SDCI Sec: SESv3 (Security Event System - Version 3)

SDCI Sec：SESv3（安全事件系统 - 版本 3）

• 批准号: 1127425
• 负责人: Douglas Pearson
• 金额: $ 79.93万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-08-01 至 2015-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1127425&HistoricalAwards=false
• 关键词: SDCI; Sec; SESv3; Security; Event

Activities undertaken in the SESv3 Federated Security Intelligence project will develop significant new capabilities supporting the collection and sharing of cybersecurity threat data and intelligence, and a rich analytic knowledge of the reputation and forensic history of Internet elements. Work will be based on the existing open source REN-ISAC Security Event System (SES) and sister system, the Collective Intelligence Framework (CIF). Developed capabilities will be transitioned to operational practice in the REN-ISAC community, supporting security protection and response in the higher education and research communities, and will support the sharing of security event and incident intelligence among other discrete trust federations.In 2008-9, REN-ISAC developed SESv1 with funding from the US Department of Justice through Internet2. A production service in the REN-ISAC community, SESv1 collects aggregated security event information from participating sites and information sharing partners, correlates the data to develop confidence in the identification of bad actors, and provides resulting high-confidence threat intelligence back to participating sites for use in local protections. SESv2, to be deployed summer 2011, advances SES with the addition of the "Collective Intelligence Framework". CIF integrates a vast array of data from private partners, public sources, and mining, to provide intelligence supporting reputational knowledge and forensic history of Internet elements, including IP address, URL, domain name, CIDR, AS, and email addresses.SDCI Sec: SESv3 will substantially increase the reputational knowledgebase and forensic history by incorporating additional data types, such as BGP and passive DNS. These data types will permit analytic identification of miscreant cyber infrastructures. Free form data types such as e-mail, IRC, tweets, etc. will be incorporated to enrich threat understanding by correlating human conversations with the structured security event information. The underlying repository and system architectures will be redesigned in order to support massive scaling required by the additional data types and historical record. Leveraging the flexible SES/CIF v2 RESTful API, access and submission to SES and CIF will be incorporated into common incident analyst and responder tools. And importantly, methods will be implemented permitting unique and discrete information sharing trust communities to share event and incident intelligence, mediated by policy. SESv3 will be transitioned to operational status in the REN-ISAC community, providing direct support to the higher education and research communities, will be open source published, and the SESv3 team will continue with their strong advocacy for standards-based security information interchange, and SES/CIF technologies in the security community at-large.Intellectual Merit: SDCI Sec: SESv3 will lead development and deployment of inter-community security event and incident information sharing (addressing technical and policy issues), will significantly reduce human interrupt in the discovery, analysis, and protect cycle, and will develop advanced correlations among threat data types. SESv3 will provide novel integration of federation-based intelligence and data collection into the workflow of the security incident responder and analyst, and novel correlation of human conversations to structured data regarding Internet elements.Broader Impact: SDCI Sec: SESv3 will provide fundamental improvement to national and international capabilities concerning the protection of critical cyberinfrastructure. Intelligence developed and shared in SES is actionable, and is a resource for understanding threat and criminal operations. Advanced new capabilities and information sharing relationships with industry, government, and law enforcement will be established in REN-ISAC, supporting the research and education sector. Outside R&E, national capabilities and information sharing practice will be stimulated by SESv3 concepts, open source code, data standards advocacy, and the technical and policy information sharing frameworks.

SESv3 联合安全情报项目中开展的活动将开发重要的新功能，支持网络安全威胁数据和情报的收集和共享，以及对互联网元素的声誉和取证历史的丰富分析知识。工作将基于现有的开源 REN-ISAC 安全事件系统 (SES) 和姊妹系统集体智能框架 (CIF)。开发的能力将转化为 REN-ISAC 社区的操作实践，支持高等教育和研究社区的安全保护和响应，并将支持在其他离散信任联盟之间共享安全事件和事件情报。2008 年 9 月， REN-ISAC 在美国司法部通过 Internet2 提供的资助下开发了 SESv1。 SESv1 是 REN-ISAC 社区中的一项生产服务，它从参与站点和信息共享合作伙伴收集汇总的安全事件信息，关联数据以增强识别不良行为者的信心，并将生成的高可信度威胁情报返回给参与站点，以供识别。用于地方保护。 SESv2 将于 2011 年夏季部署，通过添加“集体智能框架”来推进 SES。 CIF 集成了来自私人合作伙伴、公共来源和挖掘的大量数据，以提供支持声誉知识和互联网元素取证历史的情报，包括 IP 地址、URL、域名、CIDR、AS 和电子邮件地址。SDCI Sec： SESv3 将通过合并 BGP 和被动 DNS 等其他数据类型，大幅增加声誉知识库和取证历史。这些数据类型将允许对恶意网络基础设施进行分析识别。将合并电子邮件、IRC、推文等自由格式数据类型，通过将人类对话与结构化安全事件信息相关联来丰富威胁理解。底层存储库和系统架构将被重新设计，以支持额外数据类型和历史记录所需的大规模扩展。利用灵活的 SES/CIF v2 RESTful API，对 SES 和 CIF 的访问和提交将被纳入常见的事件分析师和响应者工具中。重要的是，将实施一些方法，允许独特且离散的信息共享信任社区在政策的调解下共享事件和事件情报。 SESv3 将在 REN-ISAC 社区中过渡到运行状态，为高等教育和研究社区提供直接支持，并将开源发布，SESv3 团队将继续大力倡导基于标准的安全信息交换，并且整个安全社区中的 SES/CIF 技术。智力优点：SDCI Sec：SESv3 将领导社区间安全事件和事件信息共享的开发和部署（解决技术和政策问题），将显着减少发现、分析和保护周期中的人为干扰，并将在威胁数据类型之间建立高级关联。 SESv3 将以新颖的方式将基于联合的情报和数据收集集成到安全事件响应者和分析师的工作流程中，并以新颖的方式将人类对话与有关互联网元素的结构化数据相关联。 更广泛的影响：SDCI Sec：SESv3 将为国家安全事件响应者和分析师的工作流程提供根本性的改进以及有关保护关键网络基础设施的国际能力。 SES 中开发和共享的情报具有可操作性，是了解威胁和犯罪活动的资源。 REN-ISAC 将建立先进的新功能以及与行业、政府和执法部门的信息共享关系，为研究和教育部门提供支持。在研发之外，SESv3 概念、开源代码、数据标准倡导以及技术和政策信息共享框架将激发国家能力和信息共享实践。