IDPS-ESCAPE: monitoring cyber risks with (artificial) intelligence

Interview with Lëtzebuerger Gemengen, translation by itrust consulting.

By aiming to bring all European entities considered essential or important to the functioning of its Member States to a high level of maturity in terms of cybersecurity, the European NIS2 directive is challenging many organisations in terms of monitoring. To help them achieve compliance, Arash Atashpendar, Cofounder & CTO, Agnese Gini, R&D Specialist, and Camar Houssein, Security Consultant at itrust Abstractions Lab, are unveiling IDPS-ESCAPE, an open-source solution powered by artificial intelligence that has been available since 1 September.


“ADBox relies on trained artificial intelligence to model the normal behaviour of a system”


An intelligent trio

itrust Abstractions Lab, a spin-off from itrust consulting, has just published the alpha version of one of the six sub-projects of CyFORT, a research project developed in collaboration with itrust consulting and aimed at providing cybersecurity tools with permissive licences to offer alternatives to “proprietary vendor lock-in”. Called IDPS-ESCAPE, short for “Intrusion Detection and Prevention Systems for Evading Supply Chain Attacks and Post-compromise Effects”, it meets the new requirements of the European NIS2 directive on the security of networks and information systems. “All entities providing services considered critical or highly critical to the functioning of Member States, whether public or private, will be subject to certain obligations, including the monitoring of their IT infrastructure. That’s what our intrusion detection and prevention system offers”, explains Arash Atashpendar.

IDPS-ESCAPE, developed according to C5-DEC and its tools (beta version published on 19 July), is a three-component solution that captures a flow of information and analyses it within a centralised system. The open-source software Wazuh and Suricata collect and monitor data from computers and networks respectively. “These agents, which are responsible for observing everything that runs on a computer and everything that enters it via the network, will capture a large amount of information and centralise it. On their own, these tools often generate false alarms. IT managers then have to act quickly, in a rush that simply doesn’t allow them to analyse all the data collected by the system. Sometimes, they are forced to shut down the entire infrastructure, and therefore the services provided by their organisation, even though the anomaly in question may not represent any risk. That’s why IDPS-ESCAPE contains a 3rd component of our own, ADBox, for “Anomaly Detection Box”, which is based on a machine learning model trained to learn the normal behaviour of a system. After some time, this AI has so much knowledge of the system, so many contextual elements to refine its model, that it establishes its own definition of what constitutes a deviation. The likelihood of it raising a false alarm is therefore considerably reduced. Like a detective taking fingerprints at a crime scene, it distinguishes between those of authorised users and those of criminals. If the criminals have already operated, it may be able to recognise their modus operandi and the type of attack in progress so that an appropriate response can be made. Automation not only saves a lot of time, but it saves a lot of money”, explains Arash Atashpendar.


Adaptability is the watchword

itrust Abstractions Lab works directly with its customers to implement its product. “We take care of all the technical aspects: we configure the solution so that it adapts to the needs of the system in place, because each organisation composes, organises and uses its IT environment differently. We then help our customers to deploy the tool. Although we use Wazuh and Suricata by default – because they are open source and can drastically reduce costs – we are not bound to these technologies. Our solution is flexible enough to integrate any type of data collection software. Our aim is to provide an incident management approach that relieves organisations of a significant proportion of their NIS2 obligations, so that they can concentrate on their core business”, says Camar Houssein.


The advantage of open source

The reason why the project is supported by players such as the French Ministry of the Economy is that it enables small and medium-sized businesses to benefit from tools that are as advanced as those offered by the tech giants, but at a lower cost. “In Europe, according to the European Commission and ENISA, 99% of businesses are SMEs, and over 80% of them consider cybersecurity to be essential to their activities. However, they do not necessarily have the resources of Amazon, Microsoft or Google to allocate to monitoring their risks. The European initiatives that promote projects like ours aim to counter the monopoly of the few by offering products that smaller companies have neither the means nor the time to reinvent. The Ministry has provided us with resources that have enabled us to develop a solution that any company can use, but also correct if they have the necessary skills. Anyone who modifies IDPS-ESCAPE and markets an improved version must nevertheless respect the terms of our licence, i.e. publish the source code. It is by building on this more ‘sustainable’ economy that technologies with advanced capabilities can be developed at low cost”, says Arash Atashpendar.


But open-source software is not just economically advantageous. It also guarantees transparency. By its very nature, an intrusion detection and prevention system captures all of an organisation’s data. How does it process it? Where does it send it? The answers to these questions are known in the case of open-source software. “And while developers may sometimes lack the time or resources to draw up all the necessary documentation, itrust Abstractions Lab has produced a very comprehensive manual that explains how to use the tool and presents its technical specifications in great detail”, continues Agnese Gini.


“Relieve organisations of a significant proportion of their NIS2 obligations”


From alpha to beta

Published on 1 September, IDPS-ESCAPE is taking its first steps out of the lab. After a few months in the hands of users, a more stable and more economical version should be available. “As we install the tool at our customers’ sites, we will inevitably come back to our R&D department with observations and comments raised in the field. Additional elements will probably have to be put in place to meet the day-to-day needs of certain organisations and any shortcomings identified. This will enable us to stabilise the solution, but also to optimise the algorithms so that the solution as a whole consumes fewer resources”, reveals Camar Houssein.

The tool has also been designed to keep pace with developments in AI. “Machine learning is a branch of artificial intelligence that is developing very rapidly. That’s why we’ve created ADBox so that new technologies in this field can be integrated as simply as possible. If a better algorithm were to emerge, we could use it without the user even being aware of it. Of course, they will be informed to a certain extent because our solutions are open source, but they will not have to rectify their use of the tool”, concludes Agnese Gini.


itrust Abstractions Lab S.à r.l.

12, rue du Chateau d’Eau

L-3364 Leudelange

www.abstractionslab.com


Read the full interview in French (p. 44-47) published in Lëtzebuerger Gemengen (LG) | September/October 2024 | n° 263