Objective:
Cyber defence applications in most cases rely on cybersecurity technologies. There are many actions in the civil domain on the automation of penetration tests. However, due to the particular conditions of defence-related use cases, civil technologies need to be adapted, further improved or combined with defence-specific technologies through additional R&D efforts to make them suitable for defence applications. This research topic aims to overcome defence-specific obstacles associated with the automation of penetration tests, and to at least partially automate the process by developing a user-friendly software solution that performs network security penetration tests for cyber defence actors.
General objective
Vulnerability scanners and various policy audit tools are available to system administrators today. However, the use of such tools is not sufficient to protect computer networks against advanced threat actors and internal threats. To complement them, many organisations employ penetration testers who actively try to think as a threat agent and compromise computer networks. Penetration testers can be used for many different purposes. For example, they can be assigned the task of verifying a system administrator's hypotheses concerning a vulnerability in the computer network, identifying vulnerabilities missed by scanners and administrators, or acting as a red team that tests the security operations centre of an organisation.
Specific objective
Emulating the thinking and actions of a real threat agent is difficult, and becomes even more complex as the capabilities of likely threat agents increase. Consequently, competent penetration testers are scarce, and running penetration tests regularly is associated with considerable costs. A number of conceptual attempts have been made to automate this process, e.g. by modelling the process as a hidden Markov model and training models on theoretical/artificial data. However, security audits and penetration tests involve many activities that are non-trivial to automate.
Scope:
The proposals should address research that is based on use cases where the system owner administrates the penetration tests. Thus, non-cooperative computer networks are outside the scope of this topic. For instance, the use cases can include a) whitelisting of payloads in antivirus software, or b) release of initial information about the targeted network to the penetration testing system. The expected scope is to create a user-friendly software solution that performs network security penetration tests. Interference on deployed systems should be kept to a minimal/acceptable level, while simultaneously leaving a realistic imprint in the systems, such as security logs, etc. Furthermore, the final outcome of the proposals should be suitable for the context of military security operations centres (SOCs), and evidence of this should be provided in the proposals.
Types of activities
The following table lists the types of activities which are eligible for this topic, and whether they are mandatory or optional (see Article 10(3) EDF Regulation):
Types of activities (art 10(3) EDF Regulation) | | Eligible? |
(a) | Activities that aim to create, underpin and improve knowledge, products and technologies, including disruptive technologies, which can achieve significant effects in the area of defence (generating knowledge) | Yes (mandatory) |
(b) | Activities that aim to increase interoperability and resilience, including secured production and exchange of data, to master critical defence technologies, to strengthen the security of supply or to enable the effective exploitation of results for defence products and technologies (integrating knowledge) | Yes (mandatory) |
(c) | Studies, such as feasibility studies to explore the feasibility of new or upgraded products, technologies, processes, services and solutions | Yes (mandatory) |
(d) | Design of a defence product, tangible or intangible component or technology as well as the definition of the technical specifications on which such a design has been developed, including any partial test for risk reduction in an industrial or representative environment | Yes (mandatory) |
(e) | System prototyping of a defence product, tangible or intangible component or technology | No |
(f) | Testing of a defence product, tangible or intangible component or technology | No |
(g) | Qualification of a defence product, tangible or intangible component or technology | No |
(h) | Certification of a defence product, tangible or intangible component or technology | No |
(i) | Development of technologies or assets increasing efficiency across the life cycle of defence products and technologies | No |
The proposals must cover at least the following tasks as part of the mandatory activities:
In addition, the proposals must include methods for the evaluation of the outcome of the automated penetration testing based on well-established standards such as the Common Vulnerability Scoring System (CVSS).
The proposals must also give due consideration to design principles and implement a specific ethics-focused approach during the development, deployment and/or use of AI-based solutions, e.g. by using the Assessment List for Trustworthy Artificial Intelligence (ALTAI) to develop procedures to detect potential risks, assess their level and address them.
In order to avoid unnecessary duplications and to best complement R&D efforts already targeting civil applications, the research conducted must build on R&D results of projects funded by EU programmes targeting civil applications for efficient spinning-in of knowledge and innovative solutions to the defence sector.
Functional requirements
The proposals must benefit a future solution for the armed forces of the Member States and EDF associated countries (Norway).
The outcome should enable or be capable of:
The outcome should contribute to: