MN CD2 WP3 was concluded in June 2014
The objective of this project was a feasibility study towards the Distributed Multi-source Collection and Correlation Infrastructure (DMCCI). The outcome of the study was positive: development of the DMCCI capability is considered viable, as is its ability to detect Advanced Persistent Threat (APT) activity. Implementation and deployment of the capability is currently being pursued through a follow-on project within the MN CD2 framework, with focus on the Parsing, Correlation and Storage module of DMCCI.
DMCCI is intended to be a capability for improving the detection of malicious activity, specifically APT activity. It is intended to be adaptable by design to a wide range of network characteristics, from small and simple networks to large, complex and globally distributed ones. It is based on a review of the problem from the point of view of modern networks and attack patterns, the availability of data from various sources, and the analysis tasks that must be performed to detect APT activity. It is built on an infrastructure with well-defined components and interfaces that decouples the basic services (data routing, storage and management) from the detection algorithms themselves, so that components can be developed and deployed individually and progressively. It includes the concepts of distributed collection and processing of large amounts of diverse, distributed data, sensor agility, and instrumentation. It assumes that an organization already has a set of intrusion detection sensors for conventional threats and complements them with this improved capability to detect APT activity; it does not replace them. It is intended to be operated by highly proficient CIS security analysts. Data sources include network traffic collected at various points, event log data from any source, and host operating system data.
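The two design points above that matter most in practice are the common event schema that lets data from unrelated sensors be correlated, and the separation of parsing and storage from the detection logic so that detectors can be added independently. The following is an added illustration of that pattern, written for this page; it is not DMCCI code and says nothing about DMCCI's actual schema, modules or algorithms. The three log formats (an SSH-style auth log, a host agent process record and a proxy record), the hostnames, IP addresses and the detection rule are all constructed for the example.

```python
"""Illustration of multi-source collection and correlation (added example).

Each sensor line is normalised into one Event schema; the 'store' is a plain
time-ordered list; detectors are plug-in callables that see only normalised
events and never touch the raw formats. All formats and data are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, Optional

_TS = "%Y-%m-%dT%H:%M:%S"
_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # asset the event concerns: the correlation key
    source: str    # sensor that produced it
    kind: str      # normalised event type, e.g. "auth.fail", "net.outbound"
    detail: dict


# --- per-source parsers (hypothetical formats) ---------------------------
def _authlog(payload: str):
    m = re.match(r"(Failed|Accepted) password for (\S+) from (\S+)", payload)
    if not m:
        return "auth.other", {"raw": payload}
    kind = "auth.fail" if m.group(1) == "Failed" else "auth.ok"
    return kind, {"user": m.group(2), "src": m.group(3)}


def _hostagent(payload: str):
    record_type, rest = payload.split(" ", 1)
    return f"host.{record_type}", dict(_KV.findall(rest))


def _proxy(payload: str):
    kv = dict(_KV.findall(payload))
    return "net.outbound", {"dst": kv["dst"], "bytes_out": int(kv["bytes_out"])}


PARSERS = {"authlog": _authlog, "hostagent": _hostagent, "proxy": _proxy}


def parse_line(line: str) -> Optional[Event]:
    """Constructed wire format: '<ts> <source> <host> <payload>'. Unknown
    sources are dropped rather than guessed at."""
    ts, source, host, payload = line.split(" ", 3)
    parser = PARSERS.get(source)
    if parser is None:
        return None
    kind, detail = parser(payload)
    return Event(datetime.strptime(ts, _TS), host, source, kind, detail)


# --- a detector plug-in: only depends on the Event schema -----------------
def detect_bruteforce_then_exfil(events: Iterable[Event],
                                 window: timedelta = timedelta(minutes=15),
                                 min_fail: int = 3,
                                 min_bytes: int = 10_000_000) -> list[dict]:
    """Alert when a host shows >= min_fail failed logons from one source,
    then a successful logon from that source, then a large outbound
    transfer, all within `window`. Correlates auth log + proxy per host."""
    alerts = []
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    for host, evs in by_host.items():
        for i, ok in enumerate(evs):
            if ok.kind != "auth.ok":
                continue
            src = ok.detail["src"]
            fails = [e for e in evs[:i] if e.kind == "auth.fail"
                     and e.detail["src"] == src and ok.ts - e.ts <= window]
            if len(fails) < min_fail:
                continue
            for e in evs[i + 1:]:
                if e.ts - ok.ts > window:
                    break
                if e.kind == "net.outbound" and e.detail["bytes_out"] >= min_bytes:
                    alerts.append({"host": host, "user": ok.detail["user"], "src": src,
                                   "dst": e.detail["dst"], "bytes_out": e.detail["bytes_out"],
                                   "failed_logons": len(fails)})
    return alerts


Detector = Callable[[list[Event]], list[dict]]


def run(lines: Iterable[str], detectors: tuple[Detector, ...] = (detect_bruteforce_then_exfil,)) -> list[dict]:
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    alerts: list[dict] = []
    for det in detectors:
        alerts.extend(det(events))
    return alerts


# Constructed sample input: ws07 matches the pattern, ws12 does not.
SAMPLE_LINES = [
    "2014-06-02T09:58:40 authlog ws07 Failed password for admin from 10.0.4.21",
    "2014-06-02T09:58:47 authlog ws07 Failed password for admin from 10.0.4.21",
    "2014-06-02T09:58:55 authlog ws07 Failed password for admin from 10.0.4.21",
    "2014-06-02T09:59:02 authlog ws07 Accepted password for admin from 10.0.4.21",
    "2014-06-02T10:01:05 hostagent ws07 proc parent=sshd image=/tmp/.x/agent",
    "2014-06-02T10:03:11 proxy ws07 dst=203.0.113.9:443 bytes_out=52000000",
    "2014-06-02T10:04:00 authlog ws12 Failed password for jdoe from 10.0.4.8",
    "2014-06-02T10:04:09 authlog ws12 Accepted password for jdoe from 10.0.4.8",
    "2014-06-02T10:05:30 proxy ws12 dst=198.51.100.4:443 bytes_out=1200",
    "2014-06-02T10:06:00 unknownsensor ws12 something",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

The point of the split is that a new sensor only needs a parser registered in PARSERS, and a new detection idea only needs a function over Event objects; neither change touches the other side, which is what lets the components be developed and deployed progressively.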
Nations interested in joining follow-on work packages related to DMCCI are asked to contact the MN CD2 project office.