Genomförbarhetsstudie:	<Panoptes>
Sökt belopp från Vinnova:	–
Sökande organisation:	<RISE AB>
Projektledare:	<Nicolae Paladi, Ph.D>
Genomförandeperiod:	<2020-01-07 – 2020-07-31>

Summary

Small and Medium Enterprises and Micro Enterprises (SMEs & MEs) largely lack awareness of cyber security risks and have few resources to prevent, detect and counter them. Since antivirus software has limited capability to prevent data theft, managed security services (MSS) have become an effective tool to address security risks [1]. MSS is a rapidly growing industry: it is projected that Global managed security services market revenues could surpass $45 billion by 2022  However, important technical challenges must be addressed to make managed security services both widely affordable and useful for SMEs & MEs.

RISE AB (Kista, SE) and F-Secure (FI) aim to build a consortium to address this. Since September 2018, RISE and F-Secure collaborated on defining the research questions. The upcoming EU H2020 call on cyber security are a suitable framework to address the research questions and implement a working prototype.

Idea

State of the art cyber security risk management in enterprises relies on antivirus software, managed security services and possibly in-house security expertise.

Antivirus software is commonly used to protect endpoint devices from malicious software (or malware). Antiviruses work by blocking launched software with signatures matching entries in a locally stored database of known malware. This approach relies on a priori knowledge of malicious software and can be easily circumvented by skilled and determined attackers. 

Managed security services (MSS) are more effective against new and more advanced attacks: managed security service providers (MSSPs) use high-availability security operation centers to provide non-stop remote monitoring and management of cyber security services (including firewalls, intrusion detection and vulnerability scanning). When an intrusion or attack is detected and is not reliably stopped by existing software solutions, security analysts examine the incidents and remotely implement remediation steps. MSS allow to limit the operational security personnel that an enterprise needs to hire, train and retain to maintain an acceptable security posture (Fig. 1). However, MSS have two important limitations:

• First, large volumes of data (in the order of petabytes) must be collected, transferred to the MSSP and stored over a long period of time, resulting in high costs and data management challenges. 
• Second, deciding if a security incident is an attack or a false positive, as well as identifying mitigation actions based only on the experience of human operators is infeasible in the long run: it is error-prone, does not scale, and has even a human cost, leading to frequent cases of professional burnouts among security analysts.
  

Our goal is to reduce data collection for MSS, reduce the time needed to analyze security incidents, and make MSS radically more effective and affordable.

The vision of the project is to improve management of cyber security risks for SMEs & MEs using affordable means, thus reducing theft of core innovations and prevent crippling ransomware attacks. We believe the project vision can be achieved by combining two approaches:

1. Develop pre-trained machine learning models deployable in enterprise environments to distinguish benign activity and thus limit the collection of data points to cases of potentially malicious activity.
2. Develop a recommender system to assist security analysts based on activity logs and expert knowledge [3]. The recommender system will assist security analysts by suggesting mitigation actions that correspond to earlier known attack patterns.

The main idea of this project rests on two observations. First, the vast majority of data ingested by the MSS back-end is benign and presents little interest (indeed, around 99% of the data presents no interest whatsoever). However, this data must be collected, analyzed and later stored for a long time. Second, even though many approaches for detecting malicious activity are available [2] and used in practice, eliminating false positives and responding to security incidents through MSS remains labor-intensive, costly and does not scale. The two observations led to the conclusion that managed security services can be effectively improved with minimal cost using managed security services built around improved selection of collected data points and a recommender system for incident response.

There is a large body of work on malware classification for malware detection [2]. We will build on prior knowledge to develop a model that does not suffer from the shortcomings of the commonly used machine learning classifiers. The default classifier (called k-means) partitions data points into k groups. Simply put, a new data point can then be classified as “benign or malicious”, depending on which group it is allocated to. Our method will not require the number of clusters to be known in advance, plus new data arriving will not require recalculating the existing data set. This is in essence feature engineering, deciding which system attributes to monitor & classify. The model will have an architecture allowing it to effectively support transfer learning [5] and be effective on endpoint devices [7].

Recommender system architectures are a related, and likewise widely studied field [8]. Recommender system applications were primarily used for product and service recommendations. The simplest algorithm computes cosine or correlation similarity of rows (users) or columns (items) and recommends items that k - nearest neighbors have selected. Support-vector machines were earlier proposed for condition monitoring and fault diagnosis or mechanical devices [9]. However, recommender systems were not earlier proposed for cyber security attack mitigation. This may be due to reasons such as limited data availability (cyber security companies and antivirus companies are notoriously secretive) or significantly larger solution space (mechanical and electrical devices can have a limited, relatively small set of possible faults).

We intend to develop a recommender system capable to use existing data on security incidents, mitigation actions and results in order to assist security analysts in future incidents. Internal availability of such data at F-Secure is a core advantage of the project. Our intent is to develop the recommender system and train it on F-Secure premises in order to avoid the restrictions related to release of sensitive data. 

The intended program

We selected the H2020 target call SU-DS02-2020: Intelligent security and privacy management. The rationale is that the project idea and the current consortium are a perfect fit for this call.

Potential

This project has good potential to influence both industry (its primary target) and the research community. The direct impact of this work will be to improve the efficiency of managed security services and make them more affordable. This will lead to improved enterprise cybersecurity, better attack detection, and – crucially – better utilization of the scarce cybersecurity competence.

The artifacts produced within the project will enable existing and new MSSPs to focus on their core competence – detecting and counteracting cyber threats. This will reduce the effort spent on ancillary concerns such as transferring, filtering and storing large amounts of data, as well as dealing with the lack of cybersecurity competence and high turnover of security analysts.

Lower costs and improved quality of MSSs will make the service feasible and attractive for a wider spectrum of organizations – both private companies and public institutions. Evolving managed security services will not remove the need for in-house cybersecurity competence in all organizations. However, it will help complement the knowledge of domain-specific cybersecurity risks with expert recommendation systems and experienced cyber security specialists.

The project aims to advance the state of the art in the technology supporting MSS. While a variety of toolsets is currently available, they do not fully use the potential of machine learning to minimize data collection, reduce the need to store large amounts of data and improve attack response through expert recommender systems. The project artifacts will be available to existing and new MSSPs. By reducing the volume of collected information, the outcomes of the project will improve the privacy of individuals working in organizations that use MSS, since benign activities will not be collected and analyzed.

Actors in the study

The two partners mentioned in the Summary section will contribute in the feasibility study. These partners will conduct a study on behalf of other partners – listed below – interested to join the subsequent project proposal. All partners are expected to provide their input and by arranging several physical and virtual meetings we plan to align their perspectives with the overall goal of the project. Based on the existing consortium, the following areas of expertise have been already identified: 

1. Cybersecurity at RISE AB has a track record of computer security work, in platform security for server, mobile and embedded devices; security in distributed systems and cloud computing; access control; network communication security. The Security Lab will provide the theoretical and hands-on background for platform and network security monitoring in enterprise systems. Two senior researchers from RISE will work on this feasibility study:
   1. Nicolae Paladi (male) will be responsible for the prestudy. He will work on defining a project concept that will serve the basis for the target H2020 call as well as on forming the consortium.
   2. Ian Marsh (male) will contribute to the prestudy with expertise in data minimization and machine learning. He will actively participate in  consortium building activities.
2. F-Secure is a Finnish cyber security company based in Helsinki, Finland. The company develops and sells cyber security products, as well as provides MSS. F-Secure will contribute with domain knowledge, complementary prototype development and deployment, and datasets for prototype testing. The main contact is Alexey Kirichenko (male), a senior research leader. He will contribute to building the consortium and identifying a coordinator for the target H2020 call. 

Roadmap

Date	Action	Notes
Jan 2020	Visit F-Secure (FI)
February  2020	Visit Eurecom (FR) and INRIA (FR)	Partners with expertise in endpoint security and machine learning (1) and software security (2)
Feb-July 2020	Investigate feature engineering to reduce data collection	Validation of the project idea
June 2020	Consortium partners committed to a focus topic for the project proposal	Main roles for the project defined and agreed by this point.
August 2020	Application submission	Target: SU-DS02-2020: Intelligent security and privacy management

Consortium and skills

We envision a consortium that will combine multidisciplinary competencies and resources from academia, industry and research community focusing on cyber security, machine learning, big data and data analytics domains.

Beyond the currently committed members (RISE AB and F-Secure), we will extend the consortium based on the following criteria: i) critical mass within a close but diverse geographic area; ii) complementary expertise; iii) capacity to validate the new technology on the market. Prospective research partners include: Eurecom (FR; contact: Melek Önen (female)); INRIA (FR; contact: Valérie Viet Triem Tong (female)), University of Westminster (UK; contact: Tamas Kiss (male)), NEC labs (DE; contact: Felix Klaedtke (male)), NTUA (GR; contact: Yiannis Verginadis (male)).  F-Secure will identify SMEs willing to participate in the consortium as use case partners. RISE and F-Secure will jointly identify a suitable coordinator for the H2020 target call. In case no suitable third party coordinator is found RISE or F-Secure are ready to take on the coordinator role.

Results of the feasibility study

1. State of the art report focusing on the use of machine learning in MSS.
2. Investigation of reducing data collection with improved selection of data features and machine learning model architectures.
3. Definition of the main problem that we will focus on in a larger project
4. Consortium building with additional partners to cover competence areas:
   1. Scalability aspects of machine learning.
   2. Integrity and confidentiality of machine learning models in remote, potentially untrusted environments.

Feasibility Study Costs and Financing

Resource	Detail
Number of active researchers	2
Researcher level	Senior
Rate (level 2019)	–
Hours proposed	–
FTE	0.25
Travel	–
Total	4-

Table 3: Administrative summary for Panoptes

References

[1] Xia Zhao, Ling Xue & Andrew B. Whinston (2013) Managing Interdependent Information Security Risks: Cyber-Insurance, Managed Security Services, and Risk Pooling Arrangements, Journal of Management Information Systems, 30:1, 123-152

[2] Berman, D.S.; Buczak, A.L.; Chavis, J.S.; Corbett, C.L. A Survey of Deep Learning Methods for Cyber Security. Information 2019, 10, 122.

[3] Troy Nunnally, Kulsoom Abdullah, A. Selcuk Uluagac, John A. Copeland, and Raheem Beyah. 2013. NAVSEC: a recommender system for 3D network security visualizations. In Proceedings of the Tenth Workshop on Visualization for Cyber Security (VizSec ’13), John Goodall, Kwan-Liu Ma, Sophie Engle, and Fabian Fischer (Eds.). ACM, New York, USA, 41-48. 

[4] Yuan, Zhenlong, et al. “Droid-sec: deep learning in Android malware detection.” ACM SIGCOMM Computer Communication Review. Vol. 44. No. 4. ACM, 2014.

[5] Bekerman, Dmitri, et al. “Unknown malware detection using network traffic classification.” 2015 IEEE Conference on Communications and Network Security (CNS). IEEE, 2015.

[6] IBM Infrastructure Security Services Managed Network Security Services Service Description https://www.ibm.com/services/multimedia/I126-5942-EN-04.pdf

[7] Jordan, Michael I., and Tom M. Mitchell. “Machine learning: Trends, perspectives, and prospects.” Science 349.6245 (2015): 255-260.

[8] Shuai Zhang, Lina Yao, Aixin Sun, and Yi Tay. 2019. Deep Learning Based Recommender System: A Survey and New Perspectives, ACM Comput. Surv. 52, 1, Article 5 (February 2019), 38 pages. DOI: https://doi.org/10.1145/3285029

[9] Widodo, Achmad, and Bo-Suk Yang. “Support vector machine in machine condition monitoring and fault diagnosis.” Mechanical systems and signal processing 21.6 (2007): 2560-2574.