Presentation on theme: "DETECT DEtection Test bed for Event Correlation and Tuning Marc Dacier, Eurecom"— Presentation transcript:
DETECT DEtection Test bed for Event Correlation and Tuning Marc Dacier, Eurecom
Contributors University of Milano (Italy): D. Buschi Internet Systematics Lab (Greece) : Y. Corovesis Institut Eurecom (France): M. Dacier France Telecom R&D (France), H. Debar Chalmers University (Sweden): E. Jonsson Université Catholique de Louvain (Belgium): B. Le Charlier Joint Research Centre, Ispra (Italy): P. Loekkemyhr Defence Science and Technology Laboratory (Dstl, UK): T. McCutcheon Queensland University of Technology (Australia): G. Mohay Centre de Recherche Droit et Informatique, FUNDP Namur (Belgium): Y. Poullet IBM Zurich Research Laboratorium (Switzerland): A. Wespi
Paradigm Shift From Security by Obscurity –The bad guys dont know how to break into the system. To Security by Ignorance –The good guys dont know how to break into the system.
Assumptions There exists a large deployment of reliable sensors that capture data about real attacks: –DESIRE (?) –Honeynet project (?) –… ? Gathered data are freely available. The collection process is precisely defined
Open Issues Can we use these data in order to get a better understanding of the threats we are facing ? Can we use the data to validate the models? Can we carry out epidemiological studies? Can we use those data for educational purposes?
Research items Data Analysis techniques Fault taxonomy Modelling of attack patterns Trends analysis Validation of scenarios Forensic Analysis Identification of new modus operandi. Correlation of alerts Legal issues ….
Expected outcome A better understanding of the threats. A community-building task for research on malicious faults. Educational material. Input for the developpers and the security community as a whole.
Define vs. Desire Desire is where we could build such a large intrusion tolerant test bed. Define is where we would analyse together the available data.
Why a NoE ? Joint use of infrastructure Mutual cooperation but individual specialization. multidisciplinarity
Why Define ? JER -> Central Topics -> System Evaluation -> Field Experiments