GLACIER consortium meeting in Bremen showed new approach to intelligent anomaly detection for the first time

On February 19, the consortium partners of the GLACIER research project met to exchange information about the ongoing development work. The focus was on future planning and not on what has been achieved so far. The BMBF project with a duration of 2.5 years is now entering the detail development phase, which had to be coordinated accordingly. All partners were able to attest a good progress of their work. The University of Applied Sciences and Arts in Hanover in particular drew attention to itself by developing an anomaly algorithm. But the GLACIER architecture is also making increasing progress.

The conception phase has now been finally left behind, so that each partner can concentrate on the development. To start the joint development, a docker workshop was held in January, which was very well received by all participants. First real data could be collected in parallel during a test run at the associated partner hanseWasser by DECOIT® GmbH, which can now also be used well for further development. This means that investigations and analyses can be carried out with this database at a later date in order to draw conclusions about the effectiveness of anomaly detection.

At the consortium meeting, DECOIT® GmbH therefore first presented its analysis results of the hanseWasser test. It was interesting to see the amount of data collected and how this affects database size and performance. The detection of incidents was also important and was subjected to an evaluation. An upcoming workshop at hanseWasser in March is expected to present the analysis results in more detail. On the other hand, the partner rt-solutions presented its current laboratory environment. Currently, 60 million firewall events concerning access to the honeypot are stored here. A model environment is to be made available for hacking tests later. Also, the partners should profit from it and get corresponding accesses.

The University of Applied Sciences and Arts Hannover, on the other hand, presented its first approach to anomaly detection, which is based on so-called cubes. The basic idea here is that attacks are easier to detect in particularly filtered and aggregated databases. Cubes are therefore a suitable data structure to better describe such aggregated data. From the history, it should be possible to define a normal behavior that is stored as a statistical model in order to calculate an anomaly score. A first small prototype based on the investigation of a home office could already be shown, which allowed an interesting analysis of the used devices.

In summary, the fourth consortium meeting in the GLACIER project was very constructive. So far, the project has been very well on schedule and the development could also be started promptly. However, the project will have to be evaluated later, especially in terms of anomaly detection. The previous approaches are already promising.