The project ESUKOM, represented by the project-leader DECOIT GmbH, has been invited to the workshop of the European research project MASSIF (www.massif-project.eu) during the EU forum Cyber Security & Privacy (www.cspforum.eu) in Berlin, to discuss the development of anomaly detection which has been developed within the BMBF founded project ESUKOM (www.esukom.de). Goal of the international workshop between 24. and 25. April was to build cluster between European research projects for bundeling the different developments. Within this event several projects presented their research results with the focus on "security and privacy".
The workshop of MASSIF consisted of different presentations of the project partners and a concluding panel discussion. Fraunhofer SIT presented the advanced security monitoring with the approach of SIEM. Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. MASSIF itself is an IP project within the framework of FP7 of the European Union (EU). Requirements of the projects are to find better interoperability, scalability, and flexibility. The project includes research institutes, industry partner, and SIEM providers. MASSIF uses a requirement-oriented system design, in which the project starts with the business goals, go further to the used applications, and conclude with the security questions. As use cases can be named money transfer with mobile phones and managed enterprise service infrastructures. The control of the processes within the IT infrastructure is an important goal of MASSIF. Many new recommendations have been defined for the next generation of SIEM. That includes cross-layer event filtering for the correlation of different messages, similar to the approach of ESUKOM. A security information metadata model has been developed, but it has been not defined yet if the IF-MAP standard will be used.
Within the workshop MASSIF presented the cooperations to other research projects, like ESUKOM. Additionally an user group has been established, which includes also the ESUKOM project, and the IF-MAP server of ESUKOM (developed by the University of Applied Science in Hanover) is used. For the roadmap MASSIF will also integrate cloud and virtualisation approaches. The project has many goals for the duration of three years. Critical infrastructures should be ensure by MASSIF. Examples are the Olympic Games or big dams. The developed GET framework makes it possible to collect different events and a correlation into a common format for the comparison of the collected events. The approach is an overlay support for monitoring and control technologies without functional features. The security approach contents only a formell description of the system behaviour and the security requirements without a special technical developement. More information can be found at www.massif-project.eu.
Finally the panel discussion of the MASSIF workshop talked how it would be possible to generate false alarms to flooding a monitoring system. Then normal attacks can not be recognise anymore. The approaches to prevent such a scenario by MASSIF are available, but it is not clear how can this approaches be realised. In the future the approach of ESUKOM for the anomaly recognition can be used in MASSIF, but the sensors must be able to support the Trusted Computing protocol IF-MAP. That will further discuss and is not available yet. The reason is that embedded systems like sensors can not integrate new protocols easily. Both projects will further talk about the different approaches to find a solution.
