Have any questions?
+44 1234 567 890
Intrusion detection via multi-dimensional analysis of security data streams
The processes employed by modern businesses, and consequently their economic success, increasingly hinge upon IT-systems, which in turn are increasingly hard to defend against security risks. On the one hand high interconnectivity grants suppliers with the opportunity to implement more efficient process chains, on the other it introduces complex dependencies and new attack vectors. Meanwhile, the last decade has seen the rise of highly organized, professional, financially motivated attackers, threatening businesses with a multitude of criminal methods.
Furthermore, the growing integration of classic information technology (IT) and operational technology (OT) creates risks of its own. These call for an increased emphasis on logging and monitoring, in addition to classic methods like firewalls and malware protection, as businesses need to assume that
1. adversaries will bypass perimeter protection and that
2. deployed malware may not be detected.
Any intrusion can only be detected through unusual behaviour of systems or applications, as well as anomalous network communication. Detecting these anomalies usually requires the aggregation of data stemming from different systems in a centralized system for correlation and analysis. This gives rise to new challenges due to the large volume of data involved. Furthermore, the development of algorithms performing the analysis is hindered by the poor availability of concurrent annotated datasets required to train and evaluate them.
In today’s IT landscape multiple tools are already being used to detect attacks, weaknesses and undesired behaviour in computer systems and networks. Signature-based methods search for the occurrence of predefined negative behaviour. Anomaly-based methods, however, build a model of normal behaviour in order to find irregularities in new data. These irregularities tend to correspond to unwanted behaviour. The structure of the data, like attributes, metrics and aggregations, from which this model is built, needs to be defined a priori. This is problematic, since it limits the analysis to finding only the anomalies that are visible in that exact structure, while missing others.
This is why the objective of this project is to develop advanced concepts for automatic aggregation and analysis of network data related to information security. In addition to covering all possible data structures to detect a variety of anomalies, automatic aggregation directly yields the view of the data that best displays anomalies. As the aggregations are generated automatically, the configuration of the system is simplified.
One of the major concerns when constructing these concepts will be efficiency, since regular hardware needs to be sufficient for supporting the resulting system. Horizontal scalability will enable the system to grow alongside an expanding IT infrastructure. Another concern is the presentation of results, which is of increased importance in automated systems. On the one hand, the results and any information explaining their classification needs to be shared with other Monitoring- and SIEM-Systems (Security and Information Management) in a structured format (Indicator of Compromise). On the other, they need to be communicated to human Security Analysts, who perform manual analysis and need to react to malicious behaviour. This necessitates proper visualization of all relevant information.
Open Source. Open Solutions. Open Strategies. The mission of the Bremen-based IT system integrator and software house is to provide, optimize, secure and support innovative open source software solutions. Among the main priorities are security applications and monitoring systems, which can be implemented and continuously developed in customer centred projects using various products (SIEM systems, IDS, firewalls, VPN, Nagios, etc.). In addition to providing consulting, system management and software development, research projects are conducted in association with both national and international partners.
rt-solutions.de GmbH is a consulting firm which was founded in 2000 by scientists and entrepreneurs with the goal of realising performant and secure IT processes and infrastructures as a basis for effective business processes. rt-solutions.de provides consulting to leading international businesses in all questions regarding information security and data privacy. The core business of the firm are developing and operating security management systems and technological security measures, as well as auditing complex IT environments and conducting forensic investigations to analyse and solve security breaches.
The research group Trust@HsH has been operating in the areas of trusted computing, network security and mobile security since 2006. Various BMBF-funded research projects were conducted within these areas, like tNAC, ESUKOM, VisITMeta and SIMU. Members of the research group present their results on national and international conferences and workshops, while also actively participating as liaison members in the specification processes of the Trusted Computing Group, a worldwide consortium of major IT companies ans research institutions, with the purpose of introducing internationally recognized standards in the area of IT security.
The Plate Büromaterial Vertreibs GmbH consists of an association of companies, located in Bremerhaven, Isernhagen, Brandenburg, Magdeburg, Dessau, Leipzig, Duisburg, Hamburg, Düsseldorf, Freiburg, Ratingen and Gütersloh. Today the group employs over 300 people and sells about 100 mio. EUR worth of “everything good for the office” annually.
The sewage company hanseWasser Bremen GmbH of about 400 employees operates the 2,300 kilometre long sewer network beneath Bremen, while securing a cost effective and environmentally sensitive purification process in two water treatment plants, located in Seehausen and Farge, for about 50 mio. Cubic metres of sewage per year from Bremen, neighbouring communities, as well as industrial and business customers.
News from the GLACIER project
Conference entries and presentations
Project meetings, telephone conferences and other important dates
|22.06.2020||Bremen||Video conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|16.06.2020||Bremen||Developer video conference with the partners regarding visualization,
back-end development and anomaly detection
|08.06.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|18.05.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|12.05.2020||Cologne||Developer telephone conference with the partners regarding the programming language for visualization,
back-end development and anomaly detection
|04.05.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|20.04.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|06.04.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|26.03.2020||Bremen||Developer telephone conference with the partners regarding the incident report|
|23.03.2020||Bremen||Telephone conference with the partners regarding the work on AP1, AP2. AP3 and AP4|
|19.03.2020||Bremen||Developer telephone conference with the partners regarding the analysis process|
|09.03.2020||Bremen||Telephone conference with the partners regarding the work on AP1 and AP2|
|05.03.2020||Hannover||Developer workshop at the University of Applied Sciences in Hannover|
|19.02.2020||Bremen||Fourth project meeting at DECOIT GmbH in Bremen|
|14.02.2020||Bremen||Developer telephone conference with the partners regarding the anomalie detection|
|10.02.2020||Bremen||Telephone conference with the partners regarding the work on AP1 and AP2|
|27.01.2020||Bremen||Telephone conference with the partners regarding the work on AP1 and AP2|
|21.01.2020||Bremen||Developer telephone conference with the partners regarding the anomalie detection|
|20.01.2020||Bremen||Developer telephone conference with the partners regarding the Docker development|
|13.01.2020||Bremen||Telephone conference with the partners regarding the work on AP1 and AP2|
|09.01.2020||Bremen||Docker workshop with rt-solutions|
|16.12.2019||Bremen||Telephone conference with the partners regarding the work on AP1|
|05.12.2019||Bremen||Telephone conference with the partners regarding the development of agents|
|02.12.2019||Bremen||Telephone conference with the partners regarding the work on AP0 and AP1|
|14.11.2019||Cologne||Third project meeting at rt-solutions in Cologne|
|04.11.2019||Bremen||Telephone conference with the partners regarding the work on AP0 and AP1|
|21.10.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|07.10.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|23.09.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|09.09.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|26.08.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|19.08.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|12.08.2019||Bremen||Telephone conference with the developers regarding the high-level architecture|
|12.08.2019||Bremen||Telephone conference with the partners regarding the work on AP0 and AP1|
|30.07.2019||Hannover||Second project meeting in Hannover|
|15.07.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|01.07.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|17.06.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|27.05.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|26.05.2019||Bremen||Workshop at the associated partner hanseWasser|
|21.05.2019||Bremen||Open Source Business Day at the Bremen Chamber of Commerce|
|13.05.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|29.04.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|15.04.2019||Bremen||Telephone conference with the partners regarding the work on the AP0-reports|
|04.04.2019||Bremen||Kick-off meeting at DECOIT® GmbH|
|01.04.2019||Bremen||Official BMWi start date for the GLACIER project|
Zeek or advertised "The Zeek Network Security Monitor" is an open source framework for network analysis. It was originally developed by Vern Paxon in 1994, is licensed under the BSD license and consists of the programming language C++. It was originally called Bro and renamed Zeek in 2018. Zeek works as an Intrusion Detection System (IDS) and acts as a sensor to passively monitor the network. Zeek interprets network traffic and creates transaction logs with high fidelity, file content and customized output to provide it to a SIEM system in an analysis-friendly manner. Its script base allows for a wide variety of scenarios to be mapped.
OpenVAS is an open source framework consisting of various services and tools and thus forms a basis for vulnerability scanning and management. OpenVAS stands for "Open Vulnerability Assessment System", is subject to the GPL license and has been implemented in C programming language. The active security scanner has been embedded into the basic structure of the Greenbone Vulnerability Management (GVM) since 2019, as Greenbone Networks has been improving and extending OpenVAS since 2009, mainly for commercial use. The scanner is complemented by a daily updated feed service with over 50,000 Network Vulnerability Tests (NVT). The German Federal Office for Information Security (BSI) recommends OpenVAS for monitoring your own vulnerabilities and makes it available.
Wazuh is an open source based Intrusion Detection System (IDS) that can perform protocol analysis, integrity checks, Windows registry monitoring, rootkit detection, and time-based alerts, and enables active response. It is a fork of OSSEC (Open Source HIDS SECurity), which is used by the SIEM system OSSIM. It is licensed under the GNU GPLv2 license and can be used for any operating system.
RabbitMQ is an open source based message broker implemented on the basis of the Advanced Messaging Queuing Protocol (AMQP). AMQP is an open standard that represents a binary network protocol that communicates between client and message broker independent of the programming language. Erlang was used as the RabbitMQ programming language and it is subject to the Mozilla Public License. With RabbitMQ it is possible to develop large systems independently of each other by using queues for effective data exchange. Messaging with high data volume can be carried out reliably.
Docker is an open source software for isolating applications by means of container virtualization. Docker is based on the programming language Go and can be used on any operating system. It is subject to the Apache license 2.0 and simplifies the deployment of applications. Containers ensure the separation and management of computer resources. This includes code, runtime module, system tools and system libraries. Docker also offers embedded version management.