Result description
The Cyber/Physical Events Correlator collects the events relevant to physical and/or cyber detection communicated by the external monitoring resources. On the basis of a rule-based engine, by applying customized rules, it correlates events in order to raise alarms relevant to anomalies and to physical and/or cyber security incidents. It will also be equipped with a Machine Learning (ML) based component providing parameters and thresholds to improve the correlator rules.
The RESISTO correlator is based on a holistic approach, whose main objective is to correlate events and identify potential threats. Events are acquired through an interconnection layer that handles the input/output messages. All the sources transfer their log data into the raw messaging system, to be analyzed and correlated. The correlation module is composed of two principal sub-components, dealing with the analysis of data sources and with the automatic update of correlation rules. The Correlator operating workflow is composed of the following high-level phases:
- Acquisition of data from external data sources through the interconnection layer
- Normalization of data in a standard format
- Transmission of the normalized data to the correlation engine and to the machine learning component
- Data correlation
- Data analysis using machine learning algorithms
- Updating of the correlation rules in:
  - manual mode, by a skilled operator
  - automatic mode, by the machine learning component
- Threat identification and normalization
- Forwarding of threat data to the interconnection layer
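As an added illustration of this workflow (example code, not part of RESISTO or of this result), the following Python script normalizes two constructed source formats into one standard event shape and applies a single correlation rule whose threshold is kept in a parameter table that an ML component could update. The source names ("acs", "ids"), field names, site naming and the rule itself are assumptions.

```python
"""Minimal cyber/physical event correlator (added example, not RESISTO code)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    """Normalized event: every source is mapped onto this common shape."""
    ts: int         # epoch seconds
    domain: str     # "physical" or "cyber"
    kind: str       # e.g. "badge_exit", "login_ok"
    subject: str    # user / badge holder identifier
    location: str   # site the event refers to

# Constructed raw messages in two hypothetical source-specific formats.
RAW_EVENTS = [
    {"src": "acs", "time": 1000, "badge": "u42", "action": "EXIT", "door": "HQ-gate"},
    {"src": "ids", "time": 1300, "user": "u42", "event": "login_ok", "host": "HQ-ws-07"},
    {"src": "acs", "time": 1400, "badge": "u17", "action": "ENTER", "door": "HQ-gate"},
    {"src": "ids", "time": 1500, "user": "u17", "event": "login_ok", "host": "HQ-ws-03"},
]

# Threshold the text says an ML component would tune; a plain dict here.
PARAMS = {"absent_window_s": 3600}

def normalize(raw: dict) -> Event:
    """Normalization phase: map each source's schema onto the standard Event."""
    site = lambda name: name.split("-")[0]          # "HQ-gate" -> "HQ"
    if raw["src"] == "acs":   # physical access control system
        return Event(raw["time"], "physical", "badge_" + raw["action"].lower(),
                     raw["badge"], site(raw["door"]))
    if raw["src"] == "ids":   # cyber source: authentication log
        return Event(raw["time"], "cyber", raw["event"], raw["user"], site(raw["host"]))
    raise ValueError(f"unknown source {raw['src']}")

def rule_login_while_absent(events: List[Event], params: Dict[str, int]) -> List[str]:
    """Correlation rule: a login at a site by a subject whose most recent badge
    event at that site was an exit within absent_window_s raises an alarm."""
    last_badge: Dict[str, Event] = {}
    alarms: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.domain == "physical" and ev.kind in ("badge_exit", "badge_enter"):
            last_badge[ev.subject] = ev
        elif ev.domain == "cyber" and ev.kind == "login_ok":
            prev = last_badge.get(ev.subject)
            if (prev is not None and prev.kind == "badge_exit"
                    and prev.location == ev.location
                    and ev.ts - prev.ts <= params["absent_window_s"]):
                alarms.append(f"ALARM login_while_absent subject={ev.subject} "
                              f"site={ev.location} ts={ev.ts}")
    return alarms

def run(raw_events: List[dict], params: Dict[str, int] = PARAMS) -> List[str]:
    """Acquire -> normalize -> correlate -> emit normalized threat records."""
    return rule_login_while_absent([normalize(r) for r in raw_events], params)
```

Running `run(RAW_EVENTS)` raises one alarm for u42, who logged in at HQ shortly after badging out; u17 badged in before logging in and raises none.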
Addressing target audiences and expressing needs
- Business partners – SMEs, Entrepreneurs, Large Corporations
- Use of research Infrastructure
Experts in event and scenario modeling. End users and domain experts, such as critical infrastructure operators or government agencies, and personnel directly involved in all phases of cyber and physical security.
- Other Actors who can help us fulfil our market potential
- Research and Technology Organisations
R&D, Technology and Innovation aspects
The correlator allows for early detection of a new class of threats combining physical and logical means, so far largely underestimated and normally seen as disjoint. Normalizing all events makes it possible to unify their processing and to correlate them regardless of the source and the type of event triggered. Next steps include extending the use of ML and usability tests.
The correlator module can be provided to many different customers (mainly critical infrastructure operators) as SaaS.
The correlator needs some initial configuration, as the algorithms must be tuned, the rules must be defined and the event collection has to be tested. Nevertheless, it can easily be replicated when applied to the same sector, such as communication / energy / water / logistics networks…
The correlator increases its value through innovation driven by customer feedback. That value represents a better response to security problems, whether accidental or malicious, due to natural hazards or to simple failures, with an undoubted advantage for society.
Result submitted to Horizon Results Platform by LEONARDO – SOCIETA PER AZIONI