Successful completion of the GLACIER project in Hanover
On September 29th, 2021, the final GLACIER project meeting took place at the University of Sciences and Arts Hanover. The project ends after two and a half years. All project partners presented their final results and discussed different possibilities of exploitation. Additionally, all partners looked at the results of the first field tests at hanseWasser Bremen GmbH, the project's associated partner, where the prototype has been used for more than three weeks. The personal exchange was beneficial after the long break due to the COVID-19 pandemic. All partners agreed on a positive overall impression of the project results achieved.
At the beginning, DECOIT® gave a summary of the project in which open tasks were presented. A positive conclusion could be drawn since there were not many open tasks left. That also spoke for the good and co-operative teamwork. The associated partner hanseWasser Bremen GmbH was acknowledged for its exemplary support in contributing its own requirements. Only because of that could real data be evaluated. Within five weeks of final field trials (two weeks taking inventory of the current status and three weeks testing the anomaly detection), the GLACIER components could be tested thoroughly.
The project website will be maintained beyond the project end. In the future, it will present a demonstrator that offers the rt-solutions laboratory as a hacking platform. That includes an environment which represents a real production network in which hackers can give it a go. The anomalies created in this way ought to be detected, and the incidents need to be described comprehensibly by the GLACIER architecture. The demonstrator will be online for an indefinite period in order to gain new findings about anomalies beyond the project end. Additionally, the website will continue to list all publications which were created by the project partners before and during the project.
The results of the field test were the most widely discussed topic at the final meeting, as they provide information about the effectiveness of the newly developed anomaly detection of the University of Applied Sciences and Arts Hanover. Within the test period a few thousand incidents could be registered and 284 million logs were recorded. All test goals could be reached, as the appliance used was sufficiently powerful, stable and scalable. The SIEM-GUI, further developed by DECOIT®, was improved and shifted to a totally different programming language during the project. Now graphs and statistics can be changed or moved as needed. The Management-GUI for installation and set-up, which was additionally developed by DECOIT® GmbH, is based on the new architecture. The training of the analysis engine by University Hanover was also successful, but took too long due to the great amount of data. The RAM usage showed need for improvement as well. Taking into account that it was a prototypical realization, the test has already been very effective. After the project end the main points for improvement need to be worked on in order to be ready for successful exploitation.
The University of Applied Sciences and Arts Hanover was therefore pleased with the project results achieved. Whereas former projects failed on the development of AI-based anomaly detection, this time it could be successfully implemented. In doing so, the team discovered that good training data is essential in order to detect anomalies effectively, whereas the algorithm is a less decisive factor! During the practical test, nearly 100 % of the incidents were found, with almost no "false positives". Denial-of-service attacks were detected very well, whereas the security hole Heartbleed was discovered less well. But other machine learning procedures have problems with that as well. Via the feedback instance in the GLACIER architecture, the algorithm will gain intelligence over time because the user trains the anomaly detection by giving feedback. That is why future tests need to be extended over a significantly longer period of time. Anomalies were newly visualized by the University of Applied Sciences and Arts Hanover. But this proof of concept has not yet been integrated into the SIEM-GUI.
The industrial partner rt-solutions GmbH presented its final laboratory environment, which is designed to be "destroyed". During the project the partner was in charge of the development of a component controller which can be integrated into the GLACIER infrastructure and is accessible via the management GUI. The hacking tool is supposed to generate log examples and to train the SIEM solution. Additionally, rt-solutions would like to use it for real pentesting – meaning training for future pentesters. The tool can also be used for product tests, in order to analyze communication behavior and to detect weak points.
Finally, the project partners concluded that almost all goals were reached. While DECOIT® GmbH will concentrate on integrating the prototype into existing SIEM products, rt-solutions GmbH will focus on training. Thus, an exploitation strategy has been determined during this last meeting. Research results by the University of Applied Sciences and Arts Hanover are going to play a part in their upcoming research project, whereby the further development of the anomaly algorithm is ensured.