ParticipantsContact Us

WWW This Site

WP4: Data Collection and Correlation


This work package will develop a complete correlation engine solution for advanced cyber-security, by using commercially available Description Logic inference engines. The engine will manage a knowledge base and integrate input coming from different sources, including historic and actual data as well as mission impact model information. The engine will also cooperate with the visual analytics component to allow human operators to influence correlation operations by dynamically updating the knowledge base. The data collection component (i.e., the correlation engine and its knowledge base) will provide the necessary input for all the other components of the PANOPTESEC system.

EPIST is responsible for this work package.

Description of Work and Role of Partners

Task 4.1 - Collection and Correlation Analysis (Month 4 - 13)

The goal of this task is to identify user and system requirements in order to design an input-output model for the correlation engine (i.e., which data elements will be used as input for the engine, and what information the engine must provide to the rest of the system). A report deliverable (D4.1.1) will describe the requirements of the correlation engine.

Based on the input-output model, the knowledge base will be designed as well, including the available mission impact models. Once the design of the correlation engine (and its knowledge base) is completed, user and system requirements will be analysed in order to design the most appropriate correlation procedures, in the form of logic-based inference patterns. The design will be finalized by adding a high-level specification of how the correlation engine will interact with the visual analytics component, in order to allow human operators to modify the knowledge base. A report deliverable (D4.1.2) will capture the collection and correlation component design.

Specific contributions by SUPELEC and INRIA (third party to SUPELEC) in this task will involve 1) helping the administrator to generate automatically the correlation rules; 2) enhancing the existing correlation engine to take into account the knowledge base during the detection phase; and 3) contribute to the design for distributed versions of some correlation mechanisms. This work will rely on the description of the information required in the knowledge base (e.g., network topology, running services, deployed IDSes and probes, known vulnerabilities) and the description of the attack scenarios through enhanced attack trees. These contributions will continue for implementation activities described collectively with all identified participants in Tasks 4.2 and 4.3.

Responsible: EPIST; Participants: RHEA, EPIST, CIS-UROME, UzL, ACEA, SUPELEC

Task 4.2 - Collection and Correlation Analysis Implementation (Month 12 - 22)

The most adequate commercial description logics reasoner will be identified as the basis for the implementation of the correlation engine. The specific format of the input and output information will be defined, based on user and system requirements (i.e., other components in the PANOPTESEC architecture). Custom software modules will be designed and developed to encapsulate the reasoner and provide interface points and specific functionalities. A first, draft version of the knowledge base and the correlation procedures will be implemented as a first prototype (D4.2.1).

Responsible: EPIST; Participants: RHEA, EPIST, CIS-UROME, UzL, ACEA, SUPELEC

Task 4.3 - Collection and Correlation Analysis Refinement (Month 21 - 31)

The correlation engine will be tested in preparation for the operational workshop. Experiments will be conducted to evaluate the operation of the knowledge base and correlation procedures. Based on experimentation results, the knowledge base and correlation procedures will be refined accordingly. The input / output interface of the correlation engine will be updated and finalized based on the integration tests performed on the PANOPTES integration framework resulting from WP7.

The outcome of the task will be a tested and validated prototype of collection and correlation engine (D4.3.1) and its associated report (D4.3.2).

Responsible: EPIST; Participants: RHEA, EPIST, CIS-UROME, UzL, ACEA, SUPELEC