09 January 2020
Research Challenges and Requirements to Manage Digital Evidence
The goal of CyberSec4Europe's work on security intelligence is to analyse and research new threat detection, security intelligence and data analytic techniques to strengthen the security and privacy capabilities of cybersecurity applications in various vertical domains and use cases.
The key topics addressed can be summarised as follows:
- Mechanisms to share digital evidence
- Threat intelligence information systems and services
- Interoperability in privacy requirements and regulation
- Threat detection and security analytics
- Security intelligence in defensive systems
The work to date lists the relevant components, algorithms, and software building blocks from the project partners that can help address these requirements. As these assets are at different levels of maturity, the forthcoming report will describe ongoing research tracks addressing the challenges and requirements to manage digital evidence:
- Lack of trust in the way threat intelligence information is handled by receiving parties is a key factor as to why organisations are reluctant to share;
- The quality (rather than the quantity) of threat feeds and events must increase for reliable and automated threat analysis and mitigation;
- The event-based sharing philosophy of threat intelligence platforms does not match well with data-driven and AI-powered threat intelligence;
- The application of security techniques – such as end-to-end encryption, onion routing, etc. – makes it harder to harvest security intelligence from monitoring data and event logs to detect new threats;
- The AI capabilities of contemporary threat intelligence platforms enable new kinds of attacks that allow adversaries to learn how to evade detection;
- Machine learning models that underpin threat detection solutions may leak sensitive information, and need strong protection to avoid privacy concerns or loss of reputation.
These research challenges and requirements will be the main drivers to enhance existing assets and develop new ones within the framework of this task (T3.4) to bridge the gap with the current state-of-practice and to increase technological readiness for the first set of demonstrator use cases (WP5).
More information on the ongoing results and outcomes of the task can be found in the upcoming CyberSec4Europe deliverable (D3.3).
Davy Preuveneers, KU Leuven