Novel applications of AI and other enabling technologies for security operation centres

Deliverables

• Deployment of Artificial Intelligence and Advanced Key Technologies as enablers for SOCs
• Tools for creation, analysis and processing of CTI that allow for faster and more scalable SOC operations
• Original European CTI feeds or services

This topic addresses enabling technologies (such as AI) for SOCs, including National SOCs which provide a central operational capacity and support other SOCs at national level and play a central role as a hub within a context of SOCs, and also Cross-border SOC platforms where such technologies can strengthen capacities to analyse, detect and prevent cyber threats and incidents, and to support the production of high-quality intelligence on cyber threats.

These enabling technologies should allow more effective creation and analysis of Cyber Threat Intelligence (CTI), as well as faster and scalable processing of CTI and identification of patterns that allow for rapid detection and decision making.

Actions in this topic should develop and deploy systems and tools for cybersecurity based on enabling technologies (such as AI), addressing aspects such as threat detection, vulnerability detection, threat mitigation, incident recovery through self-healing, data analysis and data sharing. Activities should include at least one of the following:

• Continuous detection of patterns and identification of anomalies that indicate potential threats, recognising new attack vectors and enabling advanced detection in an evolving threat landscape.
• Creation of CTI based on novel threat detection capabilities.
• Enhancing speed of incident response through real-time monitoring of networks to identify security incidents and generating alerts or triggering automated responses.
• Mitigating malware threats by analysing code behaviour, network traffic, and file characteristics, reducing the window of opportunity for attackers to exploit malware.
• Identification and management of vulnerabilities.
• Recovery from incidents through self-healing capacities.
• Reducing the chances of attacks and pre-emptively identifying weaknesses through automated vulnerability scanning and penetration testing.
• Protecting sensitive data through the analysis of access patterns and detection of abnormal behaviour.
• Enabling organisations to leverage and share CTI and other actionable information for analysis and insights without compromising data security and privacy, through anonymisation and de-identification. Tool and service providers are welcome to apply to this topic, also when in a consortium with National SOCs. Links with stakeholders in the area of High-Performance Computing should be made where appropriate, as well as activities to foster networking with such stakeholders.

Tool and service providers are welcome to apply to this topic, also when in a consortium with National SOCs. Links with stakeholders in the area of High-Performance Computing should be made where appropriate. In well justified cases, access requests to the EuroHPC high performance computing infrastructure could be granted.

The systems, tools and services developed under this topic will be made available for licencing to National and/or Cross-Border SOC platforms under favourable market conditions.

These actions aim at creating or strengthening national and/or cross-border SOCs, which occupy a central role in ensuring the (cyber-)security of national authorities, providers of critical infrastructures and essential services. SOCs are tasked with monitoring, understanding and proactively managing cybersecurity threats. In light of the crucial operative role of SOCs for ensuring cybersecurity in the Union, the nature of the technologies involved as well as the sensitivity of the information handled, SOCs must be protected against possible dependencies and vulnerabilities in cybersecurity to pre-empt foreign influence and control. As previously noted, participation of non-EU entities entails the risk of highly sensitive information about security infrastructure, risks and incidents being subject to legislation or pressure that obliges those non-EU entities to disclose this information to non-EU governments, with an unpredictable security risk. Therefore, based on the outlined security reasons, the actions relating to SOCs are subject to Article 12(5) of Regulation (EU) 2021/694, in consistency with WP 2021/2022.