Dynamic countering of cyber-attacks

The prevention of and the protection against attacks that target modern ICT components, complex ICT infrastructures and emerging technologies (e.g. IoT) remains a difficult task. The complexity of heterogeneous collections of hardware and software components finds its roots in the diversity of development contexts and of levels of maturity, in the growing means of networked interactions, in the massive exchange of information and data, and in the varied schedules of systems lifecycles that generate highly dynamic behaviours. The increase of encrypted flows over the Internet should lead to adopt new techniques for detection of suspicious cyber activities and traffic patterns, and for classification of flows, while keeping privacy and confidentiality. Another relevant challenge is to use machine learning and analytics for cybersecurity.


Proposals are invited against at least one of the following two subtopics:

a) Cyber-attacks management - advanced assurance and protection

Innovative, integrated and holistic approaches in order to minimize attack surfaces through appropriate configuration of system elements, trusted and verifiable computation systems and environments, secure runtime environments, as well as assurance, advanced verification tools and secure-by-design methods. This may entail a whole series of activities, including behavioural, social and human aspects in the engineering process until developed systems and processes address the planned security/privacy/accountability properties.

Proposals should explore how recent progress in artificial intelligence, in deep learning and in other related technologies can be used to provide breakthroughs in the fight against cyber-attacks (e.g. recognition of malicious activities on the network). Deep learning applications may also be used for cyber threat intelligence in anticipation of cyberattacks to identify malicious activity trends in the cyber space and correlate with attackers’ information, tools and techniques.

Proposals may also cover secure execution environments not only including the execution platforms themselves plus the operating systems, but also the mechanisms (e.g. security supporting services, authentication/access control mechanisms) that ensure an adequate level of security, privacy and accountability in the execution of all processes.

Proposals are encouraged to provide mechanisms for informing the users on their security/privacy levels, for providing warnings and assisting them in handling security and privacy related incidents.

b) Cyber-attacks management – advanced response and recovery

Innovative capabilities to dynamically support human operators (e.g. Incident Response professionals), in controlling response and recovery actions, including information visualization. The capabilities should include the assessment how attacks propagate in a particular infrastructure and/or across interconnected infrastructures (e.g. attack-defence graphs) and what the best measures are to withstand and recover from a threat/attack, including the convergence with measures beyond cyber that can be needed (e.g. security policies).

Proposals should address the use of -and the contribution to- appropriate threat intelligence sources as well as the share of information with relevant parties (e.g. industry cooperation groups, Computer Security Incident Response Teams - CSIRTs).

Proposals should explore forensics, penetration testing, investigation and attack attribution services -local or remote- to achieve proper identification and better protection against future attacks and zero-day vulnerabilities. Approaches can include the combination of massive data and logs collection from various sources (e.g. network traffic, dark web) to facilitate investigation on security alerts and to find suspicious files trajectories in order to have the most appropriate response. Efficient utilization of both structured data (e.g. logs) and unstructured data (e.g. data coming from social networks such as pictures, tweets, discussions on forums) should be addressed.

Applicants should also consider the efficient handling (e.g. classification, anomaly detection) of encrypted network traffic and in particular where data stays encrypted, while keeping compliance with end user’s privacy requirements.

Proposals need to consider dynamic, evidence based security and privacy risk assessment methodologies and management tools targeting emerging/advanced technologies (e.g. IoT, virtualised and service-oriented systems/networks).

Proposals are encouraged to provide mechanisms for informing the users on their security/privacy levels, for providing warnings and assisting them in handling security and privacy related incidents.

The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 6; please see Annex G of the General Annexes.

The Commission considers that proposals requesting a contribution from the EU of between EUR 4 and 5 million would allow this area to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.

For grants awarded under this topic for Innovation Action the Commission or Agency may object to a transfer of ownership or the exclusive licensing of results to a third party established in a third country not associated to Horizon 2020. The respective option of Article 30.3 of the Model Grant Agreement will be applied.

Expected Impact

Short/medium term

  • Enhanced protection against novel advanced threats.
  • Advanced technologies and services to manage complex cyber-attacks and to reduce the impact of breaches.
  • The technological and operational enablers of co-operation in response and recovery will contribute to the development of the CSIRT Network across the EU, which is one of the key targets of the NIS Directive.

Long term

  • Robust, transversal and scalable ICT infrastructures resilient to cyber-attacks that can underpin relevant domain specific ICT systems (e.g. for energy) providing them with sustainable cybersecurity, digital privacy and accountability.

Cross-cutting Priorities

  • Socio-economic science and humanities
  • Contractual Public-Private Partnerships (cPPPs)
  • Cybersec
Application date
Social sciences : Law, Pedagogic & Education Research