, modelling and interpretation of data for the proper design, implementation and utilization of advanced computerised models, reaching new machine learning models and algorithms. He has been involved in a set of European and national research projects and has authored over 35 publications on several topics such as cyber security, privacy, modern architecture design, and others.

 

Luis Landeiro Ribeiro

PDMFC

 

 

Luis Ribeiro received his B. Tech from Instituto Superior Técnico – Lisbon in 2007 and his M.S. in Information & Computer Science from the Instituto Superior Técnico – Lisbon in 2007, with a dissertation on agents for massive multiplayer online games, which would later become the core of version 2.0 of the online game Almansur (www.almansur.net). He started his career in 2002 as an undergraduate researcher for the INESC-ID SAT group, developing optimization techniques for speeding up SAT solvers on complex NP-complete problems.

From 2004 to 2006 he worked as an algorithm specialist at SIEMENS R&D, during which time he created a routing simulator algorithm and a network element simulator for the STP and MSTP protocols. Between 2006 and 2007 he worked on his master’s thesis and finished the first commercial version of Almansur. He is a technical evangelist at PDMFC, making sure everyone is up to date on the usage of new technologies. In the past he led the CSIRT team at Vodafone Portugal and worked as an expert advisor to the CSIRTs of several Portuguese national entities. He currently splits his time between security research projects and management of the PDMFC group.

Protecting Energy CIIs: Challenges & Obstacles
https://www.cybersane-project.eu/protecting-energy-ciis-challenges-obstacles/
Tue, 07 Jun 2022

The CyberSANE platform has been deployed and tested in three different real-world domains: transport, energy and health. The first one was a container cargo transportation pilot developed in the port of Valencia and related to a platform for sharing data linked to the containers’ weight certificate. The second one – the energy pilot – was carried out by Lightsource Labs with other partners from the CyberSANE project team, including the project coordinator – PDMFC – and Maggioli, FORTH, JSI, CNR, Atos and Ubitech.

The demonstration event for the CyberSANE Energy pilot was held on Tuesday 5th April 2022. The energy pilot tested and validated the CyberSANE System by showcasing a variety of potential cyber-attack scenarios within a Solar Energy management platform. This energy management platform is used for several digital services such as helping to ensure the electrical grid and reducing the cost of electricity.

During the design and preparation phase of the different attack scenarios for the pilot, the project partners identified several challenges that needed to be solved before performing the demonstration:

  • The first challenge was the very definition of the scenarios. Several workshops amongst CyberSANE partners took place to define the final scenarios and detect any vulnerabilities to cyber-attacks on the infrastructure.

  • A challenging aspect of the pilot was to execute the demonstrations within the critical infrastructures. It is not an insignificant challenge to get the correct authorizations for the relevant equipment and allowing the replication in the defined scenarios. Data on these systems is confidential for security reasons. A main objective for demonstration purposes was to select processes with non-sensitive data, and virtual data was used in the case of the energy pilot adding an additional layer of security.

  • The Energy pilot was the second of three demonstration pilots and although the platform was mature enough, some issues and bugs were detected due to the integration of a variety of tools. As each tool is owned by a different project partner, bilateral meetings were required to solve various issues related to the deployment, integration and execution.

The live demonstration was a success and can be viewed at the following link:

https://www.cybersane-project.eu/cybersane-pilot-case-study-2/


CyberSANE at CoRes 2022
https://www.cybersane-project.eu/cybersane-at-cores-2022/
Tue, 17 May 2022

Updated 17th May 2022


On the 30th and 31st May 2022, CyberSANE will participate in the 7th Francophone Meeting on the Design of Protocols, Performance Evaluation and Experimentation of Communication Networks – CoRes 2022 conference in Saint-Rémy-Lès-Chevreuse, France.

During the conference, Edward Staddon from Inria will present their paper AODV-Miner : Routage par Consensus Basé sur la Réputation.


What is CoRes 2022?

The 7th Francophone Meeting on the Design of Protocols, Performance Evaluation and Experimentation of Communication Networks, or CoRes 2022, is a conference to bring together the French-speaking community around issues related to the design, modelling, performance evaluation and experimentation of communication networks. It is co-organized with Algotel 2022, which will offer the possibility of having, within the same place, close communities who do not often have the opportunity to meet. Following the same principle as Algotel, the objective will be to produce an overview of the best recent work of the “networks and protocols” community in the form of short papers and interactive talks. No exclusivity is required and work already presented or soon to be presented in leading conferences and journals is particularly welcome. Here is a non-exhaustive list of topics on which papers are invited:

  • Network architectures
  • Algorithmic aspects of operational networks
  • Performance evaluation
  • Enterprise, data centre and storage networks
  • SDN, NFV and network programming
  • 5G Communications, Applications and Technologies
  • Networks and technologies for the Internet of Things
  • Collection, analysis and processing of data for networks
  • Experimental results on operational networks or network applications
  • Energy efficient communications
  • Network management
  • Security and Privacy
  • Access, network, transport and application level protocols
  • Network diagnosis and repair
  • Metrology
  • Peer-to-peer and content distribution networks
  • Traffic Engineering
  • Mobile network protocols and applications (e.g., ITS, VANET, UAV)
  • New network uses.

Advanced Visualisation Techniques
https://www.cybersane-project.eu/advanced-visualisation-techniques/
Tue, 17 May 2022

Web crawlers are special applications used to create a copy of all the visited web pages for later processing. They are mainly used for indexing websites to facilitate web search engines but are also used for web archiving, web mining and web monitoring. The basic idea of web crawling is simple: given a set of starting URLs, a crawler downloads all the web pages addressed by the URLs, extracts the hyperlinks contained in the pages, and iteratively downloads the web pages addressed by these hyperlinks.

The data collection service that specifically crawls Dark Web sites requires a set of initialisation steps. These include the instantiation services, the proxies and the set-up of a keyword list for targeted look-ups, which narrows the search space in the Dark Web to the concepts that refer to cybersecurity incidents (e.g. hacks, SQL injection, DDoS attacks, etc.), email accounts (e.g. pwned email accounts for breached corporate data, job titles, names, phone numbers, physical addresses, social media profiles, etc.), an organisation’s leaked corporate information and its email servers (e.g. blacklisted email servers or blocked web services).

The data migration, harmonisation and linkage services include a set of modules to store, harmonise and link the collected data with related cybersecurity concepts and ontologies. After collecting the data from the Dark Web sites, we store and index them through Elasticsearch. When we retrieve an HTML page, we convert the raw HTML to cleaned text that contains all the HTML content, and this cleaned text is used as the input for the TF-IDF vectorizer. After the data collection and harmonisation, we perform text and graph analytics using state-of-the-art Machine Learning algorithms, such as clustering.

The intuition is to group the HTML pages that we collect based on their content similarity, and to monitor the critical score by means of top-k queries on the frequency of the cybersecurity terms detected in the pages, as well as the way the URLs are linked in a concept graph map. To make the text and graph analytics easier for users to interpret, we expose the back-end APIs through intuitive visualization charts. The purpose of collecting these web data sources is to extract useful information that can be visualised to report on illegal trading of breached data in marketplaces, blacklisted email servers and news about corporate rumours concerning small enterprises found in the Dark Web sites.

The pie chart has been chosen to indicate, as percentages, which keywords appear most often in the Dark Web pages with content related to cyber-attacks. For instance, hack, malware, and inject are the keywords with the most instances in our data collection, but at the same time they are very generic. Other documents, including those mentioning phishing, trojan or DDoS, contain much more focused information about cybersecurity incidents, although with fewer instances.

Percentage of Cyber-concepts in Texts

The root URLs can also be visualised in a heatmap, together with the criticality score of the keywords/cyber-concepts found in them. The criticality score per keyword within each URL is computed according to its category (e.g., CYBER_ATTACKS vs. ALIANSES) and the number of instances found. By using these two features, we can distinguish URLs that may contain critical information, such as breached data, preparation/call for an attack, etc. We also use these features to highlight and extract the most suspicious URLs, in order to create a new set of seed URLs for a new and more focused search.

Heatmap Score of URL vs Cyber-concepts
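
A sketch of the heatmap scoring and seed selection described above, as an added example rather than CyberSANE's own code. The category weights, the keyword list, the weight-times-count formula and the threshold are all assumptions, since the post names only the two input features.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed weights and keyword lists: the page names the categories but gives no formula.
CATEGORY_WEIGHT = {"CYBER_ATTACKS": 3.0, "ALIANSES": 1.0}
KEYWORDS = {"phishing": "CYBER_ATTACKS", "ddos": "CYBER_ATTACKS",
            "trojan": "CYBER_ATTACKS", "crew": "ALIANSES"}

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def clean_html(raw):
    """Raw HTML -> lower-cased, whitespace-normalised text."""
    parser = _TextExtractor()
    parser.feed(raw)
    parser.close()
    return " ".join(" ".join(parser.parts).split()).lower()

def criticality_row(raw_html):
    """One heatmap row: keyword -> category weight * whole-word instances."""
    counts = Counter(re.findall(r"[a-z0-9_]+", clean_html(raw_html)))
    return {kw: CATEGORY_WEIGHT[cat] * counts[kw]
            for kw, cat in KEYWORDS.items() if counts[kw]}

def next_seeds(pages, threshold):
    """URLs whose summed score reaches the threshold, most critical first."""
    totals = {url: sum(criticality_row(html).values()) for url, html in pages.items()}
    return sorted((u for u, t in totals.items() if t >= threshold), key=lambda u: -totals[u])

# Constructed sample pages (not real crawl data).
PAGES = {
    "http://example-a.invalid/": "<script>var ddos=1;</script><p>Phishing kit, DDoS service, phishing logs</p>",
    "http://example-b.invalid/": "<p>Our crew sells books</p>",
    "http://example-c.invalid/": "<p>Cooking recipes</p>",
}
```

Skipping script and style bodies keeps markup-only occurrences (the `ddos` variable in the first sample) from inflating a page's score.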

The connections between keywords in our collection are also illustrated as a graph. We used statistical analysis (i.e., the “significant text” query from Elasticsearch) to find hidden connections between keywords, which indicate that some concepts are related in our data collection. We use sampling to find the keyword connections. For example, the graph visualization shows that “csrf” is one of several terms strongly associated with “backdoor” or “xss”. It occurs in only a few documents in our index, and most of those documents also appear in the “backdoor” and “xss” results. That suggests a “significant” word.

Graph visualization of significant terms interrelated in the Dark Web sites

Document clustering depicts the top-k words of each cluster. We conclude that illegal or inappropriate content is grouped together and that the cyber-incidents are grouped within the CYBER_ATTACKS category, while documents without any cyber-concept form their own cluster, which sets concepts irrelevant to our context apart.

Clusters of Dark Web documents based on their content
