KMUFA IKTA (Infocommunication Technologies and Applications)
Project Title: Development of Remote Security Management System
Project Acronym: TVF
Project ID: IKTA-00149/2000
Project URL: http://www.icon.hu/OMFB/index.html
Project coordinator: ICON Computing Ltd. (Szabolcs Konkoly-Thege, szkonkoly@icon.hu)
Proposers: ICON Computing Ltd.; Budapest Univ. of Technology and Economics (BUTE), Dept. of Measurement and Information Systems (DMIS)
Project duration: 21 months (from 1st of Jan. 2001 to 30 September 2002)
Project funding from Ministry of Education: 44.240.000.- HUF / 19.040.000.- HUF for BUTE DMIS
Contact person at BUTE: Zoltán Hornák
Organization: Budapest University of Technology and Economics, Department of Measurement and Information Systems
Address: H-1117 Budapest, Magyar tudósok krt. 2.
Phone: +36-30-9401457
Fax: +36 1 463 4112
Email:
URL: http://www.mit.bme.hu/searchlab
ICON Computing Ltd. and the Department of Measurement and Information Systems of the Budapest University of Technology and Economics intend to develop a Remote Security Management System within the confines of a two-year-long cooperation agreement. The R&D project is supported by the Research and Development Division of the Ministry of Education through the IKTA-3 programme.
The basic idea of the Remote Security Management System was inspired by the similarities between computer network security and ordinary physical safeguarding systems. For ordinary installations it is common practice to transfer the alert signals of the installed intrusion detection systems to a dispatcher centre, where the alerts are handled in a centralized manner. In the world of informatics this solution has not been realized yet, because of several technical problems: incompatibilities between products, ambiguous alerts, false alarms and the lack of means for remote intervention. Solving the problems of remote computer security management would be an important research result, as the technology itself is more efficient and economical than local security management.
One of the greatest challenges in remote computer security management is that the notion of intrusion is not as easily definable as in ordinary safeguarding systems. Security appliances generate alerts with different warning levels and diverse semantics; moreover, these messages often prove to be false alarms. Selecting the messages with valuable content from the numerous, many-layered reports definitely requires intelligent decisions. This intelligent filtering functionality can be supported by an artificial intelligence module: the system learns commonly occurring situations that have already proven to be false alarms, and later on these cases are recognized and the false alarms can be filtered out. In order to realize this kind of functionality we intend to utilize data mining methods, where, after a certain training period, the algorithm looks for coincidences between alert messages and other environmental parameters (e.g. operating system logs). The discovered patterns are analyzed by experts, who decide whether a rule can be used to avoid false alarms or to recognize a tricky exploit. By gathering the accepted rules into a central knowledge base, the system can transfer generally applicable rules between different systems (one centre can serve several smaller systems), but it is also possible to learn the characteristics of each local system.
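The following Python script is an added illustration of the workflow described above and is not code from the TVF project. It assumes a simplified form of the data mining step: alerts and operating system log events are matched on the same host within a time window, the co-occurrence of each (alert signature, log event) pair is counted, and pairs with sufficient support and confidence become candidate patterns. A hypothetical expert review step turns candidates into knowledge-base rules labelled either "false_alarm" or "attack", and a classifier then applies those rules to new alerts. All alerts, log lines, hosts and signature names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    signature: str


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    host: str
    event: str


def t(s):
    """Parse a constructed ISO timestamp."""
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical hosts and signatures).
# The nightly backup job on srv1 repeatedly triggers a PORTSCAN alert,
# while the SSH_BRUTE alerts coincide with genuine sshd failure bursts.
ALERTS = [
    Alert(t("2001-03-01T02:00:10"), "srv1", "PORTSCAN"),
    Alert(t("2001-03-02T02:00:12"), "srv1", "PORTSCAN"),
    Alert(t("2001-03-03T02:00:08"), "srv1", "PORTSCAN"),
    Alert(t("2001-03-04T02:00:11"), "srv1", "PORTSCAN"),
    Alert(t("2001-03-02T14:31:00"), "srv2", "PORTSCAN"),
    Alert(t("2001-03-01T03:15:00"), "srv1", "SSH_BRUTE"),
    Alert(t("2001-03-03T03:20:00"), "srv1", "SSH_BRUTE"),
    Alert(t("2001-03-04T03:10:00"), "srv1", "SSH_BRUTE"),
]

OS_LOGS = [
    LogEvent(t("2001-03-01T02:00:00"), "srv1", "cron: backup job started"),
    LogEvent(t("2001-03-02T02:00:00"), "srv1", "cron: backup job started"),
    LogEvent(t("2001-03-03T02:00:00"), "srv1", "cron: backup job started"),
    LogEvent(t("2001-03-04T02:00:00"), "srv1", "cron: backup job started"),
    LogEvent(t("2001-03-05T02:00:00"), "srv1", "cron: backup job started"),
    LogEvent(t("2001-03-02T14:30:30"), "srv2", "kernel: link up"),
    LogEvent(t("2001-03-01T03:14:50"), "srv1", "sshd: repeated authentication failures"),
    LogEvent(t("2001-03-03T03:19:55"), "srv1", "sshd: repeated authentication failures"),
    LogEvent(t("2001-03-04T03:10:05"), "srv1", "sshd: repeated authentication failures"),
]

WINDOW = timedelta(minutes=2)  # assumed coincidence window


def coincident_events(alert, logs, window=WINDOW):
    """OS log event types seen on the alert's host within +/- window."""
    return {e.event for e in logs
            if e.host == alert.host and abs(e.ts - alert.ts) <= window}


def mine_patterns(alerts, logs, min_support=3, min_confidence=0.8, window=WINDOW):
    """Training step: count (signature, event) coincidences and keep the
    pairs that occur often enough (support) and for a large enough share
    of that signature's alerts (confidence)."""
    sig_total = defaultdict(int)
    pair_count = defaultdict(int)
    for a in alerts:
        sig_total[a.signature] += 1
        for ev in coincident_events(a, logs, window):
            pair_count[(a.signature, ev)] += 1
    patterns = []
    for (sig, ev), n in sorted(pair_count.items()):
        conf = n / sig_total[sig]
        if n >= min_support and conf >= min_confidence:
            patterns.append({"signature": sig, "event": ev,
                             "support": n, "confidence": round(conf, 2)})
    return patterns


def review_patterns(patterns, decisions):
    """Expert review: decisions maps (signature, event) to 'false_alarm'
    or 'attack'; only reviewed patterns enter the knowledge base."""
    return [{**p, "verdict": decisions[(p["signature"], p["event"])]}
            for p in patterns if (p["signature"], p["event"]) in decisions]


def classify(alert, logs, knowledge_base, window=WINDOW):
    """Apply knowledge-base rules to a new alert: return the verdict of the
    first matching rule, or 'forward' so the dispatcher centre sees it."""
    events = coincident_events(alert, logs, window)
    for rule in knowledge_base:
        if rule["signature"] == alert.signature and rule["event"] in events:
            return rule["verdict"]
    return "forward"


def demo_knowledge_base():
    """Mine the constructed data and apply a hypothetical expert's decisions."""
    decisions = {
        ("PORTSCAN", "cron: backup job started"): "false_alarm",
        ("SSH_BRUTE", "sshd: repeated authentication failures"): "attack",
    }
    return review_patterns(mine_patterns(ALERTS, OS_LOGS), decisions)


if __name__ == "__main__":
    kb = demo_knowledge_base()
    for rule in kb:
        print(rule)
    new_alert = Alert(t("2001-03-05T02:00:15"), "srv1", "PORTSCAN")
    print(classify(new_alert, OS_LOGS, kb))
```

The confidence threshold is what keeps a one-off coincidence (the single srv2 alert next to a "link up" event) out of the candidate list, and the review step is deliberately separate from mining: a pattern only suppresses or escalates alerts after a person has labelled it, which matches the expert-in-the-loop design the paragraph describes. The same knowledge base can be shipped to several monitored systems, or kept per system when the learned patterns are site-specific.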