ISP Pilot Blog

This pilot aims at performing collaborative analysis of data coming from a federation of Internet Service Providers (ISPs) to detect cyber-crimes attempts in time and to quickly identify cyber-security attacks. ISPs provide to single subjects or companies access to the Internet and additional related to services like DNS, mail, news, FTP, and so on.

Since cyber-security has become a relevant topic in the ISP world, there is an open debate (https://www.techrepublic.com/article/should-isps-be-accountable-for-overall-internet-security/) trying to clarify whether ISPs should provide strong security solutions to protect themselves and their customers. In particular, should ISPs proactively protect their resources and customers with security controls and filters or are customers responsible for their own security? On one side, the CIO magazine with the article, “Seeing No Evil: Is It Time To Regulate the ISP Industry?”(https://www.cio.com/article/2448243/it-strategy/seeing-no-evil--is-it-ti...) claims that ISPs should provide security solutions. Instead, from the ISP point of view, security solutions cannot be supported only by ISPssince customers are responsible for keeping their own systems secure.

In any case, since ISPs have an advantageous position in the network, they can have a much wider impact on the overall state of security. In fact, a lack of security management at the ISP layer can generate security issues that may impact the ISP itself and its customers. As an example, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are aimed at disabling access to various Internet services for legitimate users, or Domain Name System (DNS) information may be exploited to redirect Internet traffic with malicious intent.

This pilot focuses on providing security analytics to ISPs that can benefit from a federation that securely and privately exchanges Cyber Threat Information (CTI). In addition, ISPs will benefit from data-manipulation operations, e.g., data-anonymisation and Data Sharing Agreements (DSAs) to protect, regulate and guarantee an expected privacy level of the data with the C3ISP Framework. In addition, part of the ISP pilot is Registro.it, which is the Italian registration authority for Internet domains and manages registration requests and information from about 1400 Italian Registrars (most of them act as Internet Service Providers – ISPs). In particular, within the ISP Pilot, Registro.it aims at expanding its business by offering security services to ISPs to protect their servers and services.

The most important services offered to ISPs, which benefit from the collaboration sharing of CTI within C3ISP, are:

  • Monitoring of connections to malicious hosts. This refers to the analysis of network logs, e.g., NetFlow, using homomorphic encryption to discover malicious traffic and connections in a privacy-preserving way.
  • Monitoring of Domain Generation Algorithm DNS-request. This aims at detecting DNS requests that malwares may generate usign time-based algorithms, e.g., www.fgd2iwya7vinfutj5wq5we.com
  • Detection of brute force and DDoS attacks on services. This aims at detecting brute-force and DDoS attacks by executing security analytics on log of services
  • Malware spreading analysis. Malware commonly spreads as email attachements. Replying on e-mails analysis, the C3ISP security analytics creates profiles of the malicious emails (e.g., sender, email body) and their attachements (e.g., document name) to support mail servers for blocking malicious emails and preventing spreading.