SAPPAN – Sharing and Automation for Privacy-Preserving Attack Neutralization
The SAPPAN project was established in response to a call of the European Union's Horizon 2020 (H2020) programme to address cybersecurity issues in the European Union. Implementation of the four-year SAPPAN project was launched in May 2019 with the aim of effectively protecting ICT infrastructures from cyberattacks. To move towards a safer virtual environment, the project relies primarily on threat analysis, advanced data collection techniques, and collaboration across institutions, particularly in sharing security information and experience. It places great emphasis on maintaining the privacy of all stakeholders.
ICT infrastructures are facing an ever-increasing number of security threats, so there is a strong need for the ability to respond adequately. The appropriate response is often based primarily on knowledge of the technical and organizational aspects of the attack itself. To this end, the SAPPAN project will develop a system for collaborative and federated detection of cyberattacks, enabling a swift and effective response to security threats.
SAPPAN will contribute to the protection of ICT infrastructures by proposing a standard that includes a procedure for responding to cyberattacks and the measures necessary to restore the affected system. Based on this standard, it will be possible to build a fairly comprehensive body of knowledge and responses to security incidents through automated incident handling, facilitating the sharing of knowledge and experience about cybersecurity threats.
Technology and specifics
Incident Response and Recovery
One of the four main concepts underlying the SAPPAN project is the response to cyber incidents and system recovery. It consists primarily of sharing cybersecurity information and effectively implementing the response and recovery process. The process includes a phase of incident preparation, threat detection, evaluation, and processing to successfully resolve the incident and recover the system.
Sharing information, whether at the level of one or more organizations, is often a very problematic aspect. Concerns about privacy and end-user personal information often prevent the sharing of information about cyber threats. Therefore, during the implementation of the SAPPAN project, great emphasis will be placed on developing privacy-friendly techniques for all stakeholders. Statistical and cryptographic methods will be used to maintain the privacy of participating organizations and end-users.
Processing of Large-scale data
The response and recovery process is strongly influenced by the amount of data that is available and can be processed. For this reason, great emphasis is also placed on the concept of data processing. The SAPPAN project will use the various capabilities of distributed data processing systems to analyze large volumes of data and patterns in the context of cybersecurity and deliver comprehensive real-time analysis results.
Visualization and interactive support
To support the detection and mitigation of cyberattacks, SAPPAN also focuses on the concept of visualization and interactive support for security personnel. The development of innovative visualization techniques will support security personnel during the cyberattack response and system recovery process and facilitate understanding of the nature of security threats.
The SAPPAN project consortium is formed by partners from the academic and industrial sectors, maximizing the social impact and effectiveness of the results. Specifically, the partners are the research institute Fraunhofer-Gesellschaft, the national research and education network CESNET, and the multinationals Hewlett Packard Enterprise, F-Secure Oyj and Dreamlab Technologies AG. Academic representation is made up of Masaryk University, RWTH Aachen University and Universität Stuttgart.
Masaryk University, namely its CSIRT-MU cybersecurity team, contributes to the project with its experience in handling cybersecurity incidents, processing large amounts of data, and detecting attacks and anomalies at the local level. The CSIRT-MU team will also provide its expertise in identifying relevant inputs and threat mitigation processes.