SDCI Sec: SESv3 (Security Event System - Version 3)

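Basic information

  • Award number:
    1127425
  • Principal investigator:
  • Amount:
    $ 799.3 thousand
  • Host institution:
  • Host institution country:
    United States
  • Project type:
    Standard Grant
  • Fiscal year:
    2011
  • Funding country:
    United States
  • Period:
    2011-08-01 to 2015-05-31
  • Project status:
    Completed

Project abstract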

Activities undertaken in the SESv3 Federated Security Intelligence project will develop significant new capabilities supporting the collection and sharing of cybersecurity threat data and intelligence, and a rich analytic knowledge of the reputation and forensic history of Internet elements. Work will be based on the existing open source REN-ISAC Security Event System (SES) and sister system, the Collective Intelligence Framework (CIF). Developed capabilities will be transitioned to operational practice in the REN-ISAC community, supporting security protection and response in the higher education and research communities, and will support the sharing of security event and incident intelligence among other discrete trust federations.

In 2008-9, REN-ISAC developed SESv1 with funding from the US Department of Justice through Internet2. A production service in the REN-ISAC community, SESv1 collects aggregated security event information from participating sites and information sharing partners, correlates the data to develop confidence in the identification of bad actors, and provides resulting high-confidence threat intelligence back to participating sites for use in local protections. SESv2, to be deployed summer 2011, advances SES with the addition of the "Collective Intelligence Framework". CIF integrates a vast array of data from private partners, public sources, and mining, to provide intelligence supporting reputational knowledge and forensic history of Internet elements, including IP address, URL, domain name, CIDR, AS, and email addresses.

SDCI Sec: SESv3 will substantially increase the reputational knowledgebase and forensic history by incorporating additional data types, such as BGP and passive DNS. These data types will permit analytic identification of miscreant cyber infrastructures. Free form data types such as e-mail, IRC, tweets, etc. will be incorporated to enrich threat understanding by correlating human conversations with the structured security event information. The underlying repository and system architectures will be redesigned in order to support massive scaling required by the additional data types and historical record. Leveraging the flexible SES/CIF v2 RESTful API, access and submission to SES and CIF will be incorporated into common incident analyst and responder tools. And importantly, methods will be implemented permitting unique and discrete information sharing trust communities to share event and incident intelligence, mediated by policy. SESv3 will be transitioned to operational status in the REN-ISAC community, providing direct support to the higher education and research communities, will be open source published, and the SESv3 team will continue with their strong advocacy for standards-based security information interchange, and SES/CIF technologies in the security community at-large.

Intellectual Merit: SDCI Sec: SESv3 will lead development and deployment of inter-community security event and incident information sharing (addressing technical and policy issues), will significantly reduce human interrupt in the discovery, analysis, and protect cycle, and will develop advanced correlations among threat data types. SESv3 will provide novel integration of federation-based intelligence and data collection into the workflow of the security incident responder and analyst, and novel correlation of human conversations to structured data regarding Internet elements.

Broader Impact: SDCI Sec: SESv3 will provide fundamental improvement to national and international capabilities concerning the protection of critical cyberinfrastructure. Intelligence developed and shared in SES is actionable, and is a resource for understanding threat and criminal operations. Advanced new capabilities and information sharing relationships with industry, government, and law enforcement will be established in REN-ISAC, supporting the research and education sector. Outside R&E, national capabilities and information sharing practice will be stimulated by SESv3 concepts, open source code, data standards advocacy, and the technical and policy information sharing frameworks.

Project outcomes

Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)

Other publications by Douglas Pearson

Behavioral effects of moderate lead exposure in children and animal models: part 1, clinical studies.
  • DOI:
    10.3109/10408448009037491
  • Year published:
    1980
  • Journal:
  • Impact factor:
    5.9
  • Authors:
    R. Bornschein;Douglas Pearson;Lawrence W. Reiter;Lester D. Grant
  • Corresponding author:
    Lester D. Grant
Generalized imitative affection: relationship to prior kinds of imitation training.
  • DOI:
    10.1016/0022-0965(73)90067-2
  • Year published:
    1973
  • Journal:
  • Impact factor:
    2.6
  • Authors:
    L. E. Acker;Margaret A Acker;Douglas Pearson
  • Corresponding author:
    Douglas Pearson

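Similar NSFC (National Natural Science Foundation of China) grants

Mechanism of femtosecond-laser control of attosecond charge migration and its application to haloacetylenes
  • Award number:
    12374267
  • Year approved:
    2023
  • Funding amount:
    CNY 500,000
  • Project type:
    General Program
Femtosecond laser direct writing methods for chalcogenide-polymer-based phase-type mid-infrared micro-optical elements
  • Award number:
    62375224
  • Year approved:
    2023
  • Funding amount:
    CNY 480,000
  • Project type:
    General Program
Discovery of resin glycoside Sec61α inhibitors and study of their potential anti-coronavirus activity
  • Award number:
    32370419
  • Year approved:
    2023
  • Funding amount:
    CNY 500,000
  • Project type:
    General Program
A millimeter-wave fractional-N all-digital phase-locked loop with 50 fs jitter
  • Award number:
    62374156
  • Year approved:
    2023
  • Funding amount:
    CNY 550,000
  • Project type:
    General Program
High-power nanosecond-pulse single-longitudinal-mode diamond Raman laser technology
  • Award number:
    62375107
  • Year approved:
    2023
  • Funding amount:
    CNY 470,000
  • Project type:
    General Program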

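Similar overseas grants

Extending laser-driven circularly polarized femtosecond soft X-ray pulses to time-resolved X-ray magnetic circular dichroism measurements
  • Award number:
    23K22468
  • Fiscal year:
    2024
  • Funding amount:
    $ 799.3 thousand
  • Project type:
    Grant-in-Aid for Scientific Research (B)
Development of a mid-infrared laser-driven X-ray spectroscopy system for zeptosecond atomic, molecular, and particle physics
  • Award number:
    23K26570
  • Fiscal year:
    2024
  • Funding amount:
    $ 799.3 thousand
  • Project type:
    Grant-in-Aid for Scientific Research (B)
Elucidating relaxation mechanisms in the interaction of femtosecond pulses with matter by first-principles calculations
  • Award number:
    24K08277
  • Fiscal year:
    2024
  • Funding amount:
    $ 799.3 thousand
  • Project type:
    Grant-in-Aid for Scientific Research (C)
Advancing SiC inverter surge insulation: elucidating partial discharge under high-repetition nanosecond pulse voltage
  • Award number:
    24K00874
  • Fiscal year:
    2024
  • Funding amount:
    $ 799.3 thousand
  • Project type:
    Grant-in-Aid for Scientific Research (B)
Pioneering a new 3D printing technology using nanosecond pulsed electric field melting
  • Award number:
    24KJ1175
  • Fiscal year:
    2024
  • Funding amount:
    $ 799.3 thousand
  • Project type:
    Grant-in-Aid for JSPS Fellows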